WakeUp supports encryption for the packets used for communications between the WakeUp Server and agents. You can choose the level of security at installation.
Alternatively you can enable FIPS-compliant encryption, but this is used for all communication between agents and WakeUp Server, and between agents and NightWatchman Management Center. If used, then all NightWatchman and WakeUp components must have FIPS enabled.
This is the recommended installation mode providing the most flexibility and functionality. Install the WakeUp agent on all target computers in your environment.
The features that come with this configuration are:
|When using multi-agent mode, deploy the 1E Wakeup agent module in the Tachyon Agent to all systems in the environment. While technically each subnet requires only one system with the Wakeup agent powered on and running, delays and unexpected failures can occur when attempting to wake-up collections of machines where not all the systems have the WakeUp agent installed.|
This mode is not generally recommended as it does not support Last Man Standing, wake state reporting or NightWatchman auto-shutdown – it is only for backward compatibility. In this mode, a single machine on each remote subnet is identified as an agent. The WakeUp Server communicates only with this agent and it means that the dedicated agent machine must remain on at all times in order to be able to process server communications.
In order to reduce the size of the agent package, run the installation on the nominated dedicated agent with a Tachyon client installation command-line with the AGENTTO and REPORTINGSERVER parameters. AGENTTO specifies the FQDN or NetBIOS name for the server where WakeUp Server is installed and REPORTINGSERVER specifies the FQDN or NetBIOS name for the server where the NightWatchman Management Center Web service is installed. There are other parameters you can set at installation.
No other action is required as the agent automatically registers with the controlling Primary Site once the service starts. It is also possible to install an alternate dedicated agent to provide redundancy if one of the agents needs to be taken offline. Simply install it using the command-line above.
Although you can configure a second host as dedicated agent on a subnet, the last dedicated agent host to start up on that subnet becomes the primary agent for that subnet. There is no alternate agent under these conditions and therefore no Last Man Standing feature.
If you integrate with Configuration Manager, the WakeUp Server must be installed on all Primary Sites. Although it is possible, we do not recommend installing the WakeUp Server on the Central Administration Site (CAS) as it provides no advantage because the CAS does not have any clients reporting to it directly. WakeUp Server will monitor Configuration Manager for pending advertisements and send out wake up requests before they are due. You can also right-click on a collection of machines or a single machine to wake it up immediately.
Configuration Manager acceleration provides the option of combining a wake up with a Policy Refresh, so that any machines already awake will process the advertisement at the same time. You can also perform Policy Refresh without wake up.
You will need the following:
Users with local administrator rights on the server automatically have the ability to send wake-ups or make changes in the WakeUp console, either locally or remotely. In order for a non-administrator to send wake-ups or make changes to the WakeUp Server, their account requires full permissions on the WakeUp Server WMI namespace and for remote access, remote DCOM rights.
The WakeUp Server installation automatically configures the necessary WMI and DCOM rights for the AD account or group specified in the NightWatchman Management Center Configuration installer screen (Apply WMI Namespace). Installation automatically grants WMIACCOUNT full permissions on the root\N1E namespace and adds it to the Distributed COM Users local group.
As best practice, we recommend that you create an AD group for all the accounts that need to use WakeUp Server, who are not already local administrators of the server, and specify this group as WMIACCOUNT during installation. Typically, this AD group will contain the following AD accounts and groups:
In addition to WMIACCOUNT, other accounts and groups can be manually granted remote administration rights to the WakeUp Server by granting full rights on the N1E namespace and adding the same accounts and groups to the Distributed COM Users local group on the server. We provide a free tool called
WmiConfigPerms which is available on our website.
To add an additional AD group or local groups such as SMS Admins to the N1E namespace, use:
WmiConfigPerms.exe /A:ADD /N Root\N1E /M "<domain>\<group>":"EXEC_METHODS|FULL_WRITE|ENABLE_ACCOUNT|REMOTE_ENABLE" /R
Configuration Manager administrator accounts and groups are all members of the SMS Admins local group on the server. Its membership is automatically managed from the Configuration Manager Console when creating and deleting administrative users. It is possible to specify WMIACCOUNT as SMS Admins, and the installer will grant this local group full WMI rights on the N1E namespace. This enables all Configuration Manager administrators to send wake-ups using WakeUp extensions and also make changes in the WakeUp Server console.
However, if SMS Admins is specified, the WakeUp Server installer adds this local group to the Distributed COM Users local group. Nesting of local groups is not technically supported, and SMS Admins can be safely left or removed. The SMS Admins group is created and configured with remote WMI and DCOM rights during the installation of the Configuration Manager Site role SMS Provider, therefore there is no requirement for it or its members to also be members of the Distributed COM Users local group.
By default, the Distributed COM Users local group has COM Security that allows local and remote access, launch and activation. If the default rights have been modified, it may be necessary to manually configure DCOM security using
dcomcnfg.exe to grant remote access, launch and activation rights to WMIACCOUNT and other WakeUp Server administrator accounts.
The Web WakeUp architecture illustrates how its components interact with each other and other objects in your network. Web WakeUp uses:
The Web WakeUp website and the NightWatchman Console service may be located on different servers as long as the Web WakeUp application pool has access to the network. You must carry out post-installation configuration on both the Web WakeUp website and the NightWatchman Console service computer.