OT-BASE Asset Discovery

Installation and first steps

Platform requirements
OT-BASE Asset Discovery runs on Windows 7 or higher. If Windows 7 is your hosting
platform, the following requirements must also be met:

 SP1 installed
 KB3033929 installed (Driver signature support for Npcap)
 KB2533623 or monthly KB4457144 installed (Python multiprocessing support)
 Microsoft Visual C++ 2015 Redistributable installed (api-ms-win-crt-runtime-
l1-1-0.dll needed)

The software has a small footprint and usually runs in parallel with engineering
applications etc. without problems. Note though that resource requirements depend
on what you will discover. If it's only one or two small subnets with several dozen
devices each you will barely notice CPU and memory consumption by Asset
Discovery. If you are, on the other hand, probing multiple switch management
networks with a couple thousand switches, you will probably want to set up a
dedicated computer.

Install the software

Execute the installation package and click your way through the installation options.
Noteworthy items:

 OT-BASE Asset Discovery supports the collection of your data flow via
Netflow and SFlow. These data sources are not required for device discovery,
but they add a lot of value if your switches support them. If that is the case you
may want to check that your switches use the standard ports as set as defaults
in the configuration software.
 OT-BASE Asset Discovery supports remote configuration management via a
REST API. The REST API interface uses TCP port 443 (HTTPS) by default.
Make sure that this port is not in use by another software on your target
machine already. If yes you may want to change the port for OT-BASE to
something different.

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -1-
Run the software and log on
When executing OT-BASE Asset Discovery, what you actually see is the configuration
client. The real work is done behind the scenes by a Windows service. This makes
sure that scheduled asset discoveries are executed even without somebody being
logged on to the PC.

The default credentials for logon are admin/langner.

After successful logon you will automatically see all directly accessible networks in the
discovery table. You can add additional (remote) networks by selecting the first/root
entry in the table, which refers to the discovery node itself, and using right-click. In
the context menu click on "Add remote network".

Preparing for your first probe

Decide on which network you want to probe first for a test run. Usually that is a test
network where you have some sample OT devices installed. However you could also
probe an IT network, or your home network.

For this network (and for any other network that you want to probe later) you need to
activate the protocols that you want to use for the probing. This is done by selecting
the network in the discovery table with left click and then enable all the protocols that
you intend to use in the right pane. If you want to keep it simple, set both "Discover
IP Addresses" and "Discover endpoint configuration" to "Enable".

If you want to fine-tune the probing strategy, select "Customize", which allows you to
select and de-select individual protocols. A comprehensive description about these
protocols can be found at https://support.langner.com/hc/en-
us/articles/360021923231-Configuring-network-settings-properly.

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -2-
Whatever your settings are, don't forget to click on "Set" to save them.

Setting access credentials for endpoints

For some protocols, particularly for WinRM and WMI, you need to specify access
credentials. This can be done at three different places:

 At the node level as a default for all networks and all devices
 At the network level as a default for all devices in that network
 Individually for a particular device.

Usually it gets you a long way if you set default credentials at the node level and then
care about any outliers at lower levels. In order to set global defaults, select the node
entry (at the top of the discovery table) and work your way through the credential
dialogs:

Running your first probe

Ok, you are now ready to run your first probe.

Select the network that you want to probe and do a right-click to open the context
menu. Click on "Probe and refresh current network".

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -3-
OT-BASE Asset Discovery will now probe the network and show you discovery
results in realtime. The object table will start to fill up with detected devices, and
depending on discovery progress you will see additional devices details such as host
name and device type.

Inspecting probing results

For properly discovered devices you can see additional device details if you select a
device and check the device details pane.

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -4-
Note that you can see additional details by checking other topics from the device
details drop-down menu. For example, "Software" will show you the installed
firmware version for an OT device, or OS/Applications/Patches for a Windows PC.
"Data Flow" will list any data flow that was collected for this device via
Netflow/SFlow.

Finally, if an OT device sits in a chassie with additional modules on the backplane, you
will usually be able to see those modules by clicking on the "+" sign in the object table
(similar to RSLinx).

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -5-
There may even be more information about attached field buses that you can expand,
such as Profibus, SERCOS, or ControlNet.

What if you don't see good results?

The most common reason why probing is not 100% successful is missing or incorrect
access credentials for devices where those are needed -- particularly for Windows
PCs. In this scenario, correct the credentials and re-do the probe.

Related is the case where a Windows endpoint just isn't configured for WinRM or
WMI. In this situation please check the knowledge base entries
https://support.langner.com/hc/en-us/articles/360019474038-How-do-I-configure-
Windows-PCs-for-WinRM-access- and https://support.langner.com/hc/en-
us/articles/360047116912-How-do-I-configure-Windows-PCs-for-WMI-access-.

Another cause for trouble is when you route into a remote network and the ports that
Asset Discovery needs are blocked by a firewall or by Access Control Lists. Whenever
possible you should use Asset Discovery within the same subnet as the devices you
intend to discover.

Finally, if all fails, reach out for help! Open a ticket at https://support.langner.com and
tell us what's wrong. However please provide as many data as you can, including
screenshots and a diagnostic file of your discovery.

Probing more networks

You are now ready to probe other networks, most likely with different device types.
As a suggestion, by all means do probe your switch management networks -- this way
OT-BASE will be able to create automatic network topology diagrams like the ones
you see here.

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -6-
When probing multiple networks with one Asset Discovery node, you can simplify
matters by checking the "Export" box in the network setting for all networks that you
want to probe and then click on the global "Probe" button in the upper left corner of
the configuration client.

We also encourage you to involve coworkers, such as engineers from different

departments or other sites, who may also be interested in OT-BASE Asset Discovery.
Let them evaluate OT-BASE Asset Discovery in their networks and exchange
experiences, so that you can get a really good idea how OT-BASE fits for your
organization.

Can I export the discovery results to Excel?

Yes and no. The only target to which OT-BASE Asset Discovery can export to is OT-
BASE Asset Center. However, from Asset Center you can export to Excel, Visio,
Splunk, ServiceNow, and many other platforms.

Moving towards a full proof-of-concept

OT-BASE Asset Discovery is not OT-BASE. It's just a tiny part of it -- namely, the
discovery component. The real value is in consolidating discovery data in OT-BASE
Asset Center, the central management application of OT-BASE. What you see in OT-
BASE Asset Discovery is only a small subset of what OT-BASE Asset Center will
reveal.

To get an idea of how your discovery data is inventoried in OT-BASE Asset Center,
watch the following video (click on the screenshot to see the video on Youtube):

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -7-
In production use, you will no longer use the configuration client of OT-BASE Asset
Discovery -- that is, after a node is configured properly. It will then do its thing in the
background, every 24 hours, without human intervention. Discovery data will be
stored in an encrypted file that can be uploaded to OT-BASE Asset Center.

There are two ways how to check out the full product, including Asset Center:

1. Subscribe to our SaaS product, OT-BASE Cloud. You can upload discovery
results from your Asset Discovery evaluation and see how they look like in
Asset Center. OT-BASE Cloud is billed monthly based on the number of
devices. And even if you ultimately don't choose to use OT-BASE permanently,
you can export your discovery results to Excel and Viso.
2. Take advantage of our on-prem evaluation package. In this scenario you get
OT-BASE Asset Center for on-prem installation, along with all the additional
add-on tools for auditing etc. This is sold at a fixed price and lets you check
everything out for sixty days. Contact sales to learn more about pricing etc.

Langner, Inc.: OT-BASE Asset Discovery installation and first steps (12/2021) -8-