5 Replies Latest reply on Feb 10, 2010 4:26 PM by jhaynes

    Spreading out MVM Appliances in a widely dispersed environment

As the Vulnerability Manager guru for our company, I am responsible for deployment of scanners across the US. I would like to make it as easy as possible on the folks who are doing the racking and stacking, so I would like to install and configure the MVM3000s before shipping them out to the datacenters: installing the software, putting in all of the settings to add them to our existing environment, and all that fun stuff. The idea is that the Datacenter folks plug it up, validate that there is connectivity, then we are up and working.

      This seems a bit off from the quick start guide - is there a problem with this approach?  Am I missing something that will doom me to failure?  Has anyone out there done this before and can provide me with any feedback or tips?

      Thanks!!

        • 1. Re: Spreading out MVM Appliances in a widely dispersed environment
          jhaynes

          Hi Roy,

          That approach should work just fine using the MVM3000.

The remote scan engines need to communicate with two devices on your network.

          • Database on Port 1433
          • FCServer on Port 3801

If the IP Address for the Database and FCServer are going to stay static between your staging area and production then all you need to do is change the IP Address on the scan engine before it ships out and make sure there is a communication path on TCP ports 1433 and 3801 back to the DB and FCServer.

If the IP Address for the Database and FCServer are not going to stay static then you will need to also change the FCServer's IP Address on the engine using the Foundstone Configuration Agent utility. Once the FCAgent on the scan engine checks back in with the FCServer it will pull down the new database IP Address that is configured in the FCM Console under Tools > Preferences > Database.

I've attached a screen shot of the two configuration screens in MVM that you might need to make changes to.

          Good Luck

          Jeff Haynes

          • 2. Re: Spreading out MVM Appliances in a widely dispersed environment

            Thanks Jeffrey

The FC (Report Server) and the DB server will indeed remain static, so essentially, I should ensure that there is connectivity and that we are working well, then just ensure I change the IP address of the scan engine prior to sending it out. Will I need to make that change on both the engine and the FC, or just the engine, and the FC will understand when it makes that first connection?

            Thanks again

            • 3. Re: Spreading out MVM Appliances in a widely dispersed environment
              jhaynes

Well, first we need to get some terminology straight so we are both on the same page. Assuming that you are only using MVM3000s.

              FCServer and FCAgents:

              • All MVM3000s will have an FCAgent running on them.
              • One MVM3000 will have the FCServer running on it.
              • On the system running the FCServer you will also have the Foundstone Configuration Manager.
              • The FCAgents all contact the FCServer on TCP Port 3801.

              Scan Engine, Report Server, FCServer, API Server and Database:

• There will be one database in your environment.
              • All Scan engines will connect to that database on TCP Port 1433.
              • The Report Server will connect to the database on TCP Port 1433.
              • The FCServer will connect to the database on TCP Port 1433.
              • The API Server will connect to the database on TCP Port 1433.

              From what I understood in your last post there will be a single system running the Database, FCServer and Report Server. If that is accurate and the IP Address of that system will not change then once you have a scan engine configured you will just need to assign it a new IP Address. Once it boots up on the new network it will just use normal TCP to connect back to the correct components. There isn't anything else you will need to do.

              Jeff Haynes
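Jeff's two replies above spell out the TCP paths a staged engine depends on (database on 1433, FCServer on 3801) and which other components also reach the database. The script below is an added example and is not part of this thread or of McAfee's own tooling: it derives those required flows from a role-to-host map and does a plain TCP connect to each of the engine's two dependencies, which is the check worth running on a staged MVM3000 after its final IP address is set and before it ships. All host addresses in it are constructed placeholders, and the demo uses loopback listeners standing in for the DB and FCServer so it runs offline.

```python
"""Pre-ship connectivity check for a staged MVM3000 scan engine.

Added example, not McAfee tooling.  It encodes the dependencies named in
the thread: every scan engine reaches the database on TCP 1433 and the
FCServer on TCP 3801; Report Server, FCServer and API Server each reach
the database on TCP 1433.  Hosts used below are constructed placeholders.
"""
import socket
from dataclasses import dataclass

DB_PORT = 1433        # SQL Server, per the thread
FCSERVER_PORT = 3801  # FCAgent -> FCServer, per the thread


@dataclass(frozen=True)
class Flow:
    src: str    # role@host that initiates the connection
    dst: str    # role at the far end
    host: str   # address the initiator must be able to reach
    port: int


def required_flows(topology):
    """Derive the TCP flows the thread says must exist.

    topology maps role -> list of hosts.  Exactly one database and one
    FCServer are expected, as in the thread.
    """
    (db,) = topology["database"]
    (fc,) = topology["fcserver"]
    flows = []
    for eng in topology.get("scan_engine", []):
        flows.append(Flow(f"scan_engine@{eng}", "database", db, DB_PORT))
        flows.append(Flow(f"scan_engine@{eng}", "fcserver", fc, FCSERVER_PORT))
    for role in ("report_server", "fcserver", "api_server"):
        for host in topology.get(role, []):
            flows.append(Flow(f"{role}@{host}", "database", db, DB_PORT))
    return flows


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect and close; nothing is sent after the handshake.

    Returns (ok, detail).  A refused connection or a timeout both count as
    'no path', which is what a firewall/ACL gap between datacenters looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


def check_engine_dependencies(db_host, fc_host, db_port=DB_PORT,
                              fc_port=FCSERVER_PORT, timeout=3.0):
    """Run on the staged engine: verify its two outbound dependencies."""
    return {
        "database": tcp_reachable(db_host, db_port, timeout),
        "fcserver": tcp_reachable(fc_host, fc_port, timeout),
    }


def demo_with_loopback_stand_ins():
    """Offline demo: two loopback listeners stand in for DB and FCServer,
    plus one closed port to show what a blocked path reports.

    Returns (results_with_both_open, results_with_fcserver_blocked).
    """
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))   # ephemeral port, stands in for 1433/3801
        s.listen(1)
        listeners.append(s)
    db_port = listeners[0].getsockname()[1]
    fc_port = listeners[1].getsockname()[1]
    # Reserve a port number, then close it so nobody listens there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    try:
        good = check_engine_dependencies("127.0.0.1", "127.0.0.1",
                                         db_port, fc_port, timeout=2.0)
        bad = check_engine_dependencies("127.0.0.1", "127.0.0.1",
                                        db_port, dead_port, timeout=2.0)
    finally:
        for s in listeners:
            s.close()
    return good, bad


if __name__ == "__main__":
    for name, (ok, detail) in demo_with_loopback_stand_ins()[1].items():
        print(f"{name}: {'OK' if ok else 'NO PATH'} ({detail})")
```

On a real engine the call is `check_engine_dependencies("<db-ip>", "<fcserver-ip>")` with the production addresses; a failure on 3801 with 1433 working points at the path to the FCServer rather than at the engine's configuration, which is the distinction the thread draws between "just re-IP the engine" and "also re-point the FCAgent".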

              • 4. Re: Spreading out MVM Appliances in a widely dispersed environment

                Looks like I was good and confusing -

                We have one DB server A

                One report server (Enterprise Manager) B

What used to be called a Primary Scan Engine (but now is the FC Server?) C which contains the API Server, Data Sync Server, two turtledoves and a partridge in a pear tree.

                A horde of Engines, happily scanning away D +

                So all my new engines will need to speak with DB on 1433 - check

                all my new engines will need to speak with Primary Scan Engine C and its backpack of functionality on 3801 - check

The report server already speaks to the DB on 1433, so it's happy, and it doesn't have to muck about with the engines - check

                The Primary Scan Engine (FC Server) speaks with all my other engines, sends updates and the like, and can converse with the DB on 1433.

                I think we are speaking the same terms now - I was off a bit in my youthful enthusiasm.

Currently I am not using exclusively MVMs. The new devices will be the first MVMs; we have installed the software, and are slowly converting to appliances (with these new scanners being in the forefront). Once they are all up and functioning like greased lightning, we will be converting our other servers to an all-MVM environment (probably over a 9 month to a year time frame).

                Appreciate the info!

                Roy

                • 5. Re: Spreading out MVM Appliances in a widely dispersed environment
                  jhaynes

MVM 6.5 and previous used the concept of the Primary Scan Engine. The job of the Primary Scan Engine was to act as the conduit for all requests made using the Enterprise Manager. That job has been taken over by the API Server.

So when you say "What used to be called a Primary Scan Engine (but now is the FC Server?)" you are not correct. I put a quick jpg together on the data flow in MVM and the slight difference between 6.5 and 6.7 (6.7 and 6.8 work the same way).

                  Jeff Haynes