Guide to successful Network Glue deployment
Follow the checklists below (as required) to configure your network so that you receive optimal results from the Network Glue Collector scan.
1.0 Configuration Checklists
1.1 SNMP Requirements
You will need to activate and configure SNMP on your network devices and add the respective SNMP community strings to Network Glue during the Network Glue Collector setup. This is necessary for the Collector to gather the most information possible about your devices and for the hierarchy of your network to be represented correctly. Configure the devices on your network that support SNMP v1 or v2c as follows:
- Ensure SNMP is activated on the network devices to be assessed by the Network Glue Collector.
- Set the device’s SNMP community strings so that they provide “read-only” access at minimum.
- Test your SNMP-enabled device’s read access, including basic device profile information such as system name, system description, or system uptime.
NOTE Many third-party tools that you can use for testing are available from vendor websites. One example is snmpwalk, and a sample snmpwalk command is: snmpwalk -v1 -c public 10.10.1.50. For more information about the use of snmpwalk with specific SNMP-enabled network devices, please contact the manufacturer of the device.
You must complete SNMP configuration based on the hardware you have on your network. Below is a list of instructions for the most common network solutions used by our partners:
- Meraki
- Cisco
- HP
- Fortinet
- SonicWall
- Sophos
- Datto Networking
- Dell
- Ubiquiti (navigate to Settings > Services > SNMP)
- TP-Link (navigate to http://tplinkwifi.net > Advanced > System Tools > SNMP Settings)
Tip! Enabling SNMP can prove a useful troubleshooting method. In the Network Glue device matching page, the SNMP column shows whether SNMP is enabled or disabled for each network device. As you work towards a solution, toggle the various SNMP settings and check if your changes were successful.
NOTE Network Glue uses a vendor-agnostic method, relying on standard OIDs to collect SNMP data. As a result, SNMP collection will only work if a manufacturer makes the data available on the standard OIDs that we use. If some manufacturers of network devices do not make the required data available over SNMP, these devices may not be fully supported at this time.
1.2 Domain-Based Network Configuration Requirements
For a domain-based network, enable:
- Forward DNS lookup.
- Reverse DNS lookup.
- ICMP for all endpoints (ICMP is used to identify active computer endpoints and devices on the network).
1.3 Firewall Rules
- Check your firewall settings to ensure SNMP traffic is not blocked. If blocked, it will hinder the discovery of device names, MAC addresses, etc.
- Ping the device from the Network Glue Collector host machine and see if the device responds. If not, this can indicate its firewall is blocking access, or network ACLs may be preventing traffic.
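A preflight check for the requirements in 1.2 and 1.3, run from the Collector host before the first scan. This is an added example, not part of the Network Glue product or its documentation; the function name and the target addresses are constructed for illustration.

```powershell
# Constructed sample targets: replace with addresses from the range to be scanned.
$Targets = '10.10.1.50', '10.10.1.51'

function Test-ScanTarget {
    param([Parameter(Mandatory)][string]$IPAddress)   # IPv4 address assumed

    $ptrName      = $null
    $forwardMatch = $false
    try {
        # Reverse lookup: IP address -> host name (PTR record).
        $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -ErrorAction Stop |
            Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $ptrName = $ptr.NameHost

        # Forward lookup: the returned name should resolve back to the same address.
        if ($ptrName) {
            $a = Resolve-DnsName -Name $ptrName -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
            $forwardMatch = $a.IPAddress -contains $IPAddress
        }
    } catch {
        # Lookup failed: $ptrName / $forwardMatch keep their failure defaults.
    }

    [pscustomobject]@{
        IPAddress    = $IPAddress
        ReverseName  = $ptrName
        ForwardMatch = $forwardMatch
        # No reply can mean a host firewall or a network ACL is dropping ICMP (see 1.3).
        IcmpReply    = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet
    }
}

$Targets | ForEach-Object { Test-ScanTarget -IPAddress $_ } | Format-Table -AutoSize
```

A row with a ReverseName but ForwardMatch set to False points to a stale PTR or A record, which can cause a device to be shown under the wrong name.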
1.4 Windows Domain Network Environments
Complete this checklist based on one of these three scenarios:
- If AD is enabled but AD GPO is not configured, then you need to configure WMI, ICMP, and remote registry for each endpoint.
- If AD is enabled and AD GPO is configured, then you need to configure WMI, ICMP, and remote registry one time.
- If AD is not enabled and AD GPO is not possible, then you need to configure WMI, ICMP, and remote registry for every device.
Configure your network’s domain controller, computer endpoints, and network user access rights as follows:
1.4.1 GPO (Group Policy Object) configuration for Windows Firewall (inbound rules)
- Allow WMI (Windows Management Instrumentation) service to operate through Windows Firewall. This includes the following rules:
  - Windows Management Instrumentation (ASync-In).
  - Windows Management Instrumentation (WMI-In).
  - Windows Management Instrumentation (DCOM-In). Please note that the Active Directory user utilized in the Network Glue Collector setup needs access privileges to use Windows DCOM.
- Allow remote registry to operate through Windows Firewall on the computer endpoint.
- Allow ICMP (Internet Control Message Protocol) to operate through Windows Firewall on the computer endpoint. ICMP requests are used to detect active computers on the network for scanning purposes.
1.4.2 GPO configuration for Windows services
- For WMI, set the startup type to “Automatic”.
- For remote registry, set the startup type to “Automatic”.
- For remote procedure call, set the startup type to “Automatic”.
1.4.3 Computer endpoint port availability
- Ensure that ports 135 and 445 are available for use with WMI and remote registry.
1.4.4 Third-party computer endpoint firewalls
- Ensure that third-party firewalls are disabled or configured similarly to Windows Firewall installed on computer endpoints as per this checklist.
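To confirm that an endpoint actually received the settings in 1.4.1 through 1.4.3, the following added example (not part of the Network Glue product or its documentation) audits the local machine from an elevated PowerShell session. It assumes the English rule display names listed in 1.4.1 and the standard service names Winmgmt, RemoteRegistry and RpcSs; New-Finding is a helper defined here.

```powershell
# Firewall rule display names as listed in 1.4.1 (assumed not localized).
$wmiRules = @(
    'Windows Management Instrumentation (ASync-In)'
    'Windows Management Instrumentation (WMI-In)'
    'Windows Management Instrumentation (DCOM-In)'
)
# Assumed service names: Winmgmt = WMI, RemoteRegistry, RpcSs = Remote Procedure Call.
$services = 'Winmgmt', 'RemoteRegistry', 'RpcSs'
$ports    = 135, 445

function New-Finding($Check, $Item, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Actual = $Actual; Pass = $Pass }
}

$findings = @()

# 1.4.1: ActiveStore is the effective policy, so rules delivered by GPO are included.
foreach ($name in $wmiRules) {
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' })
    $profiles = ($rules.Profile | Sort-Object -Unique) -join ','
    $actual   = if ($rules) { "enabled ($profiles)" } else { 'not enabled' }
    $findings += New-Finding 'Firewall' $name $actual ($rules.Count -gt 0)
}

# 1.4.2: startup type must be Automatic for all three services.
foreach ($svc in Get-Service -Name $services -ErrorAction SilentlyContinue) {
    $findings += New-Finding 'Service' $svc.Name "$($svc.StartType)/$($svc.Status)" ($svc.StartType -eq 'Automatic')
}

# 1.4.3: ports 135 and 445 must have a local listener.
foreach ($p in $ports) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
    $actual    = if ($listening) { 'listening' } else { 'not listening' }
    $findings += New-Finding 'Port' "TCP $p" $actual $listening
}

$findings | Format-Table -AutoSize
```

The profile list in the Actual column matters on domain-joined endpoints: a rule enabled only for the Private or Public profile does not apply while the machine is on the domain network.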
2.0 Installation Checklists
2.1 Network Glue Collector
- Install the Collector on a device that is within the IP ranges that you want to scan to ensure it can discover all possible devices.
- Install the Collector on a server, rather than a workstation. If the Collector is installed on a workstation, the discovery process may stop running if the workstation is turned off or sent to sleep.
- If the Collector is installed on a virtual machine, change the virtual machine network settings (i.e. NAT mode) to bridge mode, ensuring that the Collector is on the same subnet as the range being scanned.
NOTE Network Glue scans the IP ranges of all available devices. If there are more than 600 devices in the range specified, an error message will be displayed and your network diagram will not load. If you have more than 600 devices on your network, you can install additional collectors per subnet to identify all of your devices. Network Glue allows you to install an unlimited number of collectors.
NOTE The Collector run log can be found at the following location on the server where the Collector is installed: "C:\Program Files (x86)\Network Glue\Collector\bin\log". It may be helpful for troubleshooting.
2.2 Multiple Subnets
- Install the Network Glue Collector on each subnet where possible to discover all the devices within each subnet.
NOTE While the Collector can scan multiple subnets, the level of detail in the information collected may vary.