ControlUp Monitor Permissions & Security - Cloud ONLY.

Summary

Among the ControlUp components, one of the most important is the Monitor. The Monitor is installed from within the ControlUp Real-Time Console and is the entity in charge of monitoring all endpoints, hypervisors and other resources 24/7.

The Monitor also evaluates the triggers you have set up and raises alerts for the endpoints, and it uploads the collected data into Insights, our online reporting system.

The best practice is to install the Monitor on its own dedicated server, provisioned with the necessary resources as explained in the ControlUp Sizing Guidelines article.

This article explains how the Monitor works, what it does and which permissions it needs in order to work properly.

If you're using the on-premises solution, refer to the on-premises article in this link.

The Monitor in Cloud Environments

After you deploy the Monitor, it runs on that machine as the process "cuMonitor.exe".

The Monitor operates under two identities:

  1. The "cuMonitor.exe" process itself runs as the built-in "NETWORK SERVICE" account, on the Monitor machine only.
  2. An AD account that you configure when you set up the Monitor. The Monitor uses this account for several purposes:
    1. Deploying the ControlUp Agent on remote machines (only possible if the account has administrative rights on those machines).
    2. Connecting to the machines over TCP port 40705 in order to monitor them (for Insights, alerting, etc.).

In addition, the Monitor uploads the collected data to the ControlUp cloud servers so that Insights can be populated for you.

Note - if outbound traffic goes through a proxy, configure it in the Monitor settings: go to Settings > Monitors > Settings (in the window that opens) > Proxy Settings and enter your proxy details.


In order for the Monitor to successfully upload data into Insights, the following hosts must be reachable over HTTPS (TCP 443) from the Monitor VM:

  1. fe1.controlup.com
  2. fe2.controlup.com
  3. fe3.controlup.com
  4. fe4.controlup.com
  5. rt-app.controlup.com
  6. *.amazonaws.com

Note - customers using the limited-availability 8.x version should also add insights-hec.controlup.com:443 to the exception list. At the moment the IP address behind this hostname is dynamic, so allow it by name rather than by IP.
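The following PowerShell script is an added example (not ControlUp's own code) for checking the connectivity requirements above from the Monitor VM: it resolves and opens TCP 443 to each listed ControlUp host, optionally confirms the HTTPS path through the configured proxy, and opens TCP 40705 to any sample endpoints you pass in. The *.amazonaws.com wildcard cannot be tested as a single host and is left to the proxy/firewall rule. The -Proxy and -AgentHosts parameters are assumed placeholders you fill in for your environment.

```powershell
# Added example, not ControlUp's own code. Run on the Monitor VM:
#   .\Test-CuMonitorConnectivity.ps1 -Proxy 'http://proxy.corp.example:8080' -AgentHosts vdi-001,vdi-002
# Both parameters are assumed placeholders; leave them out if they do not apply.
param(
    [string]$Proxy = '',          # proxy URL configured under Settings > Monitors > Settings > Proxy Settings
    [string[]]$AgentHosts = @()   # sample endpoints to test on the agent port (TCP 40705)
)

# Hosts the article requires over HTTPS from the Monitor VM.
$CloudHosts = @(
    'fe1.controlup.com', 'fe2.controlup.com', 'fe3.controlup.com', 'fe4.controlup.com',
    'rt-app.controlup.com',
    'insights-hec.controlup.com'   # only required for the limited-availability 8.x builds
)
# '*.amazonaws.com' is a wildcard: it must be allowed as a domain rule and is not tested here.

function Test-HostPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Resolve first so a DNS failure is reported separately from a blocked port.
    try { $addr = [System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1 }
    catch { return [pscustomobject]@{ Host=$HostName; Port=$Port; Dns=$false; Tcp=$false; Error=$_.Exception.Message } }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($addr, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        $err = if ($ok) { '' } else { 'connect timed out or refused' }
        return [pscustomobject]@{ Host=$HostName; Port=$Port; Dns=$true; Tcp=[bool]$ok; Error=$err }
    } catch {
        return [pscustomobject]@{ Host=$HostName; Port=$Port; Dns=$true; Tcp=$false; Error=$_.Exception.Message }
    } finally { $client.Close() }
}

function Test-HttpsViaProxy {
    param([string]$HostName, [string]$ProxyUrl)
    # A raw TCP check bypasses the proxy; this confirms the proxy itself will tunnel to the host.
    $params = @{ Uri = "https://$HostName/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 10 }
    if ($ProxyUrl) { $params.Proxy = $ProxyUrl; $params.ProxyUseDefaultCredentials = $true }
    try { return "HTTP $((Invoke-WebRequest @params).StatusCode)" }
    catch {
        # Any HTTP status (403/404) still proves TLS and the proxy path work; a 407 or a
        # transport error means the proxy/firewall path is what needs fixing.
        if ($_.Exception.Response) { return "HTTP $([int]$_.Exception.Response.StatusCode)" }
        return "FAILED: $($_.Exception.Message)"
    }
}

# Build the check list: cloud hosts on 443, sample endpoints on the agent port 40705.
$checks  = @($CloudHosts | ForEach-Object { @{ Host = $_; Port = 443 } }) +
           @($AgentHosts | ForEach-Object { @{ Host = $_; Port = 40705 } })
$results = foreach ($c in $checks) { Test-HostPort -HostName $c.Host -Port $c.Port }
$results | Format-Table Host, Port, Dns, Tcp, Error -AutoSize

if ($Proxy) {
    foreach ($h in $CloudHosts) { '{0,-30} via proxy: {1}' -f $h, (Test-HttpsViaProxy -HostName $h -ProxyUrl $Proxy) }
}

# Non-zero exit code so the script can be used from a scheduled check.
if (@($results | Where-Object { -not $_.Tcp }).Count -gt 0) { exit 1 }
```

A DNS failure on a controlup.com host points at name resolution or a DNS-filtering proxy, while a resolved name with a failed TCP connect points at the firewall; running the proxy pass separately tells you which of the two paths the Monitor will actually use.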

Permissions in the Security Policy (within ControlUp)

In the ControlUp Real-Time Console, you'll have to delegate the proper security permissions to the AD account that the Monitor uses. This is done within the Console, in the Security Policy pane.

  1. In the 'Perform organization-wise actions' section:
    • View All Hypervisors.
    • Connect to Data Source.
    • Use Shared Credentials (in the sub-section 'Shared Credentials Store').
  2. In the 'Run Computer Actions' section:
    • Connect to Windows Computer.
    • Connect to Linux Computer (only needed if you have Linux machines in your environment).

It's best practice to configure the credentials used in the environment as Shared Credentials. You can read more about this in the following article -> Configuring Shared Credentials.

Local Policy requirements

The AD service account defined in the Monitor settings (Identity tab) requires the "Allow log on locally" user right on the Monitor machine.

Therefore, verify two things under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment in the policy that applies to the Monitor machine:

  1. The AD account has the "Allow log on locally" user right (directly or through a group it belongs to).
  2. The AD account is not listed under the "Deny log on locally" user right. A deny entry always overrides an allow entry.
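The following PowerShell script is an added example (not ControlUp's own code) that performs both checks on the Monitor machine itself. It exports the effective local security policy with secedit (which reflects rights applied by GPO as well as local settings), reads the SeInteractiveLogonRight and SeDenyInteractiveLogonRight entries, translates the SIDs to names, and reports whether the account is covered directly or through the groups every domain user implicitly belongs to. The -MonitorAccount parameter is an assumed placeholder for the account configured in the Identity tab.

```powershell
# Added example, not ControlUp's own code. Run from an elevated prompt on the Monitor machine:
#   .\Test-CuMonitorLogonRight.ps1 -MonitorAccount 'CORP\svc-cu-monitor'
# -MonitorAccount is an assumed placeholder for the account set in the Identity tab.
param([Parameter(Mandatory)][string]$MonitorAccount)

# Export the effective user-rights policy; secedit writes the INF as UTF-16LE.
$inf = Join-Path $env:TEMP 'cu-userrights.inf'
$null = secedit.exe /export /cfg $inf /areas USER_RIGHTS
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }
$policy = Get-Content -Path $inf -Encoding Unicode

function Get-RightHolders {
    param([string]$Right, [string[]]$PolicyLines)
    # Example line: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CORP\svc-x
    $line = $PolicyLines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if (-not $e) { continue }
        if ($e.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate to DOMAIN\name where the SID still resolves.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e.Substring(1) }
        } else { $e }
    }
}

# Groups every domain user is implicitly a member of on a domain-joined machine (Domain Users
# is nested in BUILTIN\Users by default), so a match here grants the right without naming the account.
$implicit = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Test-Listed {
    param([string[]]$Holders, [string]$Account)
    @($Holders | Where-Object { $_ -eq $Account -or $implicit -contains $_ }).Count -gt 0
}

$allow = @(Get-RightHolders -Right 'SeInteractiveLogonRight'     -PolicyLines $policy)
$deny  = @(Get-RightHolders -Right 'SeDenyInteractiveLogonRight' -PolicyLines $policy)
$onAllow = Test-Listed -Holders $allow -Account $MonitorAccount
$onDeny  = Test-Listed -Holders $deny  -Account $MonitorAccount
# Other groups holding the allow right: the account may qualify through one of these as well.
$otherGroups = $allow | Where-Object { $_ -ne $MonitorAccount -and $implicit -notcontains $_ }

[pscustomobject]@{
    Account            = $MonitorAccount
    AllowLogOnLocally  = $onAllow
    DenyLogOnLocally   = $onDeny
    Ok                 = ($onAllow -and -not $onDeny)   # a deny entry always wins over an allow
    OtherAllowedGroups = ($otherGroups -join ', ')
} | Format-List

Remove-Item $inf -ErrorAction SilentlyContinue
```

If Ok is false but OtherAllowedGroups lists a custom AD group, confirm the account's membership in that group before changing policy; if DenyLogOnLocally is true, fixing the allow side will not help until the deny entry is removed.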

Administrative privileges

The Monitor is able to install the ControlUp Agent on machines, for example machines that boot up without the agent.

In the Monitor settings dialog, we state the following:

It's best practice to have the AD account configured with local administrator privileges on the endpoints, but this is not mandatory. If the ControlUp Agent is baked into the golden image, or is installed on machines that will never boot without it, the AD account used by the Monitor can be a non-admin user.
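The following PowerShell script is an added example (not ControlUp's own code) for deciding, per endpoint, which of the two situations above applies: it checks whether the Monitor's AD account is a direct member of the local Administrators group (which agent deployment needs), lists any AD groups in that group through which it might be an administrator instead, and checks whether something is already listening on TCP 40705, the port the Monitor uses to reach an installed agent. The -MonitorAccount and -Endpoints parameters are assumed placeholders, and the script assumes WinRM access to the endpoints.

```powershell
# Added example, not ControlUp's own code. Run from a host with WinRM access to the endpoints:
#   .\Test-CuAgentDeployReadiness.ps1 -MonitorAccount 'CORP\svc-cu-monitor' -Endpoints vdi-001,vdi-002
# Both parameters are assumed placeholders.
param(
    [Parameter(Mandatory)][string]$MonitorAccount,
    [Parameter(Mandatory)][string[]]$Endpoints
)

$results = Invoke-Command -ComputerName $Endpoints -ArgumentList $MonitorAccount -ScriptBlock {
    param([string]$Account)

    # Query Administrators by its well-known SID so a renamed group still resolves.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    # Direct membership of the Monitor account (name comparison is case-insensitive).
    $direct = @($members | Where-Object { $_.Name -eq $Account }).Count -gt 0

    # AD groups nested in Administrators: the account may be an admin through one of these,
    # which this script does not expand, so they are reported for a manual check.
    $adGroups = $members |
        Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { $_.Name }

    # The Monitor connects to agents on TCP 40705; a listener there means an agent is already present.
    $agent = @(Get-NetTCPConnection -LocalPort 40705 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        Endpoint         = $env:COMPUTERNAME
        DirectLocalAdmin = $direct
        AdminViaGroups   = ($adGroups -join ', ')
        AgentListening   = $agent
        # True when the Monitor can either deploy the agent or already reach one; a false value
        # may still be fine if the account is a member of one of the AdminViaGroups.
        Ready            = ($direct -or $agent)
    }
}

$results | Format-Table Endpoint, DirectLocalAdmin, AdminViaGroups, AgentListening, Ready -AutoSize
```

Endpoints that report neither DirectLocalAdmin nor AgentListening are the ones on which agent-less boots will go unmonitored with a non-admin Monitor account; either grant the account local administrator rights there or bake the agent into the image.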

 

If you have further questions about the Monitor, feel free to ask us at support@controlup.com
