1.2 How Agent Manager Works

Agent Manager provides data collection rules that allow Sentinel to provide real‑time data collection.

1.2.1 Understanding Product Components

Agent Manager includes a number of software components that you can distribute and install as needed to meet your security management objectives and environment.

If you are evaluating Agent Manager, you can install all the components on one computer. However, this approach is not recommended for a production installation. You must plan to distribute the workload over a number of computers, installing components strategically.

The following table defines the major purposes of the product components.

Software Component – Purpose

Windows Agent – Services running on Windows computers that monitor the operating system, devices, or applications, such as antivirus products.

Windows Central Computer Components – Software running on central computers that receives data from agents and sends log data to Sentinel. Central computers also install, uninstall, and configure Windows agents, distribute rules to Windows agent computers, and control data flow between all agents and the Sentinel servers.

Databases – Databases located on the database server store configuration data. Agent Manager includes the AgentManager database and the AgentManagerCommon database in a Microsoft SQL Server repository. NetIQ recommends that you use a dedicated SQL Server instance for Agent Manager.

1.2.2 Understanding the Architecture

Because of the inherent adaptability of Agent Manager, there is no “one‑size‑fits‑all” solution for installing Agent Manager. When you install Agent Manager, you can decide where to install the product components based on your environment and requirements for load balancing, failover, and performance.

The agent computers, central computer, and database server make up a product installation. You can control where to install various components of the configuration group, including where to install the database server and how many central computers to install.

A choice of configuration options is especially important in large distributed enterprises or when communicating over slower network links, such as WANs.

The best way to choose a deployment model is to conduct a pilot study that emulates the data collection you want to install, the production hardware you plan to use, and the anticipated event volume.

The following model illustrates a typical way to deploy Agent Manager in a production environment.

This model uses many agents that report to distributed central computers, and one Sentinel server configured to gather event data and store configuration information for Agent Manager. For more information about the roles computers serve in a configuration group, see Anticipating Your Hardware Needs.

1.2.3 Anticipating Your Hardware Needs

The following table outlines the major purpose of each component running on computers in the configuration group and identifies important hardware considerations.

Computer Role – Software Components

Central computers:

  • Agent Administrator – installs, configures, identifies, updates, and uninstalls agents on Windows computers.

  • Consolidator – receives event data from data collection policies, and periodically distributes data collection rules to Windows agents. The Consolidator also acts as an agent on its local computer. If a central computer becomes unavailable, another central computer continues to collect event data from agents.

  • Core Service – sends queued events to Sentinel.

  • Data Access Server – interacts with the database server and provides database access control.

  • Agent Manager Console – customizes data collection rules and other Agent Manager components for your environment.

Database server:

  • AgentManager database – stores configuration data.

  • AgentManagerCommon database – stores user settings for the configuration group.

1.2.4 Understanding Windows Component Communication

Agent Manager Agents installed on Windows computers communicate with the central computer at specified intervals to transfer data and receive data collection rules. Data collection rules define how Agent Manager collects information.

Your enterprise can adjust the following default communication intervals to meet your needs:

  • Agent Manager Agents initiate a heartbeat every 5 minutes to report status and request updates from the central computer. A heartbeat is a periodic communication from an agent that contains information related to its viability.

  • Central computers check for data collection rule changes every 5 minutes.

  • Central computers scan managed agent computers daily at 2:05 AM to install, uninstall, and configure managed agents.

Allow the appropriate time for any configuration or rule changes you make to take effect. The product can take up to 15 minutes to automatically begin enforcing the rule on monitored Windows computers.

A monitored computer is a computer from which Agent Manager collects and processes information. Collected information can indicate critical security events occurring on the monitored computer.

1.2.5 Understanding Windows Agent Communication Security

Agent Manager uses the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols included in the Microsoft Secure Channel (SChannel) security package to encrypt data.

Agent Manager supports all SChannel cipher suites, including the Advanced Encryption Standard (AES), adopted as a standard by the U.S. government. Central computers and agents authenticate one another by validating client and/or server certificates, an industry-standard technique for establishing trust.

Out of the box, Agent Manager uses a default self-signed certificate, installed on the central computer, for communication between the central computer and monitored Windows agents. If you want to enable authenticated communication, you can implement your own Public Key Infrastructure (PKI) and deploy custom certificates on central computers and agents, replacing the default central computer certificate.
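Because the default central computer certificate is self-signed and the cipher suites in use are whatever SChannel offers on the host, an administrator will usually want to confirm both after deploying custom PKI certificates. The following PowerShell script is an added example for that check; it is not NetIQ's code and it assumes that the central computer certificate is stored in the LocalMachine\My certificate store and that the host runs Windows Server 2016 or later, where the Get-TlsCipherSuite cmdlet is available.

```powershell
# Added example (not NetIQ's own code): audit the TLS material a central
# computer can present to agents. Assumptions: the certificate used for
# agent communication is in Cert:\LocalMachine\My, and SChannel cipher
# suite policy has not been altered by Group Policy. Run in an elevated
# PowerShell session on the central computer.

function Get-SelfSignedMachineCertificate {
    # A certificate whose Issuer equals its Subject was not issued by a CA.
    # The out-of-the-box Agent Manager certificate falls into this class;
    # after PKI-issued certificates are deployed it should no longer be needed.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Get-SChannelCipherSummary {
    # Get-TlsCipherSuite reports the suites SChannel currently has enabled,
    # in the order they are offered. The Cipher property names the bulk
    # cipher (for example 'AES' or 'RC4').
    $suites = Get-TlsCipherSuite
    [pscustomobject]@{
        Enabled  = $suites.Count
        AesBased = @($suites | Where-Object { $_.Cipher -eq 'AES' }).Count
        Legacy   = @($suites | Where-Object { $_.Cipher -in @('RC4', '3DES', 'DES', 'NULL') })
    }
}

# Report self-signed certificates, including any that are already expired.
$selfSigned = Get-SelfSignedMachineCertificate
if ($selfSigned) {
    Write-Warning 'Self-signed certificates present in LocalMachine\My:'
    $selfSigned | Format-Table -AutoSize
    $expired = $selfSigned | Where-Object { $_.NotAfter -lt (Get-Date) }
    if ($expired) { Write-Warning ('{0} of them have expired.' -f @($expired).Count) }
} else {
    Write-Host 'No self-signed certificates in LocalMachine\My.'
}

# Report the SChannel cipher suite picture for this host.
$summary = Get-SChannelCipherSummary
Write-Host ('Enabled SChannel cipher suites: {0}, AES-based: {1}' -f $summary.Enabled, $summary.AesBased)
if ($summary.Legacy) {
    Write-Warning 'Legacy cipher suites still enabled on this host:'
    $summary.Legacy | Select-Object Name, Cipher, CipherLength | Format-Table -AutoSize
}
```

The script only reads the certificate store and the SChannel configuration; disabling a legacy cipher suite (Disable-TlsCipherSuite) or replacing the default certificate is a deliberate change that should follow the product's certificate deployment procedure, and agents must trust whatever PKI issues the replacement before the default is removed.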

The following Agent Manager core service components comply with the requirements of the FIPS 140-2 Inside logo program:

  • central computer

  • database server

  • Agent Manager Windows agents

1.2.6 Understanding Self‑Scaling Windows Operations

Agent Manager automatically adds agents to Windows computers throughout your network. As you add Windows computers to your network, Agent Manager automatically detects those computers, checks them for the role they serve in the network, such as an IIS server, and installs agents as necessary.

As your Windows network changes, Agent Manager automatically changes with it. Agent Manager ensures that the right knowledge is applied to the right computers at the right time.

The low‑overhead components in Agent Manager allow you to monitor hundreds of servers in your enterprise with little system degradation. Agent Manager also regularly updates Windows agents with new or modified data collection rules. Central computers automatically apply updated data collection rules to the appropriate monitored Windows computers.

1.2.7 Understanding Supported Windows Platforms

For the list of Microsoft Windows endpoint event sources that Agent Manager can monitor, see System Requirements.

1.2.8 Understanding Supported Data Formats

Agent Manager can receive and process data in both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) formats. In addition, you can install Agent Manager components on dual-stack computers, which are computers that have both IPv4 and IPv6 running at the same time.

However, you cannot install Agent Manager components on computers running only IPv6. Agent Manager requires that IPv4 be installed, either by itself or along with IPv6.

NOTE: If you want to use your Agent Manager agent to receive data that contains IPv6 format IP addresses, you must install IPv6 on the agent computer. For more information about installing IPv6, see the Microsoft Windows Server Help.
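Since an IPv6-only host cannot run Agent Manager components and an IPv4-only agent cannot receive IPv6-format addresses, a pre-installation check of each adapter's protocol bindings avoids a failed install. The following PowerShell function is an added example of that check; it is not part of the product and assumes the NetAdapter and NetTCPIP modules shipped with Windows Server 2012 and later.

```powershell
# Added example (not NetIQ's own code): classify each connected physical
# adapter as IPv4-only, dual-stack, or IPv6-only, and flag hosts that
# cannot host Agent Manager components. Assumes Windows Server 2012 or
# later (NetAdapter and NetTCPIP cmdlets).

function Test-AgentManagerIPStack {
    $results = foreach ($nic in (Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })) {
        # ms_tcpip is the IPv4 binding component, ms_tcpip6 the IPv6 one.
        $v4Bound = (Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip).Enabled
        $v6Bound = (Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6).Enabled

        # A binding can be enabled with no address configured, so also check
        # for a non-link-local IPv4 address on the interface.
        $v4Addr = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -notlike '169.254.*' }

        $stack = if ($v4Bound -and $v6Bound) { 'Dual-stack' }
                 elseif ($v4Bound)          { 'IPv4 only' }
                 elseif ($v6Bound)          { 'IPv6 only' }
                 else                       { 'No IP binding' }

        [pscustomobject]@{
            Adapter          = $nic.Name
            Stack            = $stack
            IPv4Address      = ($v4Addr.IPAddress -join ', ')
            # Agent Manager requires IPv4; IPv6 may be present alongside it.
            CanHostComponents = [bool]($v4Bound -and $v4Addr)
            # Only a dual-stack agent can receive IPv6-format addresses.
            ReceivesIPv6Data = [bool]($v4Bound -and $v6Bound)
        }
    }
    $results
}

$report = Test-AgentManagerIPStack
$report | Format-Table -AutoSize

if (-not ($report | Where-Object CanHostComponents)) {
    Write-Warning 'No adapter has a usable IPv4 binding; Agent Manager components cannot be installed on this computer.'
}
if ($report | Where-Object { $_.Stack -eq 'IPv4 only' }) {
    Write-Host 'IPv4-only adapters found: IPv6 must be installed before this agent can receive IPv6 address data.'
}
```

Running the function on a prospective central computer or agent host before installation tells you which of the three cases in this section applies, without changing any binding; enabling IPv6 where it is needed remains a manual step documented in the Windows Server Help.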