
Choosing the Best Management Connection

This section describes the relative merits of agentless and agent-based management connections. The management connection can be chosen independently for each host.

Agentless Management Connection

Key Manager establishes secure connections to hosts for performing management actions. Unix and z/OS hosts support agentless management.

Advantages

  • You do not need to install agent software on agentless hosts.
  • Agentless management can be used for network appliances (such as routers and network-storage devices) that cannot be equipped with an agent.
  • Connections are established on demand, so management operations on can be performed right

Disadvantages

  • Credentials for accessing agentless servers must be stored in the Key Manager Database, or on an HSM.
  • Connections are initiated by Key Manager Servers, which imposes load on the servers.

Agent-Based Management Connection

Agent-based hosts periodically establish secure connections to Key Manager Servers. Unix and Windows hosts support agent-based management.

Advantages

  • The Key Manager agent is firewall-friendly because it only connects to the management server.
  • All Key Manager agent connections are opened from the agent to the management server: the management server does not require any credentials for logging in to the managed host.

Disadvantages

  • The Key Manager agent must be installed and maintained on the host.
  • The Key Manager agent only contacts the management server at scheduled intervals. Actions requested for agent-based hosts are not performed until the next scheduled connection.

Offline Scan

Execute a script on the host to gather scan data. Supported on Unix hosts.

Advantages

  • Scan without needing to set up a management account on target hosts.
  • Faster to set up in some network environments: You can quickly discover a host before deciding if it needs agentless or agent-based management.

Disadvantages

  • Only supports host discovery.
  • A script must be manually run on the target host. Scan data must then be manually imported to Key Manager.