
SAM 6.2 Beta - Because sometimes you feel like a nut - Part 1

Product Manager

There's been quite a bit of chatter recently surrounding the hotly anticipated release of Network Performance Monitor v11, featuring the entirely new Quality of Experience (QoE) dashboard. At the center of what makes all of this amazing QoE information possible are Packet Analysis Sensors, which can be deployed either to the servers running the business critical applications themselves, or to a dedicated machine connected to a SPAN port which collects the same information completely out-of-band for multiple servers simultaneously. For all intents and purposes, these Packet Analysis Sensors could be considered specialized agents, solely dedicated to the purpose of collecting packet data from the network. But what if these "agents" could be used to monitor other aspects of the servers they were installed on, or leveraged to address many of the complicating factors and limitations associated with agentless monitoring? These were precisely the kind of questions we asked ourselves as we were developing the Packet Analysis Sensors for NPM.


What are these "complicating factors" you might ask? It depends on your environment's architecture. It's quite possible you have numerous uses for an agent today that you're not even aware of yet. Either due to network design obstacles or security requirements and concerns, there are many organizations that have had to make compromises regarding what they monitor, how, and to what extent. This has left blind spots on the network, where some servers or applications simply cannot be monitored to the full extent desired, or not at all in some cases. With the soon-to-be-released beta of Server & Application Monitor (SAM) 6.2, we take Orion into a brave new world without compromise.



So what exactly are some of the challenges many of us face when attempting to monitor our server infrastructure and the applications that reside upon them? 


You can't get there from here

Agent Initiated Communication.png

This is a typical colloquialism you might hear when visiting the great state of Maine, but it has been commonly adopted by the IT community to refer to situations where there's no route between two network segments. In most cases this is because one or both networks are behind a NAT device such as a firewall, and there's simply no way to get to the private address space behind the NAT without creating port forwarders, 1:1 address translations, or establishing a site-to-site VPN between the two networks.

With the new Agent included in SAM 6.2, these problems are a thing of the past. This new agent supports two different modes of operation. In the scenario on the left, the Agent is functioning in "Agent initiated mode", which means all communications are initiated from the server where the agent is installed. No direct route from the Orion server or additional poller to the monitored host is required. No port forwarding needs to be configured at the remote site, nor do you need a pool of public routable IP addresses at each remote site for 1:1 address translation to each device you wish to monitor behind the NAT.

With the agent installed on the remote Windows host, you can perform essentially all of the same node and application monitoring that you normally would for agentless hosts within your network, across what would otherwise be disconnected networks.

You want me to open what?

Agent Server Initiated.png

Such is the reaction you're likely to receive when you ask the network/firewall admin what ports you need opened to monitor the servers located in the DMZ. As I discussed in one of my early blog posts, "Portocalypse - WMI Demystified", the port range WMI uses for agentless communication can be enormous. While this range can be significantly reduced, it does require either manual registry modifications or creation of a custom group policy. A reboot of each server that has its WMI port range modified is also required before the changes will take effect. As if that weren't bad enough, WMI won't cross most NAT devices. If your internal network goes through a NAT to access the DMZ, you're very likely unable to utilize WMI for monitoring any Windows hosts in your DMZ.

To eliminate these issues, the new agent included in this SAM 6.2 beta allows you to operate the agent in a "Server Initiated" mode. In this mode the agent operates over a single port (TCP 17790) similar to "Agent Initiated" mode. The difference in "Server Initiated" mode is that TCP port 17790 is listening on the host where the agent is installed and the Orion server polls information in a similar fashion to SNMP or RPC, instead of having it pushed to the Orion server in "Agent Initiated" mode. Zero ports need to be opened inbound to the internal network from the DMZ, and all communication is done across a single NAT friendly port.
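A least-privilege firewall rule for the "Server Initiated" mode described above, as an added example that is not from the original post or from SolarWinds. It assumes Windows Server 2012 or later (the NetSecurity cmdlets); the poller address and rule name are placeholders.

```powershell
# Added example: run on the DMZ host where the agent listens (server-initiated mode).
# Assumption: $PollerAddress is a placeholder (TEST-NET-1 range); replace it with
# the address your Orion server or additional poller presents to this host after NAT.
$PollerAddress = '192.0.2.10'
$AgentPort     = 17790   # port the post names for server-initiated mode
$RuleName      = 'Orion agent server-initiated (poller only)'   # hypothetical name

# Create the scoped allow rule only if it is missing, so the script can be re-run.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $AgentPort -RemoteAddress $PollerAddress `
        -Profile Any | Out-Null
}

# Audit: list enabled inbound allow rules that expose the agent port to any source.
# Only exact-port and any-port rules are matched; port ranges are not parsed here.
$tooBroad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP' -or $port.Protocol -eq 'Any') -and
        ($port.LocalPort -contains "$AgentPort" -or $port.LocalPort -contains 'Any') -and
        ($addr.RemoteAddress -contains 'Any')
    }

if ($tooBroad) {
    Write-Warning "Rules that allow TCP $AgentPort from any source address:"
    $tooBroad | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output "TCP $AgentPort is reachable only through source-scoped rules."
}
```

The matching rule on the perimeter firewall is a single outbound permit from the poller to the DMZ host on TCP 17790; nothing inbound from the DMZ is needed in this mode.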

Peekaboo - I see you!

Whether it's the NSA, those willing to perform corporate espionage, or the black hat hacker who hangs out at your local Starbucks, it's important to keep prying eyes from peering into your organization's packets. While SNMPv3 has existed for quite a long time, all versions up to and including Windows 2012 R2 still rely upon the older and less secure SNMPv2, a protocol which provides no encryption or authentication. While Microsoft's WMI protocol addresses the authentication aspects that are sorely lacking in SNMPv2, encryption is a different matter altogether. While it's possible to force the use of encryption in the WMI protocol, this is not the default behavior and is seldom done. This requires modifications to WMI namespaces to force the use of encryption, a process that must be repeated on each host you wish to manage. Beyond that, your monitoring solution must also work with WMI encryption, something very few solutions on the market today support.


The Agent included in the SAM 6.2 beta has been designed from the ground up with security first and foremost on our mind. To that end, the agent utilizes FIPS compatible 2048 bit TLS encryption to ensure all communication between the Agent and the Orion Poller are fully encrypted and safe from would-be cybercriminals.

How slow can you go?

Not all protocols are created equal. WMI and RPC may be right at home on today's gigabit Ethernet networks, but that is because these protocols were designed almost two decades ago as LAN protocols. These protocols were never designed to traverse bandwidth-contentious WAN links, nor to function in high-latency environments or across the internet. Attempting to use either of these agentless protocols in these scenarios is very likely to result in frequent polling timeout issues. Roughly translated, this means you are completely blind to what's going on.

The Agent in SAM 6.2 eliminates the issues associated with these protocols by utilizing the standards-based HTTPS protocol, which is both bandwidth-efficient and latency-friendly. This means the agent could be used to monitor such extreme scenarios as servers running on a cruise ship or oil platform in the middle of the South Pacific from a datacenter in Illinois via a satellite internet link without issue, something that would be otherwise impossible using traditional agentless protocols such as WMI or RPC.

What does this mean for Agentless Monitoring in Orion?

There are still plenty more challenges this new Agent is aimed at addressing that I will cover in a follow-up post. In the meantime, however, you might be wondering what this means for the future of agentless monitoring capabilities that Orion was built upon.

Absolutely nothing! SolarWinds pioneered the industry in agentless monitoring, and remains 100% committed to our "agentless first" approach in everything that we do. SolarWinds will continue to push the boundaries of agentless technologies to the very limit of their capabilities and beyond. We will continue to lead the industry by being at the forefront of new agentless technologies as they emerge, now or at any time in the future.

Agent vs Agentless - The war rages on

The war between agent-based and agentless IT monitoring solutions has gone on as long as there have been things in the environment that needed to be monitored. Agentless monitoring solutions have always had the advantage of not requiring any additional software that needs to be deployed, managed, and maintained throughout the device's lifecycle. There is typically little concern over resource contention on the host being monitored because there is essentially zero footprint on the machine in an agentless configuration. Due to the nature of agentless monitoring solutions, they can be deployed and providing value within a couple of hours in most environments. Agent-based monitoring solutions typically require rigorous testing, as well as going through a tedious internal configuration change approval process before any agent software can be deployed into production. Agent deployment is commonly a manual process that requires running the installation locally on each server before it can be monitored. Then there are the security concerns associated with having any piece of software running on a server that could potentially be exploited by a hacker as a means of entry into the system.

If Agentless is so great why did SolarWinds build an Agent?

If the agent vs agentless war has taught us anything, it is that each approach has its own unique advantages and disadvantages. There is no single method that suits all scenarios best or equally. This is why we fundamentally believe that for full coverage, any monitoring solution you choose must provide excellent agentless monitoring capabilities, as well as provide an optional agent for those scenarios where agentless monitoring simply isn't feasible or prudent.

We here at SolarWinds believe that, given our agentless heritage, we are uniquely qualified to understand and address many of the problems that have plagued agent-based monitoring solutions of the past. It is our intent to make agent-based monitoring as simple and painless as agentless monitoring is today.

Ok, so what exactly does this agent monitor anyway?

The agent included in SAM 6.2 will be capable of monitoring virtually everything you can monitor today on a WMI managed node in SAM. This includes, but is not limited to, node status (up/down), response time, latency (all with no reliance on ICMP), CPU, Memory, Virtual Memory, Interfaces, Volumes, Hardware Health, Asset Inventory, Hyper-V virtualization, as well as application monitoring. This very same agent can also be utilized as a Packet Analysis Sensor for deep packet inspection if so desired and appropriately licensed. The agent is officially supported on the following Windows operating systems.

  • Windows 2008
  • Windows 2008 R2
  • Windows 2012
  • Windows 2012 R2

While the agent should also work on Windows 2003 and 2003 R2 hosts, these operating systems are not officially supported. Non-Windows based operating systems such as Linux/Unix are also not supported by the agent at this time. If you are at all interested in a Linux/Unix agent for SAM that provides monitoring of Linux/Unix systems and applications, you can vote for this idea here.

Sounds good, but how much is this going to cost me?

The agent software is essentially free. You remain bound by the limits of the license you own regardless of how you're polling that information, either via an agent or agentless. For example, if I own a SAM AL150 license, I can monitor 150 nodes, volumes, and components. This remains true if I'm monitoring those servers with an Agent installed or agentlessly.

Sign me up already

There's still plenty more agent stuff to talk about, including additional scenarios where the agent could be used to overcome common obstacles you might encounter with agentless monitoring. In my follow-up post I will discuss some of those as well as cover the various different agent deployment options and agent management, so stay tuned for more information.

If you're anything like me, you'd much rather try something out yourself than read about it. Fortunately for you this new Agent is included as part of the SAM 6.2 beta, which will be available soon. If you currently own Server & Application Monitor and it's under active maintenance, you can sign up here. You will then be notified via email when the SAM 6.2 beta is available for download.

41 Comments
Level 8

Would the SAM agent also allow for monitoring using PowerShell?

Product Manager

Yes, PowerShell could be executed locally on the server where the agent is installed without the need to configure WinRM for remote PowerShell execution.

Level 8

Excellent.  Thanks for the quick response. 

Level 9

Interested in the Cost section.

According to this blog, there is no limit on agents that could be installed on servers?

It will roll back to the license, so if one owns an unlimited license one should be able to deploy an unlimited amount of agents (In Theory) without additional licenses?

According to NPM v 11 though, one would have to purchase licenses for these agents?

So if one runs NPMv11 and SAM6.2 one would have unlimited server agents for Packet Analysis?

Would have also liked to see something from the "What we are working on" section called.

  • Application stack integration and visualization (E.g. visual mapping through the entire application stack to help identify root cause of performance and availability issues)

Product Manager

The agent could be installed on as many machines as you like, but to leverage any monitoring capabilities provided by the agent you must be licensed accordingly before those features will work. This is really no different than agentless monitoring in Orion. QoE is licensed separately from the agent, though uses the agent to gather its information. So while you may be licensed for say 10 QoE Packet Analysis Sensors, you could have 25 agents deployed. This means you would only be able to retrieve QoE data from 10 Packet Analysis Sensors. The other 15 agents deployed would simply be dormant agents or agents utilized for other monitoring capabilities such as node and application monitoring listed above.

If it helps to reduce confusion, no license keys need to be installed on the host where the agent is installed. Whether it's for node/application monitoring or QoE all licensing is centralized on the Orion server. Licenses are only consumed when you enable monitoring of a licensed feature of Orion. Simply having installed/deployed an agent does not consume any licenses.

Level 12

I am really looking forward to the 6.2 release. So thanks for sharing this info Alterego.

Here is an interesting question:

Can the agent be deployed with group policy and be used to discover Windows servers\workstations on a domain in place of using "Network Sonar Discovery" network scans? What I mean is, can we deploy the agent to our Windows servers instead of having to perform the network discovery? Or is network discovery still the way to find new servers and network interfaces for monitoring?

Level 12

I am happy to hear this that agents are based on our current licensing model ... I am very displeased with the QOE 1 free network and 1 free server especially since I am an unlimited license with NPM and NTA

Level 13

So if we do not own the additional server QOE licenses we would still be limited to monitoring 1 server for QOE...

Level 9

fitzy141

I Completely agree with you, we are in the same situation of owning both those licenses.

I feel QOE should have been part of the next release of NTA to be honest and also based on the existing license.

Level 12

Yea I am ok for paying for extra ones if I need them but the ones I do get free, the current license model should have been taken into consideration... NPM/NTA unlimited license should get a few more for free as I already pay a lot for those renewals and adding the extra pollers ..

Product Manager

NPM v11 includes 10 free Server Packet Analysis Sensors (SPAS) and one free Network Packet Analysis Sensor (NPAS), not one of each as you describe above.

Product Manager

As stated above, NPM v11 includes 10 Server Packet Analysis Sensors (SPAS) for free. Additional SPAS licenses must be licensed.

Product Manager

The agent can be deployed manually, through group policy, or virtually any other 3rd party deployment tool that supports MSI/MST package distribution. The agent can be deployed such that once it registers with the Orion server or additional poller it can automatically become a managed node in Orion. You will however still need to use "List Resources" or Network Sonar to select the individual items you'd like monitored on that particular host.

Level 13


I am assuming we will have the 10 free after 11 goes GA? I'm on RC and only have 1...


**Looks like NPM 11 has been released.

Level 12

I swear I was told that it would be 1 Network Free and 1 Server Free when the RC was released - I hope that changed since then

Level 13

Just updated to NPM 11


Level 9

In my case it doesn't really matter if they gave me 1 or 10 free, I have hundreds of application servers that I would have liked to use the QoE feature on. Since I just convinced management to switch to SolarWinds, I can't go back to them asking for even more money to enable a feature that should be included in our unlimited NPM license pack.

Level 12

Hey aLTeReGo, can someone explain the sensors and agents .. the ones for SAM and NPM I assume are somewhat the same ..

What do they write to, do they change any configurations especially the HTTP one ..

Level 17

Sensors install a packet-filter driver (WinPCAP) on the host system to analyze all traffic on a specified interface. The sensors themselves retain aggregated statistics in memory, and communicate via SWIS to the main poller (or assigned additional poller.) There should be no net config change to the host system outside of the filter driver. Here's a quick blog on deployment scenarios: NPM 11 - Packet Analysis Sensor Deployment Considerations
Deployment guide: http://www.solarwinds.com/documentation/Orion/docs/SolarWindsPacketAnalysisSensorDeploymentGuide.pdf

Level 14

So, hypothetically speaking, if one wanted to replicate all of the monitoring done by an NPM instance with the agent, would that be possible?  A client from a previous life would benefit greatly from being able to do agent and agentless monitoring on the same platform.  (They were an MSP and the lack of an agent meant significant challenges with VPN tunnels and NAT magic required)

Product Manager

The Agent monitors only the server that it is installed on. So yes the Agent is an excellent option for MSP's to monitor their customers applications and servers. For network devices in those scenarios the MSP is most typically interested in monitoring the internet facing router, which can normally be accomplished agentlessly via SNMP without worrying about NAT traversal or any crazy port forwarding.

Level 14

Sorry, that was what I was thinking in my head but didn't quite get out into that post.

Of course, that brings up another idea -- additional micro-pollers.  I know there is an issue with selling a primary polling engine that is less than 100 elements but it really kills the options for the SMB market to be monitored (servers, switches, etc.) by MSPs in that space.  A micro poller that functioned as an additional polling engine and could co-locate on an on-premise server would be an interesting option.

Just throwing that one out there.

Level 12

well I specified in my application settings ( web config ) for my site  a New relic setting to monitor solarwinds web  and when the agent got installed or the sensor it removed that setting from  the application settings

Product Manager

Alteration of your web.config file was not a result of installing the agent. This was likely a byproduct of upgrading to NPM v11, as running the Orion Configuration Wizard rebuilds the Orion IIS web site. This process in turn resets the web.config file back to its default configuration.

Level 12

I would disagree with that statement as I was already upgraded to NPM and recently started to play around with the added agents and sensors .. the agent or sensor removed the new relic configuration in the application settings of both my web servers.

Level 12

If we have clients at different sites (networks) using the same IP scheme, will this create issues if there are dupe IP's ?

Level 14

Apparently I am not the only one who thinks that a micro-poller is a good idea.  (A community of crazy!)

https://thwack.solarwinds.com/ideas/3061-- and it's even been moved to 'What we're working on' too!  W00t!  (Take note Richard Hetherington)

Product Manager

You'll have to stay tuned to the series to find out.

Product Manager

We just completed an extensive round of testing and revalidated that neither the SPAS nor NPAS affect the IIS web.config file. In fact the PAS/Agent doesn't interact with IIS in any way based on our filemon and regmon integration. If you are able to reproduce this issue again, please let us know. Also if you have filemon or regmon dumps of any IIS related files being so much as touched (read) by the Agent/PAS we'd like to know.

Level 7

Hi,

From where can I download SAM 6.2?

Best Regards,

Product Manager

If you currently own SAM you can simply sign up here. You will then receive an email shortly thereafter containing a link where you can download the latest SAM beta.

Level 20

This is HUGE!  I'm really excited for more of this to come out of beta and due to the incredible tight security I have to deal with this like snmp status polling opens up the door to monitoring some things that were previously out of reach for me!  Thanks for all your work on this aLTeReGo!  Great idea if we're putting the DPI agents out there anyhow why not use them for what limited us before being agentless!!!

Product Manager

The Agent included in SAM 6.2 fully supports overlapping IP address space, so duplicate IP addresses should be no problem. You cannot mix/match agent/agentless with overlapping IP address space using the same poller, but so long as both hosts have some route back to the Orion server and both endpoints are managed via the agent, then duplicate overlapping IPs should work without issue.

Level 20

I have a question no one has asked I don't think... I see what the agent can do with DPI, and extending SAM wmi monitoring out... but could the agent also do icmp???  I do have servers inside some of these restricted areas... my main poller can get to some of them now doing status polling with snmp (icmp isn't allowed across some firewalls at all due to covert channel history)... the question is couldn't you also allow the agent to do icmp polls of nodes too?  This would be great in places with overlapping ip address space or behind more complex NAT like you mentioned.  I really like the information being sent between agent and orion NPM server with FIPS compatible 2048 bit TLS encryption.


It seems to me in many ways this is finally becoming more of a true distributed secure polling architecture now.  The poller is getting smarter and more adaptable.

Product Manager

Much like SNMP managed nodes, how status is polled is configurable. By default status and response time polling occurs through the encrypted Agent communication channel. You can however utilize ICMP in instances where the Orion server can ping the endpoint directly.


Level 9

What is the resource footprint of the agent (CPU/Memory)? We have SAM set up using WMI, and for the most part, it works well, but we periodically have issues where WMI goes haywire and starts beating the server up, requiring a restart of the service. I've also noticed that sometimes, WMI just 'doesn't work' for reasons unknown.

Product Manager

The agent typically consumes under 1% CPU (0.24% on average) and between 10-100MB of RAM depending on the number and type of jobs being executed. Bandwidth consumption is ~80% less than that of a WMI managed node.

Level 11

Hi All,

I know that this is an old thread but does anyone know why the list resources would not work (it just sits on waiting) if the agent appears to be installed and working as it should ?

thanks

Hans

Level 13

There are a number of reasons this could be. Have you tried searching the Success Center for additional information?

Product Manager

What version of Orion Platform are you running? If you're not running 2017.3 SP3, my recommendation would be to upgrade, as there have been fixes to resolve this issue. As stevenwhunt stated, there can be many different causes for this issue. If upgrading doesn't resolve the issue, I suggest following the steps outlined in the KB article below.

Unable to List Resources on a Node or Agent - SolarWinds Worldwide, LLC. Help and Support

Failing that, I recommend opening a case with support.

Level 11

Hi stevenwhunt​ and aLTeReGo

Thanks for the links. I have been looking through the various articles on the forums and not come across anything that has helped as of yet, I'll give the links another go and see what I can find

thanks again

Hans