This article provides information, recommendations, and the best practices for various LanGuard Deployment Scenarios and guides you on how to choose the right one for your environment.
GFI LanGuard deployment configuration depends on the number of computers and devices you want to monitor as well as the traffic load on your network. Additionally, geographical location, multi-domain scenarios, network environment, and many other variables can require certain adjustments to your setup.
The most common scenarios and options are covered in the Deployment Scenarios section of the LanGuard Product manual. It provides a general overview of the deployment scenarios to choose from.
Consider the following questions to determine the best options and the deployment configuration for your specific environment.
- How many machines will you be scanning?
Depending on the number of machines you plan to scan, you will need to adjust your deployment according to the System Requirements - the hardware requirements are higher for a larger number of machines.
- Do you need to provide reporting access to anyone outside of the IT department?
If you need to have multiple departments/users accessing reporting information gathered by LanGuard, you have to deploy the Central Management Server. Otherwise, you may skip installing the Central Management Server because it will just use extra resources for features that you do not need.
- Do you have multiple geographic locations with separate networks?
For environments with geographically distributed networks there are two recommended ways to set up LanGuard:
Use Relay agents - they will cache patches and ensure that each file is only transmitted once from the GFI LanAguard server to the remote location.
Alternatively, you can install a separate instance of LanGuard for each location and centralize the reporting via the Central Management Server. Please note that you will need to have access to each instance of LanGuard to manage each location, so this solution is more common for environments that have multiple HQ locations. The same license key can be used for each LanGuard instance, the number of licenses used on each LanGuard instance will be added together.
- What security restrictions do you have in place in the environment?
Every environment is configured differently, including individual settings and specific security requirements. Hence, make sure to review the following article and configure your environment accordingly: Required Settings to Scan a Machine and Successfully Install Missing Patches Using GFI LanGuard.
LanGuard can be operated successfully in highly secured environments, just keep in mind that when LanGuard is installed on a highly secure network that does not have access to the internet, it still should be upgraded regularly. Refer to the Upgrading GFI LanGuard 12 in a Secure Network and Updating GFI LanGuard in a Secure Network for the corresponding procedures.
- Do you have a single domain or multiple domains? Are there machines in workgroups outside of the main domain?
In environments with multiple domains or devices in various workgroups, LanGuard is still able to manage scanning and remediation on each domain by using Alternative Credentials. Please follow the detailed instructions in the article Best Practices for Account Permissions to configure your environment.
- Is there a specific scanning window?
If you have a small number of machines and only plan to perform scans over weekends, you can settle for the Agent-less environment. However, in most cases, we recommend deploying Agents on the machines that meet a minimum set of system requirements to reduce network bandwidth utilization and scan time. In the Agent-less mode, the GFI LanGuard server performs audits over the network; in the Agent mode, audits are done using resources of the scanned machine, and only the resulting XML file is transferred over the network.
- Do you perform network scans at night?
If you plan to scan your network at night, you need to consider one of the following options:
- Computers need to stay turned on at night.
- Wake-on-Lan needs to be configured in the environment.
Make sure to consider the variables that make your environment unique and select the appropriate configuration and settings for your specific setup. The best way to ensure the basic functionality is to Verify Required Network Connectivity and Security Permissions for GFI LanGuard Operations.
- Recommended Settings for Best Performance in GFI LanGuard
- Recommendations for Performing Scans over a Slow Network Connection
- Best Practices for Account Permissions
- Required Settings to Scan a Machine and Successfully Install Missing Patches Using GFI Languard
- Verifying Required Network Connectivity and Security Permissions for GFI LanGuard Operations