Secure communications

WakeUp supports encryption for the packets used for communications between the WakeUp Server and agents. You can choose the level of security at installation.

• Full – all communications are encrypted and any unencrypted packets are ignored. If used then all WakeUp Servers and agents must used this option.
• Partial – both encrypted and unencrypted communications are allowed by the server. This can be a useful half-way solution to a fully encrypted configuration that caters for the scenario where you are upgrading an existing WakeUp installation to use encryption and you do not want to re-install every single component in one go. Unencrypted packets sent by the previous version clients can be used by the server. However, the upgraded server will only send out encrypted packets and therefore previous-version clients cannot be used as Primary or Alternate Agents
• None – all packets are unencrypted

Alternatively you can enable FIPS-compliant encryption, but this is used for all communication between agents and WakeUp Server, and between agents and NightWatchman Management Center. If used, then all NightWatchman and WakeUp components must have FIPS enabled.

Dedicated Agent mode

This mode is not generally recommended as it does not support Last Man Standing, wake state reporting or NightWatchman auto-shutdown – it is only for backward compatibility. In this mode, a single machine on each remote subnet is identified as an agent. The WakeUp Server communicates only with this agent and it means that the dedicated agent machine must remain on at all times in order to be able to process server communications.

In order to reduce the size of the agent package, run the installation on the nominated dedicated agent with a Tachyon client installation command-line with the AGENTTO and REPORTINGSERVER parameters. AGENTTO specifies the FQDN or NetBIOS name for the server where WakeUp Server is installed and REPORTINGSERVER specifies the FQDN or NetBIOS name for the server where the NightWatchman Management Center Web service is installed. There are other parameters you can set at installation.

No other action is required as the agent automatically registers with the controlling Primary Site once the service starts. It is also possible to install an alternate dedicated agent to provide redundancy if one of the agents needs to be taken offline. Simply install it using the command-line above.

Although you can configure a second host as dedicated agent on a subnet, the last dedicated agent host to start up on that subnet becomes the primary agent for that subnet. There is no alternate agent under these conditions and therefore no Last Man Standing feature.

Non-administrator account requirements

Users with local administrator rights on the server automatically have the ability to send wake-ups or make changes in the WakeUp console, either locally or remotely. In order for a non-administrator to send wake-ups or make changes to the WakeUp Server, their account requires full permissions on the WakeUp Server WMI namespace and for remote access, remote DCOM rights.

The WakeUp Server installation automatically configures the necessary WMI and DCOM rights for the AD account or group specified in the NightWatchman Management Center Configuration installer screen (Apply WMI Namespace). Installation automatically grants WMIACCOUNT full permissions on the root\N1E namespace and adds it to the Distributed COM Users local group.

As best practice, we recommend that you create an AD group for all the accounts that need to use WakeUp Server, who are not already local administrators of the server, and specify this group as WMIACCOUNT during installation. Typically, this AD group will contain the following AD accounts and groups:

• The service account for the NightWatchman Management Center console service, if using NightWatchman Management Centea with or without Web WakeUp
• Configuration Manager administrator accounts and groups, if using remote Configuration Manager consoles with WakeUp extensions
• WakeUp Server administrators and operators, if using remote WakeUp Server consoles

In addition to WMIACCOUNT, other accounts and groups can be manually granted remote administration rights to the WakeUp Server by granting full rights on the N1E namespace and adding the same accounts and groups to the Distributed COM Users local group on the server. We provide a free tool called WmiConfigPerms which is available on our website.

To add an additional AD group or local groups such as SMS Admins to the N1E namespace, use:

WmiConfigPerms.exe /A:ADD /N Root\N1E /M "<domain>\<group>":"EXEC_METHODS|FULL_WRITE|ENABLE_ACCOUNT|REMOTE_ENABLE" /R

Configuration Manager administrative users

Configuration Manager administrator accounts and groups are all members of the SMS Admins local group on the server. Its membership is automatically managed from the Configuration Manager Console when creating and deleting administrative users. It is possible to specify WMIACCOUNT as SMS Admins, and the installer will grant this local group full WMI rights on the N1E namespace. This enables all Configuration Manager administrators to send wake-ups using WakeUp extensions and also make changes in the WakeUp Server console.

However, if SMS Admins is specified, the WakeUp Server installer adds this local group to the Distributed COM Users local group. Nesting of local groups is not technically supported, and SMS Admins can be safely left or removed. The SMS Admins group is created and configured with remote WMI and DCOM rights during the installation of the Configuration Manager Site role SMS Provider, therefore there is no requirement for it or its members to also be members of the Distributed COM Users local group.

By default, the Distributed COM Users local group has COM Security that allows local and remote access, launch and activation.  If the default rights have been modified, it may be necessary to manually configure DCOM security using dcomcnfg.exe to grant remote access, launch and activation rights to WMIACCOUNT and other WakeUp Server administrator accounts.