Environment
Change Guardian for Windows 2.0 SP1
Change Guardian for Windows 2.0 SP2
Security Manager 6.5
Security Manager 6.5 SP1
Situation
Resolution
In order to resolve this issue, please follow these steps:
- Open the Configuration Wizard from the Control Center Console
- Launch the Change Guardian for Windows configuration
- Go to the Configure Change Guardian for Windows Filters
- Remove the Filter(s) that are using computer restrictions for the SM Computer Rule groups containing the DMZ Agents
- Close the CGW Wizard and apply the changes now
- Remove the SM Computer Rule group containing the DMZ agents from the Development Console
- Force the Configuration Changes
- Perform a Scan all managed Agents
- Wait for the Unmanaged DMZ Agent(s) to get a 21240 Windows Event
- Verify that the DMZ SM Agents are no longer members of the deleted Computer Rule Group
- Verify that the Local Registry on the DMZ SM agents does NOT contain the Deleted CGW Filter
- Create a New SM Computer Rule Group
- Add the new SM Computer Rule Group to the Change Guardian Processing Rule Group
- Manually include the Unmanaged SM DMZ Agent(s)
- Apply the new SM Computer Rule Group to all of the Change Guardian for Windows Processing Rule Group and Sub Groups
- Force the Configuration change from the Dev Console
- Do a Managed Agent Scan
- Wait for the Agents to get a 21240 Windows Event as well as populate the new computer rule group
- Re-Create the Filter Group in the CGW Configuration Wizard
- Apply the changes now
- Force the changes from the Dev Console
- Scan All Managed Agents
- Wait for the Agents to get the 21240 Windows Event
- Now the filter rules should be working.
Cause
CGW mainly uses Active Directory resources to connect to SM Agents (managed or unmanaged). Because of this, CGW cannot add or search for workgroup machines directly.
The first time SM Agents are added into an SM Computer Group which is then added to the CGW configuration (for any reason), CGW can recognize that some of the SM Agents are workgroup member machines. CGW then looks for them as workgroup machines. After the initial configuration, CGW sometimes assumes the SM Agents are part of a domain. When CGW sees the SM Agents as domain members, CGW can't locate them. This will occur even if the agents are added to the SM computer group.
Additional Information
If the 21240 event does not come through after a short period of time (15 - 30 mins), the SM Agent service on the SM DMZ Agent(s) might need to be restarted.