Endpoint Central Architecture

 

ManageEngine's Endpoint Central is a web-based application for desktop administration and management. This application enables administrators to manage computers effectively, from a central point. It comprises features like Software Deployment, Patch Management, Service-pack Installation, Asset Management, OS Deployment, Remote Control, Configurations, System Tools, Active Directory Reports and User Logon Reports.

Architecture

This document on LAN architecture will explain the following,

Components

The LAN architecture of Endpoint Central comprises the following components:

  • Server
  • Agent
  • Patch Database
  • Web Console
  • Active Directory
  • Third-party notification services

This section includes detailed information about the components of the Endpoint Central architecture. Refer to Figure 1: LAN Architecture of Endpoint Central.

Server

The Endpoint Central server is located in the customer's site. For example, the customer's head office. This server enables the completion of various desktop-management tasks to help administrators manage computers in the company's network effectively. Some of the tasks include the following:

  • Installing the agent in computers in the customer's network
  • Deploying configurations
  • Scanning for inventory and patches
  • Generating reports. For example, reports related to Active Directory infrastructure components

It is recommended to not switch off the Endpoint Central Server at all. It should be switched on constantly to complete various desktop-management tasks on a daily basis. All the desktop-management tasks can be completed using product console.

Endpoint Central LAN Architecture

Figure 1: LAN Architecture of Endpoint Central

Agent

The Endpoint Central agent is a lightweight software application that is installed in computers which are managed using Endpoint Central. It is installed automatically in the computers in a LAN. It helps to complete various tasks that are initiated in the Endpoint Central server. For example, if you want to uninstall a software application from a computer in your network, you can make the required settings for this task in the Endpoint Central server. The agent replicates these settings and ensures that the task is completed effectively.

The agent also updates the Endpoint Central server with the status of configurations that are deployed. It checks the Endpoint Central server periodically for instructions related to tasks and completes the same. The agent contacts the server when the following actions take place:

User-specific Configurations

  • Users log on
  • 90-minute refresh interval

Computer-specific Configurations

  • Computers are started
  • 90-minute refresh interval

Patch Database

The patch database is a portal on the ManageEngine Web site. It hosts the latest vulnerability database that is published after patches have been tested. The Endpoint Central server synchronizes this information periodically and scans the computers in the network to determine which patches are missing. The patches that are missing are installed in the computers that are missing them.

The communication between the Endpoint Central server and the patch database takes place either through a proxy server or through a direct connection to the Internet. The required patches are downloaded from the respective vendors' Web sites and stored in the Endpoint Central server before deploying them to computers in the network. The agents copy the required patch binaries from the Endpoint Central server.

Web Console

The Web console of the product provides a central point from where an administrator can manage all the tasks that are related to desktop management. This console can be accessed from anywhere. For example, it can be accessed through a LAN, WAN and from home using the Internet or a VPN. Separate client installations are not required to access the Web console.

Active Directory

In an Active Directory-based domain setup, the Endpoint Central server gathers data from the Active Directory to generate the reports for the following:

  • Sites
  • Domains
  • Organizational Units (OUs)
  • Groups
  • Computers

This enables administrators to access all the information that is stored by the Active Directory.

Third-party notification services

Third-party notification services are platforms that provide notification and messaging capabilities on behalf of other applications or services. In the context of Endpoint Central, they serve as intermediaries between the server and the recipients (end users) when push notifications need to be sent out. The third-party notification services used by Endpoint Central are

  • Android - Firebase CLoud Messaging (FCM)
  • Windows - Windows Notification Service (WNS)
  • iOS - Apple Push Notification services (APNs)

Ports used by Endpoint Central

Note: The ports mentioned under 'Server' must be enabled at all times irrespective of your license edition. Refer the ports required for specific modules and enable them as per your requirement.

Note: Ports 135,139 and 445 should also be kept open and inbound on both agent and server (and distribution server, if applicable) for pushing agent installation.

Agent

Securing LAN agents and server communication 

To secure the LAN network managed by Endpoint Central follow the below recommendations:

  1. Enable secure Agent-Server communication by going to Admin tab --> Agent settings --> Enable Secured communication.
  2. For secure remote control connection, enable secure communication for web socket and file transfer port by going to Tools --> Remote Control --> Settings --> Port Settings --> Enable Use secure connection.