• Certificate-based Agent Authentication - Manual Configuration on Console & Monitor Machines

    This is the manual equivalent of the automated script outlined in this article. It describes what happens on each of your console and monitor machines when you run the script, so that you can troubleshoot the automated procedure or perform all the steps by hand.

    First read through Certificate-Based Agent Authentication to be sure you have all the prerequisites listed there and that you have created the certificates as recommended.

    You have to complete these manual steps for every machine or location running the ControlUp Console and the ControlUp Monitor.

    Apply Private Key Certificate to the Machines Running the ControlUp Console and Monitors

    1. Ensure the private key (.pfx file) you created is copied onto the machines running the ControlUp Console and Monitors, and that you have the password that protects the private key in this file.
    2. Access the directory with the private key and double click the .pfx file. The Windows Certificate Import Wizard opens.
      CertImportWizard.png
    3. Select Local Machine and click Next.
      Note: You can select Current User instead if you want the certificate to be available only to the user who imports it, so that each user of this console needs their own certificate. In that case the registry key described below must be created under HKCU for that user rather than under HKLM.
    4. Confirm that the selected .pfx file is correct and click Next.
      CertImportWizardConfirm.png
    5. Enter the private key password and click Next.

    6. Store the certificate. Select Place all certificates in the following store, click Browse and select the Personal store. Click Next.
      CertImportWizardStore.png

    7. In the next window, click Finish and the Certificate Import Wizard confirms that the import was successful.
      CertImportWizardSuccess.png

    Configure Registry Key on the ControlUp Console and Monitor Machines

    For the console and monitors to start using a client-side certificate, a registry configuration is required. For the console, the registry key can be created under either the HKCU or the HKLM hive; for the monitors it must be under HKLM. Each hive refers to the matching certificate store: HKCU to the Current User store and HKLM to the Local Machine store, so create the key in the hive that corresponds to the store you imported the certificate into.

    Once you have created this registry key, you can export it and import it on any other ControlUp Console machine and on the ControlUp Monitor machines, provided they use the same certificate (the Thumbprint value must match the certificate installed on each machine).

    1. On the console machine, open the Registry Editor and go to: HKLM\SOFTWARE\Smart-X\ControlUp\ClientCert
      Missing keys must be created manually.

    2. Create a DWORD value named Enabled and assign it the value of 1.

    3. Create a string value (REG_SZ) named Thumbprint and assign it the thumbprint of the private key certificate you imported.
      You can find the Thumbprint of the certificate as follows.

        1. Access the Microsoft Management Console (mmc).
        2. Choose File > Add/Remove Snap-in.
        3. Select Certificates from the Available Snap-ins list and click Add > for it to appear in the Selected Snap-ins list.
        4. When prompted, select Computer account, and click Next, and then Finish.
        5. Click OK to close the Add or Remove Snap-ins window.
        6. Expand the Certificates item and go to Personal > Certificates.
        7. Locate the certificate you imported from the .pfx file. Double-click it and open the Details tab.
          The Thumbprint field is shown in the list as follows:
          CertificateThumbprint.png
        8. Highlight the Thumbprint field. In the details box, select the thumbprint value and copy it into a text editor that can show non-printing Unicode characters, such as Notepad++.
          Note: The value copied from the certificate dialog can carry an invisible leading Unicode character and separating spaces. Check the pasted text in the editor and remove anything that is not part of the hexadecimal thumbprint; if the hidden character ends up in the registry value, the thumbprint will not match the certificate and the console will not use it.
        9. Copy the cleaned Thumbprint value into the registry key you created above. It should look like this:
          RegKeyThumbprint.png

    Add Network Service to the ControlUp Monitor Machine Private Key

    All the machines running ControlUp Monitors in your environment must also have this private key certificate file and the registry key you created above.

    Additionally, you must grant the Network Service account access to the private key of the certificate on the monitor machines. This is because the ControlUp Monitor service runs in the context of the Network Service account and otherwise cannot use the key.

    1. Access the Microsoft Management Console (mmc).
    2. Open the Certificates item and go to Personal > Certificates.
    3. Right-click the certificate you applied to this machine per the above procedure. Select All Tasks > Manage Private Keys...
      ManagePrivateKeys.png
      Note: 
      If you have a non-standard deployment, you may have to search for the private key file.
    4. Add Network Service to the Security list. The default permission is Full Control; Read is sufficient for the monitor to use the key for authentication, whereas Full Control also lets the account delete the key or change its permissions.
      NetworkService.png
    5. Restart the monitor machine.

    Once you have completed this stage of the procedure, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
    ConsoleCertificateIcon.png
    You should repeat this for every machine running the ControlUp Real-Time Console. You can export the registry configuration and import it to the other machines running the console and the monitors. 
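    The following PowerShell script is an added example, not ControlUp's own automation script, that performs the manual steps above on a single console or monitor machine: it imports the .pfx into the Local Machine Personal store, creates the ClientCert registry values, and, on monitor machines, grants NETWORK SERVICE Read access to the private key file. It assumes an RSA key pair in the .pfx, an elevated session and the registry path given above; the locations under %ProgramData%\Microsoft\Crypto are the standard Windows locations for machine keys. Taking the thumbprint from the imported certificate object avoids the hidden-character pitfall of copying it from the certificate dialog.

```powershell
# Added example (not ControlUp's script): the manual steps above for one console or
# monitor machine. Assumes an RSA key in the .pfx and an elevated session.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [switch] $IsMonitor     # monitor machines also need NETWORK SERVICE access to the key
)

# Steps 1-7: import the .pfx into Local Machine > Personal (Cert:\LocalMachine\My).
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $cert.HasPrivateKey) { throw "The imported certificate has no private key" }

# Registry: HKLM because the certificate went into the Local Machine store. The
# Thumbprint property is upper-case hex with no spaces or hidden characters.
$regPath = 'HKLM:\SOFTWARE\Smart-X\ControlUp\ClientCert'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Enabled'    -PropertyType DWord  -Value 1                -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Thumbprint' -PropertyType String -Value $cert.Thumbprint -Force | Out-Null

if ($IsMonitor) {
    # Locate the private key file. CNG machine keys live under Crypto\Keys, legacy CAPI
    # keys under Crypto\RSA\MachineKeys; the key's unique name is the file name in both cases.
    $candidates = @()
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $candidates += Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
        $candidates += Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $candidates += Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }
    $keyFile = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Private key file for $($cert.Thumbprint) not found; see the non-standard deployment note" }

    # Read is enough to sign with the key. The Manage Private Keys dialog defaults to
    # Full Control, which would also let NETWORK SERVICE delete the key or change its ACL.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList 'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
}

# Verification: the registry must point at a certificate with a private key in the
# store that the HKLM hive refers to.
$cfg   = Get-ItemProperty -Path $regPath
$match = Get-ChildItem 'Cert:\LocalMachine\My' |
         Where-Object { $_.Thumbprint -eq $cfg.Thumbprint -and $_.HasPrivateKey }
if ($cfg.Enabled -ne 1 -or -not $match) { throw "ClientCert configuration is incomplete" }
"ClientCert enabled; thumbprint $($cfg.Thumbprint) resolves to '$($match.Subject)'"
```

    Run it as .\Set-ControlUpClientCert.ps1 -PfxPath C:\certs\controlup.pfx -PfxPassword (Read-Host -AsSecureString) and add -IsMonitor on machines running the Monitor service. If the same certificate is used everywhere, the registry values it writes are the ones the article suggests exporting to the other machines.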

    You must now configure the ControlUp Agent machines per the instructions in this article: Certificate-Based Agent Authentication.

  • Is ControlUp for You?

    ControlUp is tailor-made for systems administrators and helpdesk personnel who oversee multi-user environments and are required to prevent and troubleshoot performance issues, application failures and operating system errors. Typically, these tasks require a repetitive and time-consuming execution of existing consoles, scripts and various management tools, none of which are capable of achieving the systems administrator’s two primary goals:

    • Quickly identify issues in a complex multi-user environment
    • Resolve these issues in a simple and efficient manner

    ControlUp is a comprehensive system monitoring and management solution which provides deep visibility into the real-time activity of servers, workstations, users and the applications they use. The real-time console gathers and displays a wealth of current information regarding system health and performance. It also allows for powerful management actions to be executed in order to resolve issues and change system configurations. The ControlUp monitor service assists with 24/7 monitoring of your assets and alerts about any abnormal behavior according to a customizable set of incident triggers.

    ControlUp Insights, the historical reporting and analytics platform, accumulates activity and performance data over time and displays a variety of reports that enable systems administrators to investigate past issues, track usage trends, analyze system performance and make decisions regarding future system design and configuration.

  • Basic Concepts

    ControlUp Console – the main executable of ControlUp, available for download as a single file named ControlupConsole.exe. There are no install/uninstall routines for this component, just a portable executable.

    ControlUp User – typically a systems administrator, technical specialist, or support technician working with ControlUp Console. Every ControlUp user is required to create an online login account which is used for user authentication to ControlUp's configuration servers. 

    Managed Computer – a Windows computer which a ControlUp user wishes to manage and/or monitor using ControlUp. It needs to belong to an Active Directory domain and to have .Net Framework 3.5 or 4.5 installed. When first contacted by a ControlUp Console, every Managed Computer is assigned to a ControlUp organization.

    ControlUp Agent – a lightweight executable named cuAgent.exe that runs as a system service on every Managed Computer. This component provides performance information and handles the execution of management actions.

    ControlUp Organization – a logical grouping of Managed Computers handled by the same team. A ControlUp User selects an organization during login and is restricted to managing computers that belong to the selected organization only.

    ControlUp Monitor – a Windows service which operates in a way similar to the ControlUp console but without the graphical user interface. ControlUp Monitor connects to all of the computers in your organization and performs continuous monitoring and reporting of incidents as well as automatic exporting of data tables for historical reporting. If you require 24/7 monitoring and alerting about incidents in your environment, it is recommended that you install at least one instance of ControlUp Monitor. Two Monitor services can be installed and will operate as an Active/Passive HA pair in case of failover. 

    ControlUp Insights – a reporting and analytics platform that displays historical reports using data gathered by ControlUp. In order to start using ControlUp Insights, at least one instance of ControlUp Monitor should be installed in an organization.

    Incident - in ControlUp, an incident is an occurrence on one of your managed computers that falls under the scope of one of the configured incident triggers. For example, you might configure a “Process Ended” incident trigger with a filter of “Process name=svchost.exe”. Every subsequent crash or error exit of a process with this name will generate an incident. Incidents are recorded in the ControlUp Hybrid Cloud Services database and are available for display in the Incidents Pane of ControlUp.

    Incident Trigger – a definition of an occurrence that should be recorded as an incident. Triggers of two types are supported in ControlUp: community triggers are created by ControlUp based on vendor recommendations and industry best practices, and user-defined triggers which can be configured according to your needs. Each trigger includes a set of conditions: trigger type (Stress Level, Process Started, etc.), filter (specific conditions like computer name or operating system), scope (folders and schedule – when and where the trigger applies). In addition, every trigger may include a set of follow-up actions, for example an email alert.

    Script-Based Action (SBA) or Script Action - a PowerShell, VBScript or batch script which has been imported into ControlUp as a management action. Script-based actions (SBAs) can be assigned to any of ControlUp’s managed resources (folders, computers, sessions, etc.). SBAs can be downloaded from the community repository or created manually and shared within your ControlUp organization.

    Hypervisor connection – the connection parameters needed for a console or data collection agent to connect with a supported hypervisor management platform (vCenter, Nutanix, Hyper-V, or XenServer pool master). After the connection to the hypervisor management platform, host and VM information is automatically retrieved and populates the ControlUp database. (If the connection is to vCenter, datacenter and cluster information is also gathered, for better organization of virtualization resources.)

    XenDesktop Connection - an object in the organization tree that contains the details necessary for ControlUp to collect data from a single XenDesktop site. Once configured and connected, it populates the Sessions and Computers views with information retrieved from the XenDesktop brokers.

    Cloud Connection

    By using ControlUp’s AWS EC2 cloud management, all your instances are visible in one place, with their performance and cost metrics displayed at a fine level of granularity, live and in real time. If resources are strained, they are shown in flashing red. If any aspect of the cost shoots up, so will the red flags.

    NetScaler Connection - an object in the organization tree that contains the details necessary for ControlUp to collect data from a single NetScaler appliance. Once configured and connected, it populates the Load Balancers, Services, Service Groups, Gateways, HDX sessions and NICs views with data retrieved from the NetScaler API.

    Hypervisor folder – similar to a regular folder, but intended to organize hypervisor connections.

    Hypervisor – the term ControlUp uses to refer to the connection points to the virtualization world, namely vCenter and the Xen pool master. Strictly speaking, the vCenter server is not a hypervisor, but for the purposes of consistency in ControlUp, it is referred to as one.

    Host – a computer running VMware ESX/ESXi, Hyper-V, Nutanix AHV, or Citrix XenServer that ControlUp accesses via the Hypervisor connection. The virtualization hosts are the computers that run multiple virtual machines on them.

    VM – Virtual Machines that run as guests on the ESXi/Xen server hosts. If the guest VM is running a supported version of Windows, then the ControlUp Agent can be installed on it and it will become a fully managed computer by ControlUp. There are some performance statistics that can be gathered about all VMs, managed or not, because ControlUp queries the hypervisor about all of them. However, full data retrieval is only possible if there is a ControlUp agent installed on the guest OS.

  • ControlUp Modes

    ControlUp Hybrid Cloud

    ControlUp Hybrid Cloud is the default operation mode for ControlUp, which offers the largest set of available features and the easiest deployment. In Hybrid Cloud, you need to download ControlUp Console and perform some basic configuration steps in order to start monitoring and managing your resources. There is no need to install and configure databases or other infrastructure components. All the back-end services (such as storage, database, alerting by email and mobile notifications) are provided seamlessly by ControlUp Hybrid Cloud.

    When working in Hybrid Cloud, ControlUp requires Internet connectivity and relies on a persistent connection to ControlUp Hybrid Cloud. Various controls and mechanisms are in place to ensure the security of your data stored in ControlUp Hybrid Cloud. For more information on ControlUp Hybrid Cloud security, please refer to our security whitepaper.

    The following diagram displays the architecture of ControlUp Hybrid Cloud Mode:

    Hybrid_Cloud_Architecture.jpg

    On-premise Deployment

    In On-Premises Mode, all the back-end services required for ControlUp are installed in the organizational network. This mode is designed for customers who would like to enjoy the features of ControlUp without contacting ControlUp Hybrid Cloud. On-Premises Mode eliminates the requirement for Internet connectivity and enables all components of ControlUp to operate autonomously without contacting ControlUp Hybrid Cloud.

    To configure ControlUp in On-premises Mode, you need to prepare some infrastructure resources, such as a SQL database and a web server, and then download and install ControlUp server components.

    On-Premises Mode does not include some of the features that rely on ControlUp Hybrid Cloud. For the full comparison matrix of ControlUp operation modes, see table below.

    The following diagram displays the architecture of ControlUp On-Premises Mode:

    CU_On-Premises.jpg

    Feature Comparison Matrix

    Capture.JPG

  • ControlUp Architecture & Security Concepts

    Overview

    This document describes the ControlUp suite architecture, including the different deployment topology scenarios, a description of all major components and their communication model, the data stored in the relevant ControlUp data stores, and the data protection mechanisms.

    ControlUp Architecture

    ControlUp supports various topologies based on customer requirements and security policies. Below we will describe the two major topologies used by ControlUp customers. A full description of the components illustrated below is available in the next chapter.

    ControlUp Hybrid Cloud Mode

    ControlUp Hybrid Cloud mode is enabled by default if your network has Internet connectivity. In this mode, the ControlUp back-end components are hosted on our secured Amazon Web Services cloud servers, while the ControlUp Console and Monitor run inside the enterprise network.

    The following drawing is a high-level overview of the ControlUp architecture when working in Hybrid Cloud mode:

    Hybrid_Cloud_ArchitectureSOLVE.jpg

    ControlUp On-Premises Mode

    ControlUp On-Premises mode enables organizations to install the ControlUp back-end components in their on-premises data center. In this mode both the ControlUp back-end components and the ControlUp Console and Monitor run inside the enterprise network.

    The following drawing is a high-level overview of ControlUp architecture when working in On-Premises mode:

    CU_On-PremisesSOLVE.jpg

    ControlUp Components

    In this chapter we will describe the various software components that are part of the ControlUp architecture.

    Customer Network Components

    ControlUp Console is the main component used by sysadmins for real-time management and monitoring of their virtual infrastructure, physical and virtual servers, VDI and RDS environments. The console distributes the ControlUp Agents to the managed computers/VMs, and exposes the UI which enables admins to configure Hypervisor connections, XenDesktop sites, NetScaler appliances, AWS regions and Monitor services.

    The console maintains communication with the relevant managed computers/VMs, Hypervisors, XenDesktop sites, NetScaler appliances and AWS regions and displays real-time performance data to the sysadmin. The console also communicates with the ControlUp back-end Servers for various operations.

    ControlUp Monitor Service

    The ControlUp Monitor service is a key component in any ControlUp deployment. The Monitor service carries out two major functions:

    1. Incidents reporting and alerting.
    2. Historical data uploads.

    Once installed and started, the ControlUp Monitor logs into your ControlUp organization and connects to your managed computers/VMs, Hypervisors, XenDesktop sites, NetScaler appliances and AWS regions. The Monitor then receives system information and performance updates from your organization, just like an additional ControlUp Console instance. The primary difference between a ControlUp Monitor service and a Console is that the Monitor runs as a Windows service, requiring no user interaction, which allows continuous monitoring of your resources and ensures continuous coverage for incident alerting, reporting and other capabilities.

    The ControlUp Monitor Service also uploads the historical data that is used for the construction of reports and analytics displayed in ControlUp Insights. For more information regarding the architecture and security measures for ControlUp Insights, please refer to the “ControlUp Insights – Security Measures and Procedures” document.

    ControlUp Data Collector

    A software component which collects performance and configuration information from the hypervisor management web service, the XenDesktop sites, the NetScaler appliances and the AWS regions via remote API calls. By default, each ControlUp Monitor service is configured as a data collector which pulls data directly from the connected hypervisors (ESXi, AHV, Hyper-V, or XenServer), XenDesktop brokers, and NetScaler appliances.

    In a production deployment it is recommended to configure a dedicated data collector which acts as a proxy for all other ControlUp Consoles and Monitor services. Configuring a dedicated data collector is a best practice; refer to the following article for the procedure.

    Fig_2_2x.png

    Connection Types

    vSphere

    The ControlUp Data Collector communicates with the configured vCenter server via the SDK web service; by default this channel is HTTPS (e.g. https://vcenter.fqdn/sdk). By default, data collection occurs every 20 seconds, and a read-only account is sufficient to pull all configuration and performance data. To enable VM Power Management, go to the Virtual Machine > Interaction privilege category and grant the following: Power Off, Power On, Reset.

    XenServer

    The ControlUp Data Collector communicates with the configured XenServer pool master via port 80 (by default) and also communicates directly with each XenServer pool member to pull real-time performance metrics via the RRD API. By default, data collection occurs every 20 seconds, and a read-only account is sufficient to pull all configuration and performance data. To enable VM Power Management, upgrade the user’s role to ‘VM Operator’.

    XD Connector

    The ControlUp Data Collector communicates with the configured XenDesktop Broker via port 80 (by default) to pull configuration and performance data. During the initial connection the data collector discovers all XenDesktop Brokers in the site and saves them in the broker failover list, so that data collection continues if the first broker is unavailable. The data collector uses both the PowerShell and OData APIs to pull data on Delivery Groups, Brokers, VDAs, User Sessions and Published Applications.

    The Read Only Administrator right to all farms that will be managed is sufficient for monitoring purposes. If you want to be able to use the built-in XenDesktop management features like enabling maintenance mode for example, then this account will require the following permissions:

    • Edit Application Group Properties
    • Edit Application Properties (Application Group)
    • Edit Delivery Group Properties
    • Edit Machine Catalog Properties

    Cloud connector

    The ControlUp Data Collector communicates with the AWS APIs through the AWS .NET SDK over HTTPS.
    The data collection intervals are as follows:

    Metadata (computer name, state etc.) – 20 second intervals.

    CloudWatch data – depends on whether detailed monitoring is enabled on the AWS instance itself. Instances with detailed monitoring – 1 minute intervals.

    Instances without detailed monitoring – 5 minute intervals.

    NetScaler Connector

    The ControlUp Data Collector communicates with the NetScaler appliance through its API over HTTP or HTTPS, according to the user’s preference; use HTTPS so that the NetScaler API credentials and the collected data are not sent in clear text. The data collection intervals depend on the size of the NetScaler deployment and are configurable.

    ControlUp Agent

    The ControlUp agent is a software component that collects performance information on the managed computer/VM and sends it to the ControlUp Console or to the ControlUp Monitor instances which are currently running in the network and are connected to the managed computer. The ControlUp agent also executes the management actions performed by the users running the ControlUp Console.

    For further information, please refer to the following article.

    Cloud based Backend Components (Hybrid Cloud Mode)

    ControlUp Cloud Servers

    ControlUp Cloud Servers reside in the Amazon Web Services cloud (US and Ireland datacenters) and provide login, licensing, central configuration, and database services for all ControlUp Consoles and Monitor service instances running on the customer network.

    Fig_1_2x.png

    AWS RedShift

    All data uploaded to ControlUp Insights is loaded from Amazon S3 into Redshift, a petabyte-scale SQL data warehouse service that runs on highly optimized and fully managed AWS compute and storage resources.

    ControlUp Insights Cloud Servers

    ControlUp Insights offers a web portal (https://insights.controlup.com) which allows authorized users to display, save, export and share reports based on the uploaded data. The web portal is hosted by Amazon Web Services using the EC2 service.

    On-premise based backend components (On-Prem mode)

    ControlUp On-Premises Server

    The ControlUp On-Premises Server is a Windows server which provides the functionality of the ControlUp Cloud Servers within the customer’s network. After configuring the On-Premises Server, all ControlUp Consoles and Monitor service instances running in the customer’s network connect to it for login, licensing, central configuration, and database services.

    The ControlUp On-Premises server is designed primarily for environments in which Internet connection is limited or blocked, or in which regulation does not permit organizational data to be stored outside the company’s network.

    The ControlUp On-Premises Server requires the following software components:

    1. Windows Server 2012 R2 / 2016
    2. Microsoft .Net Framework 3.5 AND .Net Framework 4.5 or above
    3. Lightweight Directory Services
    4. IIS services
    5. ControlUp Web Services hosted on IIS
    6. MS SQL database: 2012, 2014 or 2016, in Express, Standard, and Enterprise Editions (can be deployed on an existing SQL instance). SQL 2008 is NOT supported.

    During the initial login phase, ControlUp consoles and Monitor services instances authenticate themselves against the On-Premises server using either the user’s account token or an explicitly provided AD username and password.

    The authentication protocol between the console/monitor instances and the On-Premises server is based on Windows Authentication (HTTP 401 Challenge) over HTTPS.


    ControlUp Insights On-Premises Server

    The ControlUp Insights On-Premises server is a query database server which runs on the customer’s network, facilitating the use of ControlUp Insights On-Premise for analytics and reporting. The server is an internal data collector which processes and creates data models to allow advanced reporting and analytics capabilities without any external network connection. For further information, please see the detailed documentation here: https://docs.google.com/a/controlup.com/document/d/1VLLwN27dTEKUl3IL_8daNyVOIQx4hnwjab3_ceQisy4/edit?usp=sharing 

    ControlUp Data Stores

    This chapter will describe the various data stores being used in a ControlUp deployment.

    ControlUp In-RAM Database

    A proprietary database used by each ControlUp Console / Monitor service instance to store all real-time performance and configuration data gathered by the data collection agents. This database is a volatile database, which exists only when the console/monitor executable is running. The Security Policy within the Console allows for proper role-based maintenance of the various features within the Console. The in-RAM data retention policy allows up to 100 historical transactions per counter. 

    ControlUp Configuration Database

    The ControlUp central configuration is hosted on a Lightweight Directory Services database. The location of the database depends on the chosen ControlUp topology:

    1. ControlUp Hybrid Cloud  Mode – In this mode the configuration database is stored on the ControlUp Servers running in the AWS cloud
    2. ControlUp On-Premises Mode – In this mode the configuration database is stored on the ControlUp On-Premises server running inside the customer network

    The configuration database includes all persistent configuration objects that are part of the ControlUp organization, including the following objects (not all items are listed here):

    • Distribution settings defaults
      • Auto-Upgrade
      • Check Ping
      • Check Prerequisites
      • Default Port
      • Temporary / Permanent Mode
      • Keep-Connected Interval
    • Hypervisor Connection settings
    • XD Connection settings
    • Cloud connection settings
    • NetScaler connection settings
    • Managed Computer /VM Information
      • Install Mode (temporary / permanent)
      • CPU Count
      • Domain Role (Workstation / Member Server / etc)
      • Highest session count (Max value of the ‘session’ counter)
      • Manufacturer
      • Model
      • OS Caption
      • OS Service Pack
      • Physical (MAC) Address (used for Wake-On-Lan)
      • System Type (x86 / x64 / etc)
      • Total RAM
      • Domain DNS
      • ControlUp Port
      • Netbios Name
      • FQDN
      • Description
      • Last Connection Error
    • Folder Information
      • Name
      • Description
    • Delegation Information
      • All entries configured by the user
      • Owner information
        • NT Account Name
        • NT Account SID
      • Role Information
        • NT Account Name
        • NT Account SID
      • Stress Settings
        • Stress settings configured by the user
      • RDP Connection Properties
        • Authentication Level
        • Connect to console
        • Device Redirection Configuration
        • SmartSize settings
        • Start Full Screen
        • Start Program on connection
        • Name
        • Port
      • AD Connections (metadata only)
      • Branch Mappings
      • Trigger Settings
      • Generic ControlUp configuration settings

    User credentials are never stored in the configuration database.

    All data objects in the configuration database are encrypted using the Rijndael algorithm (AES) with a per-customer random 128-bit encryption key. In Hybrid Cloud mode, the encryption key is stored on the ControlUp Cloud servers and protected using DPAPI. In On-Premises mode, the encryption provides obfuscation only: the key is stored locally, together with a secret hardcoded string, so it is recoverable by anyone with access to the On-Premises server and the ControlUp software. In that mode the configuration data is protected by the access controls on the On-Premises server and its databases, not by this encryption.

    All data objects are encrypted locally, at the console / monitor instances, before being transmitted over the network to the relevant web services / database.

    ControlUp Incidents Database

    The ControlUp Incidents database is hosted on a Microsoft SQL database, the location of the database depends on the chosen ControlUp topology:

    1. ControlUp Hybrid Cloud  Mode – In this mode the Incidents database is stored on the ControlUp AWS RDS instance
    2. ControlUp On-Premises Mode – In this mode the Incidents database is stored on a Microsoft SQL server running on the customer network

    Incident Triggers are definitions of significant events that should be recorded by ControlUp for later analysis. Each trigger includes a list of conditions which specify when the incident will be recorded and which follow-up actions will be performed at that time.

    The Incidents database contains all historical incidents that were reported by the ControlUp consoles and Monitor services based on the customer triggers definitions. The information stored in the Incidents database can be viewed via the ControlUp Incidents Pane.

    Sensitive incident-related data such as host and computer names, IP addresses, account names, event message data and process command lines is encrypted using the Rijndael algorithm (AES) with a per-customer random encryption key. In Hybrid Cloud mode, the encryption key is stored on the ControlUp Cloud servers and protected using DPAPI. In On-Premises mode, the encryption provides obfuscation only: the key is stored locally, together with a secret hardcoded string, so it is recoverable by anyone with access to the On-Premises server and the ControlUp software, and the incidents data must be protected by the access controls on the server and the SQL database.

    All incidents are encrypted locally, at the console / monitor instances, before being transmitted over the network to the relevant web services / database.
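    The following PowerShell snippet is an added illustration of the key-handling model described for the configuration and incidents databases above; it is not ControlUp’s code, and the field format it produces (base64 of a random IV followed by the AES-CBC ciphertext) is an assumption made for the illustration. It generates a random 128-bit AES key, wraps the key with DPAPI so that it can only be unwrapped on the same machine, and encrypts a constructed incident field with it. The contrast with On-Premises mode is in the final comment: when the key is recoverable from the local installation plus a hardcoded string, the same Unprotect-Field call is available to anyone who can read both, which is why the document describes that mode as obfuscation.

```powershell
# Added illustration of the key-handling model described above (not ControlUp code).
# Assumed field format: base64( IV(16 bytes) || AES-CBC ciphertext ).
Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue   # ProtectedData (DPAPI) on Windows PowerShell 5.1

function New-CustomerKey {
    # Random 128-bit key, one per customer as the document describes.
    $key = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    return $key
}

function Protect-Key([byte[]] $Key, [string] $Scope = 'LocalMachine') {
    # DPAPI wrap: the blob can only be unwrapped on this machine (LocalMachine scope)
    # or by this user (CurrentUser scope); copied elsewhere it is useless.
    return [System.Security.Cryptography.ProtectedData]::Protect($Key, $null, $Scope)
}

function Unprotect-Key([byte[]] $Blob, [string] $Scope = 'LocalMachine') {
    return [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
}

function Protect-Field([string] $PlainText, [byte[]] $Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES, CBC mode and PKCS7 padding by default
    try {
        $aes.Key = $Key
        $aes.GenerateIV()                                 # fresh IV for every field
        $pt = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
        return [Convert]::ToBase64String([byte[]]($aes.IV + $ct))
    } finally { $aes.Dispose() }
}

function Unprotect-Field([string] $Field, [byte[]] $Key) {
    $raw = [Convert]::FromBase64String($Field)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = [byte[]]$raw[0..15]
        $pt = $aes.CreateDecryptor().TransformFinalBlock($raw, 16, $raw.Length - 16)
        return [System.Text.Encoding]::UTF8.GetString($pt)
    } finally { $aes.Dispose() }
}

# Hybrid Cloud model: the key exists at rest only as a DPAPI blob.
$key     = New-CustomerKey
$keyBlob = Protect-Key $key
$key     = $null                                           # the plaintext key is no longer held

# Constructed sample of a sensitive incident field (a process command line), not real data.
$field = Protect-Field 'ProcessCommandLine=cmd.exe /c net user svc_backup P@ssw0rd /add' (Unprotect-Key $keyBlob)
"stored:    $field"
"decrypted: $(Unprotect-Field $field (Unprotect-Key $keyBlob))"

# On-Premises model as the document describes it: if the key is derivable from files on
# the server plus a hardcoded string, Unprotect-Key is replaced by reading those files,
# and any user who can read them can run Unprotect-Field against the stored data.
```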

    ControlUp Local Cache

    Configuration cache files are stored on the computer running the ControlUp Console and the ControlUp Monitor service, in the Application Data directory under the user’s profile (e.g. %UserProfile%\AppData\Roaming\ControlUp). By default, the NTFS permissions on that directory restrict access to the user and members of the local Administrators group.

    If the files are copied and used by a different user, the encrypted data cannot be decrypted and that user has to re-enter all passwords. The remaining configuration data is still available.
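    The following PowerShell check is an added example, not part of the original article, that audits the ACL on the local cache directory against the statement above. It accepts the current user, BUILTIN\Administrators and SYSTEM (SYSTEM is an assumption about the Windows profile baseline, not something the article states) and lists any other principal with an Allow entry; the ControlUp directory name under %APPDATA% is taken from the path quoted above.

```powershell
# Added check (not ControlUp code): compare the cache directory ACL with the statement
# above. SYSTEM is accepted as part of the normal Windows profile baseline (assumption).
function Test-ControlUpCacheAcl {
    param([string] $Path = (Join-Path $env:APPDATA 'ControlUp'))   # %UserProfile%\AppData\Roaming\ControlUp
    if (-not (Test-Path -LiteralPath $Path)) { throw "Cache directory not found: $Path" }

    $allowedSids = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,  # the profile owner
        'S-1-5-32-544',                                                        # BUILTIN\Administrators
        'S-1-5-18'                                                             # NT AUTHORITY\SYSTEM
    )

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }     # orphaned SID or untranslatable name: report it as-is
        if ($sid -notin $allowedSids) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries come from the profile; explicit ones were added later
            }
        }
    }
}

$unexpected = @(Test-ControlUpCacheAcl)
if ($unexpected.Count -eq 0) { 'Cache ACL is limited to the user, local Administrators and SYSTEM, as documented' }
else { $unexpected | Format-Table -AutoSize }
```

    Run it in the context of the user whose profile holds the cache (for a monitor machine, that is the account the Monitor service runs as). Any principal it lists has read access to the cache files and should be explained or removed.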

  • ControlUp Agent Security Best Practices

    The ControlUp agent is a central component of the ControlUp architecture. It is a lightweight executable that is deployed on your managed machines to provide performance information and handle the execution of ControlUp actions on those machines.

    Security Best Practice Recommendations

    At ControlUp we care about your security and are committed to the protection of your infrastructure and data. These recommendations reduce the risk that an attacker who has already gained access to your internal environment can manipulate a ControlUp Agent.

    Follow these steps to secure the communication between ControlUp components so you can further minimize the risk of any intrusion into your organization’s networks and systems.

    Secure Communication between ControlUp Console/Monitor and ControlUp Agents

    The ControlUp agents deployed onto your machines must be able to communicate with the ControlUp Console and the ControlUp Monitors. You can secure this communication channel by performing these steps:

    • Make sure your monitored machines are running the ControlUp Agent version 8.2.5 or higher. This version includes important security enhancements.
    • Enable a Firewall Rule/Policy. This method is recommended as it’s relatively easy to implement and doesn’t rely on a ControlUp version.
    • Enable ControlUp Certificate-based agent authentication. This provides the highest level of security and requires ControlUp version 8.1.5 or higher.
    • Encrypt communication between the agents and all consoles and monitors.

    Firewall Inbound Rule

    On any computer running the ControlUp agent, you can enable a Firewall inbound rule that allows access to port 40705 only to authorized computers.

    Machines added to this firewall inbound rule should ideally use static IP addresses. Add all the following:

    • Machines running the ControlUp Monitor service
    • Machines running the ControlUp Console

    If you don't own a firewall for your network, we recommend using the built-in Windows firewall alongside a Group Policy to apply the firewall rule to all machines running the ControlUp Agent.
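    The following PowerShell is an added example, not ControlUp's own code and not the Group Policy template the article refers to. It creates the scoped inbound rule described above with the built-in Windows firewall and then lists any other enabled allow rule that also opens the port, because Windows merges all allow rules and a broad rule left behind by an installer would defeat the scoped one. It assumes the agent listens on TCP (the article names only the port) and uses constructed sample addresses.

```powershell
# Added example (not ControlUp's own code): scope the ControlUp Agent port
# 40705 to the console and monitor machines with the Windows firewall.
# Assumptions: the agent listens on TCP (the article names only the port);
# the addresses below are constructed placeholders.
$AgentPort = 40705
$RuleName  = 'ControlUp Agent - authorized consoles and monitors only'
$AuthorizedHosts = @(
    '10.0.10.21',     # constructed: machine running the ControlUp Monitor service
    '10.0.10.22',     # constructed: second monitor of the HA pair
    '10.0.20.0/24'    # constructed: subnet of the ControlUp Console workstations
)

function Set-AgentPortAllowRule {
    param([int]$Port, [string]$Name, [string[]]$RemoteAddress)
    # Replace any previous copy so that re-running the script is idempotent
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $Name
    }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $RemoteAddress -Profile Any
}

function Get-CompetingAllowRules {
    # Windows blocks inbound traffic by default, so the scoped rule above is
    # only as tight as the OTHER enabled allow rules that also open the port.
    # List them for review (e.g. an "any address" rule left by an installer).
    # Port ranges such as 40000-41000 are not expanded and must be checked by eye.
    param([int]$Port, [string]$OwnRuleName)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $OwnRuleName } |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -in 'TCP', 'Any') -and
            (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any'))
        } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

# Run elevated on a machine running the ControlUp Agent
Set-AgentPortAllowRule -Port $AgentPort -Name $RuleName -RemoteAddress $AuthorizedHosts | Out-Null
Get-CompetingAllowRules -Port $AgentPort -OwnRuleName $RuleName | Format-Table -AutoSize
```

    Anything the second function prints is a rule that must be narrowed or removed before the restriction is effective. The same rule definition can be pushed to all agent machines through a Group Policy firewall rule, as the article recommends.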

    Certificate-based Agent Authentication

    You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.  

    From version 8.2.5 you can also enforce this certificate-based authentication through the agent MSI deployment.

    For details on how to configure this certificate-based authentication between the agent machines and the ControlUp Console and Monitor machines, see Certificate-Based Agent Authentication.

    Encrypt Agent Communication

    You can select to encrypt the communication between all agents and all consoles and monitors within your ControlUp organization. This is an option you can select in the Agent Deployment Settings page of the Real-Time Console.

    For details on how to enable this encryption option, see Agent Security Options in Agent Settings.

  • Certificate-Based Agent Authentication

    You can enable tighter control over how the ControlUp Agent communicates with the ControlUp Console and ControlUp Monitors.

    The procedure below prevents other machines from accessing the agent unless they have been authorized via digital certificate. This is the highest level of security you can apply to the communication between the ControlUp Console and Monitors to the ControlUp Agents.

    You can read more about ControlUp Agent Security Best Practices and different configuration options.

    Prerequisites

    • ControlUp version 8.1.5.649 or higher
    • *.PFX certificate 
    • *.CER certificate 
    • GPO template to deploy the settings on the agent side. 
      Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

    Create the Certificates

    You should assign a trustworthy member in your organization as the certificate authority administrator. This administrator should provide the public key and private key certificates.

    When creating the certificates, consider the following:

    • The supported key lengths are 2048 and 4096 bits.

    • When a certificate is created, an expiration date is set with it. It’s important to keep this in mind for future renewals.

    • When renewing the certificate, the thumbprint must be replaced in the GPO deploying to the agents and also on the monitor/console machines.

    Run a PowerShell Script to Configure the ControlUp Console and Monitor Machines 

    The steps to configure the ControlUp Console and ControlUp Monitor machines can be accomplished by running the PowerShell script Assign auth certificates to CU that is attached to this article as a text file. 

    Note: If you want to understand the manual steps behind this script, see Certificate-based Agent Authentication - Manual Configuration on Console & Monitor Machines.

    Additional prerequisites and notes about running the script

    • You must have remote access from the machine where you are running the script to all the console and monitor machines where you are applying the certificate. You can use the -credential parameter described below to ensure that the account you specify has remote access to all the machines. 

    • You can use the script to either access a certificate that's already installed in the machine or specify a file for importing a certificate.

    • If using the -copyCertificateLocally parameter described below, the machine running the script must have read access to the certificate specified in the -certificatePath parameter. 

    • Requires PowerShell version 3 or higher on the machine running the script.

    Script parameters

    Here is a list of the script's parameters with descriptions:

    certificatePath

    Path to the .pfx certificate file to import. Can be a folder if there is only one .pfx file contained in the folder.

    certificateSubject

    Regular expression to match the name of an existing installed certificate if you want to use that existing certificate rather than importing one from a file.

    clearTextPassword

    Password for the private key in the .pfx certificate.

    secureStringPassword

    Password for the private key in the .pfx certificate as a secure string.

    computers

    A comma-separated list of the console and monitor machines to which you want to apply the certificate.

    If neither this parameter nor the computersFile parameter is specified, the certificate is applied only to the local machine.

    computersFile

    A path and name of the text file containing one machine per line. Blank lines and those starting with # are ignored as are any characters like space or # after the computer name.

    Use this parameter or the computers parameter to identify the machines where to apply the certificate. If not specified and the computers parameter is not used, the certificate is applied only onto the local machine.

    copyCertificateLocally

    Copy the certificate file specified by the -certificatePath parameter to the %temp% folder on the remote machine and delete the copy after import.

    credential

    PSCredential object to use for PowerShell remoting. If you pass $null to this parameter, the script prompts you for the PowerShell remoting credentials while it runs.

    If you don't use this parameter, the account running the script must have remote access to the machines to which you are applying the certificate.

    useSSL

    Use SSL for PS remoting.

    noRestart

    Do not restart the ControlUp monitor service if present.

    port

    Use the specified port for PS remoting rather than the default.

    Use case examples of the script

    1. Configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on machines glcumonitor01 and glcumonitor02:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local' -computers glcumonitor01,glcumonitor02

    2. Configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on the local machine:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local'

    3. Prompt for credentials to use for remoting to machines to apply the certificate. Use this parameter when the account running the script does not have PowerShell remoting permissions. Then configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on the local machine:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local' -credential $null

    4. Import the certificate from the file c:\temp\controlup.pfx then copy it to each machine specified in the file C:\temp\cucertmachines.txt, one entry per line representing a console or monitor machine. Then import the certificate into that computer's personal certificate store and configure for use by ControlUp.

    & '.\Assign auth certificates to CU.ps1' -certificatePath c:\temp\controlup.pfx -Verbose -clearTextPassword "mypassword1" -copyCertificateLocally -computersFile C:\temp\cucertmachines.txt

    Verify the Certificate on the ControlUp Console Machines

    Once you have completed running the script, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
    ConsoleCertificateIcon.png
    You should repeat this for every machine running the ControlUp Real-Time Console. 

    Verify the Certificate on the ControlUp Monitor Machines

    The machines running the ControlUp Monitors can be verified by checking the Registry Editor to see that the keys were imported to the machine and include the following:
    RegKeyThumbprint.png

    If you want to verify the communication to the monitor machine with a certificate, you can use a tool like log4net. Within the data the log supplies, you should see the following among the log lines:

    Client certificate read
    Enabled=True Thumbprint=<thumbprint value> key=HKEY_LOCAL_MACHINE
    Applying client certificate found on HKLM
    Client certificate was loaded

    Note: To stop the logging, stop the monitor service and remove the file that creates the logs (e.g. log4net). 

    Configure the ControlUp Agent Machines

    We recommend deploying the agent certificate and registry values via a GPO. The steps below describe how to install the certificate and registry values manually for testing purposes. 

    Both the manual setup and the GPO deployment require the public key certificate (the .cer file). Each certificate should be stored in the Trusted Publishers certificate store of every local machine in scope.

    The ControlUp Agent supports multiple trusted certificates that can identify authorized consoles and monitors.

    Apply Public Key Certificate Manually to the Machines Running the ControlUp Agent

    1. Copy the public key certificate file (.cer) to the Trusted Publishers directory in the machine running the ControlUp Agent.

    2. On the agent machine, right-click the file and select Install Certificate. The Certificate Import Wizard opens.

      CertImportWizard.png

    3. Select Local Machine and click Next.

    4. Select Place all certificates in the following store.

    5. Click Browse to select the Trusted Publishers directory and click Next.
      AgentTrustedPublisher.png

    6. Click Finish, and the Certificate Import Wizard confirms that the import was successful.
      CertImportWizardSuccess.png

    Configure Registry Key on the ControlUp Agent Machine

    For the agent to start enforcing client-side certificate authentication, a registry configuration is required. The registry key should be configured under the HKLM registry hive. This configuration can be part of a GPO.
    Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

    Here is the manual procedure you can use for testing.

    1. Open the Registry Editor and go to: HKLM\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients

      Missing keys must be created manually.  

    2. Create a DWORD value named Enabled and assign it the value of 1.
    3. Create a Multi-String value (REG_MULTI_SZ) named Certificates. This value must contain the thumbprints of all of the trusted certificates.

      The added key should look something like this:

      RegEdAgentConfirm.png

    Your ControlUp Agent will now communicate with only those ControlUp Consoles and ControlUp Monitor machines that can be authenticated by their private key certificates.
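    The PowerShell below is an added example, not ControlUp's own code and not its GPO template. It performs the two agent-side steps just described (importing the public key certificate into Trusted Publishers and registering its thumbprint under the TrustedClients key) and adds a check that every registered thumbprint still matches an unexpired certificate in the store, which is the situation to watch for after a certificate renewal whose thumbprint was not updated on the agents. The .cer path is a constructed placeholder; the registry path and value names are the ones given in this article, and the Import-Certificate cmdlet requires the PKI module shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example (not ControlUp's own code): trust a console/monitor public
# key on an agent machine and register its thumbprint, then cross-check the
# TrustedClients registry value against the Trusted Publishers store.
# Assumption: the .cer path used below is a constructed placeholder.
$TrustedClientsKey = 'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients'
$TrustedPublishers = 'Cert:\LocalMachine\TrustedPublisher'

function Install-AgentTrustedClientCert {
    param([Parameter(Mandatory)][string]$CerPath)

    # Import the public key into LocalMachine\TrustedPublisher (the store the article requires)
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation $TrustedPublishers

    # Missing keys must be created manually; -Force creates the whole path
    if (-not (Test-Path $TrustedClientsKey)) {
        New-Item -Path $TrustedClientsKey -Force | Out-Null
    }

    # Enabled (DWORD) = 1 switches the agent to certificate authentication
    New-ItemProperty -Path $TrustedClientsKey -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null

    # Certificates (REG_MULTI_SZ): keep thumbprints already present, add this one once
    $existing = @()
    $prop = Get-ItemProperty -Path $TrustedClientsKey -Name 'Certificates' -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.Certificates) }
    $thumbprints = @(($existing + $cert.Thumbprint) | Sort-Object -Unique)
    New-ItemProperty -Path $TrustedClientsKey -Name 'Certificates' -PropertyType MultiString -Value $thumbprints -Force | Out-Null

    return $cert.Thumbprint
}

function Test-AgentTrustedClients {
    # Reports, per registered thumbprint, whether a matching unexpired
    # certificate exists in Trusted Publishers. "NOT IN STORE" typically
    # means the certificate was renewed but the old thumbprint was left in
    # the GPO or registry.
    $prop = Get-ItemProperty -Path $TrustedClientsKey -ErrorAction Stop
    if ($prop.Enabled -ne 1) {
        Write-Warning 'TrustedClients\Enabled is not 1; certificate authentication is not enforced on this agent.'
    }
    $store = Get-ChildItem $TrustedPublishers
    foreach ($tp in @($prop.Certificates)) {
        $match = $store | Where-Object { $_.Thumbprint -eq $tp }
        $status = if (-not $match) { 'NOT IN STORE' }
                  elseif ($match.NotAfter -lt (Get-Date)) { "EXPIRED $($match.NotAfter.ToString('yyyy-MM-dd'))" }
                  else { "OK until $($match.NotAfter.ToString('yyyy-MM-dd'))" }
        [pscustomobject]@{ Thumbprint = $tp; Status = $status }
    }
}

# Usage (run elevated on the agent machine); the path is a constructed placeholder
Install-AgentTrustedClientCert -CerPath 'C:\temp\controlup-public.cer'
Test-AgentTrustedClients | Format-Table -AutoSize
```

    Run the second function again after every certificate renewal; a thumbprint reported as NOT IN STORE or EXPIRED means the agent will reject the console or monitor presenting the renewed certificate until the registry (or the GPO that writes it) is updated.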

    Enforce Certificate-Based Authentication 

    From version 8.2.5 and higher, you can enforce the use of this feature on the agent machine if you use the MSI installer to install the agents on monitored machines.

    Param name: CERTONLY
    Usage:  CERTONLY=True
    Usage example:   Agentinstaller.msi CERTONLY=True 

    We recommend adding this parameter to enforce certificate-based authentication. With it, the key-pair authentication that ControlUp provides by default in version 8.2.5 is not used; instead, your own private/public certificates authenticate the communication between the agent and the console and monitor machines.

  • Agent Security Options in Agent Settings

    ControlUp is continuing to improve the security around the communication between ControlUp Agents and the Real-Time Console and ControlUp Monitors in your environment. 

    For more information on how to set up secure agents, read the ControlUp Agent Security Best Practices.

    The following enhancements are available for the ControlUp Agent when adding machines to the ControlUp Console:

    Encrypt Agent Communication

    In the Real-Time Console > Agent Deployment Settings page, you can select to encrypt the communication between all agents within your ControlUp organization where you select this option.

    AgentSettingsEncrypt.png

    Encrypt Communication with the ControlUp Agents

    This option is turned off by default. You can select this option in the Agent Settings page in the Real-Time Console.

    Prerequisites:

    • Only a user who is the Organization Owner or who has Roles Manager permissions as set in the Security Policy Panel can select this option.
    • .Net Framework 4.7.2 or later must be installed on the agent, console and monitor.

    To Encrypt Communication with the ControlUp Agents:

    1. In the Real-Time Console > Settings menu, select Agents. The Agent Deployment Settings page opens.
    2. Select Use only encrypted communication.
    3. Restart the Real-Time Console and all monitor clusters.
    4. Update all agents to version 8.2.5 or higher.

    Troubleshooting

    If this option is selected and you get any of these messages:

    • The agent does not support encrypted communication
      EncryptError2.png
    • Failed to establish an encrypted connection with the agent
      EncryptError1.png
    • Operation timeout

    Ensure that all consoles, monitors and agents are running:

    • .Net framework version 4.7.2 or higher
    • ControlUp version 8.2.5 or higher

    Agent Authentication Key

    ControlUp generates a unique authentication key for every ControlUp organization. By default all agents are configured with this public authentication key and accept communication only from trusted consoles or monitors that hold the corresponding private key.

    The authentication key is automatically configured for the agent machine during deployment.

    Access Key Value

    Because this is the default method of authenticating communication between the agents with the consoles and monitors, you don't have to take any action.

    If for any reason you do need to access the Agent Authentication Key, you can access it in the Real-Time Console > Settings > Agent Deployment Settings page. The same key is used for all agents deployed from this console.

    AgentSettingsKeys.png

    Click Copy to access the key value itself.

    On the agent machine, this authentication key is stored in the ControlUp Agent's registry in this path: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication\AuthKey

    The key can be manually set at any time and does not require the agent machine to be restarted.

    Add Key to Configuration Files that Install the Agents

    When installing agents using the Add Machine feature in the Real-Time Console, this key is automatically added to the agent machine by default.

    If you select not to deploy the agents automatically when the machines are added to the organization, you must manually add the same key as displayed in the Agent Deployment Settings page to whatever configuration file you are using to add the agent.

    To manually configure the key:

    Ensure that these registry key specifications are on every machine where the agent is deployed:

    • Path: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication

    • Name: AuthKey

    • Type: REG_SZ

    • Value: Public key string base64 encoded from the Real-Time Console > Agent Deployment Settings page. 

    To deploy agents along with the key using an MSI installer command parameter:

    The Agent MSI installer enables you to configure the Agents Authentication Key using an MSI PARAM.

    If you use the link to Download MSI Installer in the Real-Time Console > Agent Deployment Settings page, that MSI already comes configured with this parameter but you must update the key value.

    Param name: AUTHKEY 
    Usage:   AUTHKEY=agent authentication key 
    Usage example:   Agentinstaller.msi AUTHKEY=agent authentication key 

    Installing an agent along with this parameter configures the specified authentication key for the agent.

  • ControlUp Agent Access Control List (ACL)

    You can enable tighter control over how the ControlUp Agent communicates with the ControlUp Console and ControlUp Monitors.

    You can read more about ControlUp Agent Security Best Practices and different configuration options.

    The procedure below prevents other machines from accessing the agent unless their IP addresses have been added to an Access Control List (ACL) on the agent machines. This IP restriction is applied on the ControlUp Agent machines: the agent inspects the client IP and cross-references it with a whitelist configured in the registry.

    Configure the Registry with an ACL Whitelist

    The console and monitor IPs to add to this list can be specific (e.g. 10.20.30.40) or listed using CIDR notation (e.g. 10.20.30.40/24). This configuration can be part of a GPO.
    Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and certificate-based authentication described here.

    Here is the manual procedure.

    1. Open the Registry Editor.

    2. Navigate to: HKLM\SOFTWARE\Policies\Smart-X\ControlUp\Agent\IPACL
      Missing keys must be manually created. 

    3. Create a DWORD value named Enabled and assign it the value of 1.

    4. Create a Multi-String value (REG_MULTI_SZ) named addresses. This key contains the permitted origin addresses of all ControlUp Console and ControlUp Monitor machines that communicate with this agent machine.
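    As an added example (not ControlUp's own code or its GPO template), the PowerShell below writes the IPACL whitelist described in the steps above, but only after validating that every entry is an IPv4 address or IPv4 CIDR block and that every console and monitor address you expect to keep access is actually matched by the list. Both checks matter because the ACL is enforced as soon as Enabled is set to 1, and a mistyped entry either locks out a console or admits a wider range than intended. The addresses are constructed placeholders; the registry path and value names are the ones this article gives.

```powershell
# Added example (not ControlUp's own code): validate and write the agent's
# IPACL whitelist, confirming the console/monitor addresses are covered
# before enforcement is switched on. Sample addresses are constructed.
$IpAclKey = 'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\IPACL'

function Test-Ipv4AclEntry {
    # Accepts a dotted IPv4 address (10.20.30.40) or an IPv4 CIDR block (10.20.30.40/24)
    param([string]$Entry)
    $ip, $prefix = $Entry -split '/', 2
    if ($ip -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { return $false }
    if (@($ip -split '\.' | Where-Object { [int]$_ -gt 255 }).Count -gt 0) { return $false }
    if ($null -eq $prefix) { return $true }
    return ($prefix -match '^\d{1,2}$') -and ([int]$prefix -le 32)
}

function ConvertTo-IpInteger {
    # Dotted IPv4 -> integer in network order (kept as Int64 to avoid sign issues)
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IpInAcl {
    # True when $Ip equals a host entry or falls inside a CIDR entry of $Acl
    param([string]$Ip, [string[]]$Acl)
    $target = ConvertTo-IpInteger $Ip
    foreach ($entry in $Acl) {
        $net, $prefix = $entry -split '/', 2
        $p = if ($null -eq $prefix) { 32 } else { [int]$prefix }
        $mask = [int64](4294967296 - [math]::Pow(2, 32 - $p))   # e.g. /24 -> 0xFFFFFF00
        if (($target -band $mask) -eq ((ConvertTo-IpInteger $net) -band $mask)) { return $true }
    }
    return $false
}

function Set-AgentIpAcl {
    param([string[]]$Acl, [string[]]$MustBeCovered)
    $bad = @($Acl | Where-Object { -not (Test-Ipv4AclEntry $_) })
    if ($bad.Count) { throw "Invalid ACL entries: $($bad -join ', ')" }

    # A console or monitor missing from the list loses access the moment Enabled=1 is written
    $missing = @($MustBeCovered | Where-Object { -not (Test-IpInAcl -Ip $_ -Acl $Acl) })
    if ($missing.Count) { throw "Not covered by the ACL: $($missing -join ', ')" }

    if (-not (Test-Path $IpAclKey)) { New-Item -Path $IpAclKey -Force | Out-Null }
    # Write the list first, then enable, so the agent never enforces an empty ACL
    New-ItemProperty -Path $IpAclKey -Name 'addresses' -PropertyType MultiString -Value $Acl -Force | Out-Null
    New-ItemProperty -Path $IpAclKey -Name 'Enabled'   -PropertyType DWord       -Value 1    -Force | Out-Null
}

# Constructed sample: two monitors by host address, the console subnet in CIDR notation
$Acl = @('10.0.10.21', '10.0.10.22', '10.0.20.0/24')
Set-AgentIpAcl -Acl $Acl -MustBeCovered @('10.0.10.21', '10.0.10.22', '10.0.20.57')
```

    The same validation can be run against the address list before it is placed in the GPO, which is the deployment method the article recommends.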

  • Typical Usage Scenarios

    RDS / Citrix Farm Management

    In an RDS environment, the user sessions are distributed across multiple servers. ControlUp allows the farm administrator to gain a complete performance overview of the servers, identify bottlenecks, locate user sessions, and pinpoint the issue to the level of an individual Windows process. ControlUp’s grid view allows for viewing the RDS farm as it is designed to be – a continuous fabric of resources available to multiple users. If a system task or a setting change is required, ControlUp can perform the change simultaneously on multiple servers or user sessions, keeping the server farm configuration uniform and stable.

    VDI Environment Management

    Virtual desktops environments need to provide a stable and robust user experience with great mobility and flexibility, which presents some unique challenges to the systems administrator. ControlUp’s aggregated grid view and simultaneous management task execution capabilities allow VDI administrators to oversee resource consumption, system stability and user experience in VDI sessions, and also to perform maintenance and troubleshooting tasks with a minimum amount of time and effort.

    Physical Servers and Desktops Management

    ControlUp can manage any amount of Windows servers and desktops, regardless of their purpose or usage. Monitoring performance, gathering software inventory, deploying files and registry settings, configuring Windows components, and remotely controlling user sessions for technical support – these are just a few examples of tasks making ControlUp an ideal all-in-one toolbox for system administrators.

  • Data-Source Distribution Guidelines

    Introduction to the Data-Source Distribution Guidelines

    When you add multiple Monitors to your organization, ControlUp automatically deploys them as a cluster. Each Monitor in the cluster is assigned particular roles it is responsible for fulfilling.
    In order to minimize latency, a separate Site should be created for each physical location that is to be monitored. The site should be configured to include all the Monitors, and all the data sources they monitor, that are situated in that location.
    For High Availability, an additional Monitor should be set up at each monitored Site as a backup.
    Additional information:
    • Introduction to ControlUp Monitor Clusters in v8
    • Sizing Guidelines for ControlUp v8.x
    • ControlUp Monitor

    A Data-Source is any logical resource in your organization that is monitored by ControlUp.  For example, physical and virtual machines, hypervisors, XenDesktops, NetScalers, etc.

    Merging of data by association index is only performed per Site and not for the entire organization. Because of this, related data sources should be assigned to the same site. For example, if your organization has a hypervisor connection, the ControlUp agent installed on the VMs, and an EUC connection for the environment that the same VMs are part of, they should all be monitored within the same ControlUp Site.

    Managing the Organization's Data Sources in multi Site Configuration

    In the next steps, we'll explain how to access the data-sources management window in order for them to be managed by the ControlUp administrator in the organization. 

    1. In the real-time console of v8.1 and above, select the Settings tab.
    2. Click Monitors.
      mceclip5.png
    3. The monitor window will appear. Within the menu bar, click Settings.
      mceclip0.png
    4. From the right-side panel, click on Data Sources (this tab will only be available when multisite is configured).
      2019-12-30_14-48-24.png
      The folder structure you see in this window will be identical to the folder structure in the real-time console. 

    You can delegate Site association in the Site column and choose which site to associate with the specific data source. You can delegate Site association on machines, folders, hypervisors, etc. 

    Here are some examples:

    • If you have a VM which resides under the London site, the machine will need to be configured here to be associated with the London site. 
    • If your VMware datacenter is located on the London site, you can associate that data source with London. Simply change the settings in the Data Sources settings window and the monitor will perform the change. 

     mceclip2.png

    When assigning a hypervisor to a specific site, you will need to change the site association to the VMs under the same hypervisor which is in the folder structure as well.
    For example, if 'Nurse-PC' (VM) resides on 'VMware Demo1', we change the site association on the hypervisor as well as on the machine. See the image below for reference.

    mceclip0.png

    Note: If you move/drag a machine on folder A which is associated with Site A to a new folder, for example, folder B which is associated with Site B, the Site switch will not occur automatically. You will need to perform the change in the Data Sources settings window. 

    Data Sources Quickview & Connection State

    You can also view the Data Sources tab and see which data source is connected to which monitor specifically and see the status of the connection.

    • In the Monitor window, click on the Data Sources tab.
      mceclip3.png
      In the image above, we can see that 'Win10GPU-1' is connected to the 'CUMONITOR01' monitor.
      • You can also click Show under the Status column and see the connection status.
        If the machine is connected successfully, it will state Ready for VMs and Connected for hypervisors\XD sites, and will state the initial connection time, e.g.:
        mceclip0.png
        If the data source is not connected, a detailed description of the issue will be presented, e.g.:
        2019-12-30_13-07-16.png
  • Introduction to ControlUp Monitor Clusters in v8

    Introduction to ControlUp v8.1

    Beginning with ControlUp v8.1, large organizations with many thousands of data sources can be monitored effectively through ControlUp. Support for large organizations is implemented by means of the Monitor Cluster feature, which enables multiple ControlUp Monitors to work together in order to monitor a single organization. Whereas a single Monitor can typically handle about 2,500 data sources (e.g. 2,500 VDIs with 160 processes per machine, or up to 400K processes in total per monitor node), a cluster of Monitors can handle well over 50,000 data sources.

    Note:  A data source is any logical resource in your organization that is monitored by ControlUp: physical and virtual machines, hypervisors, XenDesktops, NetScalers, etc.

    This article was written with reference to the ControlUp Hybrid Cloud solution. The aspects concerning the monitors are equally valid for the On-Premise solution, where the OnPrem/Application server takes the place of the Cloud.

    mceclip0.png
    A large organization with two sites employing multiple ControlUp Monitors to monitor the entire organization.

    What a ControlUp Monitor Does

    A ControlUp Monitor is a Windows service that manages the continuous monitoring of your organization’s data sources. The main tasks performed by a Monitor are:

    • Retrieving data from data collectors: The Monitor connects at frequent intervals to each data collector in the organization to gather detailed up-to-date information about the statuses of each of the data sources from which it gathers information.

    Note: A data collector is software that connects to monitored entities and collects data from them. ControlUp Agents are data collectors that run on monitored Windows machines and gather status information from them whenever they are running. For non-Windows data sources, data collectors running on other machines retrieve status information by means of APIs.

    • Aggregating collected data: The Monitor organizes collected data from different sources that relate to the same entities (see Associating Related Data Sources below) so that it can be uploaded into Insights. Just as the Real-Time Console holds the data it displays in the grid, the Monitor caches the aggregated data locally on the monitor machine.
    • Processing aggregated data: The Monitor analyzes the aggregated data in order to identify resources under stress and incidents that should trigger notifications or other automated actions. It then activates the relevant triggers and sends the aggregated data and the information it extracted from that data about stress levels and detected incidents to all open ControlUp Consoles.
    • Uploading collected data to Insights: In organizations that use ControlUp Insights to store and analyze historical data, the Monitor uploads the aggregated data and associated information to the Insights database. Before it relays the data to Insights, it reduces it to a manageable size (by decreasing the resolution and calculating average values for each data point).

     Deploying Multiple Monitors in an Organization

    In ControlUp implementations where the number of monitored data sources is below the maximum supported capacity of a single monitor node (e.g. fewer than 400K processes organization-wide), a single ControlUp Monitor is usually able to perform all of the tasks listed above. For larger organizations, multiple Monitors are necessary according to our Sizing Guidelines for ControlUp v8.x.

    Note: The exact number of data sources that can be monitored by a single ControlUp Monitor varies from organization to organization, depending on the specific configuration of hardware and software.

    When multiple Monitors are added to an organization, they are automatically deployed as a cluster. Each Monitor in the cluster is assigned particular roles it is responsible for filling. Typically, each Monitor is responsible for collecting data from specific data sources and performing a preliminary aggregation of the data it collects. In addition, it may be tasked with completing the aggregation process for all of the data retrieved by all of the Monitors in the cluster, preparing and sending the data to Insights, and/or other functions.
    Only one Monitor cluster can be deployed in a single organization.

    How Monitor Clusters Are Managed

    In a cluster of Monitors, one of the Monitors acts as the Master Monitor. This Monitor is responsible for dividing up all of the organization’s monitoring tasks among the Monitors in the cluster. All of the other Monitors in the cluster are subordinate to the Master.

    The Master Monitor decides on-the-fly which Monitors will perform each monitoring task in the organization. It can change the assignments as necessary based on the load each Monitor is handling at that time.

    The first Monitor you deploy in your organization is the one that performs the initial 'check-in' to our cloud backend, and it is automatically chosen as the Master.
    In general, the role of the master monitor can move between monitors in any site. 

    Linking Monitors to Sites

    Monitors work best when they are at the same location as the data sources they are monitoring because it minimizes latency in the collection of data from those sources.

    In order to enable the linkage of Monitors to the data sources at their location, ControlUp v8.1 and above now support the creation of Sites. Each distinct physical location in your organization – e.g., your New York data center and your London data center – should have its own site.
    The site should be configured to include all the Monitors, and all the data sources they monitor, that are situated in that location. The Master Monitor will only task Monitors in each site with the job of collecting data from the data sources in that site.

    Note: Only one Monitor cluster can be deployed in a single organization, even if the organization has multiple sites. A site can have multiple Monitors.

    Planning the Organization’s Monitor Configuration

    Ideally, separate Monitors should be set up at each physical site in which a significant number of data sources are located. For example, if your organization has two data centers, in Washington and Paris, and each has about 3,000 data sources, it is best to deploy Monitors in an N+1 configuration at each site so that each location has HA on its own.
    Each Monitor can handle 2,500 VDIs with 160 processes per machine, or up to 400K processes in total per Monitor node.
    For information about the system requirements of Monitors, see Sizing Guidelines for ControlUp v8.x.
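    The per-node limits above give two constraints on a site (VDI count and total process count), and the N+1 rule adds a spare. The following sizing helper is an added example, not a ControlUp tool; it uses only the figures quoted on this page (2,500 VDIs, 400K processes per node), and the Sizing Guidelines document remains the authority for actual hardware requirements. The worked inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added sizing helper (not ControlUp's own tool). Applies the per-node limits
# quoted above (2,500 VDIs; 400K processes in total) and the N+1 rule.

VDIS_PER_NODE=2500
PROCS_PER_NODE=400000

# ceil_div A B: smallest integer n with n*B >= A (A >= 0, B > 0, integers)
ceil_div() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# monitors_for_site VDIS AVG_PROCS_PER_MACHINE
#   Monitor nodes needed at one site: whichever of the VDI limit or the
#   total-process limit binds, plus one spare node so the site survives a
#   single Monitor failure (N+1).
monitors_for_site() {
    vdis=$1
    procs=$2
    by_vdi=$(ceil_div "$vdis" "$VDIS_PER_NODE")
    by_proc=$(ceil_div $(( vdis * procs )) "$PROCS_PER_NODE")
    n=$by_vdi
    if [ "$by_proc" -gt "$n" ]; then
        n=$by_proc
    fi
    echo $(( n + 1 ))
}

# Worked cases (constructed): the Washington/Paris example from the text, and a
# denser site where the process total, not the VDI count, drives the node count.
echo "3000 VDIs x 160 processes: $(monitors_for_site 3000 160) Monitors"
echo "2000 VDIs x 250 processes: $(monitors_for_site 2000 250) Monitors"
```

    With 3,000 VDIs at 160 processes each, both constraints give two nodes, so the site needs three. With 2,000 VDIs at 250 processes each, the VDI limit alone would allow a single node, but 500K processes exceed one node's 400K, so the site still needs three. Checking both limits matters because a site with heavy process counts per machine fills a Monitor before its VDI quota is reached.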

    Figure: Configuration of Monitors in a large organization

    Allowing for Backup and High Availability

    When an organization needs only a single Monitor, High Availability (HA) is achieved by deploying two Monitors that operate as an active/passive HA pair. If the primary Monitor fails, the secondary Monitor automatically takes over its functions, so that monitoring is not interrupted.

    Note: High Availability for a single ControlUp Monitor was already supported in ControlUp v7.

    When a cluster of Monitors is deployed in an organization, HA is implemented by setting up one more Monitor at each site than the number of monitored data sources there requires. When all of the Monitors at a site are functioning properly, some of their capacity remains idle. If a Monitor at a site fails, the Master Monitor redistributes that Monitor's tasks among the remaining Monitors at the site.
    In addition, one of the Monitors in each cluster is designated as the Master's backup. This is an internal role that the Master Monitor dynamically assigns to another Monitor.
    While the Master is running, the backup keeps an up-to-date replica of the Master's state. If the Master Monitor fails, the backup automatically takes over.

    Associating Related Data Sources

    Logical entities in an organization are often related to one another. For example, a monitored hypervisor and all of the Guest OS data of the VMs running on it are all separate logical entities but they are also related to one another. The data presented in the ControlUp Console would be incomplete if it ignored the relationships between logical entities. 

    In order to enable ControlUp to match data from related data sources, the properties of every monitored data source include an association index. Related logical entities, like hypervisors and their VMs, all have the same association index.

    Association indexes enable ControlUp to match data from related data sources even if they are tracked by different Monitors. At each site, one of the Monitors is responsible for coordinating the matching of data from different sources based on their association indexes. This Monitor retrieves all the current activity data for each association index from the other Monitors at the site and merges the information to produce a complete picture of each entity’s status.

    Merging of data by association index is only performed per site, and not for the entire organization. Because of this, it is not recommended to assign related data sources to different sites. If, for example, a hypervisor and its VMs are assigned to different sites, it will not be possible to drill down from the hypervisor to its VMs.

  • Linux Integration with ControlUp

    Summary

    Starting with ControlUp v7.3, you can add Linux machines to your organization and monitor them from the Console and Monitor.
    ControlUp connects to Linux machines over SSH (TCP port 22) to gather information about the computer, its processes and its logical disks.
    If you have a ControlUp data collector in place, the Console and Monitor connect to the data collector on port 40705, and the data collector in turn connects to the Linux machines over SSH on port 22. Using a data collector improves the performance of the Console and Monitor.

    The supported operating systems are:

    • RHEL 6.x, 7.x
    • CentOS 6.x, 7.x

    Prerequisites

    • Before you begin the process of adding a Linux machine to a Linux Data Collector (LDC) for monitoring, the redhat-lsb-core package must be installed on the Linux machine.
    • Monitoring can only take place if the following are installed on the monitored Linux computer:
      • EPEL repository
      • wget
      • bc
      • sed
      • gawk
      • coreutils
      • sysstat
      • net-tools
      • util-linux
      • procps

    You can install these packages yourself on a Linux computer before you assign it to an LDC, or ControlUp can install them for you during the process of adding the Linux computer to an LDC.

    If you choose to let ControlUp install them, the account whose credentials you provide for adding the computer to the LDC must be able to run commands with sudo. In addition, requiretty must be disabled for that account in /etc/sudoers, either globally (Defaults !requiretty) or for that account alone (Defaults:<username> !requiretty), because the installation runs over a non-interactive SSH session that has no tty. If you install the packages yourself beforehand, sudo rights are not needed for this step, so the per-account form is the least-privilege choice when you do need it.
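    Before handing a Linux host to an LDC, it is worth checking both prerequisites above from the shell rather than discovering a failure during onboarding. The script below is an added example, not ControlUp's own code. Its assumptions: "EPEL repository" is taken to mean the epel-release package; the procps requirement is accepted as satisfied by procps-ng, which is the package name on RHEL/CentOS 7; and the sudoers check follows sudo's own rule that requiretty is off unless a Defaults entry turns it on, with later entries overriding earlier ones. The installed-package list and sudoers text used at the bottom are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added pre-flight check (not ControlUp's own code) for the Linux prerequisites
# listed above. Assumptions: "EPEL repository" means the epel-release package,
# and procps-ng (the RHEL/CentOS 7 name) satisfies the procps requirement.

REQUIRED_PKGS="redhat-lsb-core epel-release wget bc sed gawk coreutils sysstat net-tools util-linux procps"

# missing_packages INSTALLED
#   INSTALLED is a newline-separated list of package names, e.g. the output of
#   `rpm -qa --qf '%{NAME}\n'` on the target. Prints the required packages that
#   are absent, space-separated on one line (an empty line if none are missing).
missing_packages() {
    installed=$1
    missing=""
    for pkg in $REQUIRED_PKGS; do
        if printf '%s\n' "$installed" | grep -qxF "$pkg"; then
            continue
        fi
        # RHEL/CentOS 7 ship the procps tools as procps-ng; accept either name
        if [ "$pkg" = procps ] && printf '%s\n' "$installed" | grep -qxF procps-ng; then
            continue
        fi
        missing="$missing $pkg"
    done
    printf '%s\n' "${missing# }"
}

# effective_requiretty SUDOERS_TEXT USER
#   Prints "on" or "off": the requiretty flag sudo would apply to USER, walking
#   generic ("Defaults ...") and per-user ("Defaults:USER ...") entries in file
#   order, later entries overriding earlier ones. sudo's built-in default is
#   off, so a sudoers file that never mentions requiretty yields "off".
#   Limits: #include/#includedir directives and /etc/sudoers.d are not followed.
effective_requiretty() {
    sudoers=$1
    user=$2
    state=off
    # drop comments, keep only the Defaults entries that apply to this user
    lines=$(printf '%s\n' "$sudoers" | sed 's/#.*//' \
        | grep -E "^[[:space:]]*Defaults(:$user)?[[:space:]]" || true)
    # strip the "Defaults[:user]" keyword, split option lists on commas, walk flags
    for opt in $(printf '%s\n' "$lines" \
        | sed 's/^[[:space:]]*Defaults[^[:space:]]*[[:space:]]*//' | tr ',' '\n'); do
        case $opt in
            requiretty)    state=on  ;;
            '!requiretty') state=off ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed samples (not taken from a real host):
SAMPLE_INSTALLED="bash
wget
sed
gawk
coreutils
procps-ng
util-linux"
SAMPLE_SUDOERS="Defaults    requiretty
Defaults    env_reset
Defaults:cuagent !requiretty   # only the ControlUp account may sudo without a tty"

echo "missing packages: $(missing_packages "$SAMPLE_INSTALLED")"
echo "requiretty for cuagent: $(effective_requiretty "$SAMPLE_SUDOERS" cuagent)"
echo "requiretty for root:    $(effective_requiretty "$SAMPLE_SUDOERS" root)"
```

    On a real host, feed the functions live data: missing_packages "$(rpm -qa --qf '%{NAME}\n')" and effective_requiretty "$(sudo cat /etc/sudoers)" cuagent, where cuagent stands for whatever account you hand to the LDC. The per-user form in the sample sudoers keeps the stock "Defaults requiretty" in force for everyone else, which is the narrower change when only the onboarding account needs to run sudo without a terminal.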

    The following articles will assist you in creating a Linux Data Collector and adding machines to it:

    1. How to create a Linux Data Collector.
    2. Adding & assigning Linux Computers to a Linux Data Collector.