Jabez_
Engaged Sweeper

Hi - I'm just finishing up a large enterprise Lansweeper deployment with about 40k Windows assets and about 100k assets total. Due to the sheer size of the implementation, we have split scanning across 9 Lansweeper scanning servers. Each is configured with a range of IPs that keeps scanning as local as possible and also provides a way to divide the network into chunks of 5-7k Windows assets, so a single Lansweeper scanning server isn't overwhelmed and we stay within the recommended scanning limit per scanning server.

The main AD Domain contains about 25k Windows assets split among 5 Scanning servers. Some Scanners are used for datacenter networks, VPN IP address pools and endpoint networks.

These 25k Windows assets have been divided up to use IP Range Scanning per server; however, I notice a few issues with this setup, such as new or unknown networks flying beneath the radar. Also, some assets naturally won't be connected during scanning periods and will be missed, for example late-night or infrequent workers connected over VPN.

To address this I've tried to combine the real-time Domain Scans with the IP Range scans. The problem with this configuration is that the designated Domain Scanning Server collects more and more Windows assets very quickly and can easily overwhelm itself (a jump from 4.5k Windows assets to 18k Windows assets shortly after enabling Domain Scan).

To correct this mess I have to manually re-assign Domain Scan discovered Windows assets back to their designated IP Range Scanning servers, a long and tedious process of rebalancing assets to 4 other scanning servers.

Is there a better way to partition a large AD domain into balanced Lansweeper scanners while also having real-time logon monitoring informed by Windows DC logon events, without having to rebalance assets manually? Or is it problematic for these types of scans to coexist in a large environment?
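One way to take the manual rebalancing out of the picture is to decide the partition up front from data you already have (the IP Location report gives per-range asset counts) and regenerate the scanning targets from that. The script below is an added example, not part of the original post and not Lansweeper's own tooling. It groups subnets by site so that scanning stays local, splits only sites that cannot fit one server, and assigns the largest unit to the least-loaded scanner until everything is placed or the per-server ceiling is exceeded (which tells you another scanner is needed). The subnets, sites, asset counts, server names and the 3000-asset ceiling are constructed sample values.

```python
"""Greedy partition of IP scanning ranges across scanning servers.

Added example (not Lansweeper code). Units of assignment are sites, so a
site's subnets stay on one scanner; a site whose estimated asset count
exceeds the per-server ceiling is split into its individual subnets first.
All subnet names, sites and asset counts below are constructed sample data.
"""
import heapq
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (subnet, estimated Windows assets, site)
SUBNETS = [
    ("10.10.0.0/22", 900, "DC-East"),
    ("10.10.4.0/22", 800, "DC-East"),
    ("10.20.0.0/22", 1500, "DC-West"),
    ("10.99.0.0/16", 1200, "VPN-Pool"),
    ("192.168.0.0/22", 600, "Office-A"),
    ("192.168.4.0/22", 400, "Office-A"),
    ("192.168.20.0/22", 700, "Office-B"),
    ("192.168.40.0/24", 150, "Office-C"),
]
SERVERS = ["scan01", "scan02", "scan03"]  # hypothetical scanner names
CEILING = 3000  # assumed per-server asset budget; use your vendor guidance


def to_range(cidr):
    """Render a CIDR as the 'first - last' form used for IP range targets."""
    net = ip_network(cidr)
    return f"{net.network_address} - {net.broadcast_address}"


def build_units(subnets, ceiling):
    """Group subnets by site; split any site that cannot fit on one server."""
    by_site = defaultdict(list)
    for cidr, count, site in subnets:
        by_site[site].append((cidr, count))
    units = []
    for site, members in by_site.items():
        total = sum(c for _, c in members)
        if total <= ceiling:
            units.append((site, total, [cidr for cidr, _ in members]))
        else:
            for cidr, count in members:
                units.append((f"{site}/{cidr}", count, [cidr]))
    return units


def balance(subnets, servers, ceiling):
    """Largest unit first onto the least-loaded server (LPT heuristic).

    Returns {server: {"assets": n, "ranges": [...]}} and raises ValueError
    when the ceiling cannot be met, i.e. another scanning server is needed.
    """
    load = {s: {"assets": 0, "ranges": []} for s in servers}
    heap = [(0, s) for s in servers]
    heapq.heapify(heap)
    units = sorted(build_units(subnets, ceiling), key=lambda u: -u[1])
    for name, count, cidrs in units:
        assets, srv = heapq.heappop(heap)
        load[srv]["assets"] += count
        load[srv]["ranges"].extend(f"{name}: {to_range(c)}" for c in cidrs)
        heapq.heappush(heap, (assets + count, srv))
    over = [s for s, v in load.items() if v["assets"] > ceiling]
    if over:
        raise ValueError(f"ceiling {ceiling} exceeded on {over}; add a scanner")
    return load


if __name__ == "__main__":
    for srv, v in balance(SUBNETS, SERVERS, CEILING).items():
        print(srv, v["assets"], *v["ranges"], sep="\n  ")
```

With the sample data this lands DC-East and Office-C on scan01 (1850 assets) and 2200 assets on each of the other two. Re-running it after the network team reports a new subnet gives a fresh target list per scanner instead of a manual reassignment pass; Domain Scan can then stay a discovery mechanism rather than a long-term owner of assets.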

Guilhem_Fr
Engaged Sweeper

Hello,

I have exactly the same problems 😉

Range IP vs AD Scans in a complex network architecture is questionable.

Assets reassigned to different Scan Servers by ??

The descriptions of "physical address" and "logical dynamic address" is also a very complex question (for me).

But Lansweeper is a very powerful product. On the question of scan server resources, on my side I have no problem with perfs except the first time the IP Range/AD asset is detected; after that the perfs no longer pose a problem. (Asset Radar/Scheduled scans/Scan only new Windows (IP range) can be optimized.)

And for the ranges / IP Locations, we scan with fairly wide ranges (without deserts anyway lol), but for the IP Locations a fine cutting is necessary.
For the moment, Excel generates the list of IP Locations to import (in the right format) by combining columns that correspond to our company criteria (site, VLAN id, VLAN name, VLAN type, etc.).

Work in progress...

Guilhem

Jabez_
Engaged Sweeper

Thanks for the detailed reply. We wanted to get away from having to manage yet another agent on endpoint systems, so we've opted for now to just use centralized scanning. For VPN users we use a dedicated scanner that operates during prime logon hours to capture as many assets as possible in a timely manner.

When doing the analysis to divide the networks into scan ranges, I tried to 'right size' the IP scan subnets so they aren't overly large. There is push back from our security team to scan more broadly, but I've mentioned to them that it will impact scan times and potentially jam up the scanning servers with too many assets.

I believe the intention behind scanning broadly is because we really don't have a great handle on all of our network subnets and sites. I suspect the better solution will be to discover what we have and then develop a process to have our network team inform Lansweeper admins when new subnets are added/removed/changed, and not rely on overly broad IP scans.

It seems like by enabling the Domain Scan once a week/month we can use this as a discovery of sorts, at least for sites that have domain-joined Windows assets. Eventually, as the other dedicated IP Range scanners perform their scans, they will automatically re-assign the assets to themselves, leaving a remainder that needs to be sorted through to identify unknown sites and such. It's not ideal but it kinda works.

I'll take a look into the reports you mentioned to try to identify problematic assets.

We have many sites as well; I think I've configured about 1500 asset groups corresponding to physical sites, and not all of them are in a contiguous IP range. It's been a lot of work to even get this far!

LSEngineer2007
Engaged Sweeper II

We have around 250,000 assets, 15 separate domains, over 200 locations with over 3,000 IP ranges. I feel your pain.  We only have 5 scan servers but that will soon double.  I don't have a solution for you, just some tips or things to try.

You could install LS Agents for your WFH folks, create a schedule for the agents that scans the computer multiple times a day (maybe every 5 or 6 hours) so you don't have to worry about when they are working or not.  The agent will send the last scan to the relay server once a day.  Even if they don't connect to VPN, you can still get the scans.

With agents on the computers and all IP ranges being scanned, you could disable AD scanning and monitor to see if you are missing anything.  Remember you can also choose specific OUs and sites to scan versus all of AD.

For IP ranges, make sure you aren't scanning large ranges that are not in use.  I know this is common sense but still worth mentioning.  For example, let's say that you have ranges at 192.168.0.0 - 192.168.5.255 and 192.168.20.0 - 192.168.25.255.  Make those 2 separate scanning ranges; don't make them 1 range like this: 192.168.0.0 - 192.168.25.255.  I've seen it where someone would add the entire range 192.168.0.0/16, just to capture a handful of ranges that are actually in use.

Check your server logs for each scan server to see if there are any major issues.  

Check your scanning queues to see if scanning is being hung up on a single asset.

Run the "IP Location - Scanning Success" report (I believe that is a canned report) to see how many assets are on each range, how many are successfully scanned and how many failed.  You can also see which ranges aren't getting any hits and use that information to clean up IP Locations and the corresponding IP Scanning Targets.  Last, you can also see how many are Undefined.  Click on the Undefined uplink to see which assets and the IP address for each and use that information to create scanning targets for the missing ranges.

Another way to determine which IP ranges you might be missing: go to the IP Location menu (Configuration > Asset Groups) and click on Import from AD.  You don't have to import them if you don't want to, but it allows you to at least see all of the ranges that AD is seeing, and you can compare that to your actual scanning targets.  Run this canned report to get a report of all of your scanning targets: "Scanning: IP range scanning targets".  Again, I believe that is also a canned report, but you can get them both from the Report library.

I hope something on this list is useful to you, good luck.

Keith
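The two checks in Keith's post above (tighten oversized IP ranges to what is actually in use, and turn the "Undefined" assets into new scanning targets) can be automated once you have the data exported. The script below is an added example, not part of the post and not a Lansweeper feature. It takes the configured targets as start/end pairs, the subnets the network team confirms are in use, and a list of asset IPs with no matching target; it flags any target whose address space is more than a chosen multiple of the in-use addresses inside it, proposes the tightened contiguous ranges, and groups uncovered IPs into candidate /24 targets. All targets, subnets, IPs and the 4x slack threshold are constructed sample values.

```python
"""Audit IP range scanning targets against in-use subnets and stray IPs.

Added example (not Lansweeper code). Inputs are constructed sample data in
the shape you would get from an IP range targets report, the network team's
subnet list, and the "Undefined" asset list of an IP Location report.
"""
from ipaddress import (collapse_addresses, ip_address, ip_network,
                       summarize_address_range)

# Constructed sample: configured scanning targets as (first, last) pairs;
# the first one is the whole-/16 anti-pattern described in the post.
TARGETS = [("192.168.0.0", "192.168.255.255"), ("10.10.0.0", "10.10.3.255")]
# Constructed sample: subnets the network team says are actually in use
IN_USE = ["192.168.0.0/22", "192.168.4.0/23", "192.168.20.0/22",
          "192.168.24.0/23", "10.10.0.0/22"]
# Constructed sample: asset IPs that fall under "Undefined"
UNDEFINED = ["10.10.8.15", "10.10.8.200", "172.16.5.9"]


def target_networks(first, last):
    """Express a first-last target as the CIDR blocks it spans."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


def contiguous_ranges(nets):
    """Merge adjacent CIDR blocks into 'first - last' strings."""
    ranges = []
    for net in sorted(nets, key=lambda n: n.network_address):
        first, last = net.network_address, net.broadcast_address
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1][1] = last          # extends the previous range
        else:
            ranges.append([first, last])
    return [f"{a} - {b}" for a, b in ranges]


def oversized_targets(targets, in_use, max_slack=4.0):
    """Flag targets whose size exceeds max_slack x the in-use space inside.

    Returns [(target, ratio, tightened_ranges)]. A target containing no
    in-use subnet at all gets ratio inf and an empty replacement list.
    """
    in_use_nets = [ip_network(n) for n in in_use]
    flagged = []
    for first, last in targets:
        blocks = target_networks(first, last)
        total = sum(b.num_addresses for b in blocks)
        inside = [u for u in in_use_nets if any(u.subnet_of(b) for b in blocks)]
        used = sum(u.num_addresses for u in inside)
        ratio = total / used if used else float("inf")
        if ratio > max_slack:
            tightened = contiguous_ranges(collapse_addresses(inside))
            flagged.append((f"{first} - {last}", ratio, tightened))
    return flagged


def uncovered(targets, observed_ips):
    """Group IPs matching no target into candidate /24 targets.

    The /24 is only a starting point; confirm the real subnet with the
    network team before adding it as a scanning target.
    """
    blocks = [b for first, last in targets for b in target_networks(first, last)]
    gaps = {}
    for ip in observed_ips:
        addr = ip_address(ip)
        if not any(addr in b for b in blocks):
            key = str(ip_network(f"{ip}/24", strict=False))
            gaps.setdefault(key, []).append(ip)
    return gaps


if __name__ == "__main__":
    for target, ratio, tightened in oversized_targets(TARGETS, IN_USE):
        print(f"{target}: {ratio:.1f}x larger than in-use space; use {tightened}")
    for net, ips in uncovered(TARGETS, UNDEFINED).items():
        print(f"no target covers {ips}; candidate target {net}")
```

On the sample data the /16 target comes out 21.3 times larger than the 3072 in-use addresses it contains and is replaced by exactly the two ranges from the post (192.168.0.0 - 192.168.5.255 and 192.168.20.0 - 192.168.25.255), while the correctly sized 10.10.0.0 target is left alone; the three stray IPs suggest 10.10.8.0/24 and 172.16.5.0/24 as ranges to confirm and add.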

LSEngineer2007, if you don't mind sharing, I am curious what kind of resources (CPU/RAM) your scanning servers have?

AWS Model: r5.xlarge

32 GB RAM

Intel Xeon Platinum 8259CL CPU @ 2.50GHz

Keith