JP4504680B2 - Apparatus and method for creating, distributing and enforcing policy advice and monitoring policy compliance in the management of a network of computing devices - Google Patents

Description

  The present invention relates to a network management technique. More particularly, the present invention relates to an apparatus and method for issuing, distributing and enforcing policies for the management of a large network of computing devices.

Enterprise information technology (IT) administrators everywhere face the difficult task of managing software and hardware on dozens, hundreds, and thousands of machines in their territory. With many incompatibilities, patches, and policy advice being announced on a daily basis, this task goes far beyond mere acquisition / purchase and installation. Simply recognizing all the situations that can lead to problems with hardware and software products used in the enterprise requires work beyond professionalism. Moreover, more troublesome work is added to deal with such a situation in response to user complaints and complaints. In this way, IT managers must anticipate what will happen in the enterprise and make plans to address that situation before it can lead to major problems. This allows IT managers to be aware of hardware and software configurations within a particular intranet and to track policy advice, updates, incompatibilities, and patches associated with that particular company, There is an urgent need for technologies that allow those policy advice, updates, and patches to be applied to specific equipment within the enterprise.

  Donoho et al., In US Pat. No. 6,256,664, discloses a technique that allows new communication processes to be provided by a collection of computers and associated communication infrastructure. In this process, an information provider can broadcast information to a population of consumers of information. Information can be targeted to consumers who have a precisely defined need for information. Such targeting to a specific consumer can be based on information that cannot be accessed by other communication protocols. This is because, for example, in other protocols, each person who can be a recipient for this targeting needs to reveal sensitive information, or in another protocol, it is received for this targeting. It is necessary for each potential person to reveal information that can be obtained after extensive calculations using data available only if there is a detailed knowledge of the consumer's computer, the contents of the computer, and the local environment. Because there is.

  This process enables an effective solution to various problems in modern life, such as automated technical support for modern computers. For technical support applications, the disclosed invention is accurate for a specific computer with a specific combination of hardware, software, system settings, data, and local environment within a large population of consumers. To enable users of those computers to be provided with appropriate measures to correct problems that are known to affect the computer in such situations.

  FIG. 1 shows a communication system for relevance messaging by computer according to the prior art. The user instructs an advice reader running on his computer 101 to subscribe to the three advice provider sites 103-105. The corresponding advice is captured in the user's computer in the form of a digital document, where an advice reader examines the advice document for relevance. These digital documents are referred to as advice documents. Transfer from the Internet 102 to the computer is completely unidirectional. Information about the user's machine is not returned to the advice provider. Advice is typically written in the following three parts: (1) a relevance language that is evaluated by an advice reader to determine the relevance of the advice. Relevance clause, (2) message body to provide descriptive information to the advice consumer about the relevant conditions, the reason for engaging with the advice consumer, and the recommended action And (3) action buttons that allow the advice consumer to perform automatic execution of recommended actions.

In the consumer setting, it is acceptable for the computer user to be involved in controlling the process to recognize what problems exist and apply the measures, while in the enterprise setting, the computer end user Often the management process by is not preferred. Instead, computers are managed centrally, and system administrators are often responsible for keeping the configuration valid and avoiding enterprise-wide problems.

  What is desired is to provide centralized advice management in a large network of computers.

  What is further desired is that such a technique provides a management interface that can display relevant advice documents for all computers in the network and supply the proposed actions to all relevant computers. Is to be provided.

What is also desired is that such a management interface allows a system administrator to manage the advice provider site subscription, monitor the status of the actions provided, and the status of the computers in the network. It becomes possible to monitor.

  What is further desired is that such techniques can be automatically applied to the management tasks required to correct machine problems that may be affected before these problems occur.

U.S. Patent 6,256,664

A system and method for centralized advice management in a large network, where a number of distributed clients are running on registered computers, the distributed clients collecting advice documents, and A method is provided for reporting relevance to a central server. System administrators can view relevant messages through the management interface, and can provide suggested actions to distributed clients where actions are performed and advice document solutions Applies.

In a preferred embodiment of the present invention, a centralized advice management system is disclosed that includes a plurality of distributed clients, a central server, a central database, and a management interface. The distributed client collects advice documents from multiple advice provider sites and reports the relevance of the advice documents to the central server. The system administrator can view the details of the associated advice document and provide the proposed action to the distributed client of the associated computer. In this distributed client, actions are performed and the solution provided by the advice document is applied.

  In another equally preferred embodiment, a centralized advice management system comprising a plurality of distributed clients, a mirror server, a central server, a central database, and a management interface A system is disclosed.

  In another equally preferred embodiment, a centralized advice management system having a distributed client, the distributed client collecting advice documents, authenticating the advice documents, and evaluating the relevance of the advice documents Register the computer with the central server, report relevance to the central server, listen for messages from the central server, collect actions provided by the central server, and A centralized advice management system is disclosed having various components that perform functions such as performing actions.

In another equally preferred embodiment, a method for providing centralized advice management for a large computer network is disclosed. The method includes the following steps.
The distributed client on the computer registers with a central server.
The system administrator subscribing the advice provider site to a registered computer.
The distributed client collects advice documents from subscribed advice provider servers;
The distributed client reports relevance to the central server.
The system administrator viewing the associated advice document using a management interface;

The system administrator provides the distributed client with an action suggested by the advice document;

The distributed client performs the provided action to apply the solution of the advice document.

  The method may further comprise managing a subscription of an advice provider site by the distributed client. The method may further comprise monitoring the status of the delivered action. Alternatively, the method may further comprise the step of monitoring the status of registered computers.

(Centralized advice management system)
FIG. 2 is a block diagram illustrating an advice management system in a large computer network, according to one preferred embodiment of the present invention. The centralized advice management system includes a plurality of distributed clients 201 to 203, a central server 222, a central database 223, and a management interface 224.

  A distributed client is installed on every machine managed under this system. Each of the distributed clients accesses a plurality of advice provider sites 211-213 through the Internet 221, and receives a series of advice documents that specify known problematic conditions. The client also monitors the configuration and status of the computer on which it is installed to see if any of the predefined conditions have occurred, and when such conditions occur, the central server Send a message to 222. The distributed client periodically communicates with the central server 222 according to a number of predefined interactions and obtains messages from the central server 222 that specify the computer modification actions that the distributed client needs to perform. Can do. Typically, distributed clients operate independently without direct intervention from computer end users.

The central server 222 has a set of applications that interact with each other, such as a Web server, a CGI-BIN application, and a database server. This central server coordinates the relaying of information to / from individual computers, the storage and retrieval of information about individual computers, and the presentation of information to system administrators . Typically, the central server components operate independently without direct intervention from the administrator . In medium deployments, this server process is hosted by a single server. In large-scale deployments, it may be useful to divide this server into processes that run on separate servers, or divide the network into several administrative subdomains.

  Central database 223 stores data about individual computers, data about advice documents that are actually monitored, and data about history and action status. Central server interaction mainly affects this database, which is typically a standard Microsoft product (based on MSDE or SQL Server database engines).

The management interface 224 is an application that constitutes the only visible part of the management system in normal operation. This management interface provides system administrators with an overview of the status of computers in the network, identifies any computers that may indicate a particular problem or condition, and identifies those computers or parts of them Order to take action to correct The management interface 224 can operate on any machine that has network access to the central server 222.

  FIG. 3 is a block diagram illustrating an advice management system in a large computer network according to another preferred embodiment of the present invention. This system includes a plurality of distributed clients 301-303, a mirror server 304, a central server 322, a central database 323, and a management interface 324.

  A distributed client is installed on every machine managed under the system of the present invention. Each of the distributed clients 301 to 303 accesses the mirror server 304 and collects advice messages. A distributed client also monitors the configuration and status of the computer on which it is installed to determine if any of the predefined conditions have occurred, and when such a condition has occurred. Send a message to the central server 322. The distributed client periodically communicates with the central server 322 according to a number of predefined interactions and obtains messages from the central server 322 that specify the actions that the distributed client needs to perform to modify the computer. be able to. Typically, distributed clients operate independently without direct intervention from computer end users.

  The mirror server 304 collects advice messages from a plurality of advice provider sites 311 to 313 through the Internet 321 and receives a series of advice documents that specify known problematic conditions.

The central server 322 is a set of applications that interact with each other, such as a Web server, a CGI-BIN application, and a database server. The central server coordinates the relaying of information to / from individual computers, the storage and retrieval of information about individual computers, and the presentation of information to system administrators .

  Central database 323 stores data about individual computers, data about advice documents that are actually monitored, and data about history and action status. Central server interaction mainly affects this database, which is typically a standard Microsoft product (based on MSDE or SQL Server database engines).

The management interface 324 is an application that constitutes the only visible part of the management system in normal operation. This management interface basically gives the system administrator an overview of the status of the computers in the network, identifies any computers that may indicate a particular problem or condition, and identifies those computers or one of them. Instruct the Department to take action to correct the situation.

(Distributed client)
Distributed clients are installed on all machines managed under the advice management system. A distributed client is responsible for collecting advice documents, reviewing the configuration of the machine on which it is running, and determining whether any advice document is relevant to the configuration of that computer. . The distributed client communicates the status of relevance to the central server and executes the action commanded from the management interface. Despite its capabilities and complexity, a distributed client is typically a small application of, for example, about 2 MB, with a load that cannot be perceived by a managed computer, and that consumes network resources. It is intended to be rarely used, secure and reliable, and essentially requires no management (eg, no actual end-user or on-site management is actually required).

図4は、本発明の別の好ましい実施例による分散型クライアント400の主な機能を示すブロック図である。これらの機能には、アドバイスドキュメントの収集401、アドバイスドキュメントの認証402、関連性の評価403、登録404、報告405、リスン406、アクションの収集407、アクションの実行 408が含まれる。 The distributed client has eight functions in the advice management system according to the present invention. These functions are summarized in Table 1.
(Table 1) Functions of distributed clients

FIG. 4 is a block diagram illustrating the main functions of the distributed client 400 according to another preferred embodiment of the present invention. These functions include advice document collection 401, advice document authentication 402, relevance evaluation 403, registration 404, report 405, listen 406, action collection 407, and action execution 408.

Collecting advice documents 401
A system administrator uses a management interface to subscribe computers in the organization to various advice provider sites. It is the job of the distributed client to connect to these sites regularly and synchronize their local advice content with the content on the site. To do this, the distributed client examines each site's masthead file. The masthead file is maintained in the folder where the distributed client is installed on the computer. The distributed client extracts the URL where the content is placed from this masthead file. Then, if there is new advice content, use HTTP command.

Message authentication 402
The decentralized client checks whether the advice content is authentic, i.e., digitally signed by the true owner of the advice provider site.

Relevance rating 403
The distributed client analyzes the advice documents and recognizes which aspects of the computer configuration need to be evaluated to determine the relevance of these advice documents. The distributed client then scans the computer's configuration to determine if the actual configuration matches the relevance phrase. It is important to note that this scan is performed periodically, so that the relevance assessment results change as the system configuration changes.

Registration 404
The computer on which the distributed client is running need not be limited to being always on, or always in one place, or always in one virtual LAN. In order to accommodate such dynamic behavior, this management system requires the central server to recognize itself when the distributed client is running and ready to communicate. This process is called registration. The management system assigns to the distributed client a unique computer ID for identifying itself during communication.

Report 405
When the distributed client detects that any advice is relevant, it reports to the central server that a relevant event has occurred. The distributed client identifies the relevant advice and its computer ID.

Listen 406
The distributed client listens for messages sent from the central server (by default on port 6603). These messages can include a computer ID from the registration process or a specific process request such as a “collect immediate action” request as described below.

Collect Action 407
When receiving information from the distributed client that indicates an event that the association is true, the system administrator confirms the recommended action in the management interface in response thereto. If the administrator decides to communicate this action, an action request is placed at the action site. The distributed client periodically collects action requests from this action site and, in some cases, can collect requests outside the normal schedule in response to instructions from the central server.

Take Action 408
Upon receiving the authenticated action request, the distributed client performs the requested action.

It should be noted that the distributed client includes steps for registration, reporting, listening, and collection actions beyond the consumer's procedural scope. These steps reflect the needs and desires of system administrators in enterprise settings.

(Management interface)
FIG. 5 is a block diagram illustrating the main functions of the management interface 500 according to another preferred embodiment of the present invention. The management interface 500 is a visible component of the management system and is used by system administrators to maintain computers throughout the enterprise. The main functions include subscription management 501, advice message display 502, action supply 503, action monitoring 504, and computer status monitoring 505.

Manage Subscriptions 501
The advice management system accesses advice content created by a content provider outside the company, for example, a hardware or software supplier, and retrieves it from the advice provider site into the company.

The advice management system can subscribe to several predefined sites during initial setup. In order to access advice provider sites other than those that are set up automatically, the system administrator must initiate a subscription for those sites.

There are currently two ways to start subscribing to an advice provider site. The first method is to provide recommendations for corporate advice provider sites that match computers within the enterprise through advice documents distributed from sites that are already subscribed. In this case, the system administrator can initiate a subscription by simply double clicking on the appropriate action link in the body of the advice message.

  The second way to start a subscription requires a more conceptual understanding. In general, in order to initiate a subscription, the advice provider site's masthead file must be obtained from the intended content provider and the file must be properly published to the management interface. is there. Like the central server's masthead file, the advice provider site's masthead file contains information about the URL of the server and the frequency of operation of the site, and this file is digitally signed. However, this masthead file, unlike the central server masthead file, is signed by the content provider organization and not by the enterprise.

If a system administrator is aware of an advice provider site that provides content for distributed clients and wants to subscrib the management system to use that content, the system administrator can download via a web browser Through the masthead file. In general, well-known websites or content provider websites have web pages that contain hyperlinks to masthead files. By double-clicking this link, the masthead file is downloaded from the site to the computer running the web browser.

At this point, the administrator is ready to initiate a subscription using the management interface. The administrator then selects the computers in the enterprise that want to subscribe to the advice provider site. An administrator can subscribe the site to all distributed clients or to some of the distributed clients based on machine characteristics. The administrator can select how often the distributed client should consult the advice provider site and collect new advice documents. This frequency is typically synchronized daily, but other options are available.

Subscriptions to advice provider sites by distributed clients can be modified through the management interface along with the frequency of advice collection. If the subscription is not useful, the system administrator can also cancel the subscription by removing the advice provider site from the list of subscribed sites.

View advice document 502
When the advice document is relevant somewhere on the network, summary information about these messages can be viewed using the management interface. The summary information includes (1) the advice name and numeric advice ID, both assigned to the advice message by the author of the advice, (2) the advice provider site from which the advice originated, and (3) the message is related The number of computers in the network.

Administrators can also use the management interface to view detailed information about the message, which typically includes a list of related computers, a description of the problem in English, and an automatic solution. Including actions to provide.

Action supply 503
When the administrator chooses to implement the proposed action, he is given several options for providing the action. Specifically, an action target, an action message, an action schedule, and execution control are included.

Action target specifies the computer on which the action is deployed. The administrator can choose to serve all computers on the corporate network, or all related computers, or computers that are manually selected.

  Action messages require that there be an active user when the action is performed to alert the user with the specified message and to provide specific interaction with the display of the message . The user can see the details of the proposed action and can cancel the proposed action.

In the action schedule, the administrator can control the date and time that the supplied action is executed on the target computer. The administrator can also specify a validity period and impose a limit on the duration of the action.

With execution control, the administrator can control the status of the action after execution, the retry of the action, and the specific task after the action.

After specifying these options, the administrator enters the signing password and deploys the action.

Action monitoring 504
After the actions are scheduled, the central server attempts to tell these computers that the action is waiting for individual computers. Ideally, a distributed client collects and executes action information from an action server. In practice, some computers may have been powered off at the time they were communicated, and some computers may be moving, so at least some actions may not be performed immediately .

Using the management interface, the status of the delivered action can be confirmed as pending, executing, successfully completed, or failed. The administrator can also browse various options specified by the administrator when the action is supplied as detailed information of the supplied action. The administrator can also stop actions that have been previously provided but not yet completed.

Computer status monitoring505
The advice management system is typically deployed as a collective preventive maintenance tool, but also has several functions that allow the analysis and display of computer configuration information. In practice, the management interface issues a query on a very wide range of characteristics configured by the administrator to computers in the corporate network and provides real-time responses about the selected characteristics to all machines in the region. Can be obtained from. Administrators can use relevance languages to write expressions that can specify a fairly wide range of software and hardware characteristics on a machine, and evaluate those expressions on computers in the corporate network. Can be instructed to return the resulting value.

The following example shows how the computer characteristic “OS” is actually generated by the relevance phrase.
Name of operating system &""& release of operating system &""& build number of operating system as string
This expression means that this property is actually a concatenation of three information strings generated by the appropriate relevance expression and separated by a space.

Administrators add new computer characteristics to the central database by specifying the name of the new characteristic, entering the appropriate relevance clause, and creating an expression that each distributed client evaluates on a regular basis Can be specified as: This can be very useful. This is because the formula can access not only hardware characteristics, but also registration entries and even data in specific files on the end user's computer.

  After the new property is added, the distributed client in the region automatically calculates the value of the corresponding relevance formula and returns it to the central database.

The management interface can access a list of all computers on the network. Administrators can view the retrieved characteristics as well as subscription, relevance, related history, or action information for each particular computer. The subscription information includes the advice provider site to which the computer is subscribed. The relevance information includes a list of advice messages currently associated with the computer. Related history information includes a list of all advice messages that have previously been associated with the computer. The action information includes a list of all actions that have been supplied to the computer in the past.

  FIG. 6 is a flowchart illustrating a communication method 600 for providing centralized advice management for a large computer network, according to one embodiment of the present invention. An exemplary embodiment of the method includes the following steps.

Step 601: A distributed client running on each computer registers with a central server.
Step 602: An administrator subscribes a plurality of advice provider sites to a computer using a management interface.
Step 603: A distributed client running on each computer collects advice documents from the advice provider site.
Step 604: A distributed client running on each computer reports relevant advice documents to the central server.
Step 605: The administrator views the details of the associated message.
Step 606: The administrator deploys the action to the distributed client associated with the advice.
Step 607: The distributed client that receives the action performs the action and follows the advice.

In another equally preferred embodiment, the method further comprises the steps shown in FIG. 6A.
Step 620: The administrator monitors the status of actions provided to each computer.

In another equally preferred embodiment, the method further comprises the steps shown in FIG. 6B.
Step 640: The administrator monitors the status of each computer.

In another equally preferred embodiment, the method further comprises the steps shown in FIG. 6C.
Step 660: The administrator manages the advice provider site subscription by each of the computers in the network.

(Client / server communication)
There are several modes of communication between a distributed client and various servers such as an advice provider server, a mirror server, a registration server, a reporting server, and an action server.

  The advice provider server is a Web server that provides a subscription to an advice provider site. These may be local to the corporate network or outside the network if direct access to the external web is possible.

  Many companies do not have direct web access. Instead, a proxy server is used. In many cases, proxies require password level authentication. In such a company, in order to embody this system, it is necessary to install and execute a mirror server. This also provides bandwidth management benefits.

  The registration server is a component of the central server and processes registration requests from distributed clients and server / client communication requests from other components of the central server.

  The reporting server is also a component of the central server, which processes reports of relevant events from individual computers and passes them to the central database.

  The action server is also a component of the central server and receives action requests from the management interface and passes them to the individual distributed clients.

  Although these components are described separately in this document, they are often physically hosted on a single machine. However, it is worth keeping in mind that the system can be easily reconfigured, for example, so that the mirror server, reporting server, and action server are each on its own server box. This ability to break down the system can be an important feature for scalability both in terms of network bandwidth usage and the number of computers supported in a single supply, and also for administrative partitioning. Can be useful.

  For the advice provider site URL, the distributed client looks in the masthead file located in the installation folder. All other servers are accessed through a URL recorded in the central server's masthead file located in the registry. These masthead files are all under the control of the management interface.

  Modes of communication between distributed clients and these servers include advice collection traffic, registration traffic, reporting traffic, and action traffic.

  When mirroring is not available, the distributed client accesses each advice provider server directly using HTTP. Mirroring first requires a directory list that tells distributed clients what content is available on the site. The distributed client requests all new content, and the advice provider server sends one advice digest containing all requested content. The typical size of such a message is only about 2 kilobytes per piece of advice.

  When mirroring is enabled, distributed clients access content directly from a particular advice provider site by accessing the mirror server directly using HTTP and by (virtual) direct access over the Internet. Request. If the mirror server is inside the LAN, this saves internet access fees and improves security. In networks where computers are not allowed to access the Internet directly without password authentication, mirroring needs to be enabled.

  The distributed client uses HTTP to send the computer ID and supplemental information before the distributed client to the registration server. The distributed client sends its previous computer ID and supplementary information to the registration server via HTTP. The registration server responds by sending a UDP message to the distributed client (by default to port 6603) indicating the new client's new computer ID and supplemental information.

  A distributed client sends a simple text file to the reporting server using an HTTP POST operation. This text file contains a list of all changes in relevance status on that computer since the previous relevance assessment in a clear format.

  The distributed client collects action requests that are explicitly addressed to it from the advice provider server using an HTTP request that includes a computer ID.

  Because client / server traffic is routed through a URL, reconfigure any or all HTTP requests to be HTTPS requests, or use HTTP port numbers other than the default ports 80 and 81 It is possible to reconstruct the URL.

  In this system, a distributed client initiates most of the communication. Distributed clients maintain a schedule that is controlled by parameters in the masthead file. For example, the advice provider site's masthead file contains the recommended frequency of collection for that site, and the central server's masthead file contains the recommended frequency of registration and action collection.

There are exceptions, however. The central server can send a UDP message to a particular distributed client via the reporting server telling the distributed client to collect actions immediately or to collect advice documents immediately. In addition, the management interface allows the system administrator to override the site provider's subscription policy on the advice provider site, for example, to increase or decrease the frequency of collection, or to collect at a specific time of day. Can be constrained to be done only.

  If there is no network connection, the distributed client simply runs the evaluation loop again to see if there are any relevant advice messages in the current advice pool on that computer. At the end of the loop, if any advice document is relevant at that time, the distributed client attempts to communicate the relevance to the reporting server.

(Message authentication)
The management system authenticates specific messages using a secure public key infrastructure (PKI) signature mechanism based on digital cryptography. In practice, PKI technology is deployed to protect the integrity of both advice content and action content.

The site creator digitally signs communications from the advice provider site to the distributed client. This signature must match the site's masthead file that was placed in the distributed client's installation folder when the system administrator subscribed the site to the distributed client.

  The action server digitally signs all messages. Therefore, if signature verification fails on the distributed client side, the message is ignored and discarded. This signature must match the masthead file at the action site that was placed in the Windows registry when the distributed client was installed.

  In order to transmit an action request from the central server to the distributed client, the person who operates the management interface must input the signature password. This requirement is designed to prevent unauthorized users from communicating inappropriate actions using the management interface.

  Since the role played by PKI and signing passwords is important, it is very important to protect public / private key pairs and passwords, and to only inform them to certain trusted persons.

(Action function)
The distributed client performs actions on the computer at the request of the management interface operator. These actions can be process management issues such as changing the advice provider site to which the computer is subscribed, or system administrative tasks such as changing the clock on the computer to match the central server clock. These actions can also download and install files. Such an action is specified by an action scripting language, and in this language, an action that affects the computer can be specified.
・ Files: Delete, move, or copy specific files ・ Registry: Set or delete registry entries ・ Commands: DOS commands, Visual Basic commands, or Java (registered trademark) Script commands Execute DLLs (DLLs): Delete, add or commit various DLL modules

Actions that provide process management can also be specified.
• Advice Ops: Deleting, closing, or recovering advice messages • Site Ops: Subscribing or unsubscribing to advice provider sites • Gather Ops: Changing collection schedule or immediate Mandatory collection / Evaluation: Immediate evaluation of the relevance of advice documents

As a scripting language, this language includes a flow control function that allows conditional execution.
Continue if {condition}: Continue if the condition is true.
Pause while {condition}: Do not continue until the condition becomes false.

The action scripting language further provides various user interface tools that allow the distributed client to interact with the user. For example, browseto opens a browser window at the specified URL. In many implementations of the advice management system, the system administrator does not want the user to be involved in the process, but this is especially because it can accurately specify a computer with certain attributes. It is easy to imagine a situation where such involvement is useful.

  Furthermore, actions can be based on relevance so that actions are only applied on a particular computer if they are still relevant at the moment they are considered for execution. This avoids the problem of correcting problems that no longer exist on the machine when an action request is received to correct the problem.

  An action can be scheduled so that the action applies only to a specific computer at a specific time of day (local time). As a result, regardless of the definition of the time zone of “night”, it becomes possible to execute an action after everyone has returned home at night.

  In short, distributed clients provide a powerful set of actions where detailed scheduling conditions are applied and the persistence of relevance is considered.

(Considering network traffic)
The embodiment described above is designed to be a responsive and lightweight client / server process that displays the network status to the system administrator in units of up to one minute, while at the same time host computer performance. And keep network traffic low. To understand how this is achieved, the following factors need to be considered:

  First, the advice management system reacts only to changes in the state of the computer. All processing is intended to report only how the current relevance differs from the relevance in the previous evaluation loop. Most of the time, distributed clients do not report anything to the server because there are so few relevance events that occur every day. In fact, if there are no relevant events in the day, the only interaction would be registration, collection of hourly actions, and collection of one or two advices per subscribed site . The total network traffic associated with that day's registration and action collection is only a few kilobytes.

  Secondly, the advice collection process likewise reacts only to changes in the status of the advice provider site, so all processing aims to report only new advice documents that have not been previously downloaded by distributed clients. And If there are no new messages a day, the total network traffic associated with collecting advice for the day is only a few kilobytes.

  Third, in the method described, the overhead, ie the total bandwidth consumption when there is no problem that needs to be addressed, is an absolute minimum and the computer operates with intermittent dial-up connections. Even the case is negligible.

  Fourth, the method described above is equally efficient when there are problems to deal with. Individual messages are very compact, advice messages are typically less than 2 kilobytes in size, registration requests are less than 200 bytes, registration responses are less than 400 bytes, and relevance reports are less than 2 kilobytes. Further, the advice provider server uses data compression where possible, such as both standard text compression algorithms and client-side capture procedures.

  Fifth, in large organizations where a certain percentage of network bandwidth savings can be a significant benefit, to avoid the need for each distributed client to access the public Internet and download all content over the Internet, It would be worthwhile to use mirroring with extra effort / cost.

  In summary, in most enterprise environments, the bandwidth usage per distributed client using the method described above is the existing bandwidth usage for processes such as email, web browsing, web-based data entry, etc. Compared to ignorable.

(Security considerations)
Distributed clients must consider their security because they can change the configuration of the computer on which they are running, such as deleting and updating files.

  The distributed client only reports to the reporting server and accepts only action requests from the action server. It is not easy to tamper with the URLs that specify these servers. This is because these URLs are contained in a masthead file that is digitally signed and inherently anti-counterfeit. Furthermore, the content from these servers is digitally signed, and thus it is also inherently anti-counterfeit. These factors suggest that IP spoofing attacks or DNS spoofing attacks are probably not effective. Corporate networks with firewalls and other security measures are probably much more secure.

  Although not considered necessary, increasing the security of the communication process between the distributed client and the central server is possible by several well-known precautions, which are outlined only in this document. The present invention encompasses two strategies.

The first strategy is to close public access. This prevents direct interaction between the distributed client and the public Internet. System administrators have several options: The system administrator can operate the mirror server so that individual distributed clients do not need to access the public Internet. Alternatively, the system administrator can rewrite the URLs in the central server's masthead file and the advice provider site's masthead file so that the URL uses a port number that is not widely known, Alternatively, firewall ports corresponding to a series of newly assigned distributed client port numbers can be blocked.

The second strategy is secure public access. This strategy can use the public Internet, but it can make access more secure by ensuring the confidentiality and security of the actual connection as well as the authenticity of documents delivered over the Internet. it can. System administrators can rewrite URLs in the central server's masthead file to use HTTPS instead of HTTP. In that case, all transactions between the distributed client and the central server are digitally encrypted and thus protected in the same way that recent electronic commerce transactions are protected.

  Although the present invention has been described herein with reference to preferred embodiments, those skilled in the art will recognize that the application described herein does not depart from the spirit and scope of the present invention. It will be readily understood that it can be replaced by an application.

  Accordingly, the invention is only limited by the appended claims.

FIG. 2 is a block diagram illustrating a communication system for relevance messaging by a computer. 1 is a block diagram illustrating a typical advice management system in a large-scale computer network according to the present invention. FIG. It is a block diagram which shows another advice management system in a large-scale network by this invention. It is a block diagram which shows the main functions of the distributed client by this invention. It is a block diagram which shows the main functions of the management interface by this invention. 6 is a flowchart illustrating a method 600 for providing centralized advice management according to the present invention. 6 is a flowchart illustrating additional steps of a method 600 according to the present invention. 4 is a flowchart illustrating another step of method 600 according to the present invention. 4 is a flowchart illustrating another step of method 600 according to the present invention.

Explanation of symbols

101 User's computer
102 Internet
103 ~ 105 Advice provider site
201-203 Distributed client
211-213 Advice provider site
221 Internet
222 Central server
223 Central database
224 Management interface
301-303 distributed clients
304 mirror server
311-313 Advice provider site
321 Internet
322 Central server
323 Central database
324 Management Interface
400 distributed clients
401 Collecting advice documents
402 Advice Document Authentication
403 Relevance Evaluation
404 registration
405 Report
406 Listen
407 Action Collection
408 Take Action
500 management interface
501 Manage Subscription
502 Display advice message
503 Action Supply
504 Action Monitoring
505 Monitor computer status

Claims (15)

A system for creating, distributing and enforcing policy advice documents and monitoring policy compliance in network management of computing devices,
A device on which the management interface application is executed;
A general-purpose language for formally expressing inquiries about the status of computer devices;
A protocol for delivering inquiries through the network;
A central server linked to a central database,
The device executes the management interface application that accesses the central server,
The central server for coordinating information from and relaying information to and from individual computer devices stores and retrieves information about individual computer devices;
And provide information to the system administrator via the management interface application,
A registration server that handles registration requests from distributed clients;
A reporting server that processes reports of related events from individual client computers and passes the reports to the central database;
Receives an action request from a device on which the management interface application is executed,
And an action server that presents the action request to each distributed client,
A central server having
A plurality of distributed clients, each running on a networked computing device;
In a system having
Any of the distributed client refers to the advice provider site to obtain the new advice document from a plurality of advice providers site to new advice document synchronizes with the local advice document of the distributed client if, And,
A system in which the management interface application communicates a report from the distributed client to a system administrator. A distributed client of a computer in a management system for creating, distributing and enforcing policy advice documents in network management of computing devices and monitoring policy compliance ,
A device on which the management interface application is executed executes the management interface application accessing a central server connected to a central database ;
The central server for coordinating information from and relaying information to and from individual computer devices stores and retrieves information about individual computer devices;
And providing the information to the system administrator via the management interface application,
The central server
A registration server that handles registration requests from distributed clients;
Process related event reports from individual client computers,
And a report server passes the report to the central database,
Receive action request from the device to which the management interface application is run, and has an action server presenting the action request to the individual distributed client, and
The distributed client
・ Means for collecting advice documents from multiple advice provider sites;
Means for determining the relevance of the advice document to the computer running the distributed client;
A means for reporting to the central server connected to the central database that a relevance event has occurred;
And means for collecting the action request from, the central server,
The a, in a distributed client,
The distributed client collects advice documents from the plurality of advice provider sites by means of collecting advice documents; and
The distributed client determines the relevance of the advice document by the means for determining relevance; and
The distributed client can report relevant advice documents by means of reporting,
A distributed client for computers . And means for collecting the action request from the central server,
Means for executing the action request ;
The computer distributed client of claim 2 , further comprising:
The distributed client retrieves the action from the central server by the means for collecting; and
Perform the action using the means for performing,
A distributed client for computers . Each of these advice documents
A relevance phrase written in a formal description language to specify criteria for determining when the advice document is relevant;
A message to provide descriptive information describing the advice document;
An action request that provides a solution;
The distributed client of the computer of claim 3 , comprising: 4. The distributed client of a computer of claim 3 , wherein the action request is applied only when it is determined that the advice document is associated with the computer . As the action request may be executed when the computationally verifiable conditions are met, it is possible to constrain the action request, distributed client of claim 3 of the computer. 4. The distributed client of the computer of claim 3 , wherein the action request is digitally signed when deployed from a management interface application. The action request is
Delete, move, or copy specific files,
Setting or deleting registration entries,
Execute script commands,
Remove, add, or commit various DLL modules,
Deleting, closing or recovering advice documents,
Subscribe or unsubscribe to the advice provider site,
Change collection schedule or force immediate collection, and
Ensuring immediate assessment of relevance of advice documents,
The distributed client of the computer of claim 3 , wherein the distributed client is one of the groups having: A client computer in a management system for creating, distributing and enforcing policy advice and monitoring policy compliance in network management of computing devices ,
It is connected to a central database, a central server for adjusting the relay information to information from individual computers and each computer may store information about each computer and searching and accessing the central server A central server that provides such information to a system administrator using a management interface application that functions on a computer ,
The central server
A registration server that handles registration requests from client computers;
Handle reports of relevant events from individual client computers, and
A reporting server for passing the report to the central database;
An action server that receives an action request from the system administrator via the management interface application and presents the action request to each client computer ;
I have a,
The client computer
・ Means for collecting advice documents from multiple advice provider sites;
A means for determining the relevance of the advice document to the computer;
A means for reporting to the central server connected to the central database that a relevance event has occurred;
Means for collecting the action request from the central server;
Have
The client computer collects advice documents from the plurality of advice provider sites by the means for collecting advice documents; and
The client computer, the means for determining the relevance, to determine the relevance of the advice document, and,
The client computer can report relevant advice documents by means of reporting,
Client computer. A means for collecting action requests from a central server;
Means for executing the action request ;
The client computer of claim 9 further comprising:
The client computer retrieves the action from the central server by the means for collecting; and
Perform the action using the means for performing,
Client computer. Each of these advice documents
A relevance phrase written in a formal description language to specify criteria for determining when the advice document is relevant;
A message to provide descriptive information describing the advice document;
An action request that provides a solution;
The client computer of claim 10 , comprising: Only when the said advice document is associated with the computer is determined, the action requests are applied, the client computer of claim 10. Computationally as the action request may be executed when the verifiable conditions are met, it is possible to constrain the action request, the client computer of claim 10. The client computer of claim 10 , wherein the action request is digitally signed when deployed from a management interface application. The action request is
Delete, move, or copy specific files,
Setting or deleting registration entries,
Execute script commands,
Remove, add, or commit various DLL modules,
Deleting, closing or recovering advice documents,
Subscribe or unsubscribe to the advice provider site,
Change collection schedule or force immediate collection, and
Ensuring immediate assessment of relevance of advice documents,
The client computer of claim 10 , wherein the client computer is any of the groups having:

Images