ControlUp Monitor Permissions & Security - Cloud ONLY.
Among the ControlUp components, one of the most important is the Monitor. The Monitor is a component that you install from within the ControlUp Real-Time Console, and it is the entity in charge of monitoring all the endpoints, hypervisors, and more, 24/7.
The Monitor is also the component that watches the endpoints for alerts based on the triggers you have set up, and it uploads the collected data into Insights, our online reporting system.
The best practice is to install the Monitor on its own dedicated server, provisioned with the necessary resources as explained in the ControlUp Sizing Guidelines article.
This article explains how the ControlUp Monitor works and which permissions it needs in order to work properly.
If you're using the on-premises solution, refer to the on-premises article in this link.
The Monitor in Cloud Environments
After you deploy the Monitor, it is recognized on that machine by its process, named cuMonitor.
The Monitor uses two identities on its end:
- The cuMonitor.exe process runs as the "NETWORK SERVICE" account on the Monitor machine only.
- The Monitor also uses an AD account that you configure when you set up the Monitor. It uses this account for several purposes:
  - Deploying the ControlUp Agents on remote machines (only if the account has administrative rights on the remote machines).
  - Connecting to the machines over port 40705 in order to monitor them (for Insights, alerting, etc.).
  - Uploading data to our cloud servers so that it populates Insights.
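The two network paths listed above (TCP 40705 to each managed machine, and HTTPS egress to the cloud upload URLs, through the proxy if one is configured) are the ones that most often fail in practice. The following PowerShell script is an added example, not ControlUp's own tooling; it is meant to be run on the Monitor machine. The endpoint hostnames, the upload URL and the proxy address are constructed placeholders: the real URL list belongs to this article, and your own values go in their place.

```powershell
# Added example (not ControlUp code): verify from the Monitor machine that
#  (1) each managed endpoint accepts TCP connections on the agent port 40705, and
#  (2) an HTTPS upload URL is reachable, optionally via the proxy configured under
#      Settings > Monitors > Settings > Proxy Settings.
# All hostnames below are constructed placeholders; replace them with your own.

$endpoints = @('vdi-01.example.local', 'vdi-02.example.local')   # placeholders
$agentPort = 40705
$uploadUrl = 'https://<insights-upload-host>/'                    # placeholder; use the URL list from this article
$proxy     = $null   # e.g. 'http://proxy.example.local:8080' when the Monitor must use a proxy

function Test-AgentPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Short timeout so a firewalled endpoint does not stall the whole run
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-UploadUrl {
    param([string]$Url, [string]$ProxyAddress)
    $params = @{ Uri = $Url; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($ProxyAddress) {
        $params.Proxy = $ProxyAddress
        $params.ProxyUseDefaultCredentials = $true
    }
    try {
        Invoke-WebRequest @params | Out-Null
        return $true
    } catch {
        # Any HTTP response (even 4xx/5xx) proves the TLS path is open;
        # only a transport-level failure (no response object) means the URL is blocked.
        return ($null -ne $_.Exception.Response)
    }
}

foreach ($ep in $endpoints) {
    $state = if (Test-AgentPort -ComputerName $ep -Port $agentPort) { 'reachable' } else { 'BLOCKED' }
    '{0,-32} TCP {1}: {2}' -f $ep, $agentPort, $state
}
$state = if (Test-UploadUrl -Url $uploadUrl -ProxyAddress $proxy) { 'reachable' } else { 'BLOCKED' }
'{0,-32} HTTPS: {1}' -f $uploadUrl, $state
```

A BLOCKED result on port 40705 means the Monitor cannot collect from that machine regardless of the permissions granted below; a BLOCKED result on the upload URL means Insights will stay empty even though the Console looks healthy.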
If you have a proxy, you need to configure it under the monitor settings by going to Settings > Monitors > Settings. Under Proxy Settings, you can configure your proxy.
In order for the monitor to successfully upload data into Insights, the following URLs must be accessible via HTTPS from the Monitor machine.
US (+Non-EU) customers:
Permissions in the Security Policy pane
In the ControlUp Real-Time Console, you must delegate the proper security permissions to the AD account that the Monitor uses. This is done within the Console, in the Security Policy pane.
- In the 'Perform organization-wide actions' section:
  - View All Hypervisors.
  - Connect to Data Source.
  - Use Shared Credentials (in the sub-section 'Shared Credentials Store').
- In the 'Run Computer Actions' section:
  - Connect to Windows Computer.
    Note: If you have Linux machines in your environment, include the 'Connect to Linux Computer' permission as well.
It's best practice to configure the credentials that you use in the environment as Shared Credentials. You can read more about this in the following article -> Configuring Shared Credentials.
Local Policy requirements
The Monitor AD account (the service account defined in the Monitor settings -> Domain identity tab) requires the "Allow log on locally" user right on the Monitor machine.
Therefore, verify two things under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:
- The AD account has the "Allow log on locally" user right.
- The AD account is not part of the "Deny log on locally" user right.
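Because a "Deny log on locally" entry always wins over an "Allow log on locally" grant, it is worth checking both on the Monitor machine itself rather than only in the GPO editor. The script below is an added example and not ControlUp's own tooling: it exports the effective local security policy with secedit (which reflects the settings applied by Group Policy), resolves the SIDs in the [Privilege Rights] section back to account names, and reports whether the Monitor account is granted or denied. CONTOSO\svc-cumonitor is a constructed placeholder for the account from the Domain identity tab; the script must run elevated.

```powershell
# Added example (not ControlUp code): verify on the Monitor machine that the Monitor AD
# account holds "Allow log on locally" (SeInteractiveLogonRight) and is NOT listed under
# "Deny log on locally" (SeDenyInteractiveLogonRight) in the effective local policy.
# Run from an elevated PowerShell session. The account below is a constructed placeholder.

$account = 'CONTOSO\svc-cumonitor'

function Resolve-Principal {
    # secedit writes SIDs as "*S-1-5-..." and unresolved names as plain text.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry.Substring(1)   # orphaned or foreign SID: keep it raw
        }
    }
    return $Entry
}

function Get-UserRightsAssignment {
    # Export the effective User Rights Assignment and parse it into
    # a hashtable: right name -> array of resolved principal names.
    $cfg = Join-Path $env:TEMP ('ura_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $entries = $matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                $rights[$matches[1]] = @($entries | ForEach-Object { Resolve-Principal $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$rights  = Get-UserRightsAssignment
$allow   = @($rights['SeInteractiveLogonRight'])
$deny    = @($rights['SeDenyInteractiveLogonRight'])
$granted = $allow -contains $account   # -contains is case-insensitive
$denied  = $deny  -contains $account

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny  -join ', ')"
if ($denied) {
    Write-Warning "$account is listed under 'Deny log on locally'; deny wins, so the Monitor cannot log on with this account."
} elseif (-not $granted) {
    Write-Warning "$account is not directly granted 'Allow log on locally'. A grant via one of the groups listed above may still apply; confirm the account's membership in those groups."
} else {
    "OK: $account is allowed to log on locally and is not denied."
}
```

The direct-grant check is deliberately conservative: if the right is inherited through a group such as BUILTIN\Users, the script lists that group so you can confirm membership, rather than assuming it.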
The Monitor is able to install the ControlUp Agent on machines, for example machines that boot up agentless.
In the Monitor settings, we state the following-
It's best practice, but not mandatory, to configure the AD account with admin privileges on the endpoints. If the ControlUp Agent is baked into the golden image, or installed on a machine that will not boot without the agent, the AD account used by the Monitor can be a non-admin user.