Cisco Secure Endpoint Horizon Environment Duplicates in Console

brent.marceaux
Level 1

Greetings to all,

I am having a situation in which I am getting computer duplicates in the Cisco Secure Endpoint Console. I am well aware that there is a special procedure for prepping a golden image, setting up identity persistence and using scripts as per the Cisco document here: https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217557-cisco-secure-endpoint-guide-to-identity.html#toc-hId--1145359230

I spent hours to get this working initially in my Horizon (7) Test/Production Pools and I do have it working correctly (my question/problem will come down below). My process was:

1) Install the connector in the gold image using the /goldenimage 1 flag.
2) Run the Setup Script provided by Cisco in the document above.
3) Power down the golden image.
4) Verify the golden image did not check in and create a computer in the console for itself. (It did not, because the /goldenimage 1 flag tells the client not to start.)
5) Snapshot the gold image and use it to recompose the Horizon Pool.
6) Run the Startup Scripts (provided by Cisco in the document above) on all of the VMs that are spun up by the Horizon process from the gold image referred to in step 1. There is a parameter in the Horizon pool in which you can call a script. I'm using that to call a script that runs the Startup Script.

As I said, this all works well and all my non-persistent VMs (200+) are spun up for weeks and weeks without one duplicate in the console. I verify this by going into the console repeatedly and seeing no duplicates; Identity Persistence is working as intended. Just as a frame of reference, the machines that are spun up and reflected in the console are named LMEPRODXXX, i.e. LMEPROD001, LMEPROD002, etc.

My problems started next:

I have another updated Horizon 8 environment in which I need to create pools of matching gold-image-based VMs. I cloned my gold image referenced above, brought it over to the new Horizon 8 environment and made a few needed modifications to get it spun up on the new version 8 pools. When making these changes, I did not touch anything related to the Cisco Endpoint Connector on the cloned gold image. After spinning everything up and recomposing the pools, everything was working fine; I checked the console and my 10-machine test pool had no duplicates. This pool had machines spinning up and in the console in the form of TMSPRODXXX, i.e. TMSPROD001, TMSPROD002, etc. all the way to 010.

Life is still good, no duplicates in two pools, many many reboots, all is good. The Horizon 8 pool is running the same Secure Endpoint policy as the Horizon 7 pool because, remember, I did not touch the connector client on the second gold image that was cloned and brought over to the 8 environment.

So, now seeing that I have a need to separate the two policies, I "duplicate" [policy 1] that both of these pools were using to [policy 2]. I then download the connector for policy 2 with the intention of putting it on my Horizon 8 gold image. I step through the below process on the second gold in the Horizon 8 environment:

1) Uninstall the connector, choosing the "No" option at the end so it will delete everything locally.
2) Reboot.
3) Install the newly downloaded connector for policy 2 (with the /goldenimage 1 flag).
4) Delete all of the other items related to the script that the setup script previously executed (like the environment variable and the task schedule entry it creates).
5) Re-run the setup script to let everything get created again, to make sure everything matches and is in there.
6) Shut the gold down.
7) Verify the gold name is not in the console (it won't be, because it never started up yet due to the flag).
8) Recompose the pool with the same script designations on the Horizon processes.

From this point, as machines started populating and I started logging into the TMSPRODXXX machines, after logging out the machine rebuilds itself with the Horizon processes and comes back on the network. They start checking into the console and they start creating duplicates. Each time I log into a new TMSPRODXXX machine and log out, another duplicate with that name appears. It would appear that since I touched it by uninstalling and re-installing, the identity persistence check process is broken in some regard.

It would appear to me that the new GUID coming in with the same hostname is not replacing the old GUID on the same hostname.

Now, I tried various things like uninstalling and re-installing, and even going back to the original policy and original version that I brought it over with. Nothing has worked to stop the duplicates. It would appear that once I touched it, it is hosed.

For this reason I am scared to touch my first gold in the 7 environment to upgrade the connector, thinking that it would do the same thing.

Has anyone experienced anything like this? It must be in a Horizon environment with non-persistent VMs using instant clones.

I have a TAC case opened which has been going on about 3 weeks with no progress. Any ideas would be appreciated. The only thing I'm thinking that could be related to the gold would be any residuals left over from the uninstall process. Or, something that is happening when the new machine talks to the console? Is the console not recognizing that the machine is coming in from a policy that has Identity Persistence enabled on it?

Thanks,

Brent
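The post describes the symptom as the same hostname re-registering under a new connector GUID on every recompose, while the hosts in the working pool keep a single GUID. The script below is an added triage example (not Cisco's tooling and not from the original post): it reads a computers export, reports every hostname that has more than one GUID, marks the newest entry as the live clone and the older ones as stale, and totals the stale entries per pool prefix so a broken pool (TMSPROD) stands out next to a healthy one (LMEPROD). The CSV column names `hostname`, `connector_guid` and `last_seen` are an assumption about the export format, and all sample rows are constructed.

```python
"""Triage duplicate computer entries in a Secure Endpoint computers export.

Added example, not Cisco's code. Assumes a CSV export with the columns
'hostname', 'connector_guid' and 'last_seen' (ISO 8601); adjust the field
names if the real export differs. Sample data below is constructed.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: LMEPROD001 re-registers under one GUID (healthy),
# TMSPROD001/002 get a fresh GUID on every re-provisioning (the symptom).
SAMPLE_EXPORT = """\
hostname,connector_guid,last_seen
LMEPROD001,aaaaaaaa-0000-0000-0000-000000000001,2024-05-01T08:00:00
LMEPROD001,aaaaaaaa-0000-0000-0000-000000000001,2024-05-03T09:15:00
TMSPROD001,bbbbbbbb-0000-0000-0000-000000000001,2024-05-01T10:00:00
TMSPROD001,bbbbbbbb-0000-0000-0000-000000000002,2024-05-02T10:30:00
TMSPROD001,bbbbbbbb-0000-0000-0000-000000000003,2024-05-03T11:00:00
TMSPROD002,cccccccc-0000-0000-0000-000000000001,2024-05-02T12:00:00
TMSPROD002,cccccccc-0000-0000-0000-000000000002,2024-05-03T12:45:00
"""


def parse_export(text):
    """Parse the CSV into normalized rows (hostname upper-cased, GUID lower-cased)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": rec["hostname"].strip().upper(),
            "guid": rec["connector_guid"].strip().lower(),
            "last_seen": datetime.fromisoformat(rec["last_seen"].strip()),
        })
    return rows


def find_duplicates(rows):
    """Return {hostname: {"active": newest_guid, "stale": [older_guids]}}
    for every hostname that appears under more than one connector GUID."""
    latest = defaultdict(dict)  # hostname -> guid -> most recent last_seen
    for r in rows:
        seen = latest[r["hostname"]].get(r["guid"])
        if seen is None or r["last_seen"] > seen:
            latest[r["hostname"]][r["guid"]] = r["last_seen"]
    dups = {}
    for host, guids in latest.items():
        if len(guids) < 2:
            continue
        ordered = sorted(guids, key=lambda g: guids[g], reverse=True)
        dups[host] = {"active": ordered[0], "stale": ordered[1:]}
    return dups


# Pool naming pattern from the post: letters followed by a numeric index.
POOL_RE = re.compile(r"^(?P<pool>[A-Z]+)(?P<index>\d+)$")


def pool_of(hostname):
    """Map LMEPROD001 -> 'LMEPROD'; names outside the pattern map to themselves."""
    m = POOL_RE.match(hostname)
    return m.group("pool") if m else hostname


def stale_by_pool(dups):
    """Count stale GUIDs per pool prefix so a misbehaving pool is obvious."""
    counts = defaultdict(int)
    for host, info in dups.items():
        counts[pool_of(host)] += len(info["stale"])
    return dict(counts)


def report(text):
    """One line per duplicated hostname, then one line per affected pool."""
    dups = find_duplicates(parse_export(text))
    lines = []
    for host in sorted(dups):
        info = dups[host]
        lines.append(f"{host}: keep {info['active']}, {len(info['stale'])} stale")
    for pool, n in sorted(stale_by_pool(dups).items()):
        lines.append(f"pool {pool}: {n} stale connector GUID(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run against a real export, the per-pool totals answer the question the post raises (does the problem follow the re-installed gold image only?) without deleting anything: the "stale" list is what to review in the console, and "active" is the GUID the most recent clone is reporting under, which is the one identity persistence should have kept stable.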
