A few months back we acquired a new product that is going to change the way you manage your IT infrastructure.  For years SolarWinds customers have asked for a mobile solution for monitoring and managing your infrastructure, something better than our attempt at a 'mobile view.'  Given the line of work you're in, how much time and heartache could you have saved if you had just been able to resolve a certain issue from your Android phone or iPad?  How many times have you upset your wife or disappointed your kiddos because you had to promptly leave dinner or the t-ball game to reset a password for an executive who had somehow managed to lock himself out of his laptop?  Those days are now a thing of the past; hello Mobile AdminMobile Admin does so much, there's simply no way I could cover its benefits in a single blog post (it supports over 40 IT management and monitoring tools, and you can find a complete list of features here).  Instead I'll briefly discuss some of the more common use cases it supports, as well as a brief overview of the architecture and how it works.  Let's start with SolarWinds NPM (clearly my selection is objective and free of any bias).


For those of you who don't spend the majority of your day staring at the Orion web console waiting for lights to turn red, you probably rely pretty heavily on alerts.  An issue occurs, you're alerted on it via the rules you've configured, you log into the Orion web console to see what the issue is, then you try to fix it or escalate to the group that can.  Now you can do all of that on your smart phone or tablet from anywhere using Mobile Admin.  I can hear the sighs of disbelief already, but I promise you, it's true, and I'll show you how.



From this screen you can drill down on things like Active Alerts, or Nodes With Problems.  Let's look at the alerts...



From here you can drill down to the details of the alert and the node that generated it...



This view will give you all of the information you're accustomed to seeing on a Node Details view in the Orion web console.  So far Mobile Admin has told us there is a problem on a managed node in Orion, now what?  Mobile Admin actually gives you a number of tools at your disposal to troubleshoot and even correct the problem, all from your mobile device.  You simply open the node in Mobile Admin which will scan the node through a number of different APIs and expose certain troubleshooting features based on the results of the scan.



Here you can see a sample of the tools available.  For this particular problem you may need to run a batch file or execute a script from the command prompt, both of which are possible on your mobile device through Mobile Admin.


So, how does it work?  Mobile Admin functions through a client/server architecture.  The client runs on your mobile device (e.g. iPhone, iPad, Android phones and tablets, Blackberry), and it talks to a Mobile Admin server that typically sits behind your firewall along with the rest of your IT infrastructure.  You simply add the components of your infrastructure you want to monitor or manage as a 'service' in Mobile Admin, all of which can be done from the mobile client once you've got the Mobile Admin server up and running.  Resetting passwords in Active Directory, bouncing virtual machines connected to a vCenter, and moving Exchange mailboxes are all possible through Mobile Admin.  All of the mobile clients are free; you can download the server here and evaluate it for free for 14 days.


In the next blog post I'll cover how to reset passwords through Active Directory.  Until then, download Mobile Admin and check it out for yourselves (you may need it over the long Labor Day weekend)!  Also, enter a chance to win a $250 iTunes gift card by taking our survey here.

Get our latest free tool - hot off the press.

Get the cloud monitoring you need! The Easiest Way to Monitor Servers in the Cloud! • Real-time cloud performance monitoring • Installs in seconds • Troubleshoot cloud-based problems quickly and easily Simple and Smart Cloud Monitoring

While the cloud has simplified the ways you can manage your network, it’s also created new challenges that can leave you feeling in need of a little help. SolarWinds offers the perfect sidekick to help you manage your cloud-based servers. With our Cloud Performance Monitor Powered by CopperEgg, you can troubleshoot cloud-based performance problems quickly and easily by taking advantage of real-time alerting on server, OS, system, and process issues. See a video.

Using Cloud Performance Monitor, you get constant monitoring over server, system, OS and process health for your servers running in the cloud. With that info you can keep your cloud-based servers up and running and your customers happy!

Sign up for it here.

You told us that you were involved in Cisco (or non Cisco) ACL management and needed help.

Check-out all these requests that you posted on thwack, for a better management of Cisco (and non-Cisco) ACL's.

ACL Management


Has anyone integrated the Athena  FirePAC into your Orion NCM?  Need some advice

ACL hits in NPM for Cisco ASA

Re: Cisco ACL Manager







Help has arrived, it's a new product in the SolarWinds portfolio, it's called FSM: Firewall Security Manager.

Here is a more detailed blog post about FSM.


If you have ever banged your head against the wall, after staring at pages of ACL statements, trying to predict what your firewall or router will do, or understand why this traffic does not go through... or actuall does goes through... this product should amaze you.


Let us know of your thoughts

What is Firewall Security Manager (FSM)?


FSM is a new product, now part of the SolarWinds portfolio, which can perform analysis and reporting around security rules that are in your firewall and router configurations.

Even though the product is called “Firewall Security Manager”, it is also very much applicable to the security rules of your routers.

So think of “Firewall” as the function and not the device.

FSM has tremendous value, not only to perform firewall - the device - config analysis, but also does a great job looking at your router’s firewalling features such as ACLs and NATs…


FSM supports the following devices:

• Cisco Security Appliances: PIX, ASA, FWSM, ASA 8.3

• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series

• Juniper firewalls: Netscreen, SSG, ISG

• Check PointTM products: SmartCenter NG/NGX, Security Management R70

• Check PointTM platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris


The product can be run standalone, or integrated with SolarWinds Network Configuration Manager (NCM). More on this integration here.

It’s worth mentioning that FSM is a feature rich product, and this blog post covers only the main features of the product.

But before we look at those, let’s talk first about whether it’s for you.


FAQs: Who is Firewall Security Manager (FSM) designed for?

If you are more or less involved in firewalling, FSM is for you, but here is more detail, depending on what situations fits you best:

  • I already own NCM, so why do I need FSM?
  • Firewalling and security really are not my forte, how can FSM help?
  • Security is my bag already, what does FSM buy me?


I already own NCM, so why do I need FSM?

  • You spend time around security statements in your configs, and you find them very hard to read, making them difficult to understand and risky to modify.
  • Security statements in your configs have a long history and/or are modified by several people.

As a result, they are convoluted, redundant and sometimes possibly conflicting.
You need to clean and simplify them, without impacting the traffic.

  • You need security reports to advise you on the current security level of your configs and advise you on how to improve, above and beyond the compliance checks of NCM.
  • NCM is great for helping you roll-out an ACL or NAT change, but does not understand the effect that this change will have on the traffic.
    In addition, the traffic on an end-to-end path is impacted by the combined effect of multiple firewalls and routers, and you need a tool that helps predicting the impact that one or more combined changes can have, from an end-to-end point of view.


Firewalling and security really are not my forte, how can FSM help?

  • You need expert advice on firewalls and routers security so you don’t have to spend time becoming proficient in standards such as NSA, NIST, SANS or PCI or creating firewall compliance checks completely from scratch.
  • You need a safe environment to experiment your changes, try several scenarios, and predict their end-to-end effect BEFORE pushing them live.
    When you are satisfied with the predicted behavior, you want assistance in implementing these changes, and be able to roll back easily in case of problem.


Security is my bag already, what does FSM buy me?

  • Even though you are proficient in this area, security is a complex domain and you’d like a tool that could help double check you work before your deploy to production.
  • Auditors and/or security meetings require frequent reports on your current security levels and creating these report manually is an arduous task you’d love to automate.
  • Your network is complex and you find it difficult to predict the effect of a change in firewall security rules, from an end-to-end perspective.
  • User requests are driving you to make frequent changes to your security objects and you need a simple but effective change management process, allowing your users to request changes via a simple Web interface, which you can then review, implement, test and deploy.


Under the hood: What can Firewall Security Manager (FSM) do?

ACL editor that improves readability

Most of the time, before you do anything, you need to deal with already existing security rules.

A lot of security rules.

So readability is the first thing FSM will help you with.

With FSM, your visibility will upgrade from this type of view (basically text file):

ACL editor raw view.PNG  to this ACL editor Firewall Security Manager view.PNG

Notice the different tabs, which give you clear visibility on your ACLs (Security Rules), NAT Rules, Network Objects…

And if you are still emotionally attached to the long, disorganized and sometimes messy blocs of text in your configs, no worries, they are still there in the Native Configs tab:


ACL editor raw view in FSM tab.PNG

For more, take a look at the on line demo or, as always with SolarWinds product you can download a free evaluation copy here.


Ok, this is cool, but what about the “expertise”, that was discussed at the beginning?

Read the sections below.

Access Control List Cleanup


Let’s take a “simple” example to illustrate how FSM can help in this area:

ACL cleanup raw configuration.PNG

Unless you are doing this 8h per day, it might not jump at you that there are redundant and therefore useless rules in this extract of a PIX firewall config.

Before your head hurts, let’s see below what the FSM Cleanup report advises you to do.

ACL cleanup report extract.PNG

Line 106 is identified as redundant to preceding rule 93, which allows FTP access from all addresses.

Clearly rule 93 will match any packet that rule 106 might match, and so rule 106 never gets triggered.

Consequently it does not contribute to the behavior of the firewall and can be removed.


Was too easy? Let’s take a closer look at line 83 and its interaction with lines 80 and 81.

ACL cleanup report extract shadowed rule.PNG
Are you noticing something? FSM does!
FSM’s Cleanup report tells you that 83 is shadowed by 80 and 81.

Rule 83 is allowing a group of mail services.

It is identified as shadowed by the combination of the two preceding rules 80 and 81.  These two rules will match anything that rule 83 might match and therefore rule 83 does not contribute to the behavior of the firewall and is a candidate for being removed.

This seems like a redundancy case, but rule 83 is actually marked as a "shadowed" rather than "redundant" and this means that the permit action at rule 83 conflicts with the deny actions of rules 80 and 81.

This indicates that there be some intention on the part of the firewall administrator that is not being carried out here.

It turns out that rules 80 and 81 were inserted for a debugging purpose and that purpose is now long past.

The correct action here will be to remove rules 80 and 81, thus restoring the “deny” at rule 83.


Configuration Security Audit

Now that your configurations are cleaned-up and optimized, are they safe? Are there security holes in them?

This is what the FSM Audit report will tell you.

Security Audit reporting.PNG

For example, check C31 indicates that mail services were allowed from the Internet to the internal network.

Since the mail server is on the DMZ, it is disturbing to see mail services allowed into the internal network.

Click Details to understand more about what rules create the C31 security risk.

Security Audit reporting details.PNG

To find out even more about why the combination of these security and transaltion rules create the risk, you can click the rule numbers and understand the full detail, and more importantly, teh recommendation.


Change Management

FSM has many features in this category and it would be too long to describe them all here, so let’s just briefly describe a few:

  • Configuration Diffs highlights all changes in subsequent versions of your configs (FSM keeps the history)
  • Change Advisor has a web interface that allows your network users to submit config change requests. These requests can then be reviewed by network engineers/firewall administrators, implemented, tested before they go live and then, be pushed in production.
  • You even have a Change Modeling environment, that makes copies of your configs in a special context called a “session”, which you can use to prototype any number of changes, without touching your master versions of the configs (those that currently run in the devices).


But let’s focus a bit more on one of the most spectacular change management features of FSM: Packet Tracer!

There are 2 main use cases for packet tracer:

  • You are making a change in your security rules, and you want to be sure that you are not inadvertently breaking connectivity between 2 points of your network.
    Have your configs reviewed by FSM, and get a prediction of whether or not your config changes will do something wrong, before they go in production.
  • Somebody comes to you and asks for help figuring-out why a portion of your network can’t exchange some type of traffic with another area.
    Have FSM look at the end-to-end path between these 2 sites and tell you what happens.


Now that you understand the use cases: here is the only input you need to give Packet Tracer before it can do its magic:

ACL change management virtual packet tracer input.PNG

The result is an assessment of a) whether or not the packets will cross the network between the 2 specified addresses and b) if not: it will tell you why and where they are blocked.

Basically FSM’s Packet Tracer understands how security & translation rules, as well as routing tables and VPNs interact with your packets, and predict connectivity (or lack of).


And it does this, without injecting test packets on the network or sniffing the network.



  • Less config mistakes.
    Ever heard the statistic that 80% of network faults were not HW issues but config changes not properly controlled and understood? Here is a product that will help you in this regards…
  • Faster troubleshooting.




Hopefully you got the point: FSM is a very feature rich product and brings you tons of expertise in the firewalling area (firewall and routers).

It has many other features that we’ll discuss in future blog posts.

In the meantime, you can download a free eval of FSM here, and see by yourself!


Like always with SolarWinds products, it installs super-fast and provides value in less than 1 hour.


NCM integration


If you have read the above, it should be obvious that FSM is a very natural extension of SolarWinds Network Configuration Manager (NCM).

The good news is: they are already integrated (NCM v7.1 recommended)!

  • FSM can get device configurations directly from NCM’s database. No need to duplicate those configs in 2 separate products.
  • FSM can execute changes (e.g. cleanup scripts) on devices via NCM’s scripting feature. You maintain your device credentials in only one product and not 2.


Install both and you really have a best of breed platform to rely on, as far as managing your firewall and router configurations!


Once installed, it takes just a few clicks, before you can get tremendous value from FSM.


Want to try now?


Download the FSM evaluation copy here, you can do all this in less than 30 minutes.


Once the FSM client is started, click on this icon

FSM import button.PNG

Then select the NCM import option, give the NCM URL and admin credential, select your NCM nodes from the list below (don't select those that have type=unknown, and prefer those that have ACLs in their configs)


FSM integration with NCM.PNG


Hit Finish and you will see your FSM Inventory tab (left panel) populated with your firewall and router devices.

Their configs are now in FSM, you are ready to start.

The best way to see what the product can do is eirther to explore or look at the Online demo.


Note that in terms of adjacencies with other SolarWinds products, FSM is also very close to LEM, the Log and Event Manager, so you might be interested in taking a look at LEM too!




Here are the main FSM resources: Online demo, home page, evaluation download, thwack area, prices, HW&SW requirements, FAQs


Release Candidates are fully supported early releases of our products and can be installed in production environments. If you own NCM covered by current maintenance, you can download the installation packages from customer portal. Should you have any questions or comments, do not hesitate to reply to this post or send me e-mail directly.


Better Scalability and Performance

  • One of the most important enhancements this release contains is support for additional polling engines (APE). By deploying APEs one NCM installation can typically handle about 30,000 devices. If you already have APEs for other SolarWinds products (e.g. NPM), you can leverage them for NCM, too.
  • Not only scalability but also performance has been improved in this version; especially customers with large installations should notice better performance of inventory and Web UI. Example: if you click on a drill-down chart on the NCM Summary page, you can see that the details are now organized in a table that supports paging, which performs well with long lists of devices:
    NCM Backed up vs. Non-backed up devices


Improved Database Maintenance

Database purge and cleanup activities have been improved to avoid performance degradation over time, due to clogging of the database and disk directories with downloaded configurations.


NCM Settings in Web UI

We have made some progress with migrating funcionality from Win32 to Web UI. For example, the Settings page is now accessible through Web, which is another step in eliminating the need for NCM users to have access to the NCM server, i.e. better support for corporate user policies:

NCM Settings

Configuration Download and Upload for MikroTik, Alaxala, and Apresia

All of these devices are now supported natively. Alaxala and Apresia are especially popular in Japanese market.

SolarWinds NCM Support for MikroTik Alaxala Apresia

New Juniper Inventory Report

With this report it is much easier to inventory your Juniper devices:

NCM Juniper Report

In order to make the report work, be sure that it is enabled in the Node Inventory Settings:

NCM Enable Juniper Inventory

Wizard for Real Time Change Detection

This feature is now easier to configure as there is a small wizard available in NCM settings:
NCM Real Time Change Detection Wizard

Config Change Templates Enhancements for ACL Manipulation

The scripting language of Config Change Templates has been extended with a few string manipulation functions. These enhancements are particularly useful for IP address manipulation in access control lists:
NCM Config Change Template Enhancements

Patch Manager now patches Windows Server 2012 and Windows 8 systems.


Today, August 24, 2012, Microsoft posted an update for WSUS, KB2734608, that enhances WSUS (when installed on Windows Server 2003/2008/2008R2) to provide the ability to patch Windows 8 and Windows Server 2012 systems. With this update, it is no longer necessary to deploy a WSUS-on-Win2012 server to patch Windows 8 or Windows Server 2012 systems.


About The Update

After applying KB2734608 to your WSUS server, you will be able to use Patch Manager to deploy Microsoft and third-party updates to Windows 8 and Windows Server 2012 client systems. In addition, all of the previous fixes from KB2720211 are included, particularly the new Windows Update Agent v7.6.7600.256 and the update to create 2048-bit publishing certificates. If you have not yet installed KB2720211, there is no need to install that older update, you can simply install KB2734608.


Installing The Update

Like KB2720211, there are special considerations for installing this update to your WSUS server, and a review of the Microsoft KB article and a full system backup are highly encouraged prior to installing this update. Be sure to install KB2734608 to any Patch Manager servers, as you will also need to update all instances of the WSUS Administration Console, as well.


Post-Installation Considerations

Finally, as with KB2720211, be sure to create a new WSUS Publishing Certificate and distribute to your client systems before installing KB2661254, which is available now via the Microsoft Download Center, and will be distributed to WSUS in October, 2012. For more information about the WSUS Publishing Certificate requirements, please see

·         Update Patch Manager and WSUS before you apply Microsoft KB2661254

·         3rd Party Updates with WSUS & Local Publishing


How To Get the Update

The KB2734608 update is not currently available for deployment using WSUS, so you will need to download it from the Microsoft Download Center. [x86] [x64]


For more information on WSUS updates, administrative tips and patch management best practices, check out PatchZone.org

For more information about Patch Manager, please visit the Patch Manager page on the SolarWinds website.

Please join us for a webinar later today covering how you can fix almost any IT problem with the device you always have in your hand.


In this 60 minute webcast we will cover:

• How Mobile Admin can save you time and improve on-the-job flexibility.
• How to manage over 40 key IT technologies including SolarWinds Orion, Exchange, Active Directory, Windows Server, and more from your mobile device.
• Get details about how simple it is to deploy Mobile Admin across the company for all end-user devices:    iPhone, Android, iPad, Blackberry.
• Learn about Mobile Admin’s sophisticated security features.
• Ask questions about your specific requirements!


Register here:

Tuesday August 21 11:00am – 12:00pm CDT

I look forward to seeing you there!


We are nearing the Release Candidate stage of Toolset 10.9, so I wanted to share with folks some of the things we have done in this release, but also solicit customers who have Engineers Toolset with active maintenance for their help in testing out some new things we added.

Our Roots

Toolset is how SolarWinds started and over the years, we have added more and more tools to where we now have over 50 tools engineers can use in troubleshooting issues.  While this is great, unless I know exactly what I need and where it is, sometimes finding the right tool to troubleshoot a problem can be difficult. 

Launch Pad – the Next Generation

With this in mind we have expanded on a concept we introduced a while back called the Launch Pad, but this one is on steroids.  Some things you will notice right off the bat are a Google-like search to help guide you in finding the right tool to solve the problem you are currently working.

Second is organization.  As you see on the left hand side with the folders, these are customizable and you can even create your own folders and organize which tools are in them in a way that makes sense to you and how you work.

This leads me to the third and one of my favorite things about the new Launch Pad - the ability to import other tools.  Ex. If you own DameWare MRC or use PuTTY or any other tool outside of toolset, you can import or link them to the Launch Pad, which includes entering a description (which is then exposed to the search described above) and adding them to the folders. 

The new Launch Pad should be your one stop shop for all your tools based troubleshooting needs, whether the tool comes from SolarWinds, is Open Source, or you purchased from another vendor.


Toolset 10.9.png


But wait, there’s more…..

For many years, many of the older tools only worked with Cisco. Which back in the late 90’s made sense, but this is a different world today.  With this being said, we have expanded device support for many of our tools to other Cisco OS’s but also Juniper, which was the most highly requested vendor.  Going forward we plan to add more based on your demand.

Great, how can I try this out?

This is where my request for assistance comes in.  As we approach our release candidate phase, we would love feedback on the new  Launch Pad, but also those of you out there who have Juniper or Cisco Nexus gear, we would love to have you participate in the RC and give us feedback and ensure the broadest support against all the various OS versions and models these vendors offer.  While we have a nice lab, we cannot own every device Juniper releases as much as I would love to have them all. Below is a list of the tools by vendor we added support for.

Juniper Support (JunOS)

  • Interface Monitors
  • CPU monitoring
  • Memory Monitoring
  • Router CPU Load
  • Advanced CPU Load
  • Netflow Realtime
  • Switch Port Mapper
  • IP Network Browser
  • Neighbor Map


Nexus Support

  • Interface Monitors
  • CPU Monitors
  • Memory Monitors
  • Router CPU Load
  • Advanced CPU Load

These are many of the main things coming in Toolset 10.9 besides bug fixes.  If you are a customer on active maintenance and are interested in installing the RC when we release it, please let me know by signing up here.

Please join us for a webinar later today covering some useful tips and tricks for remote support using DameWare 8.0.  This webinar will offer you a demonstration of the two new features in Version 8.0 – CHAT and SCREENSHOT – as well as a series of small “how-to” demos that will cover the following:


  • Troubleshooting without logging in to user’s computer
  • Viewing event logs remotely
  • Starting the command line for quick fixes
  • Restarting services or reboot from your own desk
  • Exporting software inventory and easily check versions


Thursday August 16 11:00am – 12:00pm CDT

Register here: Remote Support Tips & Tricks with DameWare Version 8.0


I look forward to seeing you there!



Patch Manager Architecture – Deploying Application & Management Role Servers


This is part two of a two part article discussing scenarios for implementing additional Patch Manager servers. In part one of this article I described some of the common scenarios for using additional Patch Manager Automation Role servers that may be beneficial to your environment. In this part I will discuss scenarios for using additional Application Role and Management Role servers.

Again, I would like to emphasize the fact that because Patch Manager is licensed by the number of managed nodes in your organization, there are no additional Patch Manager licensing costs associated with implementing additional Patch Manager servers.


As previously discussed, the Application Role is the component of Patch Manager that interfaces with the console user. The Management Role is the component of Patch Manager that stores inventory data and oversees the delegation of task execution events to the Automation Role servers. . A Management Role server hosts a Management Group, which is defined by one or more of one of the following: a workgroup, an Active Directory domain, a WSUS server.


Why implement additional Application Role servers?

Implementing additional Application Role servers is done to provide redundancy or additional load capacity for console connections, or to create isolated sandboxes in which a console user manages an environment. An Application Role server has its own credentials, user profiles, and security roles.


Why implement additional Management Role servers?

Implementing additional Management Role servers is done to physically segregate the Patch Manager data into multiple data stores. Multiple data stores might be appropriate where segments of an organization have data sensitivity or confidentiality concerns about their managed systems, or where reporting is typically done at a more granular level, perhaps by department or site.


Scenario 1: Using an Application Role server to manage console connections

A scenario where multiple application servers would be appropriate is when managing a large number of Patch Manager console users, or where high-availability requirements exist. In a High Availability (HA) scenario, there would be three Application Role servers implemented:

  • The primary server (PAS) is not used for console connections, but only as a control system for the Patch Manager environment. It should be backed up regularly.
  • At least two Secondary Application Role servers (SAS) would be implemented. These servers primarily handle console connections and task management. Consoles can be split across the servers for rudimentary load balancing and individual console users would connect to the alternate server if their home server was offline, or the servers can be designated as an active/standby pair, and the consoles would only connect to the standby server if the active server is offline and immediate access is required.


This HA scenario can scale to as many Application Role servers as are required. Theoretically, each console user could have their own dedicated Application Role server installed on their personal systems.


Scenario 2: Using a Management Role server to segregate patch and asset data

One use for an additional Management Role server is to physically segregate the patch data collected from the WSUS server from the asset inventory data collected from the Managed Computer Inventory (WMI) task. This might be done for performance reasons, providing better report generation from smaller databases, or because an organization has a large dataset and does not want to invest in a licensed instance of SQL Server.


For some environments, the 10GB database size limitation of SQL Server 2008 R2 Express Edition may not be sufficient for both WSUS (patch) data and WMI (inventory) data. The primary Patch Manager server can be used to hold the data for the WSUS inventory, and a second Management Role server can be configured with a management group just for managing domain and asset inventory data collected via WMI. This implementation would look something like this:


Because the data is physically segregated, this significantly reduces the size of the database that must be accessed for generating reports. Patch management reports come from the database server containing patch data, and asset management reports come from the database server containing asset inventory data. The smaller datasets will result in faster rendering of reports.


Finally, security controls can also be applied in this scenario, so users who should only have access to patch data, can be physically and logically isolated from the asset inventory data, or vice versa, and users who need access to both can still have full access.


Scenario 3: Using an Application and Management Role server in a testing lab

One scenario in which an additional Application and Management Role server might be implemented is for an installation of Patch Manager in a testing lab. Many organizations test patches before deployment in a lab setting. Configuring an additional Patch Manager server in the lab allows that environment to be completely isolated from the production environment.


In this particular lab scenario, we are able to implement a second Management Role server, as our lab environment operates in a subdomain of the primary domain. We will define a separate Management Group for this subdomain and the WSUS server in our lab, so that we can physically isolate any inventory data we might choose to collect, as well as manage all task execution completely within the lab environment.


This scenario might also apply to a special business unit that has confidentiality considerations, or even to a perimeter network (DMZ), where communication into the primary network is not possible and all management resources must also be on the DMZ.


Deploying additional Application Role servers or Management Role servers can provide enhancements to your Patch Manager infrastructure in the areas of redundancy, load-balancing, data distribution, and improved report performance.


For more information about Patch Manager Automation Role servers, and advanced deployment scenarios, please see the Patch Manager Deployment Guide. For general product information, please visit the Patch Manager page on the SolarWinds website.

Troubleshooting and monitoring your VoIP calls has never been easier!


Today is a big day for all who were waiting for a solution that will resolve VoIP quality and connection troubleshooting problems in their business. SolarWinds has just released VoIP & Network Quality Manager 4.0! This product is an evolution of SolarWinds IPSLA Manager and it adds support for real VoIP calls troubleshooting and monitoring.


If you are an existing IP SLA Manager customer under active maintenance, you can enjoy all of the new features of VNQM for no additional cost (you just need to update your license key within your customer portal. For those that would like to try out VNQM, you can download a free fully functional 30-day evaulation version. You should start your download now and in the meantime let’s take a closer look to all new features that it brings.

Those who were watching our “What we are working on” probably know what the new features are but for the others here is a list of the new functionality:

  • VoIP calls troubleshooting based on CDR and CMR data.
  • Multi-criteria filtering/searching and sorting based on Call Details Record (CDR) and Call Management Records (CMR) data e.g. “show me calls with the same reason code, same extension pattern, same time frame, same geography or termination reason code”.
  • Automatic association of real VoIP calls with IPSLA operations in order to provide details about the call path and participating network hardware devices.
  • Added support for Cisco Call Manager version 7.x and 8.x
  • Better support for creating TCP operations in firewalled environment. This is mainly related to the case where you are trying to set up an IP SLA operation between an internal router and external device where traffic is going through a firewall.

How to troubleshoot my VoIP?


You don’t need to waste your time and collect CDR data manually from your call managers or even use non-intuitive and complicated vendor software in order to figure out where your problem is. VNQM 4.0 does everything for you! It’s a matter of few clicks to understand who was impacted by poor call quality connection or what switch or router causes problems.

See how easy it is with VoIP & Network Quality Manager:

Step #1 – Spend your time watching VoIP only when necessary!


SummaryPage.pngAs an IT admin/VoIP Engineer you are so busy all the day so why spend your time watching for something that is not a problem?

VNQM brings VoIP summary pages and real-time CDR based alerts in order to notify you if something bad is happening within your VoIP network.


Step #2 – Find exactly what are you looking for!


Even if you have access to CDR/CMR data, it’s not easy to get information that would help you with a call troubleshooting. Those who have tried to do this know what I’m talking about. CDR files contain so much data and it may you take hours to find some clue that will help you. Even worse, CDR files don’t contain information about Region (location) so how do you know what sites facing troubles with calls? Does it means you need to spend hours checking logs, call managers and CDR files – especially in case when your boss says: “Fix it now!”?


Well if you are using VoIP & Network quality and Manager, then NO! VNQM 4.0 provides a comprehensive VoIP search solution. You can not only search by phone extension, IP address or call time but you can also search the calls by the region they are coming out from, or going to! This is extremely useful to find a right pattern and quickly figure out what happened, when it happened, and who is impacted by this issue.


In order to help you troubleshoot even more efficiently, we have pre-defined set of “Call Termination Causes” and “Redirect Reasons” so you don’t need to check Cisco admin guides to understand numeric codes!

You can do a search for failed calls or for calls just with a call quality issue (MOS, latency, jitter or Packet Loss).

The results of your search are displayed immediately below your search condition so no there is no “back & forth” effect when you are tracking VoIP calls issues.

Step #3 – Fix what needs to be fixed!


No “try & wait” approach! Just fix what needs to be fixed. After when you found your problematic call or pattern simply go to the call detail page and see what happened:


Using this page you will quickly see why the call failed, what CDR qualities metrics were or what call manager was involved when connecting the call. You can also see the call signaling flow and see all participants of a particular call and see call topology (normal call, conference call, etc.).

Now here is the great part. How do you see a call path? Easily, just create an IPSLA path operation that will be automatically displayed as part of call detail page depending on origin/destination regions. Regions are defined on call managers and VNQM offers you to pair your IPSLA capable device with CCM Region. IPSLA path operations can show you network devices that were involved in the communication between call origin and destination. It shows you network quality metrics like round trip time or latency also.


Now you can drill into more details about hardware device performance, availability and quality data as well as understand if this is device that causing VoIP issues.


As you can see, finding the switch or router that “produces choppy voice” was never easier! Now it’s just a question of a few minutes to check out this device and configure it properly. Or you can use NPM to get more details about such device.

And by the way, unlike its previous version (IP SLA Manager), VoIP & Network Quality Manager can run either integrated to NPM or standalone.

Once you identify network element you may use NCM to change CBQoS policies and prioritize traffic or you may use NTA and see Netflow data to block traffic that consumes too much bandwidth. Or you can just modify your routing tables and dedicate just one and best path for your site to site connection.


Step #4 – Let technology work for you!


OK, so now when you have fixed all the problems, how do you prevent them from happening again?

Let’s utilize Cisco IPSLA technology and your Cisco IOS devices to produce VoIP traffic and continuously monitor your sites. This will help you to see potential problems before users start complaining. You can use VNQM alerting to send emails or SMS when you have problems.



Stay tuned for more

As always, WE ARE LISTENING! And I can tell you that our DEV, QA and Designers teams are already working on next most wanted and useful features of VNQM based on the RC feedback we got from our community.

You can always share your ideas on our Thwack forum or even better – create an idea/feature request on our Ideation site. Also, you can talk to me directly!


You may find the “What do you need to know about call manager” blog post useful for an even faster setup of VNQM. This article contains additional technical information about Call Managers and their configurations.


Your VoIP & Network Quality Manager download should be finished so go ahead and install it. Installation will be finished in a few minutes.




We are currently working on Virtualization Manager 5.1 and beyond.  Some of the items we hope to deliver:

  •   Expanded support for Hyper-V, including support for Hyper-V v3
  •   Support for VMware 5.1
  •   Enhanced support for VDI infrastructures
  •   Simplified configuration for Hyper-V


PLEASE NOTE: We are working on these items based on this priority order, but this is NOT a commitment that all of these enhancements will make the next release.  We are working on a number of other smaller features in parallel.   If you have comments or questions on any of these items (e.g. how would it work?) or would like to be included in a preview demo, please let us know!


If you don't see what you are looking for here, you can always add your idea(s) and vote on features in our The specified item was not found. forum.

The wait is finally over. SolarWinds Server & Application Monitor 5.2 Release Candidate is now available to all existing SAM customers under active maintenance. Simply sign up here to get your hands on the bits.


In my previous blog posts I covered several major new features included as part the SAM 5.2 release. These features include native support for monitoring Microsoft® Hyper-V from Orion's Virtualization tab alongside existing VMware® assets. In the same blog, I also covered the new Application Template Editor. This new editor is not only much faster and easier to use, it also features multi-edit for mass component monitor configuration changes. Later, I posted another tease that highlighted the new chart resources, which now include warning and critical thresholds as well as a new trend line to provide context to the information being collected and displayed. Lastly, I touched on the new Event Log Message Details resource. This new resource enhances the existing Windows Event Log Monitor by providing the full detail of the matching Windows Event Log Messages within the Component Details view, as well as allowing this information to be included as part of an alert..


Microsoft Hyper-V Host DetailsMulti-Edit Template EditorNew Chart ResourcesEvent Log Message Details
Hyper-V Host.pngTemplate Editor.pngSAM 5.2 New Charts.pngWindows Event Log Details.png

Now some might say these features alone more than constitute a respectable release, but there's still plenty more cool new features jam packed into the SAM 5.2 RC.


Hardware Health Summary Resource

Hardware Health Overview.png

The SAM 5.0 release introduced server hardware health monitoring for Dell PowerEdge, HP Proliant, and IBM X-Series servers. But one thing that was missing in that release was a simple way of rolling all that information up into a single, easy to digest view. In SAM 5.2 we sought to rectify that issue by including a new Hardware Health Overview resource that can be found on the Summary Home view. At a glance, this new resource allows you to see any server hardware issues and quickly drill down to see precisely what the issue is. This is remarkably similar to how you currently use the Application Health Overview resource.


In this release we also included numerous improvements to server hardware health monitoring. The most notable improvement is the increased support for additional hardware components; specifically, IBM's MegaRAID Controllers, and Dell PERC Array Controller batteries. We also made improvements to our HP Power Supply and Memory Module monitoring for newer Proliant servers.


LSI MegaRAID.png


Real Time Process Explorer Enhancements

The Real-Time Process Explorer (RTPE), also introduced in SAM 5.0, provides the ability for Systems Administrators to get a real time perspective on how server resources are being utilized and quickly isolate rogue processes.


We took feedback from numerous customers during our usability studies, then incorporated these features into the SAM 5.2 release. These features include two new optional fields of information that can be displayed in the RTPE which display the username and command line arguments for all running process.


By including the Username with other pertinent information displayed in the RTPE window, administrators of multi-user systems such as Citrix® and Terminal Services can easily identify, not only the application consuming excessive resources, but also the user who's running that application.


With the inclusion of the processes command line arguments administrators can for example, quickly isolate which of multiple instances of Apache's httpd, or Java is leaking memory, or has become a runaway process.


There's still plenty of other new features I haven't yet touched on, but I welcome and encourage all existing APM/SAM customers under active maintenance to sign up now to download the SAM 5.2 Release Candidate. Please note that release candidates are fully supported and can be used in your production environment.



SAM Level 1 Customer Training

During this 60 minute training session we’ll cover:  

  • The basics of application and server monitoring
  • Templates, monitored applications and applying monitoring technologies
  • Detailed hardware monitoring and real time process monitoring
  • Optimizing SAM features

    This session is most beneficial to new users of SolarWinds SAM


Release Candidates are fully supported early releases of our products and can be installed in production environments. If you own UDT, you can download the installation packages from customer portal. Should you have any questions or comments, do not hesitate to reply to this post or send me e-mail directly.


One of the most important improvements this release contains is support for connection information in controller-based wireless networks where "thin" access points (AP) are deployed. Thin APs have been preferred in larger environments where many APs must be deployed and network logic thus can be concentrated in fewer devices (controllers). This is a big difference to UDT 2.0 where only "thick" access points can be polled for information.The new wireless capabilities are illustrated below.


Other major improvement of this release relates to back end performance.The database schema has been optimized, which means e.g. separate tables for current and historical data are used. This optimization resulted in e.g. faster searching and faster rendering of certain resources (in the endpoint details page, for example). These performance improvements should be noticed especially by customers with large-scale networks storing a lot of historical data.

Note: When upgrading from previous versions, the performance of UDT will probably be lower for some time after the upgrade. This is caused by data migration to the new database schema. The progress is indicated in the notification banner on the Orion website.


Wireless Support Overview


  1. New resources -- Top 10 Access Points by Current # of Endpoints and Top 10 SSIDs by Current # of Endpoints. The Device Watch List resource is also WiFi-enabled.
  2. Endpoint Details page -- visual indication of the fact that the enpoint is connected to wireless.
  3. Access Point Details page -- which endpoints are connected and what SSIDs are being broadcast
  4. SSID Details page -- what access points this SSID is being broadcast on, which endpoints are connected

Patch Manager has some very rich capabilities for scalability that are quite often not utilized. In part one of this article I’m going to describe some of the common scenarios for using additional Patch Manager Automation Role servers that may be beneficial to your environment. In part two I will discuss scenarios for using additional Application Role and Management Role servers.


As a starting point I would like to emphasize the fact that because Patch Manager is licensed by managed nodes, there are no additional Patch Manager licensing costs associated with implementing additional Patch Manager servers.


Let’s do a quick overview of the three roles that exist in a Patch Manager environment. The Automation Role is the component of Patch Manager that initiates communications sessions and manages the task execution on a specific target system. The Application Role is the component of Patch Manager that interfaces with the console user. The Management Role is the component of Patch Manager that stores inventory data and oversees the delegation of task execution events to the Automation Role servers. A Management Role server hosts a Management Group, which is defined by one or more of the following: a workgroup, an Active Directory domain, a WSUS server.


When the initial Patch Manager server is installed, all three roles are installed automatically and they share an instance of SQL Server. A simple block diagram of the relationship between the various components of a Patch Manager server looks like this:



Let’s start with the most common additional server scenario – adding an extra Automation Role server. Automation Role servers are used to initiate the RPC/WMI connections to a managed system, so more Automation Role servers means more clients can be targeted in a task simultaneously, and Automation Role servers closer to the client means RPC/WMI does not have to be transported across WAN connections. Also note that each additional instance of a Patch Manager server (regardless of the roles selected for installation) requires its own instance of SQL Server.


Scenario 1: Using an Automation Role server to manage a dedicated target

We’re going to look at two scenarios involving additional Automation Role servers. The first scenario is deploying an Automation Role server to manage a specific device. One typical scenario is managing the primary Patch Manager server. There are certain types of actions that a Patch Manager server cannot perform on itself – most notably, being able to do a pre-installation reboot in an Update Management task. A second Automation Role server can be used to manage all tasks performed TO the server hosting Patch Manager.



Generally speaking, an Automation Role server would be a dedicated system, but in this particular scenario because this Automation Role server has a very light-duty, special purpose intent (managing only one system), it’s also possible to install this Automation Role on a desktop machine – perhaps the desktop where you’ve installed your Patch Manager console – or even on the WSUS server.


Automation Server Routing Rules

Patch Manager uses a feature called Automation Server Routing Rules to help manage the distribution of tasks to the appropriate Automation Role server. In the absence of any rules, each Automation Role server is a member of a single pool, and tasks are assigned to an Automation Role server based on resource availability on those servers. Generally, however, an Automation Role server is deployed for one or more specific reasons, and an Automation Server Routing Rule allows for the enforcement of that reason.


Creating Automation Server Routing Rules for Scenario 1

In our first scenario, we would create a rule that says “For any task targeted to the Patch Manager server, execute it on the secondary Automation Role server, but if that server is offline, then execute it on the primary server.


Automation Server Routing Rules are created from the tab of that name, on the management group node of the console where the rules should be applied. In most implementations this will be the Managed Enterprise node of the console.


The Automation Server Routing Rule for our first scenario, where we are managing a single machine, would be configured like this:


In this example, our secondary Automation Role server, named TR-AUTO, is configured to handle all tasks for, and only tasks for, the primary Patch Manager server, named TR-EP. If TR-AUTO is unable to handle the task, TR-EP will attempt to run the task itself.



To create this rule we perform three steps:

  1. Define an Automation Server Routing Rule – Computer Rule for TR-EP.
  2. Assign TR-AUTO as the Automation Server to handle those tasks.
  3. Uncheck the Absolute Rule to allow any other Automation Role server to execute the task; since the primary server is the only other Patch Manager server, it will get the task.


Scenario 2: Using additional Automation Role servers for load-sharing

A second scenario for additional Automation Role servers is to offload work from the primary server. You would do this if the primary server is unable to complete tasks in the desired time interval because number of managed systems in the local network is exceeding the capacity of the primary server. This diagram shows a second Automation Role server configured in a pool with the primary server to provide additional capacity.




You would also do this if you have geographically distributed systems, and do not want to maintain RPC/WMI sessions across your Wide Area Network (WAN), or the capacity of the primary server is not sufficient to manage local systems and remote systems.





You can also build pools of Automation Role servers for very large networks, or to have redundancy.


Creating Automation Server Routing Rules for Scenario 2

In our second scenario, we might typically manage that distribution by IP subnet with a rule that says, “For any task targeted to IP Subnet, execute it on the Automation Role server that is located in the subnet, but if that server is offline, don’t perform the task.”


If we deploy multiple Automation Role servers in a subnet, we can explicitly list those individual Automation Role servers and build a sub-pool to handle those tasks by building a rule that says “For any task targeted to IP Subnet, execute it on any of these Automation Role servers that are located in the subnet, but if all of those servers are offline, don’t perform the task.” This allows us to guarantee that tasks are only initiated from local servers, and not across the WAN.


The Automation Server Routing Rule for our second example, and assuming the subnet has multiple Automation Role servers, would be configured like this:


In this example, our additional Automation Role servers, named TR-AUTO and TR-APP, are configured to handle any tasks for any system in the subnet, and if both servers are unavailable, then the task will fail to execute.


To create this rule we perform four steps:

  1. Define an Automation Server Routing Rule – Subnet Rule for
  2. Assign TR-AUTO as an Automation Role server to handle those tasks.
  3. Add TR-APP as an additional Automation Role server to handle those tasks.
  4. Check the Absolute Rule to prevent any other Automation Role server from executing that task.


Automation Role servers can be deployed in a myriad of ways to manage where data communications are initiated from, to provide scalable resources to manage more clients or reduce the time it takes to complete a task. Automation Server Routing Rules can be defined to manage tasks for individual computers or IP subnets, as we’ve seen here, but can also be defined for Active Directory domains, organizational units, or workgroups, as well as an individual WSUS server (for only WSUS Administration tasks) or a Configuration Manager Site Server (for retrieval of Configuration Manager client data).


For more information about Patch Manager Automation Role servers, and advanced deployment scenarios, please see the Patch Manager Deployment Guide. For general product information, please visit the Patch Manager page on the SolarWinds website.

Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.