SA Agents in the public cloud

This section provides information about SA Agents in the public cloud, how to set up and deploy a Satellite for Amazon Web Services (AWS), and how to manage your cloud instances with SA Agents.

For this implementation, we assume you have HPE SA up and running. Each component must be verified to work individually and within HPE SA. If you do not have HPE SA deployed, see the Server Automation Install section.

Using SA to agent-manage servers in private and public clouds enables SA power and functionality in each cloud instance. We recommend deploying and using a satellite, because cloud instances that are hosted by cloud service providers are similar to servers at a remote site.

A satellite installation typically consists of, at minimum, a satellite gateway and a software repository cache and allows you to fully manage servers at a remote facility. The software repository cache contains local copies of software packages to be installed on managed servers in the satellite, while the satellite gateway handles communication with the primary core.

An agent-managed instance can communicate with an SA Satellite to run patching, software management, application configuration, audit, and remediation. You can optionally install the OS provisioning boot server and media server on the Satellite host to support remote OS provisioning and reprovisioning.

SA Agents in the public cloud implementation

The implementation described in this section consists of an SA Core within the corporate firewall that is connected to an SA Satellite on an AWS instance. We recommend using the Amazon Virtual Private Cloud (VPC) networking service, which enables you to provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network.

Environment

The scenario uses VPC with a single private subnet and a virtual private gateway to enable communication with the network over an IPsec VPN tunnel. There is no Internet gateway. This scenario can be used to extend a network into the cloud without exposing a network to the Internet. A Satellite is connected directly to the SA Core, and the Core is connected to AWS (see figure below). Cloud Provider: AWS.

Managing instances through a satellite

This section describes prerequisites and steps needed to agent-manage instances through a Satellite.

  1. Establish a Connection to AWS from Your Network
  2. Install a Satellite on an AWS Instance
  3. Install SA Agents on Instances

Establishing a connection to AWS from the network

  1. Create and configure the Amazon VPC as described here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html
  2. Open the required SA ports in the VPC’s default security group.

| Inbound ports | Outbound ports |
|---|---|
| - | 22 (SSH) to copy the Satellite distribution to the cloud. |
| 1002 for SA Agent communication. | 1002 for SA Agent communication. |
| - | 1003 and 1006 for the Software Repository Cache. |
| 2001 for the SA Satellite to communicate with the SA Core. | 2001 for the SA Satellite to communicate with the SA Core. |
| 3003 for the SA Satellite gateway installer. | - |
| - | 4040 for the gateway used by the Software Repository Cache. |

  3. Create a VPN connection between the VPC and your local network.

For information about VPNs that can be used to secure the connection and how to configure the virtual private gateway, see the Amazon Virtual Private Cloud Network Administrator Guide.
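The port table above can be checked against the security group that is actually deployed. The following is an added example, not HPE or AWS code: it audits one security group, in the JSON shape returned by `aws ec2 describe-security-groups`, for ports outside the SA list, SA ports that are missing, and rules whose peer range falls outside the networks you trust. The names `SA_PORTS`, `audit_group` and `SAMPLE_GROUP`, the trusted range `10.0.0.0/16`, and the treatment of all SA ports as TCP are assumptions made for the example.

```python
import ipaddress

# Ports from the table above, in the direction the page lists them (TCP assumed).
SA_PORTS = {
    "IpPermissions": ("inbound", {1002, 2001, 3003}),
    "IpPermissionsEgress": ("outbound", {22, 1002, 1003, 1006, 2001, 4040}),
}

def _inside(cidr, nets):  # True if cidr lies within one of the trusted networks
    net = ipaddress.ip_network(cidr)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def audit_group(group, trusted_cidrs):
    """Return sorted findings for one security group dict."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = set()
    for key, (direction, expected) in SA_PORTS.items():
        opened = set()
        for perm in group.get(key, []):
            proto = perm.get("IpProtocol")
            if proto == "-1":  # AWS notation for all protocols and ports
                lo, hi, label = 0, 65535, "all traffic"
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                label = str(lo) if lo == hi else f"{lo}-{hi}"
            else:
                findings.add(f"{direction}: non-TCP rule ({proto})")
                continue
            in_range = {p for p in expected if lo <= p <= hi}
            if len(in_range) != hi - lo + 1:
                findings.add(f"{direction}: {label} allows ports outside the SA list")
            opened |= in_range
            peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings |= {f"{direction}: {label} open to {c}" for c in peers if not _inside(c, nets)}
        findings |= {f"{direction}: SA port {p} not opened" for p in expected - opened}
    return sorted(findings)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1002, "ToPort": 1002, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 2001, "ToPort": 2001, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

print("\n".join(audit_group(SAMPLE_GROUP, ["10.0.0.0/16"])))
```

Rules that reference another security group instead of a CIDR range are not evaluated by this check.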

Installing a satellite on an AWS instance

  1. Create an AWS instance on which you can install the Satellite.
  2. In this implementation, Red Hat Enterprise Linux (RHEL) 6.4 x86_64 is used. For other supported platforms, see the Server Automation Support and Compatibility Matrix.
  3. Configure the iptables firewall to open the SA ports listed in Table 1.
  4. Copy the Satellite distribution to the Satellite server in AWS.
  5. Run Satellite prerequisite checks, and fix any issues.
  6. Copy the certificate and CDF file from the Core server to the Satellite server.
  7. Run the Satellite installer.
  8. Enable the SA Agent Installer on the Satellite by adding the following to the root user’s path:
     • OpenSSH client
     • telnet client (standard client that ships with Linux)
     • rlogin (standard login that ships with Linux)

For more information about SA Satellite installation and deployment, see the Server Automation Install section.

Install SA Agents on instances

For details about SA Agent installation, see the Server Automation Use section.

For Linux instances, enable SSH password authentication and root login. For Windows instances, enable NETBIOS over TCP/IP.

The Satellite server needs to communicate with instances through the SA Agent Installer. To allow this, you may need, for example, to configure or disable the iptables firewall (in Linux) or the Windows Firewall.

  1. Configure the firewall as needed for your instance.
  2. Log in to the SA Client.
  3. Navigate to SA Agent Installation, and select the Satellite from the “Scan In” drop-down list.
  4. Scan in your private IP address range to discover agentless servers.
  5. Right-click each server on which you want to install SA Agent, and run the Agent Installer.

You are now ready to leverage SA in the public cloud. You can use the SA Documentation Library to find the latest version of the guides for your version of SA on HPE Software Support Online (HPE Passport required).