Agent Outbound Communication

    9.0 Beta

    This article covers information relevant only to the version 9.0 beta release. Want to be the first to try our new features? Join the ControlUp Beta Program!

    Important

    ControlUp Real-Time DX no longer supports Windows Server 2012/R2 machines, following Microsoft's recent end of support. We recommend Windows Server 2016 or a later version to use the 9.0 features.

    Before ControlUp version 9.0, the ControlUp Agents acted as servers by listening on TCP port 40705 for inbound connections. The ControlUp Console and Monitors acted as clients by connecting to the agents. This method required you to allowlist incoming TCP connections for all the machines in your organization with agents installed.

    From version 9.0, the Agent Outbound Communication feature reverses the connection direction. By default, the agents now act as the clients and the monitors act as the servers, listening on port 40705 for connections that the agents initiate.

    The following diagram illustrates the connection changes:
    [Diagram: AgentInboundOutbound1]

    Note

    Outbound communication is supported only for connections from the ControlUp Agents to the Monitors. It isn't supported for connections from the Agents to the Consoles.

    Inbound port 40705 is still required for:

    • Data collector machines

    • Machines you want to manage via the Console

    Prerequisites to enable Agent Outbound Communication

    Important

    From version 9.0, .NET Framework 4.8 must be installed on the agent, console, and monitor machines.

    • Version 9.0

    • Enable outbound port 443 (TLS 1.2) on all agent machines

    • Provide all agents with the Registration Key. If you use the console, it is automatically added to the registry. If you install/upgrade agents with the MSI, you must provide it manually.

    Required URLs

    US + Rest of the World (non-EU) URLs

    Component: Agent

    • https://cu-agents-cpa.controlup.com/broker-discovery

    • https://cu-agents-cpa.controlup.com/outbound-security

    • https://cu-agents-cpa-us.controlup.com/broker-discovery

    • https://cu-agents-cpa-us.controlup.com/outbound-security

    To use the Remote Control feature:

    • solve-ws-proxy-us.controlup.com

    • 3.210.212.180

    • 44.205.79.193

    Component: Monitor

    • https://cu-services-cpa.controlup.com/outbound-security

    • https://cu-services-cpa.controlup.com/broker-discovery

    • https://cu-services-cpa-us.controlup.com/outbound-security

    • https://cu-services-cpa-us.controlup.com/broker-discovery

    EU URLs

    Component: Agent

    • https://cu-agents-cpa.controlup.com/broker-discovery

    • https://cu-agents-cpa.controlup.com/outbound-security

    • https://cu-agents-cpa-eu.controlup.com/broker-discovery

    • https://cu-agents-cpa-eu.controlup.com/outbound-security

    To use the Remote Control feature:

    • solve-ws-proxy-eu.controlup.com

    • 18.194.198.179

    • 18.159.29.205

    Component: Monitor

    • https://cu-services-cpa.controlup.com/outbound-security

    • https://cu-services-cpa.controlup.com/broker-discovery

    • https://cu-services-cpa-eu.controlup.com/outbound-security

    • https://cu-services-cpa-eu.controlup.com/broker-discovery

    Benefits

    Agent outbound communication can benefit your environment by reducing barriers for the following:

    • MSPs with multi-tenant deployments

    • Streamlined deployment of ControlUp Agents

    Enabling Outbound Communication

    You can install the 9.0 agent with either MSI or the Real-Time Console. If you upgrade or install the agent from the console, the agent is automatically configured with the registry key saved under the following path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Smart-X\ControlUp\Agent\Communication

    If you configure the agent using group policy, the registry key is saved under: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smart-X\ControlUp\Agent\Communication

    The agent reads the CertificateValidationLevel key from the applicable registry location to decide how it validates the certificate. If the CertificateValidationLevel key is missing or has a value of “0”, the agent only checks whether the certificate subject matches the monitor IP address. If the CertificateValidationLevel key has a value of “1” or more, the agent performs the full certificate validation process.

    If you install the agent with the MSI, you must manually provide:

    • Authentication Key. Required to connect to the agent via the console.

    • New in 9.0: Registration Key. Required for outbound communication. Without it, the agent won’t be able to communicate outbound.

    Master Images

    If you install the agent on a machine that will be used as a master image for non-persistent machines, in the MSI installer, select the Configure this installation as a master image checkbox.

    Revert to Agent Inbound Communication

    If you don’t want to use the new agent outbound communication, you can revert to the inbound communication.

    Broker Discovery Service

    The broker is a new monitor role which is granted to all monitors in the cluster. The Broker Discovery service discovers the broker monitors in clusters for ControlUp Agents in outbound connection mode.

    The following clients call the service:

    • Agents query data on brokers in the cluster before connecting to the monitor with the lightest load.

    • Monitors submit updated data from brokers in the cluster.

    When the service is online, it discovers brokers via our ControlUp Hybrid Cloud Services. When the service is offline, it discovers brokers listed in the registry settings of the agent machines.

    Broker Registry Configuration

    You can set the Broker Discovery service to discover brokers when the service is offline by using the following registry settings on the agent machines.

    If you installed the agent from the console, use registry path HKEY_LOCAL_MACHINE\SOFTWARE\Smart-X\ControlUp\Agent\Communication

    If you configured the agent using group policy, use registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smart-X\ControlUp\Agent\Communication

    You can configure the following available keys and values in either path:

    • Monitors. For offline broker discovery, a list of monitor addresses to be contacted.

    • DisableOnlineBrokeringFlow. To automatically use offline brokering, set value to 1.

    • OnlineServiceEnvSuffix. The environment for online services, for example .dev or .qa.

    • OnlineServiceRegionSuffix. The region suffix for online services, for example -cpa-us, -cpa-eu, etc. Usually there is no need to configure it manually, because it is resolved automatically.

    • DisableProxyToOnlineServices. If the proxy shouldn’t be used to connect to cloud services, set to 1.

    • DisableProxyToMonitor. If the proxy shouldn’t be used to connect to the monitor, set to 1.

    • ProxyToOnlineServices. Dedicated proxy (DNS or IP) that the agent should use to connect to cloud services.

    • ProxyToMonitor. Dedicated proxy address (DNS or IP) that the agent uses to connect to the monitor.

    • SiteId. Site ID of the agent.

    • Outbound. If the agent should be used for inbound communication, set to 0.

    • LastDiscoveredMonitors. For offline broker discovery in combination with the Monitors list, a list of last discovered monitor addresses via online brokering.
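
    The following PowerShell audit is an added example, not ControlUp code. It reads both registry locations named above and flags the settings this article describes as changing the agent's security posture, including the CertificateValidationLevel value from the Enabling Outbound Communication section. The function names and the sample hostname are hypothetical, the value types are assumed because the article does not state them, and each location is reported separately because the article does not say which one takes precedence.

```powershell
# Added example, not ControlUp code. Registry paths and value names are from the
# article; value types are not stated there, so numbers are parsed with -as [int].
$CommPaths = @(
    'HKLM:\SOFTWARE\Smart-X\ControlUp\Agent\Communication',          # console or MSI install
    'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\Communication'  # group policy
)

function Test-AgentCommValues {
    # $Values: hashtable of registry value name -> data for one location.
    param([hashtable]$Values)
    $outbound = $Values['Outbound']
    if ($null -ne $outbound -and ($outbound -as [int]) -eq 0) {
        # Article: Outbound = 0 puts the agent in inbound mode (listener on TCP 40705).
        'Outbound=0: inbound mode, agent must accept connections on TCP 40705'
    }
    if (($Values['CertificateValidationLevel'] -as [int]) -lt 1) {
        # Article: missing or 0 means only the subject is compared with the monitor IP.
        'CertificateValidationLevel not set to 1 or more: subject check only'
    }
    if (($Values['DisableOnlineBrokeringFlow'] -as [int]) -eq 1 -and
        -not $Values['Monitors'] -and -not $Values['LastDiscoveredMonitors']) {
        'Offline brokering forced, but no monitor addresses are listed'
    }
    foreach ($n in 'ProxyToMonitor', 'ProxyToOnlineServices') {
        if ($Values[$n]) { "$n is set to $($Values[$n])" }
    }
}

function Get-AgentCommAudit {
    param([string[]]$Path = $CommPaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }   # location not present on this machine
        $key = Get-Item -Path $p
        $values = @{}
        foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) }
        [pscustomobject]@{ Path = $p; Findings = @(Test-AgentCommValues $values) }
    }
}

# Constructed sample values (not from a real machine): no validation level configured.
Test-AgentCommValues @{ Outbound = 1; Monitors = 'monitor01.example.internal' }

# On an agent machine, audit both registry locations:
Get-AgentCommAudit | Format-List
```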

    Security

    The Broker Discovery service authenticates monitors with JSON Web Tokens (JWT) and agents with personal access tokens (PAT).

    Server Certificates

    For outbound communication, the ControlUp Agent must validate the server certificate issued by the ControlUp Monitor. Outbound communication works over TLS channels, which require SSL certificates to establish connections. The monitor automatically creates a unique certificate each time it starts the gRPC server, based on its public DNS/FQDN, with one of the following methods:

    • Self-signed certificates. The agent checks whether the Common Name from the certificate corresponds to the monitor's IP address.

    • Third-party certificates. The monitor creates a certificate sourced from the local certificate store. If enabled, the agent checks whether the certificate is endorsed by a root authority or is part of a recognized certificate chain.

