DAC Agent

Introduction

Although the purpose of the Desktop Check is to monitor desktop applications, the machine that hosts the DAC Agent must be treated as a “server” or “measurement point”, and not managed as a general user PC.

So:

  • Except for installation or troubleshooting, there must be no logged-in users on the agent machine during operation (other than the one used by the Agent SW)

  • No other applications may run

  • Automatic updates must be disabled (except security updates)

  • Access by RDP must be enabled

  • For a PC, an Ethernet cable is a requirement

  • It is recommended that a Virtual Machine is used

  • If a physical machine is used (laptop/desktop) it should be handled and placed so that its continued operation is not accidentally interrupted.

Note: Since the agent is installed in a customer environment, the customer is responsible for it. Apica cannot take responsibility for any changes made to the server hardware or other software that may impact the ASM Desktop Agent.

Language/Character setting

English or Swedish

Hardware

The minimal hardware requirements are:

  • CPU: Quad-Core (x64 compatible)

  • RAM: 4 GB

  • HDD: 120 GB System Partition

Note: The number of processing cores and the processing capacity needed depend on, e.g., the needs of the Client SW that is being monitored, or how many and how “heavy” checks are configured on the agent.

Networking

The agent needs to be able to connect to the following IP addresses and ports.

SaaS Agent

| Port | Direction | Protocol | IP | Service | Encryption Type | Communication Details |
|------|-----------|----------|----|---------|-----------------|-----------------------|
| 5222 | Outbound | TCP | world.apicanet.com (194.213.119.237) | Apicanet XMPP | STARTTLS | Communication is of agent status info, i.e. scenario queue length, enabled status for allocation of jobs to the agent/troubleshooting |
| 443 | Outbound | TCP | transfer.apicanet.com (194.213.119.133); https://transfer-us1.apicasystems.com (FOR US SILO) | HTTPS Data Transfer | HTTPS | Communication consists of the resulting performance data from the completion of a monitoring check job (i.e. response time, DOM timings, page size, steps, errors) |
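A connectivity check for the SaaS endpoints listed above, as an added example that is not part of Apica's documentation. Run from the agent machine, it reports whether each name still resolves to the address given on this page and whether the TCP port is reachable; it does not test STARTTLS or certificate validity.

```powershell
# Added example: endpoints copied from the SaaS Agent table on this page.
# ExpectedIp is $null where the page lists no address (US silo).
$endpoints = @(
    [pscustomobject]@{ Name = 'world.apicanet.com';            Port = 5222; ExpectedIp = '194.213.119.237' }
    [pscustomobject]@{ Name = 'transfer.apicanet.com';         Port = 443;  ExpectedIp = '194.213.119.133' }
    [pscustomobject]@{ Name = 'transfer-us1.apicasystems.com'; Port = 443;  ExpectedIp = $null }
)

$results = foreach ($ep in $endpoints) {
    # Test-NetConnection resolves the name and attempts a TCP connect to the port.
    $t = Test-NetConnection -ComputerName $ep.Name -Port $ep.Port -WarningAction SilentlyContinue
    $resolved = if ($t.RemoteAddress) { $t.RemoteAddress.ToString() } else { $null }

    [pscustomobject]@{
        Endpoint     = "$($ep.Name):$($ep.Port)"
        Resolved     = $resolved
        # A mismatch means IP-based firewall rules built from this page need review.
        IpMatchesDoc = if ($ep.ExpectedIp) { $resolved -eq $ep.ExpectedIp } else { 'n/a' }
        TcpOpen      = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
```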

OnPrem Agent (i.e. full ASM OnPrem installation)

| Port | Direction | Protocol | IP | Service |
|------|-----------|----------|----|---------|
| 8080 | Inbound | TCP | Control of Agent | HTTP REST Data |
| 8080 | Outbound | TCP | Point at the HttpDB instance (which runs on Tomcat), e.g. http://<server>:8080/httpdb | HTTP Data Transfer |

Operating System

  • Windows Server 2016 or Windows Server 2019

  • Only by special request: Windows 10. It should be noted that Windows 10 has restrictions that make it less suited for the role of a monitoring agent, and it will require more maintenance work. If the customer chooses to use a desktop/laptop with Windows 10 that is part of a domain, it can be expected that there are restrictions, updates, Anti-Virus SW, etc. that lead to additional maintenance work and will lower the operational availability of the agent.

Security Settings and Group Policies

A) Installation and configuration require administrative privileges. It is therefore assumed that you are logged in as a user with admin rights while you perform the installation.

B) If Group Policies have to be changed, this must be done centrally, not locally: as an administrator on the domain controller, use the Group Policy Management Console (GPMC) to manage and configure Group Policy settings. Central settings will eventually override local ones.

C) The execution of a Desktop Check makes use of two user accounts on the agent, here called User1 and User2.

  • User1 is the account that is used to initiate a check run by creating a temporary new user session. It will execute the 'psexec' command + the Apica rdc.exe command to accomplish this.

  • User2 is the account used for the temporary session and the account that the tested application will run as.

D) The accounts should not be required to change their password, nor should the password ever expire. If it does, the agent will stop working.

E) The ability to execute a check requires that these users are not restricted from doing their job. The best option is for both accounts to be a member of the local administrators' group.

If not:

  • User1 and User2 shall be members of the Remote Desktop Users group. It may be necessary to configure this locally.

  • User1 and User2 must be allowed to execute programs, such as Java, psexec, rdc.exe, and the application to be monitored.

  • User1 and User2 must be allowed to read and write to the file system.

User Access Control (UAC)

If possible, disable UAC locally for both accounts.

Else:

Path in gpedit: Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

  • Allow UIAccess applications to prompt for elevation without using the secure desktop: Enabled

Explanation - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.

  • Only elevate executable files that are signed and validated: Disabled

Explanation - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.

  • Only elevate UIAccess applications that are installed in secure locations: Disabled

Explanation - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

Machine settings

IPv6 should be disabled on all interfaces of the server.

Remote Desktop Service must be enabled.

The Group Policy "Always prompt for password upon remote desktop connection" must NOT be enabled. Solution: Set it to "Disabled" or "Not configured".
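A read-only audit of the UAC and machine settings above, as an added example that is not part of Apica's documentation or installer. It reads the registry values that back these policies (standard Windows value names, not given on this page) and compares them with the state the page asks for; the defaults applied when a value is absent are assumptions, and the IPv6 check looks at adapter bindings only.

```powershell
# Added example, not Apica tooling. Expected = the state this page asks for;
# Default = assumed Windows behaviour when the registry value is absent.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Setting = 'UAC: UIAccess prompt without secure desktop = Enabled'
       Path = $uac; Name = 'EnableUIADesktopToggle'; Expected = 1; Default = 0 }
    @{ Setting = 'UAC: Only elevate signed and validated executable files = Disabled'
       Path = $uac; Name = 'ValidateAdminCodeSignatures'; Expected = 0; Default = 0 }
    @{ Setting = 'UAC: Only elevate UIAccess apps in secure locations = Disabled'
       Path = $uac; Name = 'EnableSecureUIAPaths'; Expected = 0; Default = 1 }
    @{ Setting = 'Remote Desktop Service enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name = 'fDenyTSConnections'; Expected = 0; Default = 1 }
    @{ Setting = 'RDP: Always prompt for password = Disabled / Not configured'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fPromptForPassword'; Expected = 0; Default = 0 }
)

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # Returns the DWORD if the value exists, otherwise the assumed default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

$report = foreach ($c in $checks) {
    $actual = Get-RegistryValueOrDefault -Path $c.Path -Name $c.Name -Default $c.Default
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $actual
        Ok       = ($actual -eq $c.Expected)
    }
}

# IPv6 should be disabled on all interfaces: count adapters where it is still bound.
$ipv6Bound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
$report += [pscustomobject]@{
    Setting  = 'IPv6 disabled on all interfaces (adapter bindings)'
    Expected = 0
    Actual   = $ipv6Bound.Count
    Ok       = ($ipv6Bound.Count -eq 0)
}

$report | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session after a Group Policy refresh, since centrally managed settings override local ones.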

If you have these prerequisites, you are ready to download the installer.
