Configuring AD/LDAP Integration for User Authentication
In this chapter, you’ll learn how to configure Nectus to work with Microsoft Active Directory and the LDAP protocol for user authentication.
The specific topics we will cover in this chapter are:
- What are AD and LDAP?
- Why Configure Nectus Integration with AD/LDAP?
- How Nectus Authenticates Users
- Connecting Nectus to an LDAP Server
- Mapping AD/LDAP Groups to Local User Groups
- Mapping AD/LDAP Users to Local User Groups
1. What are AD and LDAP?
AD stands for Active Directory Domain Services. It is a Microsoft service that provides authentication and other services to devices on a network. It is an LDAP compliant database of users, groups, and other objects.
LDAP stands for Lightweight Directory Access Protocol. It is an Internet standard for accessing distributed directory services. Nectus uses LDAP to communicate with AD.
2. Why Configure Nectus Integration with AD/LDAP?
Configuring Nectus to integrate with AD/LDAP simplifies user management for large organizations. Like most applications, Nectus has its own local user authentication database. But when an organization has many applications, maintaining separate user accounts for each application isn’t practical.
The solution is to maintain user accounts in AD. Using LDAP, each application can query the AD database for the user authentication information it needs. This greatly simplifies user account maintenance.
3. How Nectus Authenticates Users
Nectus is designed to function on its own or integrated with AD/LDAP. Security settings are based on Local User Groups whether the User Account is stored locally, or in AD.
When a user logs in, Nectus first checks to see if the active user has a Local User Account. If so, Nectus uses this account for the login.
Note: To manage the Nectus Local User Accounts and the Local User Groups go to the Nectus Home Screen and select Settings -> Admin Accounts. This opens the “Admin Accounts” dialog box. See the article, “Creating User Accounts and User Groups” for details.
If the active user does not have a Local User Account, Nectus checks to see if Active Directory integration is configured. If so, it checks to see if the active user has an account in AD.
If the user has an account in AD, and the user’s LDAP Group Name is mapped to a Local User Group, Nectus uses the Local User Group settings.
If there is no mapping to a Local User Group, Nectus checks to see if the active user’s LDAP Account Username is mapped to a Local User Group and uses those settings.
If none of the above is true, Nectus denies the user access.
Important: We recommend that you always maintain at least one Local User Account in Nectus to ensure access even if the AD/LDAP connection is down.
4. Connecting Nectus to an LDAP Server
To integrate Nectus with AD you need to configure the LDAP Server settings and enable LDAP.
To configure the LDAP Server settings and enable LDAP go to the Nectus Home Screen and select Settings -> LDAP Integration.
This opens the “LDAP Integration” dialog box.
Select the LDAP Server tab and enter the LDAP parameters. You can see examples of the format for these parameters to the right of the relevant fields. Check LDAP Enabled.
5. Mapping AD/LDAP Groups to Nectus Local User Groups
Mapping an AD/LDAP Group to a Nectus Local User Group causes the entire AD/LDAP group to inherit the security settings from the Nectus Local User Group.
To map AD/LDAP Groups to Nectus Local User Groups, open the “LDAP Integration” dialog box and select the LDAP Access Groups tab.
Use a Browse button on the left to open the “Select group from LDAP Server” dialog box and select an LDAP Group Name.
Nectus returns you to the “LDAP Integration” dialog box. In the drop-down list to the right of the LDAP Group Name, select the Local User Group to map it to. An example of the proper LDAP Group Name format appears at the bottom of the dialog box.
6. Mapping AD/LDAP Usernames to Nectus Local User Groups
Mapping an AD/LDAP Username to a Nectus Local User Group causes the specific AD/LDAP User to inherit the security settings from the Nectus Local User Group.
To map AD/LDAP Account Usernames to Nectus Local User Groups, open the “LDAP Integration” dialog box and select the LDAP Access Accounts tab.
Use a Browse button on the left to open the “Select user from LDAP Server” dialog box and select an LDAP Account Username.
Nectus returns you to the “LDAP Integration” dialog box. In the drop-down list to the right, select the Local User Group to map the LDAP Account Username to. An example of the proper LDAP Account Username format appears at the bottom of the dialog box.
Management Interface Selection for Network Devices
In this chapter, you’ll learn how Nectus selects Management Interfaces for Devices that are found during the Discovery phase. Nectus automatically selects Management Interfaces using its own default logic. It also supports user-defined selection for cases where this is appropriate.
The specific topics we will cover in this chapter are:
1. Default Logic for Management Interface Selection
During Discovery, Nectus finds all SNMP Devices on the network. Every Device has one or more Interfaces. Some of those Interfaces will have IP Addresses assigned to them, and could be used as the Management Interface for that Device.
Nectus has default logic for selecting the Management Interface for each Device. It checks every Interface on a Device looking for potential Management Interfaces. To be considered for selection as the Management Interface, an Interface must meet the following requirements:
From this list of possible Management Interfaces, Nectus selects one according to this priority list:
If Nectus finds an Interface name that begins with Mgmt, it will use this as the Management Interface. If it does not find an Interface name that begins with Mgmt, it will look for one that begins with Loopback, and so on.
If Nectus does not find an Interface whose name starts with Mgmt, Loopback, or Vlan, it will select the lowest numbered IP Address on the Device.
This default logic allows Nectus to automatically select the correct Management Interface in most situations. To handle situations where the default logic is not appropriate, Nectus supports user-defined logic for Management Interface selection.
2. User-Defined Logic for Management Interface Selection
Defining your own Management Interface selection logic makes sense in two situations:
When a Device has applicable user-defined Management Interface selection logic, Nectus looks for that Interface before applying the default logic. As with the default logic, user-defined Management Interfaces:
To create user-defined logic for a specific Device type right-click the Device name. In the menu that appears, select View Device Info.
This opens the “View Device Info” dialog box.
On the General Info tab, find the SNMP Platform ID and click the icon to the right of it to copy the ID.
Note: All Devices with the same model number have the same SNMP Platform ID.
Next, go to Settings -> Products and Categories -> SNMP OID Libraries.
Select SNMP OID Libraries.
This opens the “SNMP OID Libraries” dialog box.
Select Management Interface Name in the Filter by OID Type list. Nectus displays all the current user-defined Management Interface Selection rules.
Click the Add button to open the “Add” dialog box.
Enter the SNMP Platform ID and the Management Interface Name Nectus should use for this type of Device.
3. Applying Selection Rules to Existing Devices
New Management Interface selection rules apply automatically to all Devices discovered after the rule is created, but they are not automatically applied to existing Devices.
You need to tell Nectus to apply those changes to existing Devices.
To apply the user-defined selection rules to existing Devices, return to the “SNMP OID Libraries” dialog box and click the “Apply to Existing Devices” button.
Cisco SNMP v3 Configuration Example for IOS Devices
This is a basic configuration example of SNMPv3 on an IOS device.
This enables SNMP v3 with the following parameters:
Authentication Protocol: MD5
Authentication Username: vconsole
Authentication Password: nectus
Privacy (Encryption) Protocol: AES-256
Privacy (Encryption) Password: nectus
Configuration Example
====================
snmp-server group NECTUS_V3_GROUP v3 auth read TESTv3
snmp-server view TESTv3 mib-2 included
snmp-server user vconsole NECTUS_V3_GROUP v3 auth md5 nectus priv aes 256 nectus
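An added example (not part of the original note, and not Nectus or Cisco code): a small Python check that reads `snmp-server` lines such as the ones above and reports settings a reviewer would question before production use, namely MD5 authentication, a group level that does not require encryption, one secret reused for auth and priv, short passphrases, and no source ACL. The 12-character threshold, the finding names, and the hardened sample (placeholder passphrases, ACL 10) are assumptions made for the illustration.

```python
import re

# The configuration shown on this page, used as the audit input.
PAGE_CONFIG = """\
snmp-server group NECTUS_V3_GROUP v3 auth read TESTv3
snmp-server view TESTv3 mib-2 included
snmp-server user vconsole NECTUS_V3_GROUP v3 auth md5 nectus priv aes 256 nectus
"""

# Constructed hardened variant: placeholder passphrases; ACL 10 is assumed to exist.
HARDENED_CONFIG = """\
snmp-server view TESTv3 mib-2 included
snmp-server group NECTUS_V3_GROUP v3 priv read TESTv3 access 10
snmp-server user vconsole NECTUS_V3_GROUP v3 auth sha EXAMPLE-auth-passphrase priv aes 256 EXAMPLE-priv-passphrase
"""

MIN_PASSPHRASE_LEN = 12  # assumed local policy threshold, not an IOS limit

GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)(?P<rest>.*)$"
)
USER_RE = re.compile(
    r"^snmp-server user (?P<name>\S+) (?P<group>\S+) v3"
    r"(?: auth (?P<auth>\S+) (?P<auth_pw>\S+))?"
    r"(?: priv (?P<priv>des|3des|aes \d+) (?P<priv_pw>\S+))?"
    r"(?: access (?P<acl>\S+))?$"
)
ACL_RE = re.compile(r"\baccess (\S+)")


def audit(config):
    """Return a list of (finding, subject) tuples for SNMPv3 group/user lines."""
    groups, users, findings = {}, [], []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        g = GROUP_RE.match(line)
        if g:
            groups[g["name"]] = {"level": g["level"],
                                 "acl": bool(ACL_RE.search(g["rest"]))}
            continue
        u = USER_RE.match(line)
        if u:
            users.append(u.groupdict())
        elif line.startswith("snmp-server user "):
            findings.append(("UNPARSED", line))  # syntax this sketch does not cover

    # A group at 'noauth' or 'auth' level does not require encrypted requests.
    for name, grp in groups.items():
        if grp["level"] != "priv":
            findings.append(("GROUP_NO_PRIV", name))

    for u in users:
        if u["auth"] is None:
            findings.append(("NO_AUTH", u["name"]))
        elif u["auth"].lower() == "md5":
            findings.append(("WEAK_AUTH", u["name"]))
        if u["priv"] is None:
            findings.append(("NO_PRIV", u["name"]))
        if u["auth_pw"] and u["auth_pw"] == u["priv_pw"]:
            findings.append(("SHARED_SECRET", u["name"]))
        secrets = [p for p in (u["auth_pw"], u["priv_pw"]) if p]
        if any(len(p) < MIN_PASSPHRASE_LEN for p in secrets):
            findings.append(("SHORT_PASSPHRASE", u["name"]))
        grp = groups.get(u["group"])
        if not u["acl"] and not (grp and grp["acl"]):
            findings.append(("NO_SOURCE_ACL", u["name"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```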
Locating Orphaned subnets in IPAM
One of the key features of a good IPAM is the ability to quickly find subnets that are part of the defined address space but have not been explicitly added to the list of subnets available for allocation.
These subnets are normally called “orphaned” and can be presented as white spaces within the address space.
Orphaned subnets normally occur when you import IPAM subnets from an external source, such as an IGP routing table, where the address space is not contiguously divided among all the existing subnets.
Let’s look at a simplified example of the logic required for locating orphaned subnets.
For example, the user defined the full address space as 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
and imported one subnet from IGP: 10.20.20.0/24 (10.20.20.0 – 10.20.20.255)
We can present the full address space as a contiguous line starting at 10.0.0.0 and ending at 10.255.255.255.
Full IPv4 Address Space:
10.0.0.0 ------------------------------------------------ 10.255.255.255
Now let’s overlay the single imported subnet onto the address space line:
10.0.0.0 ---------- ***Used*** -------------------------- 10.255.255.255
We see that there is some unused space to the left and to the right of the used space.
We need to find all the subnets that cover the unused space so they can be presented in the IPAM list of available subnets. The subnets we are looking for must be the largest subnets possible, to minimize fragmentation.
Let’s summarize: Our goal is to find the largest subnet(s) that fit into the left and right empty segments.
Let’s first look at the “left” empty space:
We can see that the First and Last IP addresses of the “left” empty segment have matching highest 11 bits.
The largest subnet that will fit into the “left” empty segment will have a First and Last IP with the following parameters:
First IP address:
Last IP address:
After checking all possible options, the matching IP addresses are discovered.
This combination of First/Last IP gives us the largest Subnet that will fit into the “left” free segment: 10.0.0.0/12.
We can see that 10.0.0.0/12 does not fully cover the “left” empty segment, so this discovery process has to be repeated for the remaining empty space. Discovery may require several iterations until we get 100% coverage.
A similar approach must be applied to the “right” empty segment until we identify all orphaned subnets and achieve 100% coverage of the required address space.
If your IPAM can’t perform this type of Discovery, you know where to download the best IPAM on the market: https://www.nectus5.com/download/
Splitting and Merging Subnets in IPAM
In this chapter, you’ll learn how and why to Split and Merge Subnets.
The specific topics we will cover in this chapter are:
1. Why Split or Merge Subnets?
Splitting and Merging Subnets lets you use your IP address space more efficiently. A full Class C Subnet has 256 usable addresses. But if you only need 30, using the full Subnet would result in a waste of over 200 IP addresses. Splitting the subnet would allow you to get the number of addresses you need, without wasting the rest. In addition, making a smaller Subnet reduces network traffic, as messages on that Subnet are broadcast to fewer addresses.
Merging Subnets works the opposite. You may need a Subnet with 80 IP addresses, but instead have several smaller Subnets available. By merging smaller Subnets into one large one, you can use those addresses that might otherwise be wasted.
Nectus also allows you to move Subnets to different IPAM Containers. This makes it easy to reallocate IP addresses from their current location to the physical Sites that need them.
2. How to Split Subnets
To Split a Subnet go to the Nectus Sites Panel and select IPAM > All IPv4 Containers.
Nectus displays all existing IPAM Containers and any Unassigned Subnets. To see how many IP addresses are available in any Subnet, right-click it. In the menu that appears, select View Subnet Info.
This opens the “Subnet View Info” dialog box.
The Total IPs field on the General Info tab shows how many IPs the Subnet contains.
Navigate to the Subnet you want to split and right-click it. In the menu that appears, select Split.
This opens the “Split Subnet” dialog box.
The New Subnet Size list shows you the ways you can split the selected Subnet.
The Place New Subnets to: list allows you to assign the new Subnets you create to any existing IPAM Container.
3. How to Merge Subnets
To Merge two or more Subnets go to the Nectus Sites Panel and select IPAM > All IPv4 Containers.
Navigate to the Subnets you want to merge and select each one. The Subnets you want to Merge must be contiguous, as in the screenshot below. Right-click one of the Subnets and in the menu that appears, select Merge Subnets.
This opens the “Merge Subnets” dialog box. The dialog box shows you which Subnets will be merged, and gives you the option to place the merged Subnet in any IPAM Container.
4. How to Move Subnets
You can move a Subnet without Splitting or Merging it. To move a Subnet to a different IPAM Container right-click the Subnet.
In the menu that appears, select Move Subnet to… and navigate the list of Containers to select the new location.
IPAM initial configuration automation: Subnets
As soon as you install your favorite Nectus IPAM solution, the first question that comes to mind is “How do I add all of the existing Subnets into the new IPAM?”
Let’s see what automation options Nectus offers to ease your initial deployment pains.
There are three primary places from which your existing subnets can be imported:
Importing from IGP
Importing from IGP is the primary way to get most (if not all) of your subnets into IPAM with a single click. Just right-click the IPAM container tree and select the “Import Subnets from Routing Table” option.
Provide your Core Router’s IP Address and press the “Import” button.
Nectus will download the IGP routing table from the core router via SNMP and add each subnet to the IPAM database. When importing subnets from IGP, Nectus loads subnets starting from the smallest (/32) and working up to the biggest (/8 and higher). Each newly added subnet is validated against overlapping with any of the existing IPAM subnets.
This logic ensures that summarized prefixes that are present in the routing table will not be added to IPAM.
Nectus does not import any BGP subnets to prevent public Internet prefixes leaking into IPAM.
You can repeat the IGP Import several times with different Core routers if there is reason to believe that different Core routers may produce a different set of subnets.
Importing from DHCP Servers
Importing subnets from DHCP Servers works similarly to IGP Import. Right-click any of the IPAM containers and select the “Import Subnets from DHCP” option.
Nectus loads all the DHCP pools from all the DHCP servers configured on the “IPAM Integration” page and adds them to the IPAM database if they have not already been added during the IGP Import phase.
All the subnets imported from DHCP Servers are validated against overlapping with any of the existing IPAM subnets.
Currently, DHCP Import is only supported for Microsoft Windows DHCP servers and requires an operational WMI Integration configuration.
Importing from CSV Files
The final, and still viable, option is to import your subnets from a CSV file.
Select “Import from CSV” in the context menu of any of the IPAM Containers to load your subnets from a CSV file.
Finding Unused Subnets
Once you have finished loading your “in-use” Subnets into IPAM, the next step is to identify which subnets are “available”, since subnets that are not yet allocated will not be present in the IGP or on the DHCP Servers.
To identify unused subnets, Nectus takes your Address Space Subnets defined on the IPAM Global integration page and excludes all of the “in-use” subnets to calculate the list of subnets that can be presented as available. All available subnets will be added to the “Unassigned Subnets” default IPAM container.
Right-click on any IPAM container to access this menu option.
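The import ordering described under “Importing from IGP” and the free-space search described here and in the orphaned-subnets walkthrough (10.0.0.0/8 with 10.20.20.0/24 in use), as an added Python example that is not Nectus code. Function names and the sample route list are constructed for the illustration; the search generalizes the walkthrough to any number of in-use subnets.

```python
import ipaddress


def import_routes(routes, existing=()):
    """Add routes most-specific first; skip any prefix overlapping an accepted one.

    Because /32 is processed before /8, a summary route always meets its
    already-accepted component subnets and is rejected.
    """
    accepted = [ipaddress.ip_network(n) for n in existing]
    rejected = []
    ordered = sorted((ipaddress.ip_network(r) for r in routes),
                     key=lambda n: (-n.prefixlen, int(n.network_address)))
    for net in ordered:
        if any(net.overlaps(a) for a in accepted):
            rejected.append(net)
        else:
            accepted.append(net)
    return sorted(accepted), rejected


def largest_blocks(first, last):
    """Cover the inclusive integer range first..last with the largest aligned subnets."""
    blocks = []
    while first <= last:
        # Largest block size permitted by the alignment of the start address...
        align = first & -first if first else 1 << 32
        # ...and by how many addresses are still uncovered in this gap.
        room = 1 << ((last - first + 1).bit_length() - 1)
        size = min(align, room)
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.ip_network((first, prefix)))
        first += size  # repeat for the remaining empty space
    return blocks


def orphaned_subnets(address_space, in_use):
    """Return the largest subnets covering every part of address_space not in use."""
    space = ipaddress.ip_network(address_space)
    cursor = int(space.network_address)
    end = int(space.broadcast_address)
    free = []
    for net in sorted(ipaddress.ip_network(n) for n in in_use):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if hi < cursor or lo > end:
            continue  # already covered, or outside the address space
        if lo > cursor:
            free += largest_blocks(cursor, lo - 1)  # gap to the left of this subnet
        cursor = max(cursor, hi + 1)
    if cursor <= end:
        free += largest_blocks(cursor, end)  # gap to the right of the last subnet
    return free


if __name__ == "__main__":
    # Constructed routing-table sample: two real subnets plus their summary.
    used, dropped = import_routes(["10.20.0.0/16", "10.20.20.0/24", "10.20.21.0/24"])
    print("imported:", [str(n) for n in used])
    print("skipped summaries:", [str(n) for n in dropped])
    # The walkthrough's case: one in-use subnet inside 10.0.0.0/8.
    for net in orphaned_subnets("10.0.0.0/8", ["10.20.20.0/24"]):
        print("available:", net)
```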
Making IP Reservations in Nectus IPAM
In this chapter, you’ll learn how to make IP reservations in Nectus IPAM.
The specific topics we will cover in this chapter are:
1. Adding New IP Reservation
To create a new IP Reservation, navigate to the desired Subnet in the selected IPAM container and right-click to open the context menu.
Click the “Reservations” option to bring up a list of current Reservations in this specific Subnet.
Switch to the “MAP” tab to see what is available for Reservations in this subnet.
Right-click the selected IP on the MAP and select “Add IPv4 To Reservation”.
Fill in all the desired reservation parameters and press the “ADD” button.
As part of the IP reservation creation process, you have the option to create DNS “A” Records in forward and reverse DNS lookup zones with the DNS Server configured on the IPAM Integration page.
2. How to Delete IP Reservation
To delete an IP reservation, right-click the desired reservation on the subnet MAP view page and select the “Delete Reservation” option.
As part of the reservation deletion process, you can also automatically delete DNS “A” records on DNS servers if those records were previously added during the reservation creation process.
3. Searching for IPAM Reservation
The best way to search for existing IP reservations is via the “IPAM Subnets and Reservations” table located on the “Inventory -> IPAM Subnets and Reservations” page.
Table view provides multiple search and filtering options for any parameters defined for IP reservations.
Managing IPAM Containers in Nectus
In this chapter, you’ll learn what IPAM Containers are and how to manage them.
The specific topics we will cover in this chapter are:
1. What are IPAM and IPAM Containers?
IPAM stands for Internet Protocol Address Management. It is a system for managing the Internet Protocol (IP) address space used in a network. With IPAM you can see which IP subnets are in use and which site is using them.
The Nectus IPAM Container model allows you to create a hierarchical structure for managing subnets and mapping them to physical Sites.
2. How to Create IPAM Containers
To create an IPv4 IPAM Container go to the Nectus IPAM Panel and select IPAM -> All IPv4 Containers.
Nectus displays any existing IPAM Containers. Containers that have subnets assigned to them are displayed in green, with the number of subnets they contain appearing to the right of the Container name.
To add a new IPAM Container right-click an existing Container or All IPv4 Containers. In the menu that appears select Create New Container Level.
This opens the “Create New Container Level” dialog box.
Enter the Container Level Name and click Save. The new Container appears in the hierarchy below the location shown in Container Path:.
3. How to Move IPAM Containers
To move an IPAM Container right-click the Container Name. In the menu that appears, select Move Current Container to… and navigate the list of Containers to select the new location.
4. How to Modify IPAM Containers
To modify an IPAM Container right-click the Container Name. In the menu that appears, select Properties.
This opens the “Edit Container Properties” dialog box.
Edit the Container Level Name as desired.
5. How to Delete IPAM Containers
To delete an IPAM Container right-click the Container Name. In the menu that appears, select Delete Current Container Level.
This opens the “Delete Container Level” dialog box.
Note: Nectus will not let you delete an IPAM Container that has subnets assigned to it. If you try, Nectus displays the following message:
Preventing Specific Subnets from Being Discovered by Nectus
In this chapter, you’ll learn how to prevent specific subnets from being discovered by Nectus.
The specific topics we will cover in this chapter are:
1. Why Prevent Specific Subnets from Being Discovered?
Preventing specific IP subnets from being discovered can provide improved security. For example, if your client is a city government, they might want to hide the Subnet of the police force or other crucial services. A bank might want to hide the Subnet that their ATMs run on.
2. How Does Nectus Prevent Specific Subnets from Being Discovered?
Before Nectus scans the network, it consults the Excluded Subnets List. It doesn’t scan any Subnets it finds in this list and deletes any information about those Subnets from the Management Information Base (MIB).
3. Working with the Excluded Subnet List
To work with the Excluded Subnet List go to the Nectus Home Screen and select Settings -> Network Discovery Settings.
This opens the “WMI Monitoring Settings” dialog box. Select the Excluded Subnets tab.
Click Add to open the “Add Excluded Subnet” dialog box.
Enter the IPv4 Subnet and the number of Mask bits to identify the Subnet you want excluded.
Note: If you remove a Subnet from the Excluded Subnet List, it, and all the Devices on it, will appear the next time Nectus runs Discovery.
Preventing Specific Devices from Being Discovered by Nectus
In this chapter, you’ll learn how to prevent specific Device types from being discovered by Nectus.
The specific topics we will cover in this chapter are:
1. Why Prevent Specific Devices from Being Discovered?
Preventing certain Device types from being discovered and displayed in the SNMP Devices list makes it easier to manage your network device inventory.
For example, you could have hundreds of printers connected to your network. But under normal circumstances, you probably don’t need to monitor them.
Preventing Nectus from discovering specific devices saves Nectus Server resources for the devices you really want to monitor.
2. How Does Nectus Prevent Specific Devices from Being Discovered?
During discovery, Nectus collects information about every network device it finds. This information includes the SNMP Platform OID.
Nectus maintains an “SNMP Platform OID Ignore-List”, which contains a list of SNMP Platform IDs that should be ignored during discovery.
By adding a specific SNMP Platform OID to the “Ignore-List”, you can prevent devices with that Platform ID from being added by Nectus to its database.
3. Adding Devices to the Ignore OID List
To add a Device type to the Ignore OID List, go to the “SNMP Devices” Panel on the Nectus Home screen and open the All Devices list. Navigate to the Product Specific Level containing the type of Device you want to hide and right-click on it. In the shortcut menu that appears, select Add to Ignore List and Delete.
Confirm the operation in the “Add to Ignore List and Delete” dialog box that appears.
Nectus adds the Device type to the Ignore OID List and removes this Sub-Category and all its Devices from the SNMP Devices list.
4. Editing the Ignore OID List
You can manually edit the Ignore OID List to hide Device types, make them discoverable again, or change the OID Prefix associated with them.
To edit the Ignore OID List go to the Nectus Home Screen and select Settings -> Network Discovery Settings.
This opens the “WMI Monitoring Settings” dialog box. Select the Ignore OID List tab.
Use the controls here to add Device types to the Ignore OID List or remove them from it. Any previously hidden Devices will appear the next time Discovery runs.
You can also manually change the OID Prefix by clicking the Edit icon to the right of the Sub-category to open the “Update OID” dialog box.
Monitoring Windows Event Log with WMI in Nectus
In this chapter, you’ll learn how to use WMI to monitor the Windows Event Log. Nectus lets you create profiles that use WMI to monitor specific Events and to send Alerts related to them.
The specific topics we will cover in this chapter are:
1. What is WMI?
WMI (Windows Management Instrumentation) is a set of specifications and interfaces that provides information about the status of local and remote computers running Microsoft Windows. In this chapter we look at how Nectus uses WMI to monitor the status of Windows Processes and send Alerts based on that status.
Note: WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) standard and the Common Information Model (CIM) standard from the Distributed Management Task Force (DMTF).
2. Why Monitor the Windows Event Log?
There are many reasons to monitor the Windows Event Log. One of the most important is preventing security breaches. Events that show a configuration change, a failure, or an unexpected login attempt could be triggered by an attack on the server.
3. Creating a WMI Monitoring Profile
To create a WMI Monitoring Profile go to the Nectus Home Screen and select Monitoring -> WMI Monitoring Settings.
This opens the “WMI Monitoring Settings” dialog box.
Click Add Profile -> System.
Create a new Profile by entering the Monitoring Profile Name and checking the Event log monitoring Enabled box. In addition, check the types of Alerts you want to send. See Section 4, “Editing a WMI Monitoring Profile” for details on how to specify which Events you want to monitor and how you want to be alerted.
Check the Default Profile box if you want to make this the new default WMI Monitoring profile.
4. Configuring Event Log Monitoring
To configure Event Log monitoring, open the “WMI Monitoring Settings” dialog box and select the Edit Profile icon for the Profile you want to edit. In the “Edit WMI Monitoring Profile” dialog box that appears, select the System tab.
4.1 Editing Options
Select the Event log monitoring Options icon to open the “WMI Event Log Filters” dialog box.
Click Add Filter to open the “Add Event Log Filter” dialog box.
Enter the Filter Name and optionally select a specific Event Log File to monitor. Fill out the rest of the fields as necessary to specify the Event you want to monitor. The new filter will appear in the “WMI Event Log Filters” dialog box.
4.2 Editing Alerts and Templates
In the System tab of the “Edit WMI Monitoring Profile” dialog box, check or clear the types of Alerts to send for the Events. To edit the format of the Alerts, open the “Edit Alert Handler” dialog box by clicking the Edit Alert Templates icon.
5. Assigning a Profile to a WMI Server Group
In the WMI Servers Panel on the Nectus Home screen, open the WMI Servers list. Right-click a WMI Server Group and select Properties.
This opens the “Edit WMI Server Group” dialog box.
Check the Enable Monitoring box, then select the WMI Monitoring Profile to use from the Monitoring Profile drop-down list, and specify which groups will receive the Alerts.
The icons to the right of the Monitoring Profile list allow you to edit a Profile or add a new Profile directly from here.
Monitoring Windows Processes with WMI in Nectus
In this chapter, you’ll learn how to use WMI to monitor Windows Processes. Nectus lets you create profiles that specify which Processes to monitor with WMI and to send Alerts related to them.
The specific topics we will cover in this chapter are:
1. What is WMI?
WMI (Windows Management Instrumentation) is a set of specifications and interfaces that provides information about the status of local and remote computers running Microsoft Windows. In this chapter we look at how Nectus uses WMI to monitor the status of Windows Processes and send Alerts based on that status.
Note: WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) standard and the Common Information Model (CIM) standard from the Distributed Management Task Force (DMTF).
2. Why Monitor Windows Processes?
You will normally want a particular set of Windows Processes running on your servers. Nectus can notify you when these Processes run, confirming that everything starts properly. You can also watch for specific Processes you don’t want on your servers.
For example, viruses run as Processes. If you know the names of the Processes associated with a specific virus, Nectus can notify you if any of those Processes starts running on one of your servers.
Monitoring for stopped Windows Processes lets you respond quickly to the failure of an important business Process.
3. Creating a WMI Monitoring Profile
To create a WMI Monitoring Profile go to the Nectus Home Screen and select Monitoring -> WMI Monitoring Settings.
This opens the “WMI Monitoring Settings” dialog box.
Click Add Profile -> Processes.
Create a new Profile by entering the Monitoring Profile Name and checking the Enabled boxes next to the metrics you want to monitor. In addition, check the types of Alerts you want to send for each Monitored Metric. See Section 4, “Editing a WMI Monitoring Profile” for details on how to specify which Processes you want to monitor and how you want to be alerted.
Check the Default Profile box if you want to make this the new default WMI Monitoring profile.
4. Editing a WMI Monitoring Profile
To edit a WMI Monitoring Profile, open the “WMI Monitoring Settings” dialog box and select the Edit Profile icon for the Profile you want to edit. In the “Edit WMI Monitoring Profile” dialog box that appears, select the Processes tab.
4.1 Editing Options
Select the Options icon for the Metric you want to edit to open the “WMI Options” dialog box.
Set the number of Consecutive Readings needed to trigger an alert, then click the Add Name button to add the Processes you want to monitor.
4.2 Editing Alerts and Templates
In the Processes tab of the “Edit WMI Monitoring Profile” dialog box, check or clear the types of Alerts to send for each Monitored Metric. To edit the format of the Alerts, open the “Edit Alert Handler” dialog box by clicking the Edit Alert Templates icon.
5. Assigning a Profile to a WMI Server Group
In the WMI Servers Panel on the Nectus Home screen, open the WMI Servers list. Right-click a WMI Server Group and select Properties.
This opens the “Edit WMI Server Group” dialog box.
Check the Enable Monitoring box, then select the WMI Monitoring Profile to use from the Monitoring Profile drop-down list, and specify which groups will receive the Alerts.
The icons to the right of the Monitoring Profile list allow you to edit a Profile or add a new Profile directly from here.
Monitoring of Windows Services with WMI in Nectus
In this chapter, you’ll learn how to use WMI to monitor Windows Services. Nectus lets you create profiles that specify which services to monitor with WMI and how to send alerts related to them.
The specific topics we will cover in this chapter are:
1. What is WMI?
WMI (Windows Management Instrumentation) is a set of specifications and interfaces that provides information about the status of local and remote computers running Microsoft Windows. In this chapter we look at how Nectus uses WMI to monitor the status of Windows Services and send Alerts based on that status.
Note: WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) standard and the Common Information Model (CIM) standard from the Distributed Management Task Force (DMTF).
2. Why Monitor Windows Services?
Knowing which Windows Services are running lets you spot misconfigured servers easily. You can ensure that all required services such as anti-virus software are running. You can also see if any unwanted services such as a web server are running.
Monitoring for stopped Windows Services lets you respond to the failure of an important service quickly.
3. Creating a WMI Monitoring Profile
To create a WMI Monitoring Profile go to the Nectus Home Screen and select Monitoring -> WMI Monitoring Settings.
This opens the “WMI Monitoring Settings” dialog box.
Click Add Profile -> Services.
Create a new Profile by entering the Monitoring Profile Name and checking the Enabled boxes next to the metrics you want to monitor. In addition, check the types of Alerts you want to receive for each Monitored Metric. See Section 4, “Editing a WMI Monitoring Profile” for details on how to specify which Services you want to monitor and how you want to be alerted.
Check the Default Profile box if you want to make this the new default WMI Monitoring profile.
4. Editing a WMI Monitoring Profile
To edit a WMI Monitoring Profile, open the “WMI Monitoring Settings” dialog box and select the Edit Profile icon for the Profile you want to edit. In the “Edit WMI Profile” dialog box that appears, select the Services tab.
4.1 Editing Options
Select the Options icon for the Metric you want to edit to open the “WMI Options” dialog box.
Set the number of Consecutive Readings needed to trigger an alert, then click the Add Name button to add the Services you want to monitor.
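The following PowerShell script is an added example, not Nectus code. It polls one host over WMI (the Win32_Service and Win32_Process classes) and raises an alert only after a check has failed on the configured number of consecutive readings, which is how this example interprets the “Consecutive Readings” option in the Processes and Services profiles. The host name, service name, process name, polling interval and the use of a DCOM session are assumptions.

```powershell
# Added example (not Nectus code): WMI polling with a consecutive-readings threshold.
param(
    [string]   $ComputerName        = 'localhost',               # assumption: host to poll
    [string[]] $RequiredServices    = @('WinDefend'),            # assumption: must be Running
    [string[]] $UnwantedProcesses   = @('unwanted-example.exe'), # placeholder process name
    [int]      $ConsecutiveReadings = 3,
    [int]      $IntervalSeconds     = 60
)
$ErrorActionPreference = 'Stop'   # an unreachable host stops the script instead of skewing readings

# Escape characters that are special inside a WQL string literal.
function ConvertTo-WqlLiteral([string] $Value) {
    $Value.Replace('\', '\\').Replace("'", "\'")
}

# One reading: return the names of all checks that are currently failing.
function Get-FailingCheck {
    param($Session, [string[]] $Services, [string[]] $Processes)
    foreach ($name in $Services) {
        $filter = "Name='{0}'" -f (ConvertTo-WqlLiteral $name)
        $svc = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter $filter
        # A missing service counts as failing, the same as a stopped one.
        if (-not $svc -or $svc.State -ne 'Running') { "service:$name" }
    }
    foreach ($name in $Processes) {
        $filter = "Name='{0}'" -f (ConvertTo-WqlLiteral $name)
        if (Get-CimInstance -CimSession $Session -ClassName Win32_Process -Filter $filter) {
            "process:$name"
        }
    }
}

# Classic WMI over DCOM; drop -SessionOption to use WinRM/WS-Man instead.
$session = New-CimSession -ComputerName $ComputerName -SessionOption (New-CimSessionOption -Protocol Dcom)
$streak  = @{}   # check name -> number of consecutive failing readings
$alerted = @{}   # check name -> $true once an alert has been raised

try {
    while ($true) {
        $failing = @(Get-FailingCheck -Session $session -Services $RequiredServices -Processes $UnwantedProcesses)

        # A single good reading resets the streak for that check.
        # The recovery line is this example's own choice of output.
        foreach ($key in @($streak.Keys)) {
            if ($key -notin $failing) {
                if ($alerted[$key]) { Write-Output "$(Get-Date -Format s) RECOVERY $key on $ComputerName" }
                $streak.Remove($key); $alerted.Remove($key)
            }
        }
        # Count this reading and alert once when the threshold is reached.
        foreach ($key in $failing) {
            $streak[$key] = 1 + [int]$streak[$key]
            if ($streak[$key] -ge $ConsecutiveReadings -and -not $alerted[$key]) {
                Write-Warning "$(Get-Date -Format s) ALERT $key failed $($streak[$key]) consecutive readings on $ComputerName"
                $alerted[$key] = $true
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

A higher Consecutive Readings value suppresses alerts for short restarts at the cost of slower detection: with the defaults above, a stopped service is reported after roughly three minutes.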
4.2 Editing Alerts and Templates
In the Services tab of the “Edit WMI Monitoring Profile” dialog box, check or clear the types of Alerts to receive for each Monitored Metric. To edit the format of the Alerts, open the “Edit Alert Handler” dialog box by clicking the Edit Alert Templates icon.
5. Assigning a Profile to a WMI Server Group
In the WMI Servers Panel on the Nectus Home screen, open the WMI Servers list. Right-click a WMI Server Group and select Properties.
This opens the “Edit WMI Server Group” dialog box.
Check the Enable Monitoring box, then select the WMI Monitoring Profile to use from the Monitoring Profile drop-down list, and specify which groups will receive the Alerts.
The icons to the right of the Monitoring Profile list allow you to edit a Profile or add a new Profile directly from here.
How to Implement Device View Restrictions in Nectus
In this chapter, you’ll learn how to implement User Group based Device Access Restrictions with the help of Device Views. By assigning one of these Views to a User Group, you control which Devices the Users in that Group can see.
Implementing Device View restrictions allows members of User Groups to focus on only those devices that are relevant to their work. For example, if your company has three facilities, you might create one View for each facility, showing only the servers that are physically located at that facility.
The specific topics we will cover in this chapter are:
1. Creating a Device View
To create a Device View go to the Nectus Home Screen and select Inventory -> Views -> SNMP Device Views.
This opens the “SNMP Devices Views” dialog box.
Click the Add View button to open the “Add SNMP Devices View” dialog box. Create the new View by entering a View Name and adding Devices to the “Selected SNMP Device” list.
2. Creating a User Group
To create a new User Group go to the Nectus Home Screen and select Settings -> Admin Accounts.
This opens the “Admin Accounts” dialog box. Select the User Groups tab.
Click Add New Group to open the “Add Group” dialog box. Enter the Group Name and make any changes necessary for the GUI and Context Menu tabs.
3. Applying the Device View to the User Group
Select the Views tab. Select the Device View in the “SNMP Devices Views” drop-down list.
4. Creating a User Account and Assigning it to the User Group
Return to the “Admin Accounts” dialog box. Select the User List tab.
Click Add New Account to open the “Add Account” dialog box. Enter the required information for the User and select the User Group in the “Group” drop-down list.
5. Results of Applying the Access Restrictions
Applying the Device View to the User Group results in Access Restrictions for the Users in that Group.
When a User from that group views the SNMP Devices Pane on the Nectus Home Screen, he can only see the Devices that were included in the Device View.
When the User views the Sites pane, he can only see the Sites that contain Devices included in the Device View.
Setting up AWS permissions to perform monitoring and backup with Nectus
Nectus AWS monitoring does not require root user permissions to perform its actions. It requires only a small set of permissions, so it is more secure and reasonable to create a dedicated AWS user account that has only that minimal set of grants. This guide shows how to create such a user account.
First, log in to the AWS console as a root user and choose IAM from the list of Services.
When you see the following form, choose Users.
Then select “Add user” on the following screen.
Enter a user name and enable “programmatic access” in the next form.
Select “Attach existing policies directly” and then enable the following 3 policies:
They can be found using the “Filter policies” field.
After that, click the “Next: Review” button and you’ll see the following screen. Click the “Create User” button.
If everything is OK and the user was created in AWS, the following form will appear. Store the user’s Access key ID and Secret access key, since they are required by Nectus Monitoring. Click “Download .csv” and store this file. You can also click “Show” to display the secret access key on the screen.
The last step is integrating the AWS user’s access keys into Nectus Monitoring. Select Settings -> General Settings -> AWS integration in the Nectus GUI.
In the following form, paste the Access Key ID and Secret Access Key copied from the AWS console (or from the downloaded .csv file).
Click OK to save the changes. Nectus is now ready to perform AWS monitoring and backup.
Creating User Accounts and User Groups
In this chapter, you’ll learn how to create User Accounts and assign them to User Groups. You’ll also learn how to create User Groups and set their Access Rights.
The specific topics we will cover in this chapter are:
1. Creating User Accounts
Every Administrator should have their own User Account. To create a new User Account go to the Nectus Home Screen and select Settings -> Admin Accounts.
This opens the “Admin Accounts” dialog box.
Select the User List tab and click Add New Account to open the “Add Account” dialog box.
Enter the information for the user. Fields marked with an asterisk ( * ) are required. The group you assign determines the User’s Access Rights. You can assign the User to an existing Group, or create a new Group.
2. Creating User Groups
To create a User Group return to the “Admin Accounts” dialog box and select the User Groups tab.
Click Add New Group to open the “Add Group” dialog box and enter a Group Name.
Note that you can use the icons to the right of the Group Names to edit or delete an existing User Group.
3. Setting User Group Access Rights
Select the Group’s Access Rights from the drop-down list. Selecting “Read Only” or “Read / Write” rights sets all the GUI and Context Menu options to those values.
Selecting “Custom” rights allows you to set each GUI and Context Menu item individually. The options are “Read Only”, “Read / Write”, and “Hide”.
Select the Views tab to specify which views the User can see.
The drop-down list next to each view lists the items that will appear for that view. Setting “SNMP Devices Views” to “Cisco” for example causes only Cisco devices to appear in the SNMP Devices section or the Sites Section.
You can also designate the User Group as a “Super Admin.” Your installation must always have at least one Super Admin Group to ensure that Users have access to the system.
Tracking Objects in Wireless Networks
Troubleshooting any wireless problem usually starts with determining the specific Access Point the client is currently associated with and tracking the wireless client’s roaming behavior over time.
Access Point detection helps you understand the current RSSI levels on the selected channel and whether an alternative AP is present at the client’s location.
Nectus provides basic tools that make locating and tracking wireless objects an easy task.
The specific topics we will cover in this chapter are:
1. Using the Wireless Client Search Tool
The Wireless Client Search tool shows you which access point (AP) a Wireless Client is connected to right now. To use Wireless Client Search go to the Nectus Home Screen and select Tools -> Wireless Tools -> Wireless Client Search.
This opens the “Wireless Client Search” dialog box.
Search for the wireless object by entering all or part of the Client MAC Address, IP Address, or Username. Set the Search Scope by checking any of the supported Wireless Controller types.
The search returns any matching objects in a table.
Click the MAC Address of the object to see all the Basic information the system has about that object.
Click the Client RSSI Info tab to see the RSSI (Received Signal Strength Indication) for every access point the object can detect.
2. Using the Wireless MAC Tracking Tool
The Wireless MAC Tracking tool is useful for troubleshooting intermittent problems. It uses the object’s MAC address to record which AP the object is connected to over a period of time. To use Wireless MAC Tracking go to the Nectus Home Screen and select Tools -> Wireless Tools -> Wireless MAC Tracking.
This opens the “Wireless MAC Tracking” dialog box.
Click Add to begin tracking a MAC Address.
Enter the MAC Address you want to track, the Controller type, the Frequency of recording data, and the Duration of time you want to track the MAC address.
Once the Duration is complete, you can see the results by clicking the View MAC Tracking icon.
Generating Wireless Heat Maps in Nectus
A Wireless Heat Map is a visual representation of the wireless signal levels at different locations within a selected area.
The area can be a building floor or an outdoor space. We read the signal level directly at the antennas of the Wireless APs, calculate signal attenuation with distance, and overlay the resulting signal levels on top of an area map with known dimensions.
In this chapter, you’ll learn how to generate Wireless Heat Maps of any area.
The specific topics we will cover in this chapter are:
1. Preparing the Background Image
The Background Image shows the physical layout of the area that will be included in the Heat Map.
The image needs to be scaled with equal proportions horizontally and vertically. PNG and JPEG image formats are supported. You will need to be able to enter the corresponding length of the image, in feet, to create an accurate Heat Map.
Create the Background Image before proceeding to Step 2.
2. Creating a New L2 Topology
Once you have the Background Image prepared, you will need to create a new L2 Topology for your Heat Map. To create a new L2 Topology go to the Nectus Home Screen and select Topologies -> Start New L2 Topology.
An empty L2 Topology appears.
3. Placing the Background Image and Specifying the Scale
To place the Background Image in the Topology, click the L2 Topology Settings icon to open the “Settings” dialog box then select the Background tab.
Check the Display Image check box and load the Background Image you created in Step 1.
Enter the horizontal length of the Background Image (in feet) in the Background image length in Feet field.
Once the Background Image is visible in the Topology you can resize and reposition it as desired.
4. Placing the Wireless Controller
Find the Wireless Controller for this area in the Wireless Controllers section of the Sites Panel and drag it onto the Topology.
Click the Settings icon to open the “Settings” dialog box. Select the Wireless tab.
Check Show Wireless APs along with any other options you want displayed on the Heat Map. Nectus includes a large collection of Wireless AP icons you can use to customize the map.
Once you click OK the Heat Map reappears with a color-coded scale of signal levels.
5. Expanding the Topology and Selecting Your Access Points
Now you need to expand the Topology. This displays the Wireless Access Points that are connected to the Wireless Controller. To expand the Topology, right-click the Wireless Controller icon and select Expand L2 Network Topology.
This opens the “Expand L2 Network Topology” dialog box. Select the Wireless tab and expand the All Wireless Controllers list to see the Wireless APs connected to the controllers in the Topology. Check the Wireless APs you want to include in the Heat Map.
Click Generate Topology to add the selected Wireless APs to the Heat Map.
6. Positioning Wireless APs on the Heat Map
Drag each Wireless AP to its physical location on the Background Image. Once you do this, the Heat Map will show wireless coverage for this area.
Enabling Monitoring for SNMP Interfaces
In this chapter, you’ll learn how to enable monitoring and create monitoring groups for SNMP Interfaces.
The specific topics we will cover in this chapter are:
1. Automatic Discovery and Grouping of SNMP Interfaces
During the Discovery phase all network Interfaces are automatically added to the group called “No Monitoring Group.” This group has all monitoring functionality disabled and serves as a parking space for all unmonitored Interfaces.
To enable monitoring for a particular Interface you must move that interface from the “No Monitoring Group” to any group that has the monitoring checkbox set to “ON” and has a Monitoring Profile assigned.
2. Creating and Activating Monitoring Groups
To create and activate SNMP Interface Monitoring Groups go to the Nectus Home Screen and select Monitoring -> SNMP Monitoring Groups -> Interface Monitoring Groups.
This opens the “Interface Monitoring Groups” dialog box.
Nectus provides you with two predefined Monitoring Groups:
Click the Add Group button to open the “Add Monitoring Interface Group” dialog box and create an additional Monitoring Group.
To monitor a group, check its Enable Monitoring box in the “Interface Monitoring Groups” dialog box.
Next select the Monitoring Profile you want to use for the Group. See the next section for more information on Monitoring Profiles.
Then click the Edit Alert Recipients icon to open the “Alert Recipients” dialog box and select lists that specify who will receive alerts from this particular Monitoring Group and Profile.
3. Creating and Customizing Monitoring Profiles
Each Monitoring Group must have a Monitoring Profile that determines which parameters are monitored. You can customize each Profile, and create individual Profiles for each Monitoring Group.
To create a new Profile, go to the Nectus Home Screen and select Monitoring -> SNMP Monitoring Profiles -> Profiles – SNMP Interface Monitoring. This opens the “Interface Monitoring Profiles” dialog box. Click the Add Profile button to create a new Profile.
To edit a Profile click the Edit icon to the right of the Monitoring Profile for the Group. This opens the “Edit Device Monitoring Profile” dialog box.
Some of the parameters here allow you to set Threshold values or other customizations.
Set the Enabled checkbox next to each Parameter you want to monitor. Check any of the Log to DB, Email Alerts, SMS Alerts, or Traps Alerts boxes to send those types of alerts.
4. Customizing Alerts
To customize the alerts, click the Edit Alert Templates button to open the “Edit Alert Handler” dialog box.
If you select Email Alerts or SMS Alerts, Nectus will generate Alert messages when the Monitored Parameter exceeds its threshold and Recovery messages when the Parameter returns to normal.
Selecting the tab for one of these messages allows you to customize the appearance of that message.
5. Placing Interfaces in Monitoring Groups
Once you have created the Monitoring Groups you want to use you need to place Interfaces in them. To do so, click the Monitoring Group Name to open the “Edit Monitoring Interface Group” dialog box.
Select the Group you want to add Interfaces to on the left, and the Group you want to take them from on the right. Use the arrows to move Interfaces between the two Interface Groups.
Note that if you move an Interface that is currently being monitored into the No Monitoring Group, Nectus will immediately stop monitoring that Interface. This can be useful for situations where you know an Interface will be down for some time (extended maintenance, for example) and you don’t want the system to send alerts.