Microsoft SMS
Posted September 4th, 2007 by sean
Introduction
In an enterprise environment, Microsoft's Systems Management Server (SMS) may be used to manage the software packages on client PCs: pushing package updates, querying inventory and ensuring that client packages stay up to date.
MS-SMS has an MS-SQL server at its core, and some of the information stored there, such as MAC addresses and system names, is useful to FreeNAC.
The FreeNAC SMS class "SMSEndDevice.php" is usually called by "postconnect". It queries FreeNAC's local copy of the SMS data to find out whether the MAC address of an unknown device currently trying to connect to the LAN is present in the SMS database.
If information is found, postconnect allows the device and updates the FreeNAC tables with the information from SMS, such as the logged-on user, system name, etc. Note that the only thing matched is the MAC address, which any device can present, so an SMS match identifies a device but does not authenticate it; choose the VLAN assigned to SMS-known devices (see Operations below) with that in mind.
If you plan to use this module, you need to modify the postconnect section of your policy file accordingly. A sample snippet is shown below:
/**
 * The postconnect method is used by the postconnect daemon.
 * It updates information for PORTS and HOSTS.
 * This method writes to the database, so it shouldn't be called from a slave server.
 * @param object $REQUEST A SyslogRequest object
 */
public function postconnect($REQUEST)
{
    # SMS module: look up the connecting MAC in the local SMS copy
    $SMS_HOST = new CallWrapper(new SMSEndDevice($REQUEST));
    # Insert the end device if unknown
    $SMS_HOST->insertIfUnknown();
    # Insert a switch or port if unknown
    $REQUEST->switch_port->insertIfUnknown();
    # Update port information
    $REQUEST->switch_port->update();
    # Update host lastseen timestamp
    $REQUEST->host->update();
}
Installation
Pre-requisites: In order to install this feature, you need FreeTDS installed and of course an MS-SMS server.
Configuration: MS-SMS server
An SQL view has to be created on the MS-SMS server that exposes the fields FreeNAC expects. The view must have these columns:
- Name0: end-device name
- User_Name0: the user last logged onto that end-device
- Operating_System_Name_and0: the operating system detected on the end-device
- MACAddress0: the MAC address associated with the end-device
Create an SQL user which FreeNAC will use to query MS-SQL. Give this user SELECT rights on the above view only; it needs no access to the underlying SMS tables.
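As an added, worked example (not code from FreeNAC or from this page), this is what the SMS-side setup can look like in Transact-SQL on a SQL Server 2005 instance. It assumes the SMS site database is named SMS_ABC (SMS names the site database after the site code; ABC is a placeholder) and that the standard SMS reporting views v_R_System and v_GS_NETWORK_ADAPTER_CONFIGURATION exist, which is where column names of the form Name0 and MACAddress0 normally come from; the view name v_FreeNAC_EndDevices, the login name freenac and the password are placeholders to change. The view returns only adapters that have a MAC address and are IP-enabled, because a system with several adapters would otherwise appear once per adapter, including unused or virtual ones.

```sql
-- Added example, not part of FreeNAC: run on the SMS site's SQL Server as a sysadmin.
-- Assumptions: site database SMS_ABC, standard SMS views v_R_System and
-- v_GS_NETWORK_ADAPTER_CONFIGURATION; v_FreeNAC_EndDevices, freenac and the
-- password are placeholders to change.
USE SMS_ABC;
GO

-- 1. The view FreeNAC reads: one row per system/adapter pair. Adapters without
--    a MAC (tunnels, loopback) or not IP-enabled (unused NICs) are left out, and
--    obsolete duplicate client records are skipped.
CREATE VIEW dbo.v_FreeNAC_EndDevices
AS
SELECT  s.Name0,
        s.User_Name0,
        s.Operating_System_Name_and0,
        n.MACAddress0
FROM    dbo.v_R_System AS s
JOIN    dbo.v_GS_NETWORK_ADAPTER_CONFIGURATION AS n
        ON n.ResourceID = s.ResourceID
WHERE   n.IPEnabled0 = 1
  AND   n.MACAddress0 IS NOT NULL
  AND   s.Obsolete0 = 0;
GO

-- 2. A SQL Server authentication login for FreeNAC (the FreeTDS "tds version = 4.2"
--    setup used below does not do Windows/domain logins). Use a long random
--    password: TDS 4.2 carries it without encryption, so keep the FreeNAC-to-SQL
--    path on a trusted network segment.
CREATE LOGIN freenac WITH PASSWORD = 'replace-with-a-long-random-secret',
    DEFAULT_DATABASE = SMS_ABC, CHECK_POLICY = ON;
CREATE USER freenac FOR LOGIN freenac;
GO

-- 3. Least privilege: SELECT on this one view only. Because the view and the SMS
--    views it reads are all owned by dbo in the same database, ownership chaining
--    lets the query run without granting anything on v_R_System or the tables
--    behind it.
GRANT SELECT ON dbo.v_FreeNAC_EndDevices TO freenac;
GO

-- 4. Check what FreeNAC will see, impersonating the new user.
EXECUTE AS USER = 'freenac';
SELECT TOP 5 Name0, User_Name0, Operating_System_Name_and0, MACAddress0
FROM   dbo.v_FreeNAC_EndDevices;
-- This must fail with a permission error: the user has no rights on the
-- underlying views, only on v_FreeNAC_EndDevices.
SELECT TOP 1 Name0 FROM dbo.v_R_System;
REVERT;
GO
```

On SQL Server 2000, replace CREATE LOGIN / CREATE USER with sp_addlogin and sp_grantdbaccess and drop the EXECUTE AS check, which that version lacks. Do not put the FreeNAC login in db_datareader: the point of the dedicated view is that a compromise of the FreeNAC host yields read access to four columns, not to the whole inventory database.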
You also need to create the SMS table (nac_sms_1) in the FreeNAC database. To do so, go to /opt/nac/contrib and run the following command:
mysql opennac < sms_tables
Configuration: FreeNAC
1. The first step is to configure 'FreeTDS' so that SQL queries to MS-SQL actually work.
Add the following instance to freetds.conf. Adjust the host and perhaps the port for your MS-SQL server; the alias name in square brackets is the value you will store in sms_dbalias in step 3:
[sms_alias]
        host = server.domain.com
        port = 1433
        tds version = 4.2
        dump file = /var/log/freetds_sms.log
        dump file append = yes
        debug level = 1
Note that the dump file records every TDS packet sent and received, including the rows returned by each query, so give it restrictive permissions and remove the dump file settings once the connection works.
2. In the config_en.inc file, set your username and password in the variables $sms_dbuser and $sms_dbpass. These correspond to the SQL user name and password you created on the MS-SQL server in the previous section. Since the file now holds a database credential, keep it readable only by the account FreeNAC runs as.
3. Set sms_dbalias and sms_db in the config table of the opennac MySQL database:
update config set value='sms_alias' where name='sms_dbalias';
update config set value='sms_db' where name='sms_db';
Here sms_alias is the alias you declared in your freetds.conf file and sms_db is the name of the MS-SQL database that holds the SMS data (the one in which you created the view).
4. Enable the SMS module in FreeNAC:
update config set value='true' where name='sms_enabled';
If such a field doesn't exist in your config table, create it as follows:
insert into config set type='boolean', name='sms_enabled', value='true', comment='Enable or disable the SMS module';
This flag also enables SMS related features in the FreeNAC Windows GUI.
Operations
Configure the MS-SMS module in the config table.
- lastseen_sms: set to 'true' to enable the SMS module in postconnect.
- lastseen_sms_notify: set to 'true' to enable email alerts.
- sms_device: text to display in the email alert when an SMS-known end-device connects to the LAN.
- lastseen_sms_restart: set to 'true' to restart the switch port when an SMS-known end-device connects to the LAN.
- lastseen_sms_vlan: which VLAN (index number) is to be assigned to SMS-known end-devices.
These can be assigned in the FreeNAC Windows GUI under Administration->config
Synchronization
Run the sync script from /opt/nac/bin
./sms_getinfo
and watch syslog. It could take some time to complete. If everything went fine, you should see in syslog a message like the following:
Dec 19 09:23:47 freenac sms_getinfo[16087]: SMS synchronization was successful.
Now that your nac_sms_1 table is populated, you need to restart postconnect in order to load your policy and the changes you made to the SMS config variables.
/etc/init.d/postconnect restart
Add an entry in cron to perform the synchronization automatically as often as you need; the example below runs it every Monday at 02:00:
0 2 * * 1 /opt/nac/bin/sms_getinfo