BES Asset Discovery
BES offers several ways to identify computers that do not have the BES Client installed or running:
- BES Client Deploy Tool - A tool that will connect to Active Directory and check if the computers
have the BES Client service running. The BES Client Deploy Tool comes installed when you install the BES Installation
Generator. The BES Client Deploy Tool can be used to install the BES Client if the computers are in the Active Directory domain.
- BES Scanner - A standalone tool based on NMAP designed to scan an IP range to look for computers without the
BES Client running. The BES Scanner is available here. The BES Scanner can be used to run a
simple immediate scan for unmanaged computers in an IP range.
- BES Asset Discovery Fixlet Site - A Fixlet site that allows you to remotely deploy "Scan Points" to periodically scan the remote subnets and then import the data into the BES Console. Read below for more details.
BES Asset Discovery
The BES Asset Discovery Fixlet site helps you find unmanaged computers on the network that do not have the BES Client installed (or that do not have the BES Client running). It also helps you identify network devices such as routers, printers, and switches that cannot have the BES Client installed.
BES Asset Discovery works by letting you use Fixlet messages and Tasks to deploy "Scan Points", which are NMAP scanners, to specified BES Clients in your network. You can then use Fixlets and Tasks to periodically run scans. The scan results are automatically shipped to the BES Server, which imports the data into the database. The scan information can then be viewed in the BES Console in the "Unmanaged Asset" tab.
The designated scan points scan their local subnets.

The results are then automatically sent to the BES Server, imported into the database, and made available for viewing in the BES Console "Unmanaged Assets Tab".
Instructions for using BES Asset Discovery
Follow these simple instructions to begin using the BES Asset Discovery:
- First, read the warning below about using the BES Asset Discovery.
- You will need to obtain a masthead for the BES Asset Discovery site. Email licensing@bigfix.com to request the masthead for this site as production evaluation (or if you are using an evaluation copy of BES, the evaluation installer will allow you to install the BES Asset Discovery site).
- After the site subscribes, use the "Install Nmap Asset Discovery Import Service" Task to install the Importer tool as a service on the BES Server. The Importer service will run periodically (by default, every 5 minutes) and check for new Nmap scan data on the BES Server.
- Use the "Designate Nmap Scan Point" Task to establish scan points throughout your network.
- After you deploy the scan points, a Task titled "Run Nmap Scan" will become relevant. Running this Task will perform a scan. A scan on a class C network usually takes about 20-30 minutes. You can also create your own Tasks to schedule and configure Nmap scans using the "Asset Discovery Nmap Configuration Wizard".
- When a scan point has finished its scan, the results will be uploaded to the BES Server and imported into the database by the Importer service. The scan results will then be visible through the Unmanaged Asset tab in the BES Console. Note that you must be logged into the BES Console with Master Operator privileges to view Unmanaged Asset data.
- To remove Unmanaged Asset information from the database, use the "Delete Nmap Asset Discovery Data" Task.
- At any point, activate the "Nmap Scan Point Statistics" analysis to view information about designated Nmap scan points.
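The reconciliation behind the Unmanaged Asset view, sketched as an added example (not BigFix code, and not the Importer service's actual logic): it parses Nmap XML output (`-oX`) and lists live hosts inside an approved subnet that are absent from a list of managed addresses. The sample scan data, the managed-address set and the function name are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output, as if merged from several scan points.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.10.200" addrtype="ipv4"/>
    <hostnames><hostname name="lab-200.example.test"/></hostnames></host>
  <host><status state="up"/>
    <address addr="192.168.10.5" addrtype="ipv4"/>
    <hostnames><hostname name="ws-005.example.test"/></hostnames></host>
  <host><status state="up"/>
    <address addr="192.168.10.40" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExamplePrinterCo"/>
    <hostnames/></host>
  <host><status state="down"/>
    <address addr="192.168.10.77" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed inventory: addresses that already report through the management agent.
MANAGED = {"192.168.10.5"}


def unmanaged_assets(nmap_xml, managed_ips, approved_subnet):
    """Return live hosts inside approved_subnet that are not in managed_ips."""
    subnet = ipaddress.ip_network(approved_subnet)
    found = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        state = host.find("status")
        if state is None or state.get("state") != "up" or "ipv4" not in addrs:
            continue  # host did not answer, or no IPv4 address was recorded
        ip = ipaddress.ip_address(addrs["ipv4"])
        if ip not in subnet or str(ip) in managed_ips:
            continue  # outside the approved range, or already managed
        mac = host.find("address[@addrtype='mac']")
        name = host.find("hostnames/hostname")
        found.append({
            "ip": str(ip),
            "mac": addrs.get("mac"),
            "vendor": mac.get("vendor") if mac is not None else None,
            "hostname": name.get("name") if name is not None else None,
        })
    # Sort numerically so .40 comes before .200 in the report.
    return sorted(found, key=lambda h: ipaddress.ip_address(h["ip"]))


if __name__ == "__main__":
    for asset in unmanaged_assets(SAMPLE_NMAP_XML, MANAGED, "192.168.10.0/24"):
        print(asset)
```

Hosts with a MAC vendor but no hostname, such as the constructed printer entry, are typical of the network devices that cannot run a client and still belong in the inventory.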
Warnings
The warnings below are very important. Please read them before installing the BES Asset Discovery Fixlet site. Check with your network team before scanning the network!
Licensing
- When you designate scan points, you are installing the NMAP scanner application available from http://www.insecure.org/nmap. You must agree to the license agreement for NMAP before designating the scan points.
- When you designate scan points, you are also installing the packet capture library WinPCAP 3.1, available at http://winpcap.polito.it/install/default.htm. You must agree to the license agreement for WinPCAP before designating the scan points.
- Nmap is distributed in a .zip file. In order to extract it, BES will temporarily download and use Info-Zip's decompression tool. Info-Zip is an open-source decompression utility. More information on Info-Zip is available at http://www.info-zip.org/. You must agree to the license agreement for Info-Zip before designating the scan points.
Potential Scanning Issues
- Network scans can potentially trigger Intrusion Detection Systems.
- Network scans can potentially cause old network devices, such as old printer network devices, to fail if scanned.
- Network scans can potentially cause personal firewalls, such as ZoneAlarm or BlackIce, to advise the user that a computer is scanning the local computer.
- NMAP is sometimes flagged by virus scanners as a potentially harmful tool (because it can be used for malicious purposes). Check to make sure your virus scanner is not set to block NMAP from running.
- If you set NMAP to scan a very large network (such as 10.10.*.*) it will take a very long time and could consume significant bandwidth during the scan. Note that the default scan is the local Class C network, which usually is a fast LAN. BigFix does not recommend scanning large networks across the WAN with this tool.
- Using NMAP to scan is usually a very safe operation, but there potentially could be issues specific to your organization that could result from scanning computers. Please obtain the appropriate authorization before proceeding.
Please send questions and comments to betafeedback@bigfix.com.
©2008 BigFix