A user asked questions about implementing ControlUp in a corporate environment and in an isolated environment in a separate, untrusted domain. The answers explained that Monitors and Data Collectors do not need to be in the same domain as the Citrix farm, that per-domain credentials can be added to the monitor even without a trust relationship, and that TCP port 40705 must be open from the console/monitors to the agents. Professional Services from ControlUp can be engaged for the design, although one participant reported that automation still failed in an environment with extensive security policies.
Read the entire ‘Implementation Questions for ControlUp in Corporate and Isolated Environments’ thread below:
I have a few questions regarding our ControlUp design.
We currently have ControlUp implemented in our corporate environment. We will be adding ControlUp to an additional isolated environment in a separate domain with no trust relationship.
- Do the Monitors and Data Collectors need to be in the same domain as the Citrix Farm?
- Should the Monitors and Data Collectors be in the same network location as the Citrix Farm's VDAs?
Our plan is to use the ControlUp as a Jump box for our administrators in supporting the isolated environment.
I’m surprised your CSM is not having one of our PS guys do your design for you.
But to answer your question, no the monitors/data collectors don’t need to be in the same domain.
The monitors connect to the agent via the FQDN of the machine. It's just a TCP socket connection. No permissions are needed for that outside of ControlUp.
Also the data collector does not connect to the agents.
The monitors and console connect to the agents on port 40705.
And if you have multiple data centers then that needs to be addressed.
The monitors need Read AD from both domains; is the trust relationship not needed?
No, you can use multiple creds.
You do need conditional DNS forwarding however.
I would suggest reaching out to your sales team. We can take care of all this for you in a design session.
Yes, you can add the multiple creds, but if trust is not there, how can the monitor authenticate them?
It doesn’t need to.
hmm
It's just two exes talking to each other over a port.
No creds are used for that. Two services running as system talking to each other over the network.
Creds are only needed for agent deployment and you can add multiple (1 for each domain) to the monitor.
But would script actions and automation also be limited?
No.
Most automation is done by the agent running as system on the endpoint.
The monitor just tells the agent to do whatever.
No creds are used for that.
Depending on the execution context of the action.
Most automation I am running at the moment I don't do from the endpoint but from the monitor.
For that you could use system (default) or credentials.
But even on the endpoint, the account running the script needs the rights via the account you run the script with.
No, not true
Example: to restart a service.
a user with no permissions to the endpoint can run an action on it IF they have access in the security policy to do so.
Because at that point it's just the console telling the agent (running as a service) to execute the action.
With my experience, not so.
The PS1 is copied to the Network Service account's profile, executed, then removed.
I personally documented this internally. Here is a snippet of that doc.
Script Based Actions (SBAs)
SBAs are the second form of actions in the console. These actions are add-ons that are downloaded from the community or created from within the ControlUp console. When a script-based action is run and its execution context is set to run on the target computer, the script is sent to the agent via a socket connection (default on port 40705). The agent then takes the script, writes it out to the C:\Windows\System32\config\systemprofile\AppData\Roaming\ControlUp\Scripts folder and executes it (by default in the SYSTEM context). The agent then takes the output of the script and the return code and sends them back to the console. The folder used can be customized if needed via registry values, and the behavior can be changed to not delete the script after it has been run.
I have a specific site where automation will not run due to the lockdown on the VDIs unless I use a service account with elevated privileges. I tried for a year, and ControlUp Professional Services also could not resolve the automation issues due to the extensive security policies.
@member sorry for stealing your post
Well back to the monitor domain thing, multiple creds can be used so it doesn’t matter. Physical location is more important.
For this particular design I would just move the agents over into a new “bucket” and link the console/monitors to it on port 40705.
Remove this 80/443 link from the data collector to the VDAs and add 40705 as seen by these arrows. 80/443 is only needed for the API calls from the data collectors to the DDCs.
Thank you I really appreciate it.
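The thread's design boils down to two checks: agent FQDNs in the isolated domain must resolve through conditional DNS forwarding, and the console/monitors must reach each agent on TCP 40705 (with only 80/443 from the data collectors to the DDCs). The pre-flight script below is an added example, not from the thread or from ControlUp; the host names are constructed placeholders.

```powershell
# Added pre-flight check for the design discussed in the thread.
# Host names below are constructed placeholders, not from the thread.
$AgentFqdns = @('vda01.isolated.example', 'vda02.isolated.example')
$Ddcs       = @('ddc01.isolated.example')
$AgentPort  = 40705   # console/monitor -> agent, per the thread

function Test-ControlUpPath {
    param([string]$Fqdn, [int]$Port)
    $result = [ordered]@{ Host = $Fqdn; Port = $Port; Resolves = $false; Address = $null; TcpOpen = $false; Error = $null }
    try {
        # Fails here when conditional DNS forwarding to the isolated domain is missing
        $rec = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Select-Object -First 1
        $result.Resolves = $true
        $result.Address  = $rec.IPAddress
        # Socket-level test only: no credentials involved, which mirrors how the
        # monitor talks to the agent (service-to-service over a TCP port)
        $tnc = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
        $result.TcpOpen = $tnc.TcpTestSucceeded
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$report = @()
foreach ($a in $AgentFqdns) { $report += Test-ControlUpPath -Fqdn $a -Port $AgentPort }
foreach ($d in $Ddcs)       { $report += Test-ControlUpPath -Fqdn $d -Port 443 }   # data collector -> DDC API
$report | Format-Table -AutoSize

# A name that resolves but whose port is closed is a firewall issue between the
# network locations, which is why placement matters more than domain membership.
$report | Where-Object { $_.Resolves -and -not $_.TcpOpen } |
    ForEach-Object { Write-Warning "TCP $($_.Port) blocked to $($_.Host) ($($_.Address))" }
```

Run it from the machine that will host the monitors (and once from the data collector for the DDC rows) so the test reflects the actual path.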