For optimum Network Discovery results, we recommend proactively configuring your target networks with the following network settings. If you've already tried Network Discovery but had trouble connecting or retrieving device information, please review the information below.
Domain environment checklist
This checklist details the recommended network settings for Windows domain environments. Share this with your IT administrator and request that they configure your network's domain controller as follows:
- GPO configuration for Windows Firewall (inbound rules)
- Domain configuration for allowing ICMP
- GPO configuration for Windows services
- Third-party firewalls
Note: We recommend enabling WinRM for WMI monitoring (via DC Group Policy) so you can get the most out of the Network Discovery feature. In particular, enabling WinRM will allow for seamless, remote agent installation within Network Discovery.
GPO configuration for Windows Firewall (Inbound Rules)
Allow Windows Management Instrumentation (WMI) service to operate through Windows Firewall. This includes the following rules:
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (WMI-In)
- Windows Management Instrumentation (DCOM-In)
1. On the domain controller, go to Group Policy Management and edit the Default Domain Policy.
2. Under Computer Configuration, navigate to Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound rules > right-click and select New rule.
3. Under the Rule Type window, select Predefined: Windows Management Instrumentation (WMI). Then click Next.
4. Under Rules, select all three. Then click Next.
5. On the next page, select Allow the Connection, then click on Finish.
Domain configuration
Allow ICMP (Internet Control Message Protocol) to operate through Windows Firewall.
Note: ICMP requests are used to detect active devices to scan.
1. Go to Group Policy Management and edit the Default Domain Policy.
2. Under Computer Configuration, navigate to Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound rules > right-click and select New rule.
3. In the Rule Type window, select Custom. Then click Next.
4. In the Program window, select All programs. Then click Next.
Note: In order to use This program path, you will need to whitelist all of the .exe files from all of Atera's packages (these can be found under C:\Program Files\ATERA Networks\AteraAgent\Packages).
5. Select ICMPv4 as the Protocol type. Then click Next.
6. Under the Scope window, select Any IP address for both sections. Then click Next.
7. Under Action, select Allow the connection. Then click Next.
8. Under Profile, select the relevant option according to the endpoints' network (select as many as required). Then click Next.
9. Add a name and a description. Then click Finish.
You're done! This is what the ICMP & WMI rules should look like.
GPO Configuration for Windows Services
The following four services need to be set to Automatic startup:
- Remote Procedure Call (RPC)
- Remote Registry
- Windows Management Instrumentation
- Windows Update
1. On the domain controller, go to Group Policy Management and edit the Default Domain Policy.
2. Under Computer Configuration navigate to Policies > Windows Settings > Security Settings > System Services.
3. Right-click on each service > Properties > check Define this policy setting > Automatic > click OK.
Third-Party Firewalls
Make sure third-party firewalls are disabled or configured similarly to Windows Firewall as above.
Note: By default, the computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, the Group Policy for the computer is always updated when the system starts. Therefore, you will need to allow the GPO to update before you run a scan through Network Discovery.
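After the policy refresh described above, the firewall rules and service settings from this checklist can be verified on an endpoint before a scan is run. The following PowerShell is an added example, not part of Atera's documentation or tooling; the function name Test-DiscoveryPrerequisite is hypothetical, and it assumes an English-language Windows build and the standard service names RpcSs, RemoteRegistry, Winmgmt and wuauserv.

```powershell
# Run in an elevated PowerShell 5.1+ session on a domain-joined endpoint after
# Group Policy has refreshed (gpupdate /force refreshes it immediately).
# Assumption: English-language Windows, so the predefined group has this name.
$wmiGroup = 'Windows Management Instrumentation (WMI)'
# Assumption: standard service names for RPC, Remote Registry, WMI, Windows Update.
$services = 'RpcSs', 'RemoteRegistry', 'Winmgmt', 'wuauserv'

function Test-DiscoveryPrerequisite {
    # ActiveStore is the effective policy: local rules merged with GPO rules.
    $inbound = @(Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
                     -Enabled True -Action Allow)

    # 1. The three predefined WMI rules (ASync-In, WMI-In, DCOM-In). Windows ships
    #    per-profile copies, so count distinct display names, not rule objects.
    $wmi = @($inbound | Where-Object DisplayGroup -eq $wmiGroup)
    $wmiNames = @($wmi.DisplayName | Sort-Object -Unique)
    [pscustomobject]@{
        Check  = 'WMI inbound rules'
        Ok     = $wmiNames.Count -eq 3
        Detail = $wmiNames -join '; '
        Source = @($wmi.PolicyStoreSourceType | Sort-Object -Unique) -join ','
    }

    # 2. An ICMPv4 rule that admits echo requests (type 8) or all ICMP types.
    #    Port filters are joined to their rules through InstanceID.
    $echoIds = @(Get-NetFirewallPortFilter -PolicyStore ActiveStore -Protocol ICMPv4 |
                     Where-Object { $_.IcmpType -match '^(Any|8(:|$))' }).InstanceID
    $icmp = @($inbound | Where-Object { $echoIds -contains $_.InstanceID })
    [pscustomobject]@{
        Check  = 'ICMPv4 echo inbound'
        Ok     = $icmp.Count -gt 0
        Detail = @($icmp.DisplayName | Sort-Object -Unique) -join '; '
        Source = @($icmp.PolicyStoreSourceType | Sort-Object -Unique) -join ','
    }

    # 3. The four services the checklist sets to Automatic.
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "Service $name"
            Ok     = ([bool]$svc -and $svc.StartType -eq 'Automatic')
            Detail = "StartType=$($svc.StartType); Status=$($svc.Status)"
            Source = 'n/a'
        }
    }
}

Test-DiscoveryPrerequisite | Format-Table -AutoSize -Wrap
```

The Source column shows whether each matching rule came from Group Policy or from local configuration, which helps separate a GPO that has not applied yet from a rule that was created by hand.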
SNMP Checklist (for retrieval of SNMP devices and monitoring setup)
- Ensure Remote Registry can operate through Windows Firewall, and that third-party firewalls are disabled or configured similarly to Windows Firewall.
- Ensure the desired monitoring agent is online.
- Ensure the SNMP device hostname/IP address is correct.
- Ensure the ports are open.
Note: If an SNMP device that you want to monitor does not use SNMP v1 and "Public" as the Community String, the device will appear as a Workstation instead of an SNMP device in the Network Discovery scan.