DAC Agent
Introduction
Even though the purpose of the Desktop Check is to monitor desktop applications, the machine that hosts the DAC Agent must be treated as a “server” or a “measurement point”, and not managed like a general user PC.
So:
Except for installation or troubleshooting, there must be no logged-in users on the agent machine during operation (other than the account used by the Agent SW)
No other applications may run
Automatic updates must be disabled (except security updates)
Access by RDP must be enabled
For a PC, an Ethernet cable is required
It is recommended that a Virtual Machine is used
If a physical machine is used (laptop/desktop) it should be handled and placed so that its continued operation is not accidentally interrupted.
Note: Since the agent is installed in a customer environment, the customer is responsible for it. Apica cannot take responsibility for any changes made to the server hardware or other software that may impact the ASM Desktop Agent.
Language/Character setting
English or Swedish
Hardware
The minimal hardware requirements are:
Component | Minimum |
---|---|
CPU | Quad-Core (x64 compatible) |
RAM | 4 GB |
HDD | 120 GB System Partition |
Note: The number of processing cores and the processing capacity needed depend on, for example, the needs of the Client SW that is being monitored, or how many and how “heavy” the checks configured on the agent are.
Networking
The agent needs to be able to connect to the following IP addresses and ports.
SaaS Agent
Port | Direction | Protocol | IP | Service | Encryption Type | Communication Details |
---|---|---|---|---|---|---|
5222 | Outbound | TCP | (194.213.119.237) | Apicanet XMPP | STARTTLS | Communication is of agent status info, i.e. scenario queue length, |
443 | Outbound | TCP | (194.213.119.133) https://transfer-us1.apicasystems.com (FOR US SILO) | HTTPS Data Transfer | HTTPS | Communication consists of the resulting performance data from the completion of a monitoring check job. |
OnPrem Agent (i.e. full ASM OnPrem installation)
Port | Direction | Protocol | IP | Service |
---|---|---|---|---|
8080 | Inbound | TCP | Control of Agent | HTTP REST Data |
8080 | Outbound | TCP | Point at the HttpDB instance (which runs on Tomcat), e.g. http://<server>:8080/httpdb | HTTP Data Transfer |
Operating System
Windows Server 2016 or Windows Server 2019
Only by special request: Windows 10. It should be noted that Windows 10 has restrictions that make it less suited for the role of a monitoring agent, and it will require more maintenance work. If the customer chooses to use a desktop/laptop with Windows 10 that is part of a domain, it can be expected that there are restrictions, updates, Anti-Virus SW, etc. that lead to additional maintenance work and lower the operational availability of the agent.
Security Settings and Group Policies
A) Installation and configuration require administrative privileges. It is therefore assumed that you are logged in as a user with admin rights while you perform the installation.
B) If Group Policies have to be changed, this must be done centrally (as an administrator, via the domain controller, using the Group Policy Management Console (GPMC) to manage and configure Group Policy settings), not locally, since central settings will eventually override local ones.
C) The execution of a Desktop Check makes use of two user accounts on the agent, here called User1 and User2.
User1 is the account that is used to initiate a check run by creating a temporary new user session. It will execute the 'psexec' command and the Apica rdc.exe command to accomplish this.
User2 is the account used for the temporary session and the account that the tested application will run as.
D) The user should not have to change the password, nor should it ever expire. If it does, the agent will stop working.
E) The ability to execute a check requires that these users are not restricted from doing their job. The best option is for both accounts to be members of the local Administrators group.
If not:
User1 and User2 shall be members of the Remote Desktop Users group. It may be necessary to configure this locally.
User1 and User2 must be allowed to execute programs, such as Java, psexec, rdc.exe, and the application to be monitored.
User1 and User2 must be allowed to read and write to the file system.
User Account Control (UAC)
If possible, disable UAC locally for both accounts.
Else:
Path in gpedit: Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
Allow UIAccess applications to prompt for elevation without using the secure desktop: Enabled
Explanation - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Only elevate executable files that are signed and validated: Disabled
Explanation - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
Only elevate UIAccess applications that are installed in secure locations: Disabled
Explanation - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
Machine settings
IPv6 should be disabled on all interfaces of the server.
Remote Desktop Service must be enabled
The Group Policy "Always prompt for password upon remote desktop connection" must NOT be enabled. Solution: Set it to "Disabled" or "Not configured".
If you have these prerequisites, you are ready to download the installer.
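A read-only PowerShell check covering the Networking, Security Settings and Machine settings prerequisites above, added here as an example and not part of Apica's documentation or tooling. The account names User1 and User2 are placeholders, both are assumed to be local accounts, and the registry value names are the standard Windows locations for these policies.

```powershell
# Added example: read-only audit of the prerequisites listed on this page.
# Assumption: User1/User2 are local accounts; replace these placeholder names.
$Accounts = 'User1', 'User2'
# SaaS endpoints copied from the Networking table above.
# For the US silo, add 'transfer-us1.apicasystems.com' = 443.
$Endpoints = @{ '194.213.119.237' = 5222; '194.213.119.133' = 443 }

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. the policy is not configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$uac   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$checks = [ordered]@{
    'UAC: UIAccess prompt without secure desktop is Enabled' = (Get-RegValue $uac 'EnableUIADesktopToggle') -eq 1
    'UAC: signed-and-validated elevation is Disabled' = (Get-RegValue $uac 'ValidateAdminCodeSignatures') -ne 1
    'UAC: UIAccess secure-locations rule is Disabled' = (Get-RegValue $uac 'EnableSecureUIAPaths') -eq 0
    'Remote Desktop is enabled' = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
    'RDP "always prompt for password" is not enabled' = (Get-RegValue $tsPol 'fPromptForPassword') -ne 1
    # Checks adapter bindings only, not the DisabledComponents registry value.
    'IPv6 is unbound on all interfaces' = -not (Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
}

# Resolve built-in groups by well-known SID so this also works on Swedish Windows.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$rdp    = (Get-LocalGroupMember -SID 'S-1-5-32-555').Name
foreach ($a in $Accounts) {
    $u    = Get-LocalUser -Name $a -ErrorAction SilentlyContinue
    $full = "${env:COMPUTERNAME}\$a"
    $checks["$a exists and is enabled"] = [bool]($u -and $u.Enabled)
    $checks["$a password never expires"] = [bool]($u -and -not $u.PasswordExpires)
    $checks["$a is in Administrators or Remote Desktop Users"] = ($admins -contains $full) -or ($rdp -contains $full)
}

# Outbound reachability only; this does not validate STARTTLS or the HTTPS certificate.
foreach ($e in $Endpoints.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $e.Key -Port $e.Value -WarningAction SilentlyContinue
    $checks["Outbound TCP $($e.Key):$($e.Value) reachable"] = $r.TcpTestSucceeded
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize
```

Running it again after a Group Policy refresh shows whether a central policy has overridden a local change, as described in point B.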