Skip to main content

Configuring Inventory Collection

As well as importing inventory information gathered by external tools, IT Asset Management can take inventory of computers directly, either by installing Inventory Agent on a target computer or by using remote execution. Either method of inventory gathering requires a simple web server configured on the inventory beacon. As well, if this inventory beacon acts as a 'parent' through which 'child' inventory beacons channel their uploads/downloads, the same web server needs to be in place.

The local web server for inventory gathering cannot be activated until the inventory beacon has downloaded and imported its configuration file, and is able to communicate with IT Asset Management (for details, see Creating and Registering an Inventory Beacon to Upload Inventory to Flexera One). Once the upstream communication is in place, you can configure the web server for downstream communications to and from inventory targets.

You can choose between a simple, self-hosted web server, and Microsoft IIS. One of the main purposes of this procedure is to advise the downstream devices how they are to communicate with the inventory beacon through the web server you have configured.

If your web server is to use basic authentication, make sure you have the account credentials (user name and password) ready, and that if you are using IIS, this account has access permissions for IIS. Consider using a long- running service account (see Changing IIS Passwords on Inventory Beacons for more insight).

To configure the local web server:

  1. In the inventory beacon interface, select the Local web server tab. By default, the first radio button is selected, so that there is no web server running on the inventory beacon. While this choice is selected, no inventory can be collected, whether by an installed Inventory Agent or by remote execution. Nor can child inventory beacons upload through this server.
  2. Choose which web server to configure.
    • The following are the main differences between the web servers:

      FeatureSelf-Hosted Web ServerIIS Web Server
      ProtocolSupports only HTTPSupports HTTP and HTTPS
      AuthenticationSupports only anonymous authenticationSupports anonymous or Basic Authentication
      PortPort number is configurableTarget devices will recognize only the default port numbers (port 80 for HTTP protocol; port 443 for HTTP protocol).
      Number of concurrent connectionsLimited to 100 connections per CPU core in the inventory beacon server.Configurable, with the default value being the maximum of 4,294,967,295 connections.
      Connection to SAPNot supported.Required.
    • To choose the self-hosted web server, continue here. To choose the IIS web server, skip forward to step 4.

  3. Select the Self-hosted web server radio button, and if necessary adjust the controls that become enabled for this choice:
  4. Set or clear the check box for Configure Windows Firewall. When this check box is clear, the inventory beacon makes no attempt to change the settings of Windows Firewall. When it is set, the inventory beacon attempts to configure only the port number you choose in the next field.
  5. Specify the port number on which managed devices should access this web server to upload inventory data, or leave the default value of 80.
    • It is best practice to set this value once while configuring the inventory beacon, and then not change it during operation.
info

Be extremely careful about modifying this value once the inventory beacon is operational. The inventory beacon sends this port number to all the devices it is targeting for inventory collection as they are adopted into management (and the inventory agent is installed).

When a managed device can see only one inventory beacon, or when all alternative inventory beacons are using Basic Authentication, managed devices will be 'orphaned' by a change in port number: they continue to fail in attempts to upload to the old port number. The cure for orphaned managed devices is to revert the port number on the inventory beacon to the initial value it had when the inventory beacon was configured and the managed devices were adopted.

The only circumstance in which you can change the operational port number on this web server is when all its managed devices can also see at least one other inventory beacon that is using anonymous authentication. In this case, the inventory beacons know of each other's existence (through their communication with IT Asset Management), and have configured applicable "fail- over" settings for each managed device. But be aware that, since no credentials are transmitted through IT Asset Management, a managed device cannot fail over to a beacon that uses Basic Authentication.

  1. Click Save (at the bottom of the tab) to send these settings to the targeted devices. Your work here is done, and you may skip the next step.
  2. Select the IIS web server radio button, and if necessary adjust the controls that become enabled for this choice:
  3. Check HTTPS to advise targeted devices that you have configured Microsoft IIS to use the HTTPS protocol. Leave clear if targeted devices should use the HTTP protocol to request updates and return inventory data.
    • When using Basic Authentication, keep in mind that credentials are transmitted Base-64 encoded but not encrypted. In this case, using HTTPS protects your credentials. If you set this check box, when you click Save an alert appears to remind you that the inventory beacon is not changing IIS settings, but merely communicating them to the targeted devices:

    • The beacon will not configure IIS for use with HTTPS. Please manually configure IIS to use HTTPS.

  4. Decide whether this inventory beacon should act as a fail-over location where managed devices (while unable to access their normal inventory beacons) can download updated configuration information.
    • Yes —The inventory beacon must use anonymous authentication (because inventory beacons with other authentication settings are excluded from the list of fail-over locations distributed to installed inventory agents). To achieve anonymous authentication, ensure that the check box Use Basic Authentication remains clear (not selected).

    • No —You may select the check box Use Basic Authentication (and remember to provide credentials below). After saving your settings in the inventory beacon interface, you must use the configuration pages for IIS to do the following:

    • Set Basic Authentication for the ManageSoftRL (reporting location, for uploads).

    • Set anonymous authentication for the ManageSoftDL (download location). This allows installed inventory agents that are locked to this inventory beacon to receive changes like new passwords, while all uploads use Basic Authentication set for the ManageSoftRL.

    • If you set this check box in the inventory beacon interface, when you click Save an alert appears to remind you that the inventory beacon is not setting up the account, but merely communicating the credentials to managed devices:

    • Please manually ensure that the specified account has permissions for IIS.

    • If you do not configure Basic Authentication in IIS for ManageSoftRL, so that it matches your choice of Basic Authentication in the inventory beacon interface, the Inventory Agents fail to upload to the inventory beacons, giving an HTTP 409 error. Please ensure that there are matching settings in the inventory beacon and in IIS.

  5. Enter the Username and Password for the account that managed devices should use when accessing IIS with Basic Authentication.
tip

This account must either be a local account on the inventory beacon, or an account in Active Directory. In either case, it must have access permissions for IIS.

Be extremely careful about modifying these credentials once the inventory beacon is operational. The inventory beacon sends these credentials to all the devices it is targeting for inventory collection as they are adopted into management (and the inventory agent is installed). If you (for example) change the password, managed devices using the old password will be 'orphaned' when the original password expires, unless you have configured the download location for anonymous authentication as described above. For approaches to managing password changes, see Changing IIS Passwords on Inventory Beacons.

  1. Click Save (at the bottom of the tab) to send these settings to the targeted devices. Your work here is done, and you may skip the next step.
  2. Select the IIS web server radio button, and if necessary adjust the controls that become enabled for this choice:
  3. Check HTTPS to advise targeted devices that you have configured Microsoft IIS to use the HTTPS protocol. Leave clear if targeted devices should use the HTTP protocol to request updates and return inventory data.
    • When using Basic Authentication, keep in mind that credentials are transmitted Base-64 encoded but not encrypted. In this case, using HTTPS protects your credentials. If you set this check box, when you click Save an alert appears to remind you that the inventory beacon is not changing IIS settings, but merely communicating them to the targeted devices:

    • The beacon will not configure IIS for use with HTTPS. Please manually configure IIS to use HTTPS.

  4. Decide whether this inventory beacon should act as a fail-over location where managed devices (while unable to access their normal inventory beacons) can download updated configuration information.
    • Yes —The inventory beacon must use anonymous authentication (because inventory beacons with other authentication settings are excluded from the list of fail-over locations distributed to installed inventory agents). To achieve anonymous authentication, ensure that the check box Use Basic Authentication remains clear (not selected).

    • No —You may select the check box Use Basic Authentication (and remember to provide credentials below). After saving your settings in the inventory beacon interface, you must use the configuration pages for IIS to do the following:

    • Set Basic Authentication for the ManageSoftRL (reporting location, for uploads).

    • Set anonymous authentication for the ManageSoftDL (download location). This allows installed inventory agents that are locked to this inventory beacon to receive changes like new passwords, while all uploads use Basic Authentication set for the ManageSoftRL.

    • If you set this check box in the inventory beacon interface, when you click Save an alert appears to remind you that the inventory beacon is not setting up the account, but merely communicating the credentials to managed devices:

    • Please manually ensure that the specified account has permissions for IIS.

    • If you do not configure Basic Authentication in IIS for ManageSoftRL, so that it matches your choice of Basic Authentication in the inventory beacon interface, the Inventory Agents fail to upload to the inventory beacons, giving an HTTP 409 error. Please ensure that there are matching settings in the inventory beacon and in IIS.

  5. Enter the Username and Password for the account that managed devices should use when accessing IIS with Basic Authentication.