Endpoint Central Architecture

ManageEngine Endpoint Central is a Web-based application for desktop administration and management. It enables administrators to manage computers effectively from a central point, and comprises features such as Software Deployment, Patch Management, Service-pack Installation, Asset Management, Remote Control, Configurations, System Tools, Active Directory Reports and User Logon Reports.

Endpoint Central supports managing computers in a distributed setup such as branch or remote offices (WAN), as well as mobile users, for example sales staff who are constantly on the move.

Architecture

This document describes the WAN architecture of Endpoint Central: its components, the ports it uses, its advantages, and how to secure communication between WAN agents and the server.

Figure 1: WAN Architecture of Endpoint Central

Components

The WAN architecture of Endpoint Central comprises the following components:

  • Server
  • Distribution Server
  • Agent
  • Web Console
  • Third-party notification service

This section includes detailed information about the components of the Endpoint Central architecture. Refer to Figure 1: WAN Architecture of Endpoint Central.

Server

The Endpoint Central Server is installed in your LAN (say, the head office) and is configured as an edge device: the designated port (8020 by default; configurable) must be reachable from the Internet, because agents at all remote locations report to this server. Since that port is exposed, apply the necessary security standards to harden the OS on which the Endpoint Central Server is installed.

The Server stores the configuration details and, on request, provides instructions to the agents. Keep the Endpoint Central server running at all times so that day-to-day desktop management activities can be carried out.

Distribution Server

The Endpoint Central Distribution Server is lightweight software installed on one computer in a branch office. It communicates with the Endpoint Central Server to pull the information for all the computers in that branch; the agents on the branch-office computers then contact the Distribution Server to fetch what is available to them and process the requests.

  • Low bandwidth utilization, since only the Distribution Server contacts the Server periodically
  • Pulls the configuration details, software packages, patches to be installed, etc., from the Endpoint Central Server and makes them available to the rest of the computers in the branch
  • Supports a secured mode of communication (SSL/HTTPS) with the Server
  • Installation is a one-time task; subsequent upgrades are performed automatically

Agent

The Endpoint Central agent is a lightweight software application installed on the computers that are managed using Endpoint Central. It carries out the tasks that are initiated from the Endpoint Central server. For example, to change the wallpaper on the computers in a branch office, you make the required settings for this task on the Endpoint Central server; the agent applies these settings and ensures that the task is completed.

Agents can be installed either manually or through a logon script on all branch-office computers managed by Endpoint Central. Installation is a one-time task; agent upgrades are performed automatically. Endpoint Central offers two options for managing computers across a WAN, and the choice depends on the number of computers at the remote office:

  • Distribution server and WAN agents: recommended if you are managing more than 10 computers in a remote office.
  • WAN agents only: recommended if you are managing fewer than 10 computers in a remote office.

Web Console

The Web console of Endpoint Central provides a central point from which an administrator can manage all desktop management tasks. The console can be accessed from anywhere the server is reachable: over the LAN, over the WAN, or from home through the Internet or a VPN. No separate client installation is required to access the Web console.

Third-party notification service

Third-party notification services are platforms that provide notification and messaging capabilities on behalf of other applications or services. In the context of Endpoint Central, they act as intermediaries between the server and the recipients (end users) when push notifications need to be sent. The third-party notification services used by Endpoint Central are:

  • Android - Firebase Cloud Messaging (FCM)
  • Windows - Windows Push Notification Services (WNS)
  • iOS - Apple Push Notification service (APNs)

Ports used by Endpoint Central

Note: The ports listed under 'Server' must be open at all times, irrespective of your license edition. Refer to the ports required for specific modules and open them as your deployment requires.

Note: Ports 135, 139 and 445 (the RPC endpoint mapper, NetBIOS session service and SMB) must also be open inbound on both agent and server (and on the distribution server, if applicable) for pushing agent installation. They are needed only while agents are being pushed, so limit inbound access on them to the server and distribution server addresses rather than leaving them open to the whole WAN.

Advantages

The advantages of using the WAN architecture of Endpoint Central include the following:

  • Affordable, simple and quick solution for desktop management requirements
  • Utilizes low bandwidth
  • Enables network-neutral desktop management
  • Utilizes the same infrastructure for VPN connections. No separate VPN infrastructure is required
  • Secures communication between the server and agents once HTTPS is enabled for the remote office
  • Manages computers centrally using a single Web console

Securing WAN agents and server communication

To secure the WAN network managed by Endpoint Central, follow these recommendations:

  1. Enable secured communication between roaming agents (WAN agents) and the server when creating a remote office: Admin -> Scope of Management -> Remote Offices -> Add/Modify Remote Office -> Communication Details -> Enable Secured Communications (HTTPS).
  2. For secure remote control sessions, enable secure communication for the web socket and file transfer ports: Tools -> Remote Control -> Settings -> Port Settings -> Enable Use secure connection.
  3. Secure communication of mobile/roaming users using Secure Gateway. Refer to this document for more details.
  4. Configure the same FQDN for LAN and WAN agents to minimize bandwidth consumption. Refer to this document for more details.
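After enabling HTTPS for a remote office, confirm from that office that the FQDN and port the agents are configured with actually negotiate TLS with a certificate the agents will trust. The probe below is an added example, not ManageEngine's code, and it also covers the reachability checks for the ports discussed earlier: it classifies a host:port as unreachable, filtered (timeout), plaintext, TLS with an untrusted certificate, or TLS with a verified certificate. Hostnames, port numbers, state names and function names are assumptions chosen for illustration; the local plaintext server and unused port are constructed stand-ins so that the script runs offline.

```python
"""Probe an Endpoint Central server (or distribution server) port from a remote
office and report whether it is reachable and actually negotiates TLS.

Added example, not ManageEngine code.  Hostnames, ports, state names and the
helper names below are assumptions chosen for illustration.
"""
import socket
import ssl
import threading
from typing import Dict, Optional


def probe_endpoint(host: str, port: int, timeout: float = 5.0,
                   cafile: Optional[str] = None) -> Dict[str, str]:
    """Classify host:port as one of:
      unreachable   - TCP connect refused, or the name does not resolve
      timeout       - no answer within `timeout` seconds (filtered or hung)
      plaintext     - TCP answers, but the peer does not speak TLS
      tls_untrusted - TLS handshake completes, but chain or hostname does not verify
      tls           - TLS handshake completes and the certificate verifies
    """
    result = {"host": host, "port": str(port), "state": "", "detail": ""}
    # The default context verifies the chain against the system (or given) CA
    # store and checks the hostname, so a spoofed server is reported, not trusted.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["state"] = "timeout"
        return result
    except OSError as exc:  # ConnectionRefusedError, gaierror, ...
        result["state"] = "unreachable"
        result["detail"] = str(exc)
        return result
    try:
        # wrap_socket performs the TLS handshake immediately on a connected socket
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            result["state"] = "tls"
            result["detail"] = "%s CN=%s notAfter=%s" % (
                tls.version(), subject.get("commonName", "?"), cert.get("notAfter", "?"))
    except ssl.SSLCertVerificationError as exc:
        result["state"] = "tls_untrusted"
        result["detail"] = exc.verify_message
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER: the peer answered the ClientHello with plain HTTP
        result["state"] = "plaintext"
        result["detail"] = str(exc.reason or exc)
    except socket.timeout:
        result["state"] = "timeout"
    except OSError as exc:
        # peer reset the connection mid-handshake: it is not speaking TLS either
        result["state"] = "plaintext"
        result["detail"] = str(exc)
    finally:
        raw.close()
    return result


def _answer_in_plaintext(listener: socket.socket) -> None:
    """Constructed stand-in for a server whose HTTPS option is still disabled:
    it reads the ClientHello as if it were an HTTP request and rejects it."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n")
    listener.close()


def start_plaintext_server() -> int:
    """Start the constructed plaintext server on an ephemeral local port; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_answer_in_plaintext, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def unused_local_port() -> int:
    """Pick a port nothing is listening on, to show the 'unreachable' outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Replace these with the FQDN and port set under Remote Office ->
    # Communication Details; both targets below are local stand-ins.
    for target in [("127.0.0.1", start_plaintext_server()),
                   ("127.0.0.1", unused_local_port())]:
        print(probe_endpoint(*target, timeout=3.0))
```

Run it from a machine in the remote office against the server FQDN and the configured port; a result of plaintext means the agents there would still talk HTTP, tls_untrusted means the certificate presented will not validate on the agents (check the chain or pass the internal CA bundle via cafile), and timeout usually means a firewall between the office and the server is dropping the port.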