As far as I know (and Im remembering this from a training course, not through experience - we dont have RD enabled), a Rogue Sensor can only detect within that subnet.. you have to install another sensor on the target subnet if you want it scanned.
1) Install RSD on DHCP servers (we've had some issues with clients not being able to pull an IP fast enough and it was pointed at RSD) 2) Install RSD on random devices throught the subnet (leave off mobile devices, preferably devices that sit still and are not used alot) 3) Use desktop management software/NAP to deploy package rather than EPO
Just to add a point - it depends to a certain extent on what you want RSD to do for you. If you want it to pick up your new machines as they are added to the network and deploy an agent to them, say, then this approach is fine. However if you want RSD to detect potentially unwanted machines in your environment, then just having a sensor on the DHCP server may not be enough since a rogue machine with a static IP will never request an address and the sensor on the DHCP server won't see it. If you're worried about hostile machines and want to cover all the bases, then you'll need a sensor per subnet.
JB hit the nail on the head. If you have TPS you might want to look into NAC which would allow you to only allow systems on the network if they meet compliance. With RSD in a large environment there are alot of problems.
You're always going to get this, as far as I know: the sensor is effectively doing a port scan, and HIPs is alerting accordingly. The only way to stop this would be to reduce the functionality of HIPs, which I'm sure you don't want to do, or to avoid scanning the machine.
In ePO 4.0 this means turning off the OS detection in the sensor policy: in ePO 4.5, you can mark the machines you don't want scanned as exceptions and then the sensors will ignore them.
Unfortunately these are mutually exclusive operations... the sensor performs a port scan, and HIPs detects port scans. If there was a way to tell HIPs to ignore the type of port scan that the sensor uses, you'd be introducing a hole in your coverage: it would be comparatively simple for malware to mimic the sensor's activity and so go undetected.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.