How network discovery works
Cloud Security for Endpoints by Bitdefender protects systems using security technology that has been rated number one time and time again. It does not require on-site server hardware and maintenance as it is managed by Cloud Security Console, a powerful and intuitive interface to a solution that can scale to defend any number of systems, no matter where they are located.
This article describes how Cloud Security for Endpoints performs network discovery and what the requirements are. For troubleshooting instructions, check this article.
To make deployment easier, Cloud Security for Endpoints includes an automatic network discovery mechanism that allows the client software (Endpoint Client) to be installed on endpoints remotely from Cloud Security Console. This is an overview of the process:
1. You must first manually install Endpoint Client on a computer in your network (for example, using the URL installation).
2. Once installed on the first computer, Endpoint Client automatically detects most computers in the local network and sends the detected computers list to Cloud Security Console. This process might take a few minutes.
3. Detected computers without Endpoint Client installed are displayed as unmanaged computers in Cloud Security Console, on the Computers page.
4. To remotely install protection on unmanaged computers, you just select them from the Computers page and then run the Install Client task. Remote installation is performed in the background, without the user knowing about it. Installation task results can be checked from the Computers > View Tasks page.
5. After the initial network discovery, Cloud Security Console keeps the unmanaged computers list updated by designating specific Endpoint Client instances to perform network discovery every hour. Newly detected unmanaged computers are added to the existing list. Previously detected computers that have not been detected again by the latest network discovery are also kept in the list.
It might take from one to a few hours for new network computers to show up in Cloud Security Console.
6. You must periodically check the unmanaged computers list in Cloud Security Console and take the appropriate action:
- Install protection remotely on newly detected computers.
- Exclude computers you do not want to protect with Cloud Security for Endpoints.
- Exclude and delete computers that have been removed from the network.
Continue with the following sections for technical insights, requirements and troubleshooting instructions.
How network discovery works
Cloud Security for Endpoints relies on the Microsoft Computer Browser service to perform network discovery. The Computer Browser service is a networking technology used by Windows-based computers to maintain updated lists of domains, workgroups, and the computers within them and to supply these lists to client computers upon request. Computers detected in the network by the Computer Browser service can be viewed in My Network Places or Windows Explorer windows or by running the net view command in a command prompt window. The service is widely used in corporate computer networks, which makes it a viable option for network discovery.
Cloud Security for Endpoints does not use network information from Active Directory or from the network map feature available in Windows Vista and later. Network map relies on a different network discovery technology: the Link Layer Topology Discovery (LLTD) protocol.
Cloud Security for Endpoints is not actively involved in the Computer Browser service operation. Endpoint Client only queries the Computer Browser service for the list of workstations and servers currently visible in the network (known as the browse list) and then sends it to Cloud Security Console. Cloud Security Console processes the browse list, appending newly detected computers to its Unmanaged Computers list. Previously detected computers are not deleted after a new network discovery query, so you must manually exclude and delete computers that are no longer on the network.
Endpoint Client queries the Computer Browser service and communicates with Cloud Security Console via the Endpoint Agent (epag.exe) module.
The initial query for the browse list is carried out by the first Endpoint Client installed in the network.
- If Endpoint Client is installed on a workgroup computer, only computers from that workgroup will be visible in Cloud Security Console.
- If Endpoint Client is installed on a domain computer, only computers from that domain will be visible in Cloud Security Console. Computers from other domains can be detected if there is a trust relationship with the domain where Endpoint Client is installed.
Subsequent network discovery queries are performed regularly every hour. For each new query, Cloud Security Console divides the managed computers space into visibility areas and then designates one Endpoint Client in each area to perform the task. A visibility area is a group of computers that detect each other. Usually, a visibility area is defined by a workgroup or domain, but this depends on the network topology and configuration. In some cases, a visibility area might consist of multiple domains and workgroups.
If a selected Endpoint Client fails to perform the query, Cloud Security Console waits for the next scheduled query, without choosing another Endpoint Client to try again.
For full network visibility, Endpoint Client must be installed on at least one computer in each workgroup or domain in your network. Ideally, Endpoint Client should be installed on at least one computer in each subnetwork.
More about the Microsoft Computer Browser service
Quick facts about the Computer Browser service:
- Works independently of Active Directory.
- Runs exclusively over IPv4 networks and operates independently within the boundaries of a LAN group (workgroup or domain). A browse list is compiled and maintained for each LAN group.
- Typically uses connectionless server broadcasts to communicate between nodes.
- Uses NetBIOS over TCP/IP (NetBT).
- Requires NetBIOS name resolution. It is recommended to have a Windows Internet Name Service (WINS) infrastructure up and running in the network.
- Is not enabled by default in Windows Server 2008 and 2008 R2.
For detailed information on the Computer Browser service, check the Computer Browser Service Technical Reference on Microsoft TechNet.
In order to successfully discover all the computers (servers and workstations) that will be managed from Bitdefender’s Cloud Security Console, the following are required:
- Computers must be joined in a workgroup or domain and connected via an IPv4 local network. Computer Browser service does not work over IPv6 networks.
- Several computers in each LAN group (workgroup or domain) must be running the Computer Browser service. Primary Domain Controllers must also run the service.
- NetBIOS over TCP/IP (NetBT) must be enabled on computers. Local firewall must allow NetBT traffic.
- File sharing must be enabled on computers. Local firewall must allow file sharing.
- A Windows Internet Name Service (WINS) infrastructure must be set up and working properly.
- For Windows Vista and later, network discovery must be turned on (Control Panel > Network and Sharing Center > Change Advanced Sharing Settings). To be able to turn on this feature, the following services must first be started:
  - DNS Client
  - Function Discovery Resource Publication
  - SSDP Discovery
  - UPnP Device Host
- In environments with multiple domains, it is recommended to set up trust relationships between domains so that computers can access browse lists from other domains.
Computers from which Endpoint Client queries the Computer Browser service must be able to resolve NetBIOS names.
The network discovery mechanism works for all supported operating systems, including Windows Embedded versions, provided the requirements are met.
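The following PowerShell script is an added example, not code from the Bitdefender article: it checks the requirements listed above on a Windows computer and then reads the browse list with `net view`, which is the same list Endpoint Client obtains from the Computer Browser service. It assumes an elevated session on Windows 8 / Server 2012 or later (for `Get-NetFirewallRule`); the service short names used (Browser, Dnscache, FDResPub, SSDPSRV, upnphost) are the standard Windows names for the services named in the requirements.

```powershell
# Added example (not Bitdefender's code): verify the Computer Browser
# discovery prerequisites on this machine and show the browse list.
$results = [ordered]@{}

# 1. The Computer Browser service ("Browser") must be running.
#    It is not enabled by default on Windows Server 2008 / 2008 R2,
#    and is absent on recent Windows 10 builds without SMBv1.
$browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
$results['Computer Browser service running'] = [bool]($browser -and $browser.Status -eq 'Running')

# 2. Services that must be started before network discovery can be turned on
#    (DNS Client, Function Discovery Resource Publication, SSDP Discovery, UPnP Device Host).
foreach ($svc in 'Dnscache', 'FDResPub', 'SSDPSRV', 'upnphost') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["$svc running"] = [bool]($s -and $s.Status -eq 'Running')
}

# 3. NetBIOS over TCP/IP must be enabled on at least one IPv4 adapter.
#    TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
$netbt = Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 }
$results['NetBT enabled on an IPv4 adapter'] = [bool]$netbt

# 4. The local firewall must allow file sharing (which carries the NetBT traffic).
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$results['File and Printer Sharing inbound rules enabled'] = [bool]$fps

# 5. The computer must be joined to a workgroup or domain; report which one.
$cs = Get-CimInstance Win32_ComputerSystem
$membership = if ($cs.PartOfDomain) { "domain $($cs.Domain)" } else { "workgroup $($cs.Domain)" }
$results["Member of $membership"] = $true

$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}

# 6. The browse list for this LAN group: computers listed here are what
#    Endpoint Client reports to Cloud Security Console. An empty or failing
#    result usually points at one of the checks above.
Write-Host "`nBrowse list (net view):"
net view 2>&1
```

Run it on the computer hosting the Endpoint Client that performs discovery; any line marked CHECK corresponds to an unmet requirement from the list above.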