Introduction

The following describes the requirements that the Examiner and Target must meet to successfully push the Enterprise Agent from Enterprise or FTK Central.

 

Requirements

AD Enterprise Examiner:

  • Verify the Agent and Modules paths under Tools > Configure Agent Push (see AD Enterprise can't push modules)
  • Verify the Certificate paths in Enterprise Configuration
  • Verify the Agent certificates have not expired
  • Confirm the user has the 'Push new agent' permission in AccessData Management Server (only Enterprise 6.3 and older)
  • Verify the Examiner machine can ping the target node
  • Verify the Windows account credentials specified when pushing the Agent have full Administrator permissions to the target Node (verify this by attempting to browse to \\<ComputerName>\admin$)
  • Verify you are specifying the target by machine name or IP, not UNC path

FTK Central:

  • Verify the Site Server is online via the Site Server Console (under System Management)
  • Verify the Agent and Modules folders have been created in the Site Server Results Directory
  • Verify the Certificate paths in Site Server Configuration
  • Verify the Agent certificates have not expired
  • Verify the target node IP is included in the "Manage Subnet Address" CIDR blocks in Site Server Configuration
  • Verify the Site Server machine can ping the target node
  • Verify the Windows account credentials specified under Agent Credentials (under System Management > Manage Credentials) have full Administrator permissions to the target Node
  • Verify you are specifying the target by machine name or IP, not UNC path

Target Node:

  • Verify the target doesn't already have an existing Agent installed
  • Verify TCP ports 135, 445, and 3999 are open (also open UDP 137 if using a machine name instead of an IP, and 54555 if using Agent periodic check-in with eDiscovery)
  • Verify SSL traffic is allowed over port 3999
  • Verify WMI communication is allowed
  • Disable remote UAC to enable the admin$ share
  • Disable Antivirus/malware scanning software on target Node
  • Disable "Simple File Sharing" on the target Node
  • Verify the Windows %TEMP% and/or %TMP% locations are not full on the target Node
  • Delete any old copies of "AccessData Agent.msi" sitting in the target's %TEMP% and/or %TMP% locations
  • Check whether the Agent can be installed manually
  • If the target is running whole disk encryption, you may need to set the Agent to use folder storage instead of protected storage
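
The network-side checks in the lists above (target given as name or IP rather than a UNC path, target IP inside the configured CIDR blocks, TCP 135, 445 and 3999 reachable) can be run as a preflight before a push. This is an added example, not code from the product or its vendor; the function names are hypothetical, and the CIDR list is assumed to be copied by hand from the "Manage Subnet Address" setting.

```python
import ipaddress
import socket
# Added example: helper names are hypothetical, not part of any AccessData tool.
PUSH_TCP_PORTS = (135, 445, 3999)  # TCP ports the page lists for the Agent push


def classify_target(target):
    """Return 'unc', 'ip' or 'name' for the string entered as the push target."""
    if target.startswith(("\\\\", "//")):
        return "unc"
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        return "name"


def in_managed_subnets(ip, cidr_blocks):
    """True if ip is inside any of the configured CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidr_blocks)


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(target, cidr_blocks=(), ports=PUSH_TCP_PORTS, timeout=2.0):
    """Return a list of findings to resolve before attempting the push."""
    kind = classify_target(target)
    if kind == "unc":
        return ["target is a UNC path; specify the machine name or IP instead"]
    findings, ip = [], target
    if kind == "name":
        findings.append("target given by name: UDP 137 must also be open")
        try:
            ip = socket.gethostbyname(target)
        except OSError:
            return findings + [f"{target} does not resolve to an address"]
    if cidr_blocks and not in_managed_subnets(ip, cidr_blocks):
        findings.append(f"{ip} is outside the configured CIDR blocks")
    findings += [f"TCP {p} is not reachable on {ip}"
                 for p in ports if not tcp_port_open(ip, p, timeout)]
    return findings
```

Run it from the Examiner or Site Server machine, since reachability depends on where the push originates. It does not cover the credential, certificate, WMI, or UAC items, which still need to be checked as listed.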

 

Notes

Ports Usage:

  • 135 - Windows Messenger Service, used by WMI during Agent push
  • 137 - Windows Naming Service, used to resolve machine names
  • 445 - SMB File Sharing, used by WMI during Agent push
  • 3999 - Agent communication port
  • 54555 - Agent check-in port (eDiscovery Only)

If you are unable to secure the necessary port, protocol, or credential requirements, you may find it preferable to either manually install the agent or have your IT department deploy it as an SCCM package.