Enabling SQL ARC Scanning:
SQL data collection for ARC scans is disabled by default, and must be enabled from the ARC config files: 'Movere.Arc4.exe.config' and 'Movere.Arc2.exe.config'. In order to enable SQL data collection for ARC, change the value for CollectSQL from "false" to "true" and re-run the ARC scans to begin collecting SQL ARC data.
Finding SQL Servers with no ARC data in the portal:
You can find SQL Servers that are not reporting ARC data by reviewing the Device\Microsoft\SQL Server\Device-Instance List and using the "Edit Report" icon to add the ARC SQL Scanned column to the view.
Minimum Permissions Required to Access SQL:
If your servers appear to have been ARC scanned, but do not show any SQL ARC data, please confirm that the Movere SQL Service Account you are using to scan SQL meets the minimum permissions required to access SQL data.
- Server Roles:
- User Mapping:
  - master (db_datareader)
  - msdb (db_datareader)
- Connect SQL
- View server state
- View any definition
- Grant: permission to connect to database engine
- Enable: Login
- Secondary SQL access:
- Querying SQL databases housing data from sources such as SCCM, SharePoint, vCenter, VMM etc. requires db_datareader access to the specific database(s).
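The following check is an added example and is not Movere's own tooling: run from a login that is sysadmin (or at least holds VIEW ANY DEFINITION) on the target instance, it reports whether the Movere SQL service account holds each of the minimum permissions listed above. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd); the instance and login names are placeholders.

```powershell
# Added example, not part of Movere: verify a login against the minimum SQL permissions above.
# Assumes the SqlServer module (Invoke-Sqlcmd) and a caller with VIEW ANY DEFINITION or sysadmin.
param(
    [string]$Instance = 'SQLHOST01',               # assumed: target SQL Server instance
    [string]$Login    = 'CONTOSO\svc-movere-sql'   # assumed: Movere SQL service account
)

$safeLogin = $Login.Replace("'", "''")   # escape quotes before embedding in a T-SQL literal

# Server level: login exists and is enabled, plus the three explicit server permissions.
# Only direct grants are listed; a grant inherited via a server role (e.g. sysadmin) is not shown.
$serverSql = @"
SELECT sp.is_disabled, perm.permission_name, perm.state_desc
FROM sys.server_principals sp
LEFT JOIN sys.server_permissions perm
       ON perm.grantee_principal_id = sp.principal_id
WHERE sp.name = N'$safeLogin';
"@
$serverRows = @(Invoke-Sqlcmd -ServerInstance $Instance -Query $serverSql -ErrorAction Stop)

if ($serverRows.Count -eq 0) { throw "Login '$Login' does not exist on $Instance (Enable: Login fails)" }
if ($serverRows[0].is_disabled) { Write-Warning "Login '$Login' exists but is disabled (Enable: Login)" }

$granted = $serverRows | Where-Object { $_.state_desc -in 'GRANT','GRANT_WITH_GRANT_OPTION' } |
           ForEach-Object { $_.permission_name }
# CONNECT SQL is the "permission to connect to database engine" grant from the list above
foreach ($need in 'CONNECT SQL','VIEW SERVER STATE','VIEW ANY DEFINITION') {
    if ($granted -contains $need) { "OK      : $need" } else { Write-Warning "MISSING : $need" }
}

# Database level: db_datareader membership in master and msdb, matched to the login by SID
$dbSql = @"
SELECT DB_NAME() AS db
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m  ON m.principal_id = rm.member_principal_id
JOIN sys.server_principals  sp  ON sp.sid = m.sid
WHERE sp.name = N'$safeLogin' AND r.name = N'db_datareader';
"@
foreach ($db in 'master','msdb') {
    $hit = Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query $dbSql -ErrorAction Stop
    if ($hit) { "OK      : db_datareader in $db" } else { Write-Warning "MISSING : db_datareader in $db" }
}
```

For the secondary SQL access case (SCCM, SharePoint, vCenter, VMM databases), run the same database-level query with -Database set to each of those databases.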
Scanning SQL with a Domain admin account:
If you are using a domain admin account to access SQL, please note that Movere will not distribute these credentials to the ARC bots for scanning, for security reasons. If you are using a domain admin account to scan SQL, please choose the scanning method Local process + remote (WMI) on the Scanning Method tab of the Console.
- Scanning with a domain admin account will prevent collection of SQL data unless you are running it as a local process. If running as a service, Movere will not propagate the domain admin account, which will result in the bots calling back to the Console to request any other account(s) for SQL scanning. If the bots cannot communicate to the Console, this secondary call will fail.
- Alternatively, you can run the scans using only the dedicated SQL account and a rescan file for SQL servers, running as a local process. You will need to grant the SQL account local admin rights on both the Console and target devices, and log in to the Console device as the SQL account. This will run the scan as a local process as the SQL account to scan the SQL servers without calling back to the Console.
Scanning SQL with a dedicated SQL account:
If you are using a dedicated SQL account, please ensure the servers that are not reporting SQL ARC data can communicate with the Console on port 443 outbound internally. The ARC bots will request secondary credentials for scanning SQL from the Console over port 443 internally, and if this port is blocked or otherwise restricted, the request will fail.
Port 443 Issues:
- Uploading to the cloud will not cause issues with SQL scanning, but it can mask potential issues with port 443 availability since it is possible for Movere to inventory and ARC a device even if port 443 is blocked. Uploading payloads directly to the cloud from the target devices does not require any communication from the targets back to the Console on port 443.
- When scanning SQL, the bots will reach back to the Console internally over port 443 to request SQL credentials. If the bots are unable to communicate back to the Console over port 443 internally due to a restriction (e.g. a blocked port, firewall or proxy), then you will receive credential errors.
- For inventory scanning, Movere can utilize an upload method where the Console “pulls” the inventory file back in the event port 443 is blocked; this will appear in the service logs as a “Pulling file” message. The inventory payloads are still uploaded, however, which can mask issues with port 443. If you have a log for the inventory scans for these devices, you should see the “Pulling File” message.
- If there are timeout errors in the ArcLogs when attempting to communicate with the Console, as well as missing “Local Scan Started” messages in the service log, that indicates that the target SQL machines cannot communicate back to the Console over port 443. The “Local Scan Started” message is sent from the bots to the Console, so its presence is an indication that the target device can communicate back to the Console device.
- If the SQL databases have not been inventoried, it further indicates that the bots cannot communicate back to the Console to request the additional SQL credentials. This could be due to a block on port 443 outbound internally from the target devices, or inbound internally to the Console device.
- This issue does not impact Windows ARC scans when uploading to the cloud is enabled because the bots do not reach back to the Console for Windows credentials as they do for SQL. With the payloads uploading directly, there is no need for the bots to communicate back to the Console internally over port 443.
- With the latest release (v22.214.171.124) Movere automatically pins the certificates to all FQDNs and IP Address(es) of the Console device, and attempts to communicate against the entire list until successful communication is established. You can see in the logs whether the bots attempted to ping the Console against both the FQDN and the IP Address during the ARC scan, with both attempts failing.
- Please confirm the availability of port 443 on SQL machines, specifically their ability to communicate internally outbound on port 443. Check to see if the Console device can listen internally on port 443. To test port 443, log in to one of the impacted servers and use the psping utility to ping the Console device FQDN or IP address over port 443: psping ConsoleDevice:443. If this test fails, you will need to identify the source of the block and resolve accordingly (e.g. a blocked port, network or Windows firewall). https://docs.microsoft.com/en-us/sysinternals/downloads/psping
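As an added example that is not part of Movere, the script below does from an impacted SQL server what the bots do according to the points above: it resolves the Console device to its IP address(es) and tests TCP port 443 against the FQDN and every address, so you can see which path, if any, is blocked. It assumes Windows PowerShell 4 or later (Test-NetConnection and Resolve-DnsName are built in there); the Console name is a placeholder.

```powershell
# Added example, not part of Movere: test outbound TCP 443 from a SQL server to the Console
# device by FQDN and by each resolved IP address, mirroring the bots' fallback behaviour.
param([string]$ConsoleDevice = 'moverecon.contoso.local')   # assumed: Console device FQDN

# Candidate targets: the FQDN itself plus every A record it resolves to
$targets = @($ConsoleDevice)
try {
    $targets += Resolve-DnsName -Name $ConsoleDevice -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
} catch {
    Write-Warning "DNS resolution of $ConsoleDevice failed: $_ (bots can still try the IP address directly)"
}

$results = foreach ($t in ($targets | Select-Object -Unique)) {
    # Quiet mode returns $true only when a TCP handshake on port 443 completes
    $ok = Test-NetConnection -ComputerName $t -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $t; Port443 = $(if ($ok) { 'OPEN' } else { 'BLOCKED' }) }
}
$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.Port443 -eq 'OPEN' })) {
    Write-Warning 'No path to the Console on port 443: expect SQL credential errors and timeouts in the ArcLogs.'
    Write-Warning 'Check the Windows firewall on both ends, any network firewall/proxy, and that the Console is listening on 443.'
}

# To confirm the Console side, run on the Console device itself:
#   Get-NetTCPConnection -LocalPort 443 -State Listen
```

A result of BLOCKED for every target matches the symptom described above (missing “Local Scan Started” messages and timeouts in the ArcLogs), while OPEN for at least one target means the bots should reach the Console for SQL credentials.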
If you need to open a Movere service request for issues collecting SQL ARC data, please provide the MovereBotLog and ArcBotLog files from the impacted machines. (These logs will be found locally on the SQL servers themselves, in the Temp folder.)