Overview
You've heard about the GFI LanGuard WAN Agent feature and would like to know more and try it out.
Details
How do I set it up and use it?
WAN Agent communication protocols
What is the WAN Agent?
The WAN Agent is a feature that lets the GFI LanGuard console scan and patch remote computers that are not on the LAN, without requiring a VPN. It lets you identify and address vulnerabilities across a distributed infrastructure from a single console. The agent is lightweight and has a small footprint, so it adds little resource consumption on the remote computer.
How does it work?
The WAN Agent is installed on each remote computer that needs to be scanned and patched from the GFI LanGuard console.
The WAN Agent and the GFI LanGuard console exchange scan and patch commands through an AWS-hosted service over encrypted (TLS) connections; the tls12.ps1 step below enables TLS 1.2 on both the LanGuard host and the remote machine. The agent initiates these connections, so only outbound traffic to TCP ports 443, 8443, and 8883 is required from the remote computer; no inbound port has to be opened on it.
How do I set it up and use it?
Prerequisites
- The installers and files referenced in the instructions below (including a PDF copy of this guide) can be downloaded from the prerequisite files folder.
- Submit a WAN Agent request with our Customer Care team to be provided with the following:
  - Certificate ID
  - Tenant ID
  - LanGuard server WAN name
  - Provisioning claim certificate
  - Private key for the provisioning claim certificate
  - LanGuard server certificate
  - LanGuard server private key
Note: the two private keys are secrets. Keep them only where this procedure requires them (the GFI LanGuard host and its WAN Agents settings), restrict access to administrators, and treat the generated WAN Agent installer as sensitive too: it is specific to your tenant, and any machine that runs it enrols as one of your agents.
- Outbound connections from the target machines where the WAN Agent is installed to TCP ports 443, 8443, and 8883 must be allowed
Important: this process will require a reboot of both the GFI LanGuard host and the remote machine(s) where the agent(s) will be installed.
Enabling on the main install
- Download and install the Microsoft Visual C++ Redistributable
Note: if the installer says the required version is already installed, this step can be skipped
- Install or upgrade GFI LanGuard to the latest version supporting the WAN feature
- Unblock tls12.ps1 and run it in PowerShell in administrator mode
Note: if you get an error message stating that the script cannot be loaded because script execution is disabled, run the following command in the same PowerShell session and then run the script again: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
The -Scope Process setting applies only to that PowerShell session and is not persisted, so the machine's execution policy is unchanged afterwards.
- Reboot the system
- Open the GFI LanGuard console and go to Configuration > Agents management > WAN Agents settings
- In the input fields, add the data and files provided previously by the Customer Care team
- Optional: configure the WAN Agent offline timeout (in hours) to define how long after a WAN Agent goes offline it is considered inactive and removes itself from the target computer ("offline" means no communication between the WAN Agent and the GFI LanGuard console, e.g. because of lost connectivity or because the machine was decommissioned)
- Optional: limit the bandwidth the WAN Agents use when downloading patches by checking Enable download bandwidth limit and setting the desired MB/sec
- Click Generate WAN Agent Installer to generate the WAN Agent installer MSI file, and make a note of the location of the generated files
Note: it takes a moment to generate the MSI installer file
- Click Apply
Installing on the remote machine
- Download and install the Microsoft Visual C++ Redistributable
Note: if the installer says the required version is already installed, this step can be skipped
- Unblock tls12.ps1 and run it in PowerShell in administrator mode
Note: if you get an error message stating that the script cannot be loaded because script execution is disabled, run the following command in the same PowerShell session and then run the script again: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
- Reboot the system
- To uninstall any previous installation, run
MsiExec.exe /X{160301DE-306A-4ADE-8A47-BC5790AF0486}
- Download LanGuardWANAgent.msi (generated with Generate WAN Agent Installer under Enabling on the main install) to the remote machine > right-click > Run as administrator
- Once the installation is completed, a new node for this agent, with the machine's name as the target, will show up under Remote Devices in the computer tree of the GFI LanGuard server dashboard
Important: once the installation is completed, verify that the attendant service is running (especially if you did not install as administrator). Run services.msc from the command prompt > search for the service GFI LanGuard 12 Attendant Service > if it is not running, right-click > Start.
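The remote-machine steps above, together with the TLS 1.2 check that both the Enabling on the main install and Installing on the remote machine procedures depend on, can be scripted so that each step is verified rather than clicked through. The script below is an added example written for this page; it is not GFI's tls12.ps1, nor any GFI tool, and nothing in it is taken from the product. It assumes three things the guide does not give: the path you copied the generated MSI to (-MsiPath), a SHA-256 you recorded next to the generated files on the LanGuard host (-ExpectedSha256, optional), and the AWS endpoint host the agent connects to (-WanEndpoint, optional; the outbound port check is skipped without it). The registry values it inspects are the standard SCHANNEL and .NET Framework TLS 1.2 settings; that these are what tls12.ps1 leaves behind is an assumption, since the guide does not show that script's contents.

```powershell
#Requires -RunAsAdministrator
# Added example for this guide, not GFI code. Scripts the remote-machine steps:
# TLS 1.2 state check, optional outbound port check, removal of a previous agent
# (product code quoted in the guide), silent MSI install with log and optional
# SHA-256 check, and a check that the attendant service is running.
param(
    [string]$MsiPath        = 'C:\Temp\LanGuardWANAgent.msi',  # assumption: where you copied the generated MSI
    [string]$ExpectedSha256 = '',                               # assumption: hash recorded on the LanGuard host
    [string]$WanEndpoint    = ''                                # assumption: AWS host the agent connects to (not named in the guide)
)

function Test-Tls12Enabled {
    $ok = $true
    # SCHANNEL: absent keys mean the OS default (TLS 1.2 enabled); only an explicit disable fails.
    foreach ($side in 'Client', 'Server') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$side"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($v -and (($v.Enabled -eq 0) -or ($v.DisabledByDefault -eq 1))) {
            Write-Warning "TLS 1.2 is explicitly disabled under $key"; $ok = $false
        }
    }
    # .NET Framework: both values must be 1 in the 64-bit and 32-bit hives so a .NET client
    # follows the OS default protocol list (TLS 1.2) instead of legacy SSL 3.0 / TLS 1.0.
    foreach ($hive in 'SOFTWARE\Microsoft', 'SOFTWARE\Wow6432Node\Microsoft') {
        $key = "HKLM:\$hive\.NETFramework\v4.0.30319"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            if (-not $v -or $v.$name -ne 1) { Write-Warning "$key\$name is not 1"; $ok = $false }
        }
    }
    return $ok
}

function Test-OutboundPorts([string]$HostName) {
    if (-not $HostName) { Write-Host 'No endpoint given; skipping outbound port check'; return $true }
    $ok = $true
    foreach ($port in 443, 8443, 8883) {   # the three outbound ports the guide requires
        if (-not (Test-NetConnection -ComputerName $HostName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            Write-Warning "Outbound TCP $port to $HostName is blocked"; $ok = $false
        }
    }
    return $ok
}

function Remove-PreviousWanAgent {
    $productCode = '{160301DE-306A-4ADE-8A47-BC5790AF0486}'   # from the guide's MsiExec /X line
    $log = Join-Path $env:TEMP 'LanGuardWANAgent-uninstall.log'
    $p = Start-Process msiexec.exe -ArgumentList "/x $productCode /qn /norestart /l*v `"$log`"" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host 'Previous WAN Agent removed' }
        1605    { Write-Host 'No previous WAN Agent installed' }            # ERROR_UNKNOWN_PRODUCT
        3010    { Write-Warning 'Previous WAN Agent removed; a reboot is pending' }
        default { throw "Uninstall failed with exit code $($p.ExitCode); see $log" }
    }
}

function Install-WanAgent([string]$Path, [string]$Sha256) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }
    if ($Sha256) {
        # Integrity check for a file copied from the LanGuard host: compare with the hash recorded there.
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $Sha256.ToUpperInvariant()) { throw "SHA-256 mismatch for $Path : $actual" }
    }
    $log = Join-Path $env:TEMP 'LanGuardWANAgent-install.log'
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" /qn /norestart /l*v `"$log`"" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "Install failed with exit code $($p.ExitCode); see $log" }
}

function Confirm-AttendantService {
    # Display name quoted in the guide; fails loudly if the install did not register the service.
    $svc = Get-Service -DisplayName 'GFI LanGuard 12 Attendant Service' -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'GFI LanGuard 12 Attendant Service not found; check the install log' }
    if ($svc.Status -ne 'Running') {
        Start-Service -InputObject $svc
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    $svc.Refresh()
    return $svc.Status
}

if (-not (Test-Tls12Enabled)) { throw 'TLS 1.2 is not enabled; run tls12.ps1 as administrator, reboot, and rerun this script' }
if (-not (Test-OutboundPorts $WanEndpoint)) { throw 'Required outbound ports are blocked' }
Remove-PreviousWanAgent
Install-WanAgent -Path $MsiPath -Sha256 $ExpectedSha256
Write-Host "Attendant service status: $(Confirm-AttendantService)"
```

Run it from an elevated PowerShell after tls12.ps1 and the reboot, for example .\Deploy-WanAgent.ps1 -MsiPath C:\Temp\LanGuardWANAgent.msi -ExpectedSha256 <hash recorded on the LanGuard host>. An msiexec exit code of 3010 means a reboot is pending, which matches the reboot this guide already requires; any other non-zero code stops the script and points at the verbose log.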
Scan and monitor
- Select the newly added machine > right-click > Scan > Custom Scan
Note: alternatively, you can select a group of computers that have the WAN Agent deployed
- Choose the desired scanning profile
- Click Scan
Note: the scan will start but there will be no output on the console, because the scan runs directly on the remote machine
- To monitor the scan operation, go to Activity Monitor > Security Scans
WAN Agent communication protocols
For the WAN Agent feature, messages are exchanged between the WAN Agents and the GFI LanGuard console. Each message carries a three-digit code; the hundreds digit identifies which side sends it and what kind of message it is, giving the following categories.
1XX (Agent to Server)
Targeted messages initiated by the agent to report its status and actions, such as switching network mode (WAN/LAN), starting a scan, or sending updates. Examples include:
- AgentInstalled (100): Notifies the server that an agent has been installed.
- AgentSwitchToWAN (101): Informs the server that the agent is switching to WAN mode.
- AgentScanStart (110): The agent informs the server that it has started a scan.
2XX (Broadcast by Agent)
Broadcast messages initiated by agents.
3XX (Agent Acknowledgements)
Acknowledgement (ACK) messages sent by agents to confirm receipt or successful execution of requests initiated by the server. For example:
- AgentScanRequest_ACK (300): Acknowledges the server's scan request.
- AgentUpdateRequest_ACK (303): Acknowledges the server's request to update the agent.
4XX (Agent Error Messages)
Error messages sent by the agent when an action it was carrying out, typically in response to a server request, failed. Examples include:
- AgentDeployPatchAgentRequest_ERR (401): Indicates an error occurred while the agent was trying to deploy a patch.
- AgentUpdateRequest_ERR (403): Signals an issue with the agent update process.
5XX (Server to Agent Requests)
Direct messages from the server to the agent, requesting specific actions. For example:
- ServerRequestScan (500): Requests that the agent start a scan.
- ServerRequestDeployPatchAgent (501): Requests that the agent deploy a patch.
6XX (Broadcast by Server)
Broadcast messages initiated by the server.
7XX (Server Acknowledgements)
Acknowledgement messages sent by the server in response to agent messages. For example:
- ServerAgentInstalled_ACK (700): Confirms that the server acknowledges the agent installation.
- ServerScanStart_ACK (710): Acknowledges the agent's notification that a scan has started.
8XX (Server Error Messages)
Error messages from the server, reporting a failure in a server-initiated action or in handling an agent message. For instance:
- ServerAgentInstalled_ERR (800): Indicates an issue with the server's handling of an agent installation.
- ServerScanFinished_ERR (812): Indicates an error occurred when the scan finished.
In summary, the system facilitates a structured communication protocol where the WAN agents report status, perform actions, and respond to GFI LanGuard server requests. The GFI LanGuard servers can issue commands to agents, which are acknowledged or may trigger error responses based on success or failure.
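To make the categories concrete, here is an added example (written for this page, not GFI code) that encodes the eight ranges above and runs a consistency check over a constructed message log: every message must come from the side that owns its code range, and every ACK or error must answer a message that was actually sent. One assumption is inferred rather than stated by the guide: a response keeps the last two digits of the message it answers (500 ServerRequestScan is acknowledged by 300 AgentScanRequest_ACK, 100 AgentInstalled by 700 ServerAgentInstalled_ACK, 110 AgentScanStart by 710 ServerScanStart_ACK), so the example pairs 3XX/4XX with 5XX and 7XX/8XX with 1XX by suffix. The sample log is constructed, not captured traffic.

```powershell
# Added example, not GFI code: models the WAN Agent message-code ranges and checks a
# constructed log for direction and request/response consistency.
# Assumption (inferred from the guide's examples): an ACK/ERR code shares its last two
# digits with the message it answers, e.g. 300/400 answer 500, 700/800 answer 100.
$Ranges = @{
    1 = @{ Origin = 'Agent';  Kind = 'Message' }
    2 = @{ Origin = 'Agent';  Kind = 'Broadcast' }
    3 = @{ Origin = 'Agent';  Kind = 'Ack' }
    4 = @{ Origin = 'Agent';  Kind = 'Error' }
    5 = @{ Origin = 'Server'; Kind = 'Request' }
    6 = @{ Origin = 'Server'; Kind = 'Broadcast' }
    7 = @{ Origin = 'Server'; Kind = 'Ack' }
    8 = @{ Origin = 'Server'; Kind = 'Error' }
}

function Get-WanMessageClass([int]$Code) {
    # Floor before casting: [int](150/100) would round to 2, not 1.
    $hundreds = [int][math]::Floor($Code / 100)
    if (-not $Ranges.ContainsKey($hundreds)) { return $null }
    $r = $Ranges[$hundreds]
    $answers = $null
    if ($r.Kind -in 'Ack', 'Error') {
        # Agent responses answer server requests (5XX); server responses answer agent messages (1XX).
        $answers = if ($r.Origin -eq 'Agent') { 500 + ($Code % 100) } else { 100 + ($Code % 100) }
    }
    [pscustomobject]@{ Code = $Code; Origin = $r.Origin; Kind = $r.Kind; Answers = $answers }
}

function Test-WanMessageLog([object[]]$Log) {
    $open = @{}        # outstanding 1XX/5XX messages awaiting an ACK or ERR, keyed by code
    $findings = @()
    foreach ($m in $Log) {
        $c = Get-WanMessageClass $m.Code
        if (-not $c) { $findings += "unknown code $($m.Code) from $($m.From)"; continue }
        if ($c.Origin -ne $m.From) {
            # A code used by the wrong side is either a bug or something impersonating a peer.
            $findings += "$($m.From) sent $($m.Name) ($($m.Code)), a code reserved for the $($c.Origin)"
            continue
        }
        if ($c.Kind -in 'Message', 'Request') {
            $open[$m.Code] = $m.From
        } elseif ($c.Kind -in 'Ack', 'Error') {
            if ($open.ContainsKey($c.Answers)) { $open.Remove($c.Answers) }
            else { $findings += "$($m.Name) ($($m.Code)) answers $($c.Answers), which was never sent" }
        }
    }
    foreach ($k in $open.Keys) { $findings += "no ACK/ERR seen for $k sent by $($open[$k])" }
    return $findings
}

# Constructed sample exchange: install handshake, then a server-requested scan,
# followed by two anomalies a log review should flag.
$sample = @(
    [pscustomobject]@{ From = 'Agent';  Code = 100; Name = 'AgentInstalled' }
    [pscustomobject]@{ From = 'Server'; Code = 700; Name = 'ServerAgentInstalled_ACK' }
    [pscustomobject]@{ From = 'Server'; Code = 500; Name = 'ServerRequestScan' }
    [pscustomobject]@{ From = 'Agent';  Code = 300; Name = 'AgentScanRequest_ACK' }
    [pscustomobject]@{ From = 'Agent';  Code = 110; Name = 'AgentScanStart' }
    [pscustomobject]@{ From = 'Server'; Code = 710; Name = 'ServerScanStart_ACK' }
    [pscustomobject]@{ From = 'Agent';  Code = 500; Name = 'ServerRequestScan' }       # agent using a server-only code
    [pscustomobject]@{ From = 'Agent';  Code = 403; Name = 'AgentUpdateRequest_ERR' }  # error for a request never issued
)
Test-WanMessageLog -Log $sample
```

On the constructed log the first six messages pair up cleanly and the check reports only the two deliberate anomalies: the agent emitting a server-range code, and an update error with no matching update request. Once you know the format of the exported console or agent logs, the same two rules (code range matches sender, every response has a predecessor) can be applied to real traffic.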
WAN Agent scan timeout FAQs
How does the counter for the WAN agent scan timeout function?
The WAN agent scan timeout setting controls how long a WAN agent scan can run before the server times it out. The setting is managed centrally on the LanGuard server and ensures that WAN agent scans are not tracked indefinitely by enforcing a maximum duration.
After the timeout, is the connection to the agent lost?
No. Once the timeout expires, the LanGuard server cancels its tracking of the scan job, but the WAN agent continues scanning independently. If the scan completes, the WAN agent sends the results back to the server, which processes and records them even though it had already canceled the job.
After a timeout, when and how is the agent restarted?
The scan timeout only affects job tracking on the server side, not the WAN agent. The WAN agent continues running normally and will not restart due to this timeout.
Who is counting the time? The Agent, Relay, or Server?
The LanGuard server tracks and enforces the timeout, maintaining the timer for how long each WAN agent scan runs.
Who decides when the time is fulfilled? The Server, Agent, or Relay?
The LanGuard server decides and controls the timeout period for each WAN agent scan job.