Unicenter TNG

Unicenter TNG from Computer Associates is a suite of interrelated modules, each of which addresses a different aspect of end-to-end enterprise and systems management.

Joel Sloss

May 1, 1997


View your network from 10 feet or 10,000 feet

Computer Associates (CA) Unicenter TNG (short for The Next Generation) is big. Really big. Mind-bogglingly big. But Unicenter's size stands to reason because it can manage an entire enterprise. Unfortunately, a complete review of every Unicenter feature could fill more than 50 pages. So to keep this article within reasonable limits, let's look at just those features new to the TNG release.

In late 1995, Windows NT Magazine did a first-look review of a prerelease version of Unicenter for Windows NT (see John Enck, "The Unicenter of the Universe," October 1995). CA has been shipping the NT version of its final product for more than a year (after several years in the UNIX, AS/400, and Novell markets), and we recently received the latest version--Unicenter TNG--for review in the Windows NT Magazine Lab.

TNG is a suite of interrelated modules. Each module addresses a different aspect of end-to-end enterprise and systems management: The WorldView user interface includes 2D and 3D network maps, object browsers, and discovery wizards; the Enterprise Managers include applets for managing event logs, actions, users, and so on; a software development kit (SDK) lets you develop custom interfaces and integrate third-party management applications; and new agent software enables everything from remote administration to asset tracking. You can add modules for software distribution, advanced Help desk, remote control, and other enterprise tasks.

Like all information handling systems, TNG creates a lot of data. The product houses this data in a repository using Microsoft's SQL Server or CA's OpenIngres. CA refers to the information within a repository as a management domain (not to be confused with NT domains). You can run TNG and SQL Server (preferably version 6.5) on the same system or have a dedicated database server on your network. The latter option can be handy if you have multiple TNG administrators. You can distribute your management load by creating multiple small repositories across your enterprise (only one per SQL Server). You can then use Simple Network Management Protocol (SNMP) traps to notify you when TNG identifies a fault for any of the events in these management domains (for more information on SNMP, see the sidebar, "Understanding SNMP").

You have manual control over data objects in a repository. For example, you can manually set an object to critical status to inform other administrators that you are managing that object, or you can have TNG automatically generate an event--and log it--to notify users of the service interruption. Objects automatically return to normal status after you correct the fault, or you can manually intervene and set the object to normal after you finish managing a resource.

Getting Started
TNG covers various aspects of system and network management, inventory control, workload scheduling, backups, security, user management, and remote control/Help desk for any SNMP-enabled device (e.g., computers, printers, routers, and managed hubs). The ultimate goal of TNG and every other NT enterprise management tool is to provide single-seat administration so you can use your network to analyze and fix almost any system-related problem (except for changing physical hardware components) without having to leave your desk. CA positions TNG as the do-everything, end-to-end enterprise management solution (i.e., if you have TNG, you shouldn't need anything else). Unfortunately, no one package delivers full single-seat administration. You have to pick two or three, or perhaps more, solutions that work together with minimal hassle to provide everything you need across your enterprise.

TNG integrates with other systems management products such as Microsoft's Systems Management Server (SMS) through SNMP. Although many people used to view TNG and SMS as competing products, they now consider TNG and SMS to be complementary. SMS adds to TNG's features by providing enterprise desktop management tools, such as software distribution and NT user management--for information on SMS, see Tim Daniels, "SMS 1.2."

If you are planning a large-scale TNG installation, CA will typically assist you on an on-site consulting basis. You don't have to use CA's services, but they can be helpful when you configure and customize your management system and train your administrators. The software is easy to install, although the basic pieces involve several steps (all server components run as NT services). However, the program is monolithic enough that moving to an online production mode takes effort.

What you install (and what you pay for) depends on the size of your network and what you hope to accomplish with TNG. If you want basic management, you need to install TNG's server components on the SQL Server and management system and SNMP service and agents on all servers and workstations you want to manage. This basic level of installation gives you all of TNG's main functions, such as event notification, backup, and security. For more complex operations, such as remote control and remote systems management, you need to install optional agent software on every system you want to manage, regardless of whether these machines use NT, Windows 95, Windows 3.x, UNIX, Novell, Mac, or other operating systems.

The GUI
CA sent its solution pre-installed with a beta version of TNG on an Intergraph TDZ-410 (dual 200MHz Pentium Pro with 128MB RAM and a RealiZm graphics card--for information on this workstation, see my review in "NT Graphics Workstations Roundup," February 1997). We subsequently reinstalled this workstation with the full release version of TNG. So why did CA ship such a powerful system to play the role of a console? One of TNG's claims to fame is its GUI, which you see in Screen 1. The GUI can function almost completely in 3D using OpenGL. With such complicated realtime graphics (animated fly-bys of your network, world navigation, system drill-downs, etc.), having a system with an OpenGL-accelerated graphics card really helps--you don't need a management console with this much power, but this setup made for a nice demo.

Viewing the World in 3D
TNG, with its new 3D WorldView metaphor and GUI, focuses on fault tracking and notification and event management. When an event arises, the situation generates an action such as an administrative alert. This action, in turn, will generate a trouble ticket, which should lead to problem resolution.

You can view a 3D world map and keep an eye out for red balls (no kidding) to appear over an asset, indicating a critical problem, as you see in Screen 2. The more likely scenario is that you will receive an administrative alert (email, page, console message, etc.) sending you looking for the red ball. After you find it, you drill down to the problem by clicking the objects where the alert appears. When you select the object, TNG zooms in to your local network, to a subnet (if you have one), to the problem system, to inside the computer where you can see installed devices (NICs, hard disks, etc.) and software. If you place the cursor over an object, TNG opens a small dialog box that tells you the object's identification and status. If you click the object with your mouse, TNG will zoom in on the object, unless you are at the lowest level (in this case, TNG will beep at you). If you right-click the object, you see a menu where you can select operations such as open details and ping. You can also administer the object by changing parameters, installing software (if you have the module), and so forth.

Viewing the World in 2D
Screen 3 shows TNG's 2D GUI, which perhaps gives you more instantaneous information than viewing your enterprise in 3D. Flying around the world to investigate various objects is fun, but it can be time consuming--free time is a luxury most administrators don't have.

The 2D WorldView has two operational modes: run and design. Run mode lets you perform standard operations such as opening and viewing objects, viewing your network topology, and gathering performance and functional data. Design mode lets you customize your views. Here is where TNG's new interface is impressive.

Customizing the GUI
CA's new approach to enterprise management is business process views (BPVs), logical groupings of objects that relate to specific aspects of your company, such as accounting or Internet services. A BPV can include any kind of object, managed or unmanaged, anywhere in your enterprise--across a LAN, WAN, dial-up, or other connection--that you either locate manually or have TNG track down automatically. By grouping devices, you can manage a process without having to worry about other unnecessary objects. For example, if an Internet server goes down, you don't have to hunt around for it. Instead, your Internet Services view will turn red so you can go directly to the fault (shown with a red ball in 3D or a red server icon in 2D) without drilling down through extraneous hierarchies.

The 2D and 3D views are fully customizable--you can create geographic maps and layouts such as floor plans (using bitmaps and AutoCAD .dxf files), where you can precisely place network objects. To do this customization, you use a drag-and-drop interface. TNG immediately replicates changes from one view to the other (e.g., from 2D to 3D).

TNG also provides a Topology Browser and Control Panel for managing views. The Topology Browser is an NT Explorer-type view of your managed objects and network that lets you use a BPV or expanded tree view to go directly to a problem object. You can have instant access in the 2D or 3D interface or watch the interface fly you there. The Control Panel is a simple way to track where you are and where you've been on your network. A history file lets you go to specific problem areas that you've already visited.

Managing Your Repositories
TNG's new WorldView provides several tools for managing your repository, including Create Repository, Class Browser, Class Wizard, Object Browser, and Schema Builder. Create Repository provides a simple front end to SQL Server. You can use it as an alternative to the SQL Enterprise Manager to generate a new repository or reconfigure an existing one. In addition, this tool lets you insert sample data into a new repository to test a setup before a final product rollout. The repository import and export function lets you easily move data (such as maps, objects, and recorded data) between systems. One script file duplicates the data (providing a basic backup method), and another script inserts the data into an existing repository and reports any conflicts with previous data. You can also import or export only specific objects.

The Class Browser, as you see in Screen 4, lets you view existing classes (a list of properties for an object with static and dynamic attributes). The Class Wizard lets you create new classes and modify previously defined classes. Among the attributes you can create and assign are icons for the 2D and 3D views, parent/child relationships, and status indicators. TNG uses a single-inheritance scheme, so objects can inherit attributes from only one class, but objects can contain multiple objects of any classes.

The Object Browser gives you a tree view of every object you have defined, with associated class properties, in your repository. You can access each object in this view just as if you were in the 2D or 3D map, so you can right-click on the object and select Go there to zoom in on a particular object, or you can bring up the Object Viewer. Screen 5 shows the Object Viewer, which you access by right-clicking an object in the 2D view or 3D view and selecting Object View. This view gives you all available Management Information Base (MIB) data for that object from the SNMP agent and data from the repository. If you type in enough information in the Object Viewer (if you know it off the top of your head), it will take you directly to the object.

In addition, the Object Viewer can display dynamic SNMP data, which lets you create graphical views such as disk and memory usage and packets per second from a router. Using Object Linking and Embedding (OLE), you can launch an instance of MS Excel to graph realtime data, or use TNG's built-in methods. By setting thresholds and alarms, you can post warnings to the NT Event Log and generate events or SNMP traps as administrative alerts.

The Schema Builder lets you define what MIBs Object Viewer uses. It also lets you compile new MIBs for use by SNMP and TNG agent software. You simply create a text file of MIB file names, and Object Viewer will use the file.

TNG's Security and NT's Security
TNG's security is built around assets, which can be users, files, I/O devices, and databases (anything listed in your repository) and policy rules. The agent technology manages these assets through security rules. TNG uses specific software to manage databases (such as SQL Server and Oracle Workgroup Server on NT) and various objects on other systems, spanning everything from Win95 to an IBM 3090.

You define user accounts and passwords in TNG so users can have specific access permissions to assets. This approach is similar to NT's security except that instead of using access control lists (ACLs), TNG uses policy rules-based security. Policy rules are if-then statements that a security evaluator such as a file system filter governs by checking all accesses (including calendar-based access rights).

Users log on to TNG the same way they log on to NT, which provides simultaneous sign-on (i.e., you don't have to log on to your NT domain and then to TNG). TNG's and NT's domain security models are not completely integrated, but TNG can pass user and group changes to your NT Security Accounts Manager (SAM) database. If you make changes to NT, you will have to re-import your accounts database into TNG.

TNG's User Profile Synchronization replicates changes that you make to a user's profile (e.g., a user's ID, name, password, status, and usage calendars). The User Profile Synchronization takes the changes and passes them to other systems in a station group (a TNG object that enumerates what target machines TNG needs to update when you make a security change). This approach lets TNG operate across any kind of system or platform that it can manage and lets you control the security policies of all enterprise systems (e.g., NT, NetWare, VMS, UNIX) from one station.

TNG operates as the top layer of security. The software passes all accesses from NT to TNG and checks them against TNG's policy rules, so you have to define all assets in TNG to protect them. Setting up specific permissions for assets lets TNG enforce security policies across various operating systems, but this ability introduces an inherent weakness. Although TNG-defined users can't violate NT's security and NT users can't violate TNG's security, you must use TNG to define access rights to managed objects; otherwise, only NT's system security protects the objects. In short, you have to maintain two complete and separate security systems or include all system and data files, users, and so on, under TNG's security umbrella. Fortunately, TNG ships with a command to automatically import all NT user accounts, but not ACLs, into TNG to simplify administration.

As an alternative, and to handle possible holes in a supplemental security system, TNG offers two security modes, allow and deny, with full-access auditing. Allow mode lets TNG protect only what you want it to (in a hierarchical fashion)--you have to specify what assets fall under TNG's security policies, and everything else is left open or covered by the host operating system. If you use naming conventions, existing policy statements cover any new objects that you add to the hierarchy. Deny mode protects everything (all TNG and non-TNG objects) on the system unless you specify otherwise. In this mode, the software checks every access against TNG's security. If no policy exists to permit the access request, TNG automatically denies access.

TNG provides enforcement modes that operate under allow mode. You can define different enforcement modes for different systems and users. The first mode is fail, which denies an access request if the request violates defined security policies. Warn mode tells the user that the access request violates the security policies, but warn mode still grants access. Quiet mode lets you define a user who is immune to TNG's security policies, but must still follow the host operating system's security policies. You can also specify enforcement actions for TNG to take after violations occur. Such actions are to cancel the request and deny access; cancel the request, deny access, and log the user off the server; or cancel the request, deny access, log the user off the server, and suspend the user from logging back on to the system. You can audit all these events for future analysis. Together, the auditing feature and the enforcement modes are very useful for testing a TNG rollout in a production environment without affecting any user's normal operation.
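
The allow/deny security modes and the fail/warn/quiet enforcement modes described above can be modeled in a few lines, which makes the coverage gap in allow mode easy to see. The Python below is an added illustration, not CA's code or TNG's rule syntax: the Rule fields, the evaluate and uncovered_assets functions, and the sample users and asset names are all constructed, and it assumes that a covered asset with no permitting rule counts as a violation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One if-then policy rule (hypothetical shape, not TNG's rule syntax)."""
    user: str     # user ID, or "*" for any user
    asset: str    # asset name or naming-convention pattern, e.g. "payroll/*"
    access: str   # "read" or "write"
    permit: bool  # True permits the access, False denies it


def evaluate(rules, security_mode, enforcement, user, asset, access, host_os_allows):
    """Return (granted, decided_by, audit_note) for one access request.

    security_mode: "allow" protects only assets that some rule names;
                   "deny" treats any request without a permitting rule as a violation.
    enforcement:   "fail", "warn" or "quiet" for this user.
    host_os_allows: result of the host operating system's own access check,
                    which the policy layer can never override.
    """
    if security_mode not in ("allow", "deny"):
        raise ValueError(f"unknown security mode: {security_mode}")
    if enforcement not in ("fail", "warn", "quiet"):
        raise ValueError(f"unknown enforcement mode: {enforcement}")

    # Quiet: the user is exempt from the policy layer but not from the host OS.
    if enforcement == "quiet":
        return host_os_allows, "host-os", "QUIET: policy layer skipped"

    covering = [r for r in rules if fnmatchcase(asset, r.asset)]
    # Allow mode: an asset that no rule names is outside the policy layer.
    if security_mode == "allow" and not covering:
        return host_os_allows, "host-os", "UNCOVERED: no rule names this asset"

    matching = [r for r in covering if r.user in ("*", user) and r.access == access]
    # Assumption: a request is permitted only if a rule matches and none denies.
    if matching and all(r.permit for r in matching):
        return host_os_allows, "policy+host-os", "PERMIT: policy satisfied"

    # Violation: warn logs it and steps aside, fail blocks it.
    if enforcement == "warn":
        return host_os_allows, "host-os", "WARN: violation logged, not blocked"
    return False, "policy", "FAIL: violation denied"


def uncovered_assets(rules, assets):
    """List the assets that allow mode leaves to the host OS alone."""
    return [a for a in assets if not any(fnmatchcase(a, r.asset) for r in rules)]


# Constructed sample policy and inventory.
RULES = [
    Rule("alice", "payroll/*", "read", True),
    Rule("*", "payroll/*", "write", False),
]
ASSETS = ["payroll/1997-04.db", "payroll/1997-05.db", "hr/reviews.doc"]

if __name__ == "__main__":
    for mode in ("allow", "deny"):
        print(mode, evaluate(RULES, mode, "fail", "bob", "hr/reviews.doc", "read", True))
    print("warn", evaluate(RULES, "allow", "warn", "bob", "payroll/1997-05.db", "read", True))
    print("gaps", uncovered_assets(RULES, ASSETS))
```

The same request for the unlisted asset is granted in allow mode and refused in deny mode, and a warn-mode violation is still granted but leaves an audit note.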

Agent Technology
Another new component to TNG is an SDK for integrating and developing new TNG-aware applications. CA has exposed APIs so you can create agents for custom proprietary applications or situations not already in TNG, while still using your standard repository, security policies, and management routines.

TNG is open and extensible, so you can customize it to fit your enterprise environment, and customization is certainly key with TNG. It has many features right out of the box, but you still need to integrate it and match it to your existing network and applications. With standard development tools such as Visual C++, you can even build an object browser.

Testing TNG
I tested TNG in a multiprotocol, multidomain network with several types of network devices, such as routers, printers, NT servers and workstations, and NetWare servers. To begin, I used TNG's Autodiscovery Wizard, which automates the search for your managed devices (with support for TCP/IP, IPX/SPX, DECnet, and SNA), builds the initial topology of your network, and enters it into your repository. I used this tool to analyze the Windows NT Magazine Lab and the surrounding corporate network.

The wizard offers several methods for discovery: an IP ping sweep, Address Resolution Protocol (ARP) cache (TNG queries the ARP tables in the routers it finds and continues searching from there), or fast ARP (TNG just uploads the ARP tables). Each method has its uses, but the IP ping sweep provides the most detail. This method pings every address you define in a range, asks the devices it finds whether they are SNMP enabled, gathers a small amount of MIB data, and enters this information into the repository to build the topology view.

TNG's Discovery Monitor tool tells you the status of a running autodiscovery, how many objects it found, and how long it took. You can control how many levels deep the scan goes (a subnet is the finest granularity available) and how many attached networks it discovers. TNG places all devices it discovers in an IP network group with one representative icon at the top layer of the 2D and 3D views. After the autodiscovery fills the repository, CA's Domain Manager software lets you set domain polling times, intervals, and types, which govern the repository and fault notification frequency.

I found a few problems with TNG. For example, it has no undo function, and object deletes are not recursive. If you delete a top-layer object, such as the whole IP subnet or BPV, TNG doesn't remove the underlying objects. Also, the release of TNG I evaluated did not support Dynamic Host Configuration Protocol (DHCP) autodiscovery. As the DHCP server shuffles IP addresses, TNG doesn't update the repository accordingly. This lack of synchronization causes conflicts with addresses pointing to the wrong managed devices. CA reports that patches are available from the company's Web site to fix the cascade delete and to add DHCP support for autodiscovery.

While I was autodiscovering devices, I noticed that TNG does not use LAN Manager communications layers, so on a first pass, it won't tell you about or respect NT domains. To include domains in your TNG security model, you have to start using TNG's security management features.

End-to-End
The final question is whether you can deploy TNG as a complete, standalone enterprise management system for NT. Well, not yet. CA reports that it will be adding more modules and tighter integration with NT in the next two releases (the first release is due out by the end of this year). Right now, TNG lacks some features, so you have to add other packages to your administration plan. At a minimum, you need to consider adding TNG's optional modules, such as software distribution and advanced Help desk for complete enterprise control.

Other features missing from TNG include built-in remote NT system administration and hooks (except for those in NT's native tools) for new Desktop Management Interface (DMI) standards (although you can access this data via a Management Information Format--MIF--to MIB converter) or system/network performance monitoring. As a result, TNG is not well suited to network design or capacity planning. You need to carefully plan your security strategy with TNG. If you don't, you can introduce new security holes. TNG also lacks file administration capabilities that are directly integrated with its WorldView interface--you still have to use NT's standard tools, rather than having one point of administration.

Despite its shortfalls, TNG is a powerful enterprise management environment. It can be difficult to grasp at first, but once you learn your way around the GUI, the system is very logical.

CA offers two options for TNG support. The first is a basic phone support and bug fixes service contract that costs 15 percent of the current TNG price (regardless of what you paid for TNG when you purchased it) per year. The other service contract includes full phone support, fixes, and upgrades for the time you have the contract and costs 19 percent of the current TNG price per year. You must sign up for one of these two service contracts when you license your copy of TNG. Any large enterprise considering a rollout of TNG will want to make sure to put a program in place for 24x7 support, with a guaranteed resolution time, such as four-hour response. These services are available, so build them into your management solution. You will find numerous Help files and an online-books utility on the distribution CD-ROM that you can easily distribute to your administrators.

TNG is not for everybody, and its deployment requires planning and customization. However, if you run a large-scale, complex, heterogeneous network, TNG is well worth the effort and cost.

Unicenter TNG

Computer Associates * 516-342-5224 or 888-864-2368
Web: http://www.cai.com
Price: $2500 (base)
