View your network from 10 feet or 10,000 feet

Computer Associates (CA) Unicenter TNG (short for The Next Generation) is big. Really big. Mind-bogglingly big. But Unicenter's size stands to reason because it can manage an entire enterprise. Unfortunately, a complete review of every Unicenter feature could fill more than 50 pages. So to keep this article within reasonable limits, let's look at just those features new to the TNG release.

In late 1995, Windows NT Magazine did a first-look review of a prerelease version of Unicenter for Windows NT (see John Enck, "The Unicenter of the Universe," October 1995). CA has been shipping the NT version of its final product for more than a year (after several years in the UNIX, AS/400, and Novell markets), and we recently received the latest version--Unicenter TNG--for review in the Windows NT Magazine Lab.

TNG is a suite of interrelated modules. Each module addresses a different aspect of end-to-end enterprise and systems management: The WorldView user interface includes 2D and 3D network maps, object browsers, and discovery wizards; the Enterprise Managers include applets for managing event logs, actions, users, and so on; a software development kit (SDK) lets you develop custom interfaces and integrate third-party management applications; and new agent software enables everything from remote administration to asset tracking. You can add modules for software distribution, advanced Help desk, remote control, and other enterprise tasks.

Like all information handling systems, TNG creates a lot of data. The product houses this data in a repository using Microsoft's SQL Server or CA's OpenIngres. CA refers to the information within a repository as a management domain (not to be confused with NT domains). You can run TNG and SQL Server (preferably version 6.5) on the same system or have a dedicated database server on your network. The latter option can be handy if you have multiple TNG administrators. You can distribute your management load by creating multiple small repositories across your enterprise (only one per SQL Server). You can then use Simple Network Management Protocol (SNMP) traps to notify you when TNG identifies a fault for any of the events in these management domains (for more information on SNMP, see the sidebar, "Understanding SNMP").

You have manual control over data objects in a repository. For example, you can manually set an object to critical status to inform other administrators that you are managing that object, or you can have TNG automatically generate an event--and log it--to notify users of the service interruption. Objects automatically return to normal status after you correct the fault, or you can manually intervene and set the object to normal after you finish managing a resource.

Getting Started
TNG covers various aspects of system and network management, inventory control, workload scheduling, backups, security, user management, and remote control/Help desk for any SNMP-enabled device (e.g., computers, printers, routers, and managed hubs). The ultimate goal of TNG and every other NT enterprise management tool is to provide single-seat administration so you can use your network to analyze and fix almost any system-related problem (except for changing physical hardware components) without having to leave your desk. CA positions TNG as the do-everything, end-to-end enterprise management solution (i.e., if you have TNG, you shouldn't need anything else). Unfortunately, no one package delivers full single-seat administration. You have to pick two or three, or perhaps more, solutions that work together with minimal hassle to provide everything you need across your enterprise.

TNG integrates with other systems management products such as Microsoft's Systems Management Server (SMS) through SNMP. Although many people used to view TNG and SMS as competing products, they now consider TNG and SMS to be complementary. SMS adds to TNG's features by providing enterprise desktop management tools, such as software distribution and NT user management (for information on SMS, see Tim Daniels, "SMS 1.2").

If you are planning a large-scale TNG installation, CA will typically assist you on an on-site consulting basis. You don't have to use CA's services, but they can be helpful when you configure and customize your management system and train your administrators. The software is easy to install, although the basic pieces involve several steps (all server components run as NT services). However, the program is monolithic enough that moving to an online production mode takes effort.

What you install (and what you pay for) depends on the size of your network and what you hope to accomplish with TNG. If you want basic management, you need to install TNG's server components on the SQL Server and management system and SNMP service and agents on all servers and workstations you want to manage. This basic level of installation gives you all of TNG's main functions, such as event notification, backup, and security. For more complex operations, such as remote control and remote systems management, you need to install optional agent software on every system you want to manage, regardless of whether these machines use NT, Windows 95, Windows 3.x, UNIX, Novell, Mac, or other operating systems.

The GUI
CA sent its solution pre-installed with a beta version of TNG on an Intergraph TDZ-410 (dual 200MHz Pentium Pro with 128MB RAM and a RealiZm graphics card--for information on this workstation, see my review in "NT Graphics Workstations Roundup," February 1997). We subsequently reinstalled this workstation with the full release version of TNG. So why did CA ship such a powerful system to play the role of a console? One of TNG's claims to fame is its GUI, which you see in Screen 1. The GUI can function almost completely in 3D using OpenGL. With such complicated realtime graphics (animated fly-bys of your network, world navigation, system drill-downs, etc.), having a system with an OpenGL-accelerated graphics card really helps--you don't need a management console with this much power, but this setup made for a nice demo.

Viewing the World in 3D
TNG, with its new 3D WorldView metaphor and GUI, focuses on fault tracking and notification and event management. When an event arises, the situation generates an action such as an administrative alert. This action, in turn, will generate a trouble ticket, which should lead to problem resolution.

You can view a 3D world map and keep an eye out for red balls (no kidding) to appear over an asset, indicating a critical problem, as you see in Screen 2. The more likely scenario is that you will receive an administrative alert (email, page, console message, etc.) sending you looking for the red ball. After you find it, you drill down to the problem by clicking the objects where the alert appears. When you select the object, TNG zooms in to your local network, to a subnet (if you have one), to the problem system, to inside the computer where you can see installed devices (NICs, hard disks, etc.) and software. If you place the cursor over an object, TNG opens a small dialog box that tells you the object's identification and status. If you click the object with your mouse, TNG will zoom in on the object, unless you are at the lowest level (in this case, TNG will beep at you). If you right-click the object, you see a menu where you can select operations such as open details and ping. You can also administer the object by changing parameters, installing software (if you have the module), and so forth.

Viewing the World in 2D
Screen 3 shows TNG's 2D GUI, which perhaps gives you more instantaneous information than viewing your enterprise in 3D. Flying around the world to investigate various objects is fun, but it can be time consuming--free time is a luxury most administrators don't have.

The 2D WorldView has two operational modes: run and design. Run mode lets you perform standard operations such as opening and viewing objects, viewing your network topology, and gathering performance and functional data. Design mode lets you customize your views. Here is where TNG's new interface is impressive.

Customizing the GUI
CA's new approach to enterprise management is business process views (BPVs), logical groupings of objects that relate to specific aspects of your company, such as accounting or Internet services. A BPV can include any kind of object, managed or unmanaged, anywhere in your enterprise--across a LAN, WAN, dial-up, or other connection--that you either locate manually or have TNG track down automatically. By grouping devices, you can manage a process without having to worry about other unnecessary objects. For example, if an Internet server goes down, you don't have to hunt around for it. Instead, your Internet Services view will turn red so you can go directly to the fault (shown with a red ball in 3D or a red server icon in 2D) without drilling down through extraneous hierarchies.

The 2D and 3D views are fully customizable--you can create geographic maps and layouts such as floor plans (using bitmaps and AutoCAD .dxf files), where you can precisely place network objects. To do this customization, you use a drag-and-drop interface. TNG immediately replicates changes from one view to the other (e.g., from 2D to 3D).

TNG also provides a Topology Browser and Control Panel for managing views. The Topology Browser is an NT Explorer-type view of your managed objects and network that lets you use a BPV or expanded tree view to go directly to a problem object. You can have instant access in the 2D or 3D interface or watch the interface fly you there. The Control Panel is a simple way to track where you are and where you've been on your network. A history file lets you go to specific problem areas that you've already visited.

Managing Your Repositories
TNG's new WorldView provides several tools for managing your repository, including Create Repository, Class Browser, Class Wizard, Object Browser, and Schema Builder. Create Repository provides a simple front end to SQL Server. You can use it as an alternative to the SQL Enterprise Manager to generate a new repository or reconfigure an existing one. In addition, this tool lets you insert sample data into a new repository to test a setup before a final product rollout. The repository import and export function lets you easily move data (such as maps, objects, and recorded data) between systems. One script file duplicates the data (providing a basic backup method), and another script inserts the data into an existing repository and reports any conflicts with previous data. You can also import or export only specific objects.

The Class Browser, as you see in Screen 4, lets you view existing classes (a list of properties for an object with static and dynamic attributes). The Class Wizard lets you create new classes and modify previously defined classes. Among the attributes you can create and assign are icons for the 2D and 3D views, parent/child relationships, and status indicators. TNG uses a single-inheritance scheme, so objects can inherit attributes from only one class, but objects can contain multiple objects of any classes.

The Object Browser gives you a tree view of every object you have defined, with associated class properties, in your repository. You can access each object in this view just as if you were in the 2D or 3D map, so you can right-click on the object and select Go there to zoom in on a particular object, or you can bring up the Object Viewer. Screen 5 shows the Object Viewer, which you access by right-clicking an object in the 2D view or 3D view and selecting Object View. This view gives you all available Management Information Base (MIB) data for that object from the SNMP agent and data from the repository. If you type in enough information in the Object Viewer (if you know it off the top of your head), it will take you directly to the object.

In addition, the Object Viewer can display dynamic SNMP data, which lets you create graphical views such as disk and memory usage and packets per second from a router. Using Object Linking and Embedding (OLE), you can launch an instance of MS Excel to graph realtime data, or use TNG's built-in methods. By setting thresholds and alarms, you can post warnings to the NT Event Log and generate events or SNMP traps as administrative alerts.

The Schema Builder lets you define what MIBs Object Viewer uses. It also lets you compile new MIBs for use by SNMP and TNG agent software. You simply create a text file of MIB file names, and Object Viewer will use the file.

TNG's Security and NT's Security
TNG's security is built around two things: assets (users, files, I/O devices, databases, or anything else listed in your repository) and policy rules. The agent technology manages these assets through security rules. TNG uses specific software to manage databases (such as SQL Server and Oracle Workgroup Server on NT) and various objects on other systems, spanning everything from Win95 to an IBM 3090.

You define user accounts and passwords in TNG so users can have specific access permissions to assets. This approach is similar to NT's security except that instead of using access control lists (ACLs), TNG uses policy rules-based security. Policy rules are if-then statements; a security evaluator, such as a file system filter, enforces them by checking every access against the rules (including calendar-based access rights).

Users log on to TNG the same way they log on to NT, which provides simultaneous sign-on (i.e., you don't have to log on to your NT domain and then to TNG). TNG's and NT's domain security models are not completely integrated, but TNG can pass user and group changes to your NT Security Accounts Manager (SAM) database. If you make changes to NT, you will have to re-import your accounts database into TNG.

TNG's User Profile Synchronization replicates changes that you make to a user's profile (e.g., a user's ID, name, password, status, and usage calendars). The User Profile Synchronization takes the changes and passes them to other systems in a station group (a TNG object that enumerates what target machines TNG needs to update when you make a security change). This approach lets TNG operate across any kind of system or platform that it can manage and lets you control the security policies of all enterprise systems (e.g., NT, NetWare, VMS, UNIX) from one station.

TNG operates as the top layer of security. The software passes all accesses from NT to TNG and checks them against TNG's policy rules, so you have to define all assets in TNG to protect them. Setting up specific permissions for assets lets TNG enforce security policies across various operating systems, but this ability introduces an inherent weakness. Although TNG-defined users can't violate NT's security and NT users can't violate TNG's security, you must use TNG to define access rights to managed objects; otherwise, only NT's system security protects the objects. In short, you have to maintain two complete and separate security systems or include all system and data files, users, and so on, under TNG's security umbrella. Fortunately, TNG ships with a command to automatically import all NT user accounts, but not ACLs, into TNG to simplify administration.

As an alternative, and to handle possible holes in a supplemental security system, TNG offers two security modes, allow and deny, with full-access auditing. Allow mode lets TNG protect only what you want it to (in a hierarchical fashion)--you have to specify what assets fall under TNG's security policies, and everything else is left open or covered by the host operating system. If you use naming conventions, existing policy statements cover any new objects that you add to the hierarchy. Deny mode protects everything (all TNG and non-TNG objects) on the system unless you specify otherwise. In this mode, the software checks every access against TNG's security. If no policy exists to permit the access request, TNG automatically denies access.

TNG provides enforcement modes that operate under allow mode. You can define different enforcement modes for different systems and users. The first mode is fail, which denies an access request if the request violates defined security policies. Warn mode tells the user that the access request violates the security policies, but warn mode still grants access. Quiet mode lets you define a user who is immune to TNG's security policies, but must still follow the host operating system's security policies. You can also specify enforcement actions for TNG to take after violations occur. Such actions are to cancel the request and deny access; cancel the request, deny access, and log the user off the server; cancel the request, deny access, log the user off the server, and suspend the user from logging back on to the system. You can audit all these events for future analysis. Together, the auditing feature and the enforcement modes are very useful for testing a TNG rollout in a production environment without affecting any user's normal operation.
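The rule evaluation, allow/deny modes and enforcement modes described in the preceding paragraphs, as an added example written for this article rather than CA's code: rules are first-match if-then statements, allow mode leaves assets that no rule covers to the host operating system while deny mode refuses anything no rule permits, and per-user enforcement (fail, warn, quiet) decides whether a violation is blocked, logged but granted, or not checked at all. Every decision lands in an audit list, which is what lets you dry-run a policy in warn mode before switching users to fail. The rule syntax, first-match ordering, the hour-window form of calendar access, and the sample users and assets are assumptions of the example, not TNG's actual rule language.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One if-then policy rule: IF user, asset, access (and time window) match THEN effect.
    Field syntax is this example's own, not TNG's rule language."""
    user: str                                # user ID, or "*" for any user
    asset: str                               # glob over asset names, e.g. "finance/*"
    access: str                              # "read", "write", or "*"
    effect: str                              # "permit" or "deny"
    hours: Optional[Tuple[int, int]] = None  # calendar window (first, last hour inclusive); None = always

    def matches(self, user: str, asset: str, access: str, when: datetime) -> bool:
        if self.user not in ("*", user) or self.access not in ("*", access):
            return False
        if not fnmatchcase(asset, self.asset):
            return False
        return self.hours is None or self.hours[0] <= when.hour <= self.hours[1]


class PolicyEvaluator:
    """Default-open (allow) or default-deny (deny) evaluator with fail/warn/quiet enforcement per user
    and an audit trail of every decision. First matching rule wins (an assumption of this example)."""

    def __init__(self, mode: str, rules: List[Rule], enforcement: Optional[Dict[str, str]] = None):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.rules = rules
        self.enforcement = enforcement or {}  # user -> "fail" | "warn" | "quiet"; unlisted users get "fail"
        self.audit: List[dict] = []

    def _record(self, user, asset, access, granted, reason, violation=False):
        self.audit.append({"user": user, "asset": asset, "access": access,
                           "granted": granted, "violation": violation, "reason": reason})
        return granted, reason

    def check(self, user: str, asset: str, access: str, when: datetime,
              host_permits: bool = True) -> Tuple[bool, str]:
        # The host OS (NT ACLs) still applies underneath; the policy layer never overrides a host denial.
        if not host_permits:
            return self._record(user, asset, access, False, "denied by host OS security")
        enforcement = self.enforcement.get(user, "fail")
        if enforcement == "quiet":
            return self._record(user, asset, access, True, "quiet mode: user exempt from policy rules")
        rule = next((r for r in self.rules if r.matches(user, asset, access, when)), None)
        if rule is not None:
            decision = rule.effect == "permit"
            reason = f"rule {rule.user} {rule.asset} {rule.access} -> {rule.effect}"
        elif self.mode == "deny":
            decision, reason = False, "deny mode: no rule permits this access"
        elif any(fnmatchcase(asset, r.asset) for r in self.rules):
            decision, reason = False, "allow mode: asset is under policy but no rule permits this access"
        else:
            decision, reason = True, "allow mode: asset not under policy, host OS governs"
        if decision:
            return self._record(user, asset, access, True, reason)
        if enforcement == "warn":   # violation is logged but the access still goes through
            return self._record(user, asset, access, True, "warn mode: " + reason, violation=True)
        return self._record(user, asset, access, False, "fail mode: " + reason, violation=True)


# Constructed sample policy (names and assets are invented for the example).
RULES = [
    Rule("*", "finance/payroll.db", "write", "deny"),          # nobody writes payroll directly
    Rule("alice", "finance/*", "*", "permit", hours=(8, 18)),  # accountant, business hours only
    Rule("*", "finance/*", "read", "permit"),                  # anyone may read finance data
]

if __name__ == "__main__":
    ev = PolicyEvaluator("allow", RULES, {"bob": "warn", "carol": "quiet"})
    day, night = datetime(1997, 6, 2, 10, 0), datetime(1997, 6, 2, 23, 0)
    ev.check("alice", "finance/ledger.db", "write", day)
    ev.check("alice", "finance/ledger.db", "write", night)
    ev.check("bob", "finance/ledger.db", "write", day)
    for entry in ev.audit:
        print(entry)
```

Note the ordering trap the example is built around: the payroll deny rule must come before alice's business-hours permit, or first-match would let her write payroll during the day. A rollout in warn mode surfaces exactly this kind of mistake in the audit trail (granted, but flagged as a violation) without blocking anyone.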

Agent Technology
Another new component to TNG is an SDK for integrating and developing new TNG-aware applications. CA has exposed APIs so you can create agents for custom proprietary applications or situations not already in TNG, while still using your standard repository, security policies, and management routines.

TNG is open and extensible, so you can customize it to fit your enterprise environment, and customization is certainly key with TNG. It has many features right out of the box, but you still need to integrate it and match it to your existing network and applications. With standard development tools such as Visual C++, you can even build an object browser.

Testing TNG
I tested TNG in a multiprotocol, multidomain network with several types of network devices, such as routers, printers, NT servers and workstations, and NetWare servers. To begin, I used TNG's Autodiscovery Wizard, which automates the search for your managed devices (with support for TCP/IP, IPX/SPX, DECnet, and SNA), builds the initial topology of your network, and enters it into your repository. I used this tool to analyze the Windows NT Magazine Lab and the surrounding corporate network.

The wizard offers several methods for discovery: an IP ping sweep, Address Resolution Protocol (ARP) cache (TNG queries the ARP tables in the routers it finds and continues searching from there), or fast ARP (TNG just uploads the ARP tables). Each method has its uses, but the IP ping sweep provides the most detail. This method pings every address you define in a range, asks the devices it finds whether they are SNMP enabled, gathers a small amount of MIB data, and enters this information into the repository to build the topology view.

TNG's Discovery Monitor tool tells you the status of a running autodiscovery, how many objects it found, and how long it took. You can control how many levels deep the scan goes (a subnet is the finest granularity available) and how many attached networks it discovers. TNG places all devices it discovers in an IP network group with one representative icon at the top layer of the 2D and 3D views. After the autodiscovery fills the repository, CA's Domain Manager software lets you set domain polling times, intervals, and types, which govern the repository and fault notification frequency.

I found a few problems with TNG. For example, it has no undo function, and object deletes are not recursive. If you delete a top-layer object, such as the whole IP subnet or BPV, TNG doesn't remove the underlying objects. Also, the release of TNG I evaluated did not support Dynamic Host Configuration Protocol (DHCP) autodiscovery. As the DHCP server shuffles IP addresses, TNG doesn't update the repository accordingly. This lack of synchronization causes conflicts with addresses pointing to the wrong managed devices. CA reports that patches are available from the company's Web site to fix the cascade delete and to add DHCP support for autodiscovery.
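The three discovery methods described above, plus the DHCP address-conflict problem, as an added example written for this article and not CA's code. It runs the ping sweep, ARP-cache walk and fast ARP over a small constructed lab (the addresses, MACs and ARP tables are invented), buckets the results into IP network groups, and then shows how a repository keyed by IP address breaks when a DHCP server hands two machines each other's leases. The rekey-by-MAC function at the end is the example's own suggestion for a lease-independent object key, not a TNG feature.

```python
import ipaddress
from collections import deque
from typing import Dict, List, Tuple

# Constructed lab: address -> device. 'snmp' marks devices that answer SNMP; 'router' marks devices
# whose ARP table the walk may read. Nothing here is a real host.
LAB = {
    "10.1.1.1":  {"mac": "00:00:0c:00:00:01", "snmp": True,  "sysName": "rtr-core",   "router": True},
    "10.1.1.10": {"mac": "00:a0:c9:00:00:10", "snmp": True,  "sysName": "nt-lab1",    "router": False},
    "10.1.1.20": {"mac": "00:a0:c9:00:00:20", "snmp": False, "sysName": None,         "router": False},
    "10.1.2.1":  {"mac": "00:00:0c:00:00:02", "snmp": True,  "sysName": "rtr-west",   "router": True},
    "10.1.2.30": {"mac": "00:60:b0:00:00:30", "snmp": True,  "sysName": "hp-printer", "router": False},
    "10.1.3.40": {"mac": "08:00:09:00:00:40", "snmp": False, "sysName": None,         "router": False},
}
# Router ARP caches (neighbour addresses; a real table is the SNMP ipNetToMedia table, address -> MAC).
ARP = {
    "10.1.1.1": ["10.1.1.10", "10.1.1.20", "10.1.2.1"],
    "10.1.2.1": ["10.1.1.1", "10.1.2.30", "10.1.3.40"],
}


def probe(ip: str) -> dict:
    """Ping one address, then ask whether it speaks SNMP; on success grab a little MIB data (sysName)."""
    dev = LAB.get(ip)
    if dev is None:
        return {}                                     # no ICMP reply: nothing to record
    return {"ip": ip, "mac": dev["mac"], "snmp": dev["snmp"],
            "sysName": dev["sysName"] if dev["snmp"] else None}


def ping_sweep(cidr: str) -> Dict[str, dict]:
    """The ping-sweep method: probe every address in the range and keep whatever answers."""
    found = {}
    for host in ipaddress.ip_network(cidr).hosts():
        rec = probe(str(host))
        if rec:
            found[rec["ip"]] = rec
    return found


def arp_walk(seed: str, max_depth: int) -> Dict[str, dict]:
    """ARP-cache discovery. max_depth=0 is 'fast ARP' (upload only the seed router's table);
    larger values keep walking from each router found, up to max_depth router hops."""
    found: Dict[str, dict] = {}
    queue = deque([(seed, 0)])
    while queue:
        ip, depth = queue.popleft()
        if ip in found:
            continue
        rec = probe(ip)
        if not rec:
            continue
        found[ip] = rec
        dev = LAB[ip]
        if dev["router"] and dev["snmp"] and depth <= max_depth:
            for neighbour in ARP.get(ip, []):
                queue.append((neighbour, depth + 1))
    return found


def group_by_network(found: Dict[str, dict], prefixlen: int = 24) -> Dict[str, List[str]]:
    """Bucket discovered addresses into IP network groups, the top-layer icons in the map views."""
    groups: Dict[str, List[str]] = {}
    for ip in found:
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        groups.setdefault(net, []).append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in sorted(groups.items())}


def address_conflicts(repository: Dict[str, dict], fresh: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Compare a stored snapshot with a rediscovery, both keyed by address. An address whose MAC changed
    is the DHCP symptom the review describes: the stored object now points at a different machine."""
    return sorted((ip, repository[ip]["mac"], rec["mac"])
                  for ip, rec in fresh.items()
                  if ip in repository and repository[ip]["mac"] != rec["mac"])


def rekey_by_mac(found: Dict[str, dict]) -> Dict[str, dict]:
    """Store objects under a lease-independent key instead, so a new address updates the same object."""
    return {rec["mac"]: rec for rec in found.values()}


def dhcp_reshuffle(found: Dict[str, dict], a: str, b: str) -> Dict[str, dict]:
    """Constructed scenario: the DHCP server hands the two machines each other's old address."""
    new = dict(found)
    new[a], new[b] = dict(found[b], ip=a), dict(found[a], ip=b)
    return new


if __name__ == "__main__":
    sweep = ping_sweep("10.1.1.0/24")
    print(group_by_network(arp_walk("10.1.1.1", max_depth=1)))
    print(address_conflicts(sweep, dhcp_reshuffle(sweep, "10.1.1.10", "10.1.1.20")))
```

The depth budget in `arp_walk` is the "how many levels deep the scan goes" control: at depth 0 the walk stops after the seed router's own table, which is why fast ARP never sees the second subnet, while depth 1 reaches everything behind rtr-west.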

While I was autodiscovering devices, I noticed that TNG does not use LANManager communications layers, so on a first pass, it won't tell you about or respect NT domains. To include domains in your TNG security model, you have to start using TNG's security management features.

End-to-End
The final question is whether you can deploy TNG as a complete, standalone enterprise management system for NT. Well, not yet. CA reports that it will be adding more modules and tighter integration with NT in the next two releases (the first release is due out by the end of this year). Right now, TNG lacks some features, so you have to add other packages to your administration plan. At a minimum, you need to consider adding TNG's optional modules, such as software distribution and advanced Help desk for complete enterprise control.

Other features missing from TNG include built-in remote NT system administration and hooks (except for those in NT's native tools) for new Desktop Management Interface (DMI) standards (although you can access this data via a Management Information Format--MIF--to MIB converter) or system/network performance monitoring. As a result, TNG is not well suited to network design or capacity planning. You need to carefully plan your security strategy with TNG. If you don't, you can introduce new security holes. TNG also lacks file administration capabilities that are directly integrated with its WorldView interface--you still have to use NT's standard tools, rather than having one point of administration.

Despite its shortfalls, TNG is a powerful enterprise management environment. It can be difficult to grasp at first, but once you learn your way around the GUI, the system is very logical.

CA offers two options for TNG support. The first is a basic phone support and bug fixes service contract that costs 15 percent of the current TNG price (regardless of what you paid for TNG when you purchased it) per year. The other service contract includes full phone support, fixes, and upgrades for the time you have the contract and costs 19 percent of the current TNG price per year. You must sign up for one of these two service contracts when you license your copy of TNG. Any large enterprise considering a rollout of TNG will want to make sure to put a program in place for 24 x 7 support, with a guaranteed resolution time, such as four-hour response. These services are available, so build them into your management solution. You will find numerous Help files and an online-books utility on the distribution CD-ROM that you can easily distribute to your administrators.

TNG is not for everybody, and its deployment requires planning and customization. However, if you run a large-scale, complex, heterogeneous network, TNG is well worth the effort and cost.

Unicenter TNG
Computer Associates * 516-342-5224 or 888-864-2368
Web: http://www.cai.com
Price: $2500 (base)