Tranquil IT Forum

Hello,

I installed Wapt in cspn-toe mode. I don't have access to the server's web page (error 401) - but from what I've read on the forum, this is normal in cspn-toe mode. I successfully retrieved the agent .exe.

I would like to deploy this agent via GPO. However, it asks me to copy/paste the hash and other parameters from the server's web page: https://www.wapt.fr/fr/doc/wapt-deploy-agent.html#. How can I retrieve this hash and other parameters without using the web page? Perhaps I missed something in the documentation for GPO deployment when using cspn-toe mode.

I have the Discovery version 2.6.1.
The server is installed on Debian 13.
The console is installed on a Windows 11 VM.

Thank you for your help and have a good day,

Mélyne

Hi Mélyne,

CSPN mode isn't supported in the discovery version. So you need to stay in normal mode (which already includes a fair amount of security to guarantee the integrity of your deployments).

However, it's true that there are some missing details in the documentation. Regarding the agent hash, when the agent is created, it's placed on the machine of the administrator who generated it, and you just need to perform a SHA256 hash using any tool available on that machine (7-Zip, etc.).

Best regards,

Denis

Hi again Mélyne,

I'd like to add that the CSPN-TOE mode, as its name suggests, is based on the TOE (Target of Evaluation) of the CSPN certification for WAPT. The CSPN is a time-constrained/budget-constrained certification. Therefore, some features are not covered by the TOE, such as WADS, WaptWUA, secondary repositories, etc.

So, unless you're in an environment with strict security requirements, it's not recommended to install in CSPN-TOE mode. If you properly implement all the WAPT security features, you'll already have a very secure environment (valid HTTPS certificate, Kerberos authentication for initial workstation registration, Kerberos authentication for administrators, signature key by adminsys, etc.).

Best regards,

Denis

Hello,

Thank you so much for your feedback! It's much clearer now.

I've reinstalled it in standard mode. Still in discovery mode for the moment, at least during this testing phase. I chose Kerberos authentication.
Manually installing the agent on Windows client machines works, but it's impossible via GPO, whether through a scheduled task or a startup script. The GPO deploys correctly. But the client PC doesn't appear in the console, as if the deployment isn't starting. Could Kerberos authentication be the problem? Should I choose a different authentication method in discovery mode for GPO deployment to work?

Thank you (if I should start this thread elsewhere, please let me know; it's true that my message would probably be better suited to the Agent/Console section now).

Best regards,

Mélyne

Hello Mélyne,

Kerberos mode is not available in Discovery.
If you are in the testing phase, you can request a temporary license for a few workstations from the sales department.

Regards,

Hubert