Overview
This instruction manual guides you through installing the Footprint Agent on your Active Directory. It is organized in three parts, which can be read according to your needs.
Alternatively, you can check our proposed procedures to deploy the Footprint Agent.
The first part of the manual describes the software prerequisites for the Footprint Agent installation. It presents the general and specific requirements that need manual configuration before the installation.
The second part of the manual takes you through the Footprint Agent installation steps. This section highlights possible bottlenecks in the installation process.
The last part of this guide is a troubleshooting section to help you with problems you might have during the installation process. It presents scenarios in which the installation software fails to ensure the prerequisites automatically.
1. Prerequisites
This section briefly describes the software requirements for the Footprint Agent installation. It is divided into two sub-sections: the first goes through general prerequisites such as required operating systems and services, and the second presents a set of specific prerequisites for the Active Directory installation.
General Prerequisites
Before running the installation process of the Footprint Agent, you must make sure that you have a compatible operating system and required services.
Minimum OS: Windows 7 SP1/Windows Server 2008 R2 SP1
Disk Space Required: 500 MB
Latest installer version available (FootprintAgentInstaller.exe or FootprintAgentInstaller.msi) from your Footprint console.
Required Services Installed.
Windows Management Instrumentation
Run the following line in PowerShell to check if it is installed properly:
Get-WmiObject Win32_OperatingSystem
If no error is generated, the service is activated.
WinRM
Run the following line in PowerShell to check if it is installed properly:
WinRM quickconfig
If no error is generated, the service is activated.
Specific Prerequisites for Active Directory installation type
Besides the above-mentioned prerequisites, there are also requirements specific to the type of installation you choose (See section 2. Installation Steps). As half of these are done automatically by the installer and require manual configuration only in exceptional cases, they are treated separately in the troubleshooting section (See section 3. Troubleshooting). Therefore, this section presents those prerequisites that have no automated implementation. For the sake of clarity, we enumerated them all here using the following tags:
Tag | Description |
---|---|
MANUALLY | Prerequisite; must be fulfilled before installation |
AUTOMATIC BY THE INSTALLER | Prerequisite; fulfilled by the installer (if an error occurs, manual troubleshooting is presented in the last section) |
For an installation type that allows the Agent to scan only the computer on which it is downloaded, the aforementioned general prerequisites are sufficient. However, for an Active Directory installation type, the following is necessary:
A valid Active Directory configuration; MANUALLY
(Fig. 1 - Active Directory Configuration error in the Footprint Agent installer)
How to check:
Run the following line in PowerShell:
(Get-WmiObject Win32_ComputerSystem).Domain
The output should be the name of the Active Directory Domain. If not, the computer is not part of an Active Directory domain.
To install the Footprint Agent in the Active Directory, you must provide a set of valid credentials, namely the username and password required in Installation Step 2 (see section 2: Installation Steps). As such, the user must:
be part of the Domain Admins or Administrators groups; MANUALLY
You cannot run the Footprint Agent Installer without a user account that is part of the Domain Admins or Administrators groups. Before running the installer, please make sure that you are logged in with such a user account.
(Fig. 2 - This picture shows how to add the user account to the Domain Admins or Administrator groups)
have the “Password never expires” option activated; MANUALLY
(Fig. 3 - This picture shows how to configure a password that does not expire. Use the following link to learn more: Password never expires)
While the following three prerequisites are automatically taken care of by the installer given the user’s agreement, they also allow for manual configurations if needed. As such, the following section highlights the context in which possible bottlenecks can emerge for the automatic implementation of the remaining prerequisites:
Installed Remote Server Administration Tool; AUTOMATIC BY THE INSTALLER
Log on as a Service Privilege; AUTOMATIC BY THE INSTALLER
Adequate Firewall Rules; AUTOMATIC BY THE INSTALLER
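The manual prerequisites above can be checked in one pass before the installer is started. The following is an added example, not part of the Footprint installer or its documentation: the function name, the svc-footprint account and the choice of the system drive for the disk-space check are assumptions, and it is written for Windows PowerShell.

```powershell
# Added example (not vendor code): preflight for the manual prerequisites.
# The function name is hypothetical.
function Test-FootprintPrerequisite {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName   # account that will be entered in installation Step 2
    )

    $os = Get-WmiObject Win32_OperatingSystem      # a result here also proves WMI answers
    $cs = Get-WmiObject Win32_ComputerSystem
    # Assumption: the agent is installed on the system drive.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $winrm = $false
    try { Test-WSMan -ErrorAction Stop | Out-Null; $winrm = $true } catch { }

    $groups = @()
    $neverExpires = $false
    if ($cs.PartOfDomain) {
        # LDAP lookup through ADSI, so RSAT is not needed for this check.
        $filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        $hit = ([adsisearcher]$filter).FindOne()
        if ($hit) {
            # 0x10000 is the DONT_EXPIRE_PASSWORD bit of userAccountControl.
            $uac = [int]$hit.Properties['useraccountcontrol'][0]
            $neverExpires = [bool]($uac -band 0x10000)
            # Direct memberships only: nested groups and the primary group are not resolved.
            $groups = @($hit.Properties['memberof'] |
                ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        }
    }
    $adminGroups = 'Domain Admins', 'Administrators'

    New-Object PSObject -Property @{
        OsAtLeastWin7Sp1      = ([version]$os.Version -ge [version]'6.1.7601')
        FreeSpaceAtLeast500MB = ($disk.FreeSpace -ge 500MB)
        WinRmResponding       = $winrm
        Domain                = $(if ($cs.PartOfDomain) { $cs.Domain } else { $null })
        InAdminGroup          = [bool]($groups | Where-Object { $adminGroups -contains $_ })
        PasswordNeverExpires  = $neverExpires
    }
}

# 'svc-footprint' is a placeholder account name.
Test-FootprintPrerequisite -SamAccountName 'svc-footprint'
```

A False value in any field points to the prerequisite that still needs manual attention; an empty Domain field means the computer is not part of an Active Directory domain.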
2. Installation Steps
This section presents the installation steps you have to follow in order to have the Footprint Agent up and running. Most of the possible bottlenecks that you may encounter during the installation process are related to missing general or specific prerequisites. Once you have checked each of the aforementioned prerequisites, go through the following steps in order.
Step 1: Choosing the installation type
After you download the agent, read and accept the license agreements and choose an installation folder, you must choose one of the following installation types:
(Fig. 4 - Installation Type options display in the Footprint Agent installer)
Local - This computer only
This type of installation is designed for isolated components of your cyber infrastructure. For example, you may want to use this type of installation to scan only the computer on which the installation is performed.
Active Directory - Entire domain
This type of installation is designed for your entire cyber infrastructure. For example, you may want to use this installation type to scan all the computers joined in the same Active Directory as the computer on which the installation is performed.
Active Directory - Current Organization Unit
This type of installation is designed to scan only the Organizational Unit of the computer on which the installation is performed. For example, you may want to use this type of installation to scan computers that are part of the same Organizational Unit as the computer on which the installation is performed.
Both Active Directory installation types require the Remote Server Administration Tools (RSAT). While the Remote Server Administration Tools installation is done automatically by the installer, manual treatment of possible errors is presented in the Troubleshooting section.
Notice that if you choose the local type of installation you can skip Step 2 and jump straight to Step 3 of the installation steps.
Step 2: Inserting Credentials
After choosing the type of installation that best fits your needs, you must provide credentials, namely the domain\user and password information.
To insert credentials successfully, use a username that is part of the Domain Admins or Administrators group and a password that does not expire. Please check the Prerequisites section to learn more about it.
(Fig. 5 - Credentials Requirements in the Footprint Agent installer)
Following the Active Directory credentials insertion, you must also ensure the Log on as a Service privilege and the proper Firewall Rules requirements. While both are taken care of automatically by the installer, manual treatment of possible errors is presented in the Troubleshooting section.
Step 3: Enter connection details
In the last step, you enter the connection details available on the Footprint platform: the Footprint Agent Management URL and the Footprint Agent Token.
(Fig. 6 - Connection Details Requirements in the Footprint Agent installer)
3. Troubleshooting
This section presents possible scenarios in which errors occur in the installation process. The scenarios are organized according to the installation steps presented in the section above. Each scenario is accompanied by two sections which tell you:
What the error means
How to solve the error
Troubleshooting Step 1
Possible bottlenecks after choosing one of the two Active Directory installation types may emerge due to a lack of valid Active Directory configuration or a missing Remote Server Administration Tool. As the Active Directory configuration was covered in the first section of this manual (See section 1: Prerequisites), this section is concerned with the latter scenario.
Remote Server Administration Tools (RSAT) troubleshooting
The first bottleneck you may encounter besides having an invalid Active Directory (see Section 1: Prerequisites) is to lack Remote Server Administration Tools (RSAT). If you want to learn more about the Remote Server Administration Tools, please use the following link: Microsoft RSAT Official Documentation. If you don’t, check the following scenarios and see if you can solve your problem right away.
(Fig. 7 - RSAT error in the Footprint Agent installer)
RSAT was not found on the computer.
The Footprint Agent Installer can install RSAT automatically if the YES button is pressed.
Install RSAT Automatically
It is possible that, due to certain configurations of your computer, some error occurs when the installer tries to automatically install the RSAT. Any type of error in this process is signaled through the following message:
(Fig. 8 - RSAT automatic installation error in the Footprint Agent installer)
RSAT installation failed.
RSAT has to be installed manually.
Install RSAT manually
If the RSAT automatic installation failed, you must install it manually. For this purpose, we provide you with a link that contains the installation instructions. Notice that the installation process differs based on your OS version.
To install, please follow Microsoft's instructions, depending on your OS version.
Run the following line in PowerShell to check if it is installed properly:
Get-ADComputer -Filter *
The result must be a list of computers that are added to Active Directory.
Troubleshooting Step 2
Possible bottlenecks after inserting your credentials may emerge due to a lack of user prerequisites or environmental requirements. While part of the user requirements were covered in the first section of this introductory manual, this section presents the Log on as a Service error scenario together with firewall rules configuration error.
Log on as a Service Privilege
A possible bottleneck you may encounter after providing valid credentials is the lack of the Log on as a Service privilege. Again, if you want to learn more about the Log on as a Service privilege, please use the following link: Log on as a Service. If you don’t, check the following scenarios and see if you can solve your problem right away.
As the Footprint installer tries to automatically set the Log on as a Service privilege, the following error may occur:
(Fig. 9 - Log on as a Service privilege error in the Footprint Agent installer)
An error occurred while trying to set the privilege automatically.
It has to be configured manually.
The picture below shows you the steps you have to take to add the Log on as a Service privilege manually. As you can see, the Log on as a service properties must list the user or the group of the user. If it is not listed, you should add it.
(Fig. 10 - This picture shows how to manually activate the Log on as Service privilege )
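Whether the account is already listed can be confirmed from the command line before or after the manual change. The following is an added example, not part of the Footprint installer: the function name and the DOMAIN\user value are assumptions, it must be run from an elevated prompt, and it only detects an account listed directly (a grant through a group of the user is not resolved).

```powershell
# Added example (not vendor code): is the account listed under "Log on as a service"?
# The function name is hypothetical.
function Test-LogOnAsServiceRight {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Account          # for example 'DOMAIN\user'
    )

    # Resolve the account name to its SID, the form secedit normally exports.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP 'footprint-user-rights.inf'
    try {
        # Export only the user-rights area of the machine's security settings.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }

    # No line at all means nobody has been granted the right.
    if (-not $line) { return $false }

    # Entries are comma separated; SIDs carry a leading '*', some appear as names.
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    return (($entries -contains $sid) -or ($entries -contains $Account))
}

# 'DOMAIN\user' is a placeholder for the account entered in installation Step 2.
Test-LogOnAsServiceRight -Account 'DOMAIN\user'
```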
Firewall rules
The installation of the Footprint Agent requires four inbound firewall rules as environmental requirements. While the installation software usually creates them automatically, you may encounter the following error after providing valid credentials:
(Fig. 11 - Firewall rules error in Footprint Agent Installer)
Error while configuring firewall rules
You must add and configure 4 rules in a Group Policy Object (GPO). To do that you must:
Create a GPO
Link it to the Domain
Add the rules presented below to the
Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced security/Windows Firewall with Advanced security/Inbound Rules
(Fig. 12 - Firewall rules error in Footprint Agent Installer)
The 4 rules are:
Footprint Agent - (DCOM-In):
Footprint Agent - (ASYNC-In)
Footprint Agent - (WMI-In)
Footprint Agent - (SMB-In)
Notice that the first three rules are program-based while the last one is port-based. The corresponding program or port is used to name and configure each rule according to the following instructions:
Instructions to create firewall program-based rules: Footprint Agent - (DCOM-In), Footprint Agent - (ASYNC-In), Footprint Agent - (WMI-In)
Step 1: Choose the program type rule
(Fig 13 - First step to create firewall rule for Footprint Agent - (DCOM-In), Footprint Agent - (ASYNC-In), Footprint Agent - (WMI-In))
Step 2: Add the program path
For each program-based rule you should use the following program paths:
Footprint Agent - (DCOM-In):
%SystemRoot%\system32\svchost.exe
Footprint Agent - (ASYNC-In):
%SystemRoot%\system32\wbem\unsecapp.exe
Footprint Agent - (WMI-In):
%SystemRoot%\system32\svchost.exe
(Fig 14 - Second step to create firewall rule for Footprint Agent - (DCOM-In), Footprint Agent - (ASYNC-In), Footprint Agent - (WMI-In))
Step 3: Allow the connection
This step is common to both program-based rules and the port-based rule.
(Fig 15 - Third step to create firewall rule for all rules)
Step 4: Apply only for Domain
This step is common to both program-based rules and the port-based rule
(Fig 16 - Fourth step to create firewall rule for all rules)
Be careful not to leave Private or Public checked. Doing so may allow users outside your domain to take advantage of the access these firewall rules grant.
Step 5: Name the Rules
For each program-based rule you should use the provided names, given the path you used.
Footprint Agent - (DCOM-In):
%SystemRoot%\system32\svchost.exe
Footprint Agent - (ASYNC-In)
%SystemRoot%\system32\wbem\unsecapp.exe
Footprint Agent - (WMI-In):
%SystemRoot%\system32\svchost.exe
(Fig 17 - Fifth step to create firewall rule for Footprint Agent - (DCOM-In), Footprint Agent - (ASYNC-In), Footprint Agent - (WMI-In))
Step 6: Configure each Rule
For each program-based rule, ensure it has the following settings:
Footprint Agent - (DCOM-In)
(Fig 18 - Configurations for Footprint Agent - (DCOM-In) rule)
Check if this program: %SystemRoot%\system32\svchost.exe
Footprint Agent - (ASYNC-In)
(Fig 19 - Configurations for Footprint Agent - (ASYNC-In) rule)
Check if this program: %SystemRoot%\system32\wbem\unsecapp.exe
Footprint Agent - (WMI-In)
(Fig 20 - Configurations for Footprint Agent - (WMI-In) rule)
Check if this program: %SystemRoot%\system32\svchost.exe
Step 7: Configure common rules
This configuration is common to both program-based and port-based firewall rules. The Remote IP address field presented in the right photo should contain all IPv4 and IPv6 addresses obtained via ipconfig.
(Fig 21 - Configurations for all rules)
Instructions for the port-based rule Footprint Agent - (SMB-In).
Step 1: Choose the port type rule
(Fig 22 - First step to create firewall rule for Footprint Agent - (SMB-In) rule)
Step 2: Add the port path
Use the following port paths:
Footprint Agent - (SMB-In):
TCP 445
(Fig 23 - Second step to create firewall rule for Footprint Agent - (SMB-In) rule)
Steps 3 and 4 are common to both program-based rules and port-based rules. Briefly you should Allow the connection and check only for Domain. Please check the above Instructions for program-based rules section if you run into problems.
Step 5: Name the rule
You should use the provided rule name:
Footprint Agent - (SMB-In):
TCP 445
(Fig 24 - Fifth step to create firewall rule for Footprint Agent - (SMB-In) rule)
Step 6: Configure the specific rule
Check that the Program field in the middle photo contains System.
(Fig 25 - Configurations for Footprint Agent - (SMB-In) rule)
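Once the four rules exist in the GPO, they can be audited against the values given in this section. The following is an added example, not part of the Footprint installer: the function name and the policy store value are assumptions, it needs the NetSecurity module (Windows 8 / Server 2012 or later), and it checks only the settings stated in the text (name, direction, action, Domain-only profile, program, port, remote address), not those visible only in the figures.

```powershell
# Added example (not vendor code): audit the four GPO rules against this manual.
# Assumption: $PolicyStore is '<domain FQDN>\<GPO name>' for the GPO you created.
function Test-FootprintFirewallRule {
    param([Parameter(Mandatory = $true)][string]$PolicyStore)

    # Expected values taken from the steps above (unsecapp.exe lives under wbem).
    $expected = @(
        @{ Name = 'Footprint Agent - (DCOM-In)';  Program = '%SystemRoot%\system32\svchost.exe' }
        @{ Name = 'Footprint Agent - (ASYNC-In)'; Program = '%SystemRoot%\system32\wbem\unsecapp.exe' }
        @{ Name = 'Footprint Agent - (WMI-In)';   Program = '%SystemRoot%\system32\svchost.exe' }
        @{ Name = 'Footprint Agent - (SMB-In)';   Program = 'System'; Protocol = 'TCP'; Port = '445' }
    )

    foreach ($e in $expected) {
        $problems = @()
        $rule = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $e.Name `
                    -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $rule) {
            $problems += 'rule missing'
        }
        else {
            if ($rule.Direction -ne 'Inbound') { $problems += 'not inbound' }
            if ($rule.Action -ne 'Allow')      { $problems += 'action is not Allow' }
            # Step 4: Domain only. Private, Public or Any widens exposure.
            if ($rule.Profile -ne 'Domain')    { $problems += "profile is $($rule.Profile)" }

            $app = $rule | Get-NetFirewallApplicationFilter
            if ($app.Program -ne $e.Program)   { $problems += "program is $($app.Program)" }

            if ($e.Port) {
                $pf = $rule | Get-NetFirewallPortFilter
                if ($pf.Protocol -ne $e.Protocol -or "$($pf.LocalPort)" -ne $e.Port) {
                    $problems += "port filter is $($pf.Protocol)/$($pf.LocalPort)"
                }
            }

            # Step 7: the Remote IP address field should be restricted, not left open.
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') { $problems += 'remote address is Any' }
        }
        [pscustomobject]@{
            Rule     = $e.Name
            Ok       = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# 'example.local\Footprint Agent Firewall' is a placeholder policy store.
Test-FootprintFirewallRule -PolicyStore 'example.local\Footprint Agent Firewall'
```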