Contents x
    Agent Security Options in Agent Settings
      • Print
      • Dark
        Light
      • PDF
      Contents

      Agent Security Options in Agent Settings

        • Print
        • Dark
          Light
        • PDF
        Article Summary

        ControlUp continuously improves the security protecting the communication between the ControlUp Real-Time Console, Agents, and Monitors in your environment. 

        For more information on how to set up secure agents, see ControlUp Agent Security Best Practices.

        You can use the following enhancements for the ControlUp Agent when you add machines to the ControlUp Console:

        Encrypt Agent Communication

        You can select the option to use only encrypted communication between all agents within your ControlUp organization. By default, this option isn't selected.

        Prerequisites:

        • You must be a user with the Organization Owner role or have Roles Manager permissions set in the Security Policy panel to select this option.
        • .NET Framework 4.5 or higher must be installed on the agent and console.
        • .NET Framework 4.8 or higher must be installed on the monitor. Version 9.0 requires .NET Framework 4.8 on the agent.

        To Encrypt Communication with ControlUp Agents:

        1. In Real-Time Console > Settings > Agent Deployment Settings, select Use only encrypted communication.
        2. Restart the Real-Time Console and all monitor clusters.
        3. Update all agents to version 8.2.5 or higher.

        AgentEncrypt

        Troubleshooting

        If this option is selected and you receive any of the following error messages:

        • The agent does not support encrypted communication. Upgrade the agent to version 8.2.5 or higher.
        • Failed to establish an encrypted connection with the agent.
        • Operation timeout.

        Ensure that all consoles and agents are running the following:

        • .NET framework version 4.5 or higher. Version 9.0 requires .NET Framework 4.8 on the agent.
        • ControlUp version 8.2.5 or higher.

        Ensure that all monitors are running the following:

        • .NET framework version 4.8 or higher.
        • ControlUp version 8.2.5 or higher.

        Agent Authentication Key

        ControlUp generates a unique authentication for every ControlUp organization. By default, all agents are configured with this public Authentication Key, and accept communication only from trusted consoles or monitors that have the same corresponding private Authentication Key.

        The Authentication Key is automatically configured for the agent machine during deployment.

        Access Key Value

        By default, the Agent Authentication Key is the method of authenticating communication between the agents, consoles, and monitors, so you don't need to perform any action.

        CopyAuthKey

        To access the Authentication Key:

        1. In the Real-Time Console, click Settings > Agent

        2. Under Agent Authentication Key, click Copy to copy the key value to your clipboard. The same key is used for all agents deployed from this console. 

        On the agent machine, this Authentication Key is stored in the following registry key: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication\AuthKey

        You can manually set the key at any time and you aren't required to restart the agent machine.

        From version 9.0, you can also access the Authentication Key if you run the Get-AgentPublicKey PowerShell cmdlet on your monitor machine.

        Add Key to Configuration Files that Install the Agents

        When you install agents using the Add Machine feature in the Real-Time Console, by default, this key is automatically added to the agent machine.

        If you don't choose to deploy the agents automatically when you add machines to your organization, you must manually add the same key as displayed in the Agent Deployment Settings page to the configuration file that you use to add the agent.

        To manually configure the key, use the following registry setting on all machines with the agent deployed:

        • Registry Key: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication
        • Value: AuthKey
        • Data Type: REG_SZ
        • Value Data: Public key string base64 encoded (from Agent Deployment Settings)

        If you do choose to deploy the agents automatically when you add machines to your organization, you can use the Agent MSI installer to configure the Agents Authentication Key using an MSI parameter. If you use the link to Download MSI Installer from Agent Deployment Settings, the MSI is already configured with the parameter, but you must update the key value.

        To deploy agents with the key using an MSI installer command parameter, update the following key values:

        • Parameter Name: AUTHKEY
        • Parameter Value: AUTHKEY=agent authentication key
        • Usage Example: msiexec /i Agentinstaller.msi AUTHKEY=

        If you install an agent with this parameter, it configures the specified authentication key for the agent.

        Agent Registration Key

        From version 9.0, a new Registration Key is required to use agent outbound communication instead of agent inbound communication. The Registration Key enables agents to obtain a Personal Access Token (PAT) from the ControlUp security service. If you don't want to use the outbound communication feature, ignore this key. 

        CopyRegKey

        For more details about the Registration Key, see Manual Installation.

        Was this article helpful?
        What's Next