
Enterprise Agent Push Requirements

Created by: Shawn Jenkins
Created date:
Last Updated date:

Introduction

This article lists the requirements that the Examiner and the target Node must meet to successfully push the Enterprise Agent from Enterprise, Lab, FTK, or eDiscovery.

Requirements

AD Enterprise/Lab/FTK Examiner:

  • Verify the Agent and Modules paths under Tools > Configure Agent Push (see this)
  • Verify the Certificate paths in Enterprise Configuration
  • Verify the Agent certificates have not expired
  • Confirm user has the 'Push new agent' permission in AccessData Management Server (ADMS)
  • Verify the Examiner machine can ping the target node
  • Verify the Windows account credentials specified when pushing the Agent have full Administrator permissions to the target Node (verify this by attempting to browse to \\<TargetNode>\admin$)
  • Ensure the Examiner machine is on the same domain as the target Node
  • Verify you are specifying the target by machine name or IP, not UNC path

eDiscovery Examiner:

  • Verify the Site Server is online via the Site Server Console
  • Verify the Agent and Modules folders have been created in the Site Server Results Directory
  • Verify the Certificate paths in Site Server Configuration
  • Verify the Agent certificates have not expired
  • Verify the target node IP is included in the "Manage Subnet Address" CIDR blocks in Site Server Configuration
  • Verify the Site Server machine can ping the target node
  • Verify the Windows account credentials specified under Agent Credentials have full Administrator permissions to the target Node (verify this by attempting to browse to \\<TargetNode>\admin$)
  • Verify you are specifying the target by machine name or IP, not UNC path

Target Node:

  • Verify the target doesn't already have an existing Agent installed
  • Verify TCP ports 135, 445, and 3999 are open (also open UDP 137 if using machine name instead of IP and 54555 if using Agent periodic check-in with eDiscovery)
  • Verify SSL traffic is allowed over port 3999
  • Verify WMI communication is allowed
  • Disable remote UAC to enable the admin$ share
  • Disable Antivirus/malware scanning software on target Node
  • Disable "Simple File Sharing" on the target Node
  • Verify the Windows %TEMP% and/or %TMP% locations are not full on the target Node
  • Delete any old copies of "AccessData Agent.msi" sitting in the target's %TEMP% and/or %TMP% locations
  • Verify the Agent can be installed manually on the target Node
  • If the target is running whole disk encryption, you may need to set the Agent to use folder storage instead of protected storage
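
Several of the checks above (target format, ping, TCP 135 and 445, admin$ access, WMI, certificate expiry) can be scripted and run from the Examiner or Site Server machine before a push. The PowerShell below is an added example, not AccessData tooling; the parameter names `$Target`, `$CertPath` and `$Credential` are assumptions, and `$CertPath` is expected to point at a certificate file that .NET can load.

```powershell
# Added example: pre-flight checks before an Agent push (run on the Examiner or Site Server).
# $Target, $CertPath and $Credential are assumed parameter names, not part of the product.
param(
    [Parameter(Mandatory)] [string] $Target,   # machine name or IP of the target Node
    [string] $CertPath,                         # assumed: path to the Agent certificate file
    [pscredential] $Credential                  # Windows account that will be used for the push
)
$r = [ordered]@{}

# The target must be given as a machine name or IP, not a UNC path
$r['Target is not a UNC path'] = -not $Target.StartsWith('\\')
$r['Ping'] = Test-Connection -ComputerName $Target -Count 2 -Quiet

# TCP ports used during the push. 3999 is not probed here: a TCP connect
# test only succeeds when something is already listening on the port.
foreach ($port in 135, 445) {
    $t = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $r["TCP $port"] = $t.TcpTestSucceeded
}

# admin$ must be reachable with the push credentials (blocked when remote UAC is enabled)
try {
    $d = @{ Name = 'PushChk'; PSProvider = 'FileSystem'; Root = "\\$Target\admin$"; ErrorAction = 'Stop' }
    if ($Credential) { $d.Credential = $Credential }
    New-PSDrive @d | Out-Null
    Remove-PSDrive -Name PushChk
    $r['admin$ share'] = $true
} catch { $r['admin$ share'] = $false }

# WMI over DCOM (the CIM cmdlets default to WinRM, so DCOM is requested explicitly)
try {
    $c = @{ ComputerName = $Target; SessionOption = (New-CimSessionOption -Protocol Dcom); ErrorAction = 'Stop' }
    if ($Credential) { $c.Credential = $Credential }
    $s = New-CimSession @c
    $r['WMI (DCOM)'] = [bool](Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop)
    Remove-CimSession $s
} catch { $r['WMI (DCOM)'] = $false }

# Agent certificate must not have expired
if ($CertPath) {
    $full = (Resolve-Path $CertPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    $r["Certificate not expired (NotAfter $($cert.NotAfter.ToString('yyyy-MM-dd')))"] = $cert.NotAfter -gt (Get-Date)
}

# One row per check; any False points at the requirement to fix first
$r.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } }
```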

 

Notes

Port Usage
135 - Windows Messenger Service, used by WMI during Agent push
137 - Windows Naming Service, used to resolve machine names
445 - SMB File Sharing, used by WMI during Agent push
3999 - Agent communication port
54555 - Agent check-in port (eDiscovery Only)

If you are unable to secure the necessary port, protocol, or credential requirements, you may find it preferable to either manually install the agent or have your IT department deploy it as an SCCM package.
