Thursday, December 8, 2011

Saving time & headaches by saving Bandwidth

The MAX agent is deployed independently, and lives its life very happily that way: no matter where it is (on the Internet), it goes on its merry way sending information to your dashboard so you can always know about and maintain its health & well-being.  With the features enabled, these machines will get all updates wherever they are.

But what about when I have several machines connected to a single Internet connection?  (Well, we're supporting businesses, so that's most all of the clients isn't it?)

So, "out of the box," MAX would have each and every machine request and download features installers, patches, signatures themselves from the cloud.  Even with the variance in check-in times from machine to machine, this can start filling up that pipe, making it appear that your service is "slowing down" your client's computers.

So what can be done to ensure this situation doesn't happen?  GFI MAX has a directly-integrated feature called a Site Concentrator.  As with many of the features in your dashboard, this feature applies to and is configured at each individual site.  (The name kinda implies that, doesn't it?)  Typically, this corresponds to a contiguous Local Area Network, but doesn't necessarily have to be.  The only requirement is that the Site Concentrator be accessible over its configured port from other machines within the dashboard site.

A Site Concentrator will act as a download or cache proxy for all requests from other systems within the dashboard site.  The downloads in question are:
  • All feature installers
  • Patches
  • Anti-virus signatures
Site Concentrator Dialogue
Configuration is simple: simply select the site you wish to enable a concentrator for, and select Edit Site from the Edit menu.  The Site Concentrator is enabled on the third tab.  Select a server agent from the site from the pull-down menu, and specify the port you wish to use and an alternate path to save the information if you'd like.  By default, a "patches" folder will be created under the Monitoring Agent folder if you don't specify one.  Any path you specify will be created if it doesn't already.
Cache path selection

Tip/Note: The patches / cache folder won't ever get much more than a few gigabytes in size, but you may want to move it to another drive just to avoid having a backup run on the folder.
Cache Drive selection

Any and all machines in the dashboard site will request these items directly from the SC and disseminate appropriately.  Only one copy of a patch or update will be downloaded for the entire site.  The Site Concentrator is self-cleaning, so in 30 days or less after download, the patches, etc. will be removed from the cache path automatically. 
Tip/Note: Only Server Agents can act as a site concentrator.  However, none of the features that utilize the Site Concentrator need be installed on the server agent computer.  That is to say, one could use an "old" workstation computer, install the server agent on it with only the barest of monitoring checks (it would be good to ensure the machine is alive, wouldn't it?) and set it as the concentrator.

No configuration changes are necessary on any agent within the dashboard site.  As a matter of fact, if you need to move the site concentrator for any reason (e.g. server maintenance during a patch window), all you have to do is select another server from the list, and all systems will be updated automatically as they check in to the dashboard!

Note: if you have a proxy server already set up for your client - and thus have it configured in your installation/ deployment of the Advanced Monitoring Agent, you cannot use a Site Concentrator.  The truth is, though, you 3rd party proxy will act as a type of cache server anyway.


  1. What happens if site concentrator isn't available due to downtime or laptops that roam off and on site? Will agent roll over to the internet?

    1. Great question. No answer :(

    2. Oops! Thanks Marco & SO SORRY!!!!!! At least it didn't take me too long to see the question though, right? :O

      The answer is - YES, systems will fail-over to the Internet to download if the concentrator isn't available.*

      *OK there is ONE exception that is noted here:

      Coming soon, however, this will be taken care of by our VIPRE Engineering brethren.

  2. I'm doing some testing on a trial of Max. I setup my SBS server (SBS 2011) as my site concentrator. Left the default concentrator port of 8123. After a little while and some tests regarding patching, there are files in the site concentrator folder that I setup on the server, that is working as expected. When doing a few other tests, I ended up logging into the server and then into the Max agent to look around, it was version 9.3.1 at first, but it happens on 9.4.0rc too. On the agent settings tab I saw the "connection settings" tab and that the proxy server settings were set, as this article describes. It was set to my local server loopback IP of When I click the "test connection" button there is a long delay and then it finally says 'ERROR: Invalid response from server!" If I uncheck the use proxy then the connection reports "Connection OK." I tried putting in my server host name, fails, tried the IP of the server network adapter, fails. I tested this both from the server itself and from a client PC that is pointing to my server's host name for its proxy setup. That fails with the same error. I've disabled the firewall on both the client PC and server, test still fails. I've done a netstat -a on the server and confirmed it is listening on all interfaces, on port 8123. So, are my client PCs actually using this site concentrator at all or are they timing out and then just going out directly to Max via the Internet for any patches or updates? Does this test not work if the proxy is just a site concentrator and not an actual proxy / gateway to the Internet? I'd like to verify my client PCs can actually connect to the concentrator and then I can turn the firewall back on my server and just open relevant ports hopefully.

    1. This looks & sounds like a firewall/port blocking issue, but there are several different places in SBS environments where it could be. Even with your testing, I couldn't point at any one place without doing general communication tests (telnet/tracert/wire shark/etc.) And that's why GFI has a Tech Support team :). If you truly have a problem with the communication, they'll be able to help you track it down.

      In general, you shouldn't have to do any configuration of the Agent itself: all that is taken care of for you by simply indicating the Site Concentrator server in the dashboard. All agents get their proxy settings configured from there. Please remember the notes about Site Concentrators found in the Help file. (No other proxy's, etc.)

      If you want to test a workstation is getting the patches from the server, stop the SC's service on the server, delete the contents of the concentrator folder, & restart the service. On the workstation, either wait for the next patch schedule or select "Install Patches Now" from the dashboard.

  3. I have a pretty basic setup and know SBS 2011 very well, not really sure where else it could be blocked. I have the Windows firewall totally turned off and have an unfiltered connection via a Netgear router out to the Internet. Very simple, no other proxy systems at all, this is my home network actually. I guess my question is, if you have a site concentrator setup and you click the "test connection" button on the agent on the concentrator system or a PC using the site concentrator...does the test work or do you get an error too?

    1. It should connect just fine - SC's thru the localhost address and other agents as long as the name can be resolved. (there ARE exceptions that might occur [laptops come to mind]) - contact your rep and/or tech support for better/more details. this isn't really the place ;)