Home    SecuLution Dokumentation back next
Welcome
SecuLution technique and terminology
Quick start
Test setup in 30 minutes
Best practice in everyday use
Full setup and deployment in 5 hours
Installation of components
Install Appliance
AdminWizard installation
Agent installation
Syslog server installation
Initial configuration tasks
Configure basic settings
Agent configuration
Configure automated tasks
Manage whitelist
Initial whitelist generation
Import trustworthy software
Learn mode
Check deployment and learning progress
Audit
Add entries to whitelist
Drag'n'drop
Individual lernmode
Import from directory
PermanentLernUser
Log alarms
Cleanup whitelist
Manually delete unused entries
Delete entries using a pattern
Clean up classifications
Managed Whitelist
Managed Whitelist
Actions
Actions
Referring rules to objects
Offline mode
Offline mode
Devices
USB device management
USB device encryption
RCM
Agent deployment (RemoteClientManagement)
ArpWatch
ArpWatch
Logs
Logs
FAQ
setup.ini

Agent deployment (RemoteClientManagement)


Configure RCM

The feature "RemoteClientManagement" (RCM) enables automatic deployment of SecuLution Agent software in your ActiveDirectory. While you can use the SecuLution AdminWizard on any number of computers, we recommend you use the RCM feature only on the computer on which an administrator does his daily work.

System requirements for RCM:

  • Microsoft ActiveDirectory
  • Dot Net Framework 4.5

To setup RCM:

  • Install the RCMWizard from the AdminWizard folder of your SecuLution install-CD
  • (Re-) Start the AdminWizard
  • Select Extra > Directories > MS-Active-Directory > Start RCM Wizard from the menu

The RCM Wizard will then guide you through the required steps. Follow the on screen instructions. The RCM Wizard will ask for a UNC path in which the installation files of the SecuLution Agent are to be stored. You must set up this share manually, permissions need to be "Everyone" -> "Read, Execute".

RCMWizard

RCM tools update

The feature "RemoteClientManagement" uses MS Active Directory group policy objects to install the Agents on computers of your choice. This can also be done manually but SecuLutions RemoteClientManagement feature (RCM) sets everything up for you. Until Windows XP the Microsoft Group Policy Management Console (GPMC) was used. Since Windows Vista the GPMC is discontinued. Therefore updating the SecuLution RCMTools is not strictly required but it will make deployment of the Agent easier when managing from a computer running Windows Vista or later.

To update the RCMTools:

  • Install Microsofts RemoteServerAdministrationTools (RSAT)
  • Install SecuLutions RCMTools
  • Open path "C:\ProgramData\SecuLutionAdminWizard\RemoteClientManagement\RCM" in Windows Explorer
  • You may have to create two new directories "install" and "uninstall"
  • In directoy "install" the following files must be made available. You'll find these on your SecuLution install-CD or on the path you've yet been using for Agent deployment.
  • In directoy "uninstall" the following file must be made available. You'll find it on your SecuLution install-CD or on the path you've yet been using for Agent deployment, too.
  • Now (re-) start the SecuLution AdminWizard
  • Choose menu "Extra/Directories/MS-Active-Directory/Start RCM Wizard"
  • Now just follow the instructions on your screen. The RCM Wizard will guide you through the setup process.

Deploy Agents using RCM

To deploy Agents to computers in your ActiveDirectory, select the RCM tab.
You'll find four lists:
  • Hosts not running the Agent
  • Hosts marked for Agent deployment
  • Hosts on which the Agent has been successfully deployed
  • Hosts marked for Agent uninstallation

Just select one or more computer objects where the Agent should be deployed, then click on the arrow to move these objects from one list to another. Click apply to apply changes to the AD.

deploy

Notes:
Clicking on "apply" will change the computer's membership of security groups inside the OU SecuLution. This will apply the GPO object's security filtering. However, a computer only renews its own membership of AD groups at the time a user logs into that computer. Furthermore the GPO which is used for the installation of the Agent configures the GPO setting "run these programs at user login", which may not be immediately applied but in some cases requires one more reboot. This results in the following effect:
  • Day one: Admin uses RCM, group membership of computer changed in AD but the computer does not yet know about this
  • Day two: Computer started, user logs in, computer detects new group membership, GPO not yet applied
  • Day three: Computer started, user logs in, computer applies GPO, Agent installation triggered, after successful installation Computer is moved to the appropriate group in AD
  • Day four: Computer started, user logs in, computer detects new group membership, GPO will not be applied any longer

To avoid system messages on the user's screen, UAC is turned off by the RCM's GPO for installation and uninstallation of the Agent. This setting remains valid until the security filter for the GPO applies.


Agent update deployment using RCM

Download the new Agent update file, unpack it to "C:\ProgramData\SecuLutionAdminWizard\RemoteClientManagement\RCM\install", then (re-) start the RCMWizard.

To trigger an update of the SecuLution Agent to the latest version, select the computers in column "These hosts are currently running SecuLution" (1) and click the arrow to the left (2) to move the computers to the column "These hosts will install or update SecuLution on next login" (3).

rcmupdate

The RCM tools will take care of uninstallation, installation and change of group memberships in AD automatically. It is not necessary to manually check if the version is already up to date. The RCM tools identify the installed version automatically, therefore it is possible to move all computers from the 4th column to the 3rd
column independent of the currently running version.


Details about how RCM works internally

RCM in detail:

The RCMWizard verifies the following AD configuration and sets them accordingly.
  • A new OU SecuLution will be created in the root of your AD.
  • New groups will be created in the OU SecuLution:
    • Hosts to install the Agent
    • Hosts to uninstall the Agent
    • Hosts running the Agent
  • A user SSAdmin will be created and added to the group Domain-Admins
  • A GPO "Agent Management" will be created and linked to the domain root. This GPO
    • Configures "run these programs at system boot time"
  • A security filtering for the GPO will be added so that the GPO will be applied only to Computers which are members of the groups "install" or "uninstall".
security-filtering

If the RCM does not work as expected, you can delete all OUs (together with the users and groups contained therein) and GPOs which are related to SecuLution and start the RCMWizard again. The RCMWizard will then recreate and reconfigure all the required objects. If the RCM still does not work, please manually change the order in which GPOs are processed so that the SecuLution AgentManagement GPO is applied first.



Troubleshooting

Nothing happens.
By clicking "Apply", the computers membership in security groups in OU SecuLution is changed. This will affect the security filter of the Group Policy Object "SecuLution Agent Management". A Windows computer updates the information about which groups it is a member of a few minutes after the logon of a user. The Group Policy to install the SecuLution Agents will also be executed when a user logs in. This setting is not always immediately being applied by Windows, but may require restarts and the system being idle for a while. This can result in the following effect:

  • First day: The admin uses the RCM. The group membership of a computer in the AD is being changed. This will not have any effect on the computer itself at this time.
  • Second day: Windows boots. After login, Windows detects it's now member of a new group. Simultaneously Group Policies are applied. However, because the security filter for the Group Policy "SecuLution Agent Management" has not yet been updated, the GPO for SecuLution Agent management is not being applied.
  • Third day: Windows boots. After login, Windows will apply the Group Policy "SecuLution Agent Management" . As a result, the agent will be installed. After successful installation, the computer will be moved to the appropriate group in AD.
  • Fourth day: Windows boots. After login, Windows detects the change in group memberships. The security filter for the Group Policy "SecuLution Agent Management" has changed again, therefore the GPO will be applied no more.

The above operations take time. Rebooting the computer in order to force the application of GPO settings can effectively result in the opposite effect, because Windows might not come to the point where it can check its AD membership if rebooted too quickly. Waiting a few minutes before rebooting is generally a good idea.

In general, the Agent deployment is initiated successfully after one to two days. Installing, uninstalling or updating the SecuLution Agent requires exactly one reboot. However, it is possible that Windows Group policies may take some time to apply.


Still nothing happens.
If the Agent deployment still does not take place automatically:

  • Re- sort the precedence of your GPOs so to that SecuLution AgentManagement GPO is applied first.
  • Check the output (as admin) of "gpresult / R" to determine whether the computer (!not the user!) is correctly listed to be a member of the AD group "SecuLutionInstallAgent". Additionally check the section "Applied Group Policy Objects" for the line "SecuLution Agent Management". If this line is not listedm there's still something superseeding configured in your Active Directory which needs to be solved first.
  • Use rsop.msc to verify the effective settings.

What is the Splash Screen Starter?
If the DotNet Framework has not been used yet, starting a program that is based on DotNet can take a while. Running Splashscreenstarter.exe instead provides a visual indication that the RCMWizard is strting up now.

The RCMWizard does not start
If clicking on the menu "Extra / Directories / MS-Active-Directory / Run RCM Wizard" in AdminWizard does not start the RCMWizard, it can be started manually by right-clicking -> Run as administrator on Splashscreenstarter.exe in folder C:\ProgramData\SecuLutionAdminWizard\RemoteClientManagement.

The RCMWizard does not start. Error message 80040154 is shown.
The error 0x080040154 (CLASS_NOT_REGISTERED) is a Windows (not SecuLution) error. The error can occur if a required Windows component is not properly activated in Windows. Identified causes were for example a component of Dot Net Framework or the Remote Server Administration Tools not being installed properly. The RCMWizard can try to solve these issues. To do this, proceed as follows:

  • Close all instances of RCMWizard
  • Start cmd.exe as Administrator, type:
    • c:
    • cd \ProgramData\SecuLutionAdminWizard\RemoteClientManagement
    • RCMWizard.exe -preinstall
  • Start the RCMWizard


If this still does not produce the desired result, you can try to install the Remote Server Administration Tools manually. After that make sure "Control Panel> Programs and Features> Turn Windows features on or off> Remote Server Administration Tools> Feature Administration Tools> Group Policy Management Tools" is checked.