• Is ControlUp for You?

    ControlUp is tailor-made for systems administrators and helpdesk personnel who oversee multi-user environments and are required to prevent and troubleshoot performance issues, application failures and operating system errors. Typically, these tasks require a repetitive and time-consuming execution of existing consoles, scripts and various management tools, none of which are capable of achieving the systems administrator’s two primary goals:

    • Quickly identify issues in a complex multi-user environment
    • Resolve these issues in a simple and efficient manner

    ControlUp is a comprehensive system monitoring and management solution which provides deep visibility into the real-time activity of servers, workstations, users and the applications they use. The real-time console gathers and displays a wealth of current information regarding system health and performance. It also allows for powerful management actions to be executed in order to resolve issues and change system configurations. The ControlUp monitor service assists with 24/7 monitoring of your assets and alerts about any abnormal behavior according to a customizable set of incident triggers.

    ControlUp Insights, the historical reporting and analytics platform, accumulates activity and performance data over time and displays a variety of reports that enable systems administrators to investigate past issues, track usage trends, analyze system performance and make decisions regarding future system design and configuration.

     

     

  • Typical Usage Scenarios

    RDS / Citrix Farm Management

    In an RDS environment, user sessions are distributed across multiple servers. ControlUp allows the farm administrator to gain a complete performance overview of the servers, identify bottlenecks, locate user sessions, and pinpoint the issue to the level of an individual Windows process. ControlUp’s grid view allows for viewing the RDS farm as it is designed to be – a continuous fabric of resources available to multiple users. If a system task or a setting change is required, ControlUp can perform the change simultaneously on multiple servers or user sessions, keeping the server farm configuration uniform and stable.

    VDI Environment Management

    Virtual desktop environments need to provide a stable and robust user experience with great mobility and flexibility, which presents some unique challenges to the systems administrator. ControlUp’s aggregated grid view and simultaneous management task execution capabilities allow VDI administrators to oversee resource consumption, system stability and user experience in VDI sessions, and also to perform maintenance and troubleshooting tasks with a minimum amount of time and effort.

    Physical Servers and Desktops Management

    ControlUp can manage any number of Windows servers and desktops, regardless of their purpose or usage. Monitoring performance, gathering software inventory, deploying files and registry settings, configuring Windows components, and remotely controlling user sessions for technical support – these are just a few examples of tasks making ControlUp an ideal all-in-one toolbox for system administrators.

  • Basic Concepts

    ControlUp Console – the main executable of ControlUp, available for download as a single file named ControlupConsole.exe. There are no install/uninstall routines for this component, just a portable executable.

    ControlUp User – typically a systems administrator, technical specialist, or support technician working with ControlUp Console. Every ControlUp user is required to create an online login account which is used for user identification and licensing.

    Managed Computer – a Windows computer which a ControlUp user wishes to manage and/or monitor using ControlUp. It needs to belong to an Active Directory domain and to have .Net Framework 3.5 or 4.5 installed. When first contacted by a ControlUp Console, every Managed Computer is assigned to a ControlUp organization.
    (More details…)

    ControlUp Agent – a lightweight executable named cuAgent.exe that runs as a system service on every Managed Computer. This component provides performance information and handles the execution of management actions.

    ControlUp Organization – a logical grouping of Managed Computers handled by the same team. A ControlUp User selects an organization during login and is restricted to managing computers that belong to the selected organization only.
    (More details…)

    ControlUp Monitor – a background service which operates in a way similar to the ControlUp console but without the graphical user interface. ControlUp Monitor connects to all of the computers in your organization and performs continuous monitoring and reporting of incidents as well as automatic exporting of data tables for historical reporting. If you require 24/7 monitoring and alerting about incidents in your environment, it is recommended that you install at least one instance of ControlUp Monitor.
     (More details…)

    ControlUp Insights – a reporting and analytics platform that displays historical reports using data gathered by ControlUp. In order to start using ControlUp Insights, at least one instance of ControlUp Monitor should be installed in an organization.
    (More details…)

    Incident – in ControlUp, an incident is an occurrence on one of your managed computers that falls under the scope of one of the configured incident triggers. For example, you might configure a “Process Ended” incident trigger with a filter of “Process name=svchost.exe”. Every subsequent crash or error exit of a process with this name will generate an incident. Incidents are recorded in the ControlUp Hybrid Cloud Services database and are available for display in the Incidents Pane of ControlUp.
    (More details…)

    Incident Trigger – a definition of an occurrence that should be recorded as an incident. Two types of triggers are supported in ControlUp: community triggers, which are created by ControlUp based on vendor recommendations and industry best practices, and user-defined triggers, which can be configured according to your needs. Each trigger includes a set of conditions: trigger type (Stress Level, Process Started, etc.), filter (specific conditions like computer name or operating system), and scope (folders and schedule – when and where the trigger applies). In addition, every trigger may include a set of follow-up actions, for example an email alert.
    (More Details…)

    Script-Based Action (or SBA) – a PowerShell, VBScript or batch script that was imported into ControlUp as a management action. Script-based actions (SBAs) can be assigned to any of ControlUp’s managed resources (folders, computers, sessions, etc.). SBAs can be downloaded from the community repository or created manually and shared within your ControlUp organization.
     (More details…)

    Hypervisor connection – the connection parameters needed for a console or data collection agent to connect with a supported hypervisor management platform (vCenter or XenServer pool master). After the connection to the hypervisor management platform, host and VM information is automatically retrieved and populates the ControlUp database. (If the connection is to vCenter, datacenter and cluster information is also gathered, for better organization of virtualization resources.)

    XenDesktop Connection – an object in the organization tree that contains the details necessary for ControlUp to collect data from a single XenDesktop site. Once configured and connected, it populates the Sessions and Computers views with information retrieved from XenDesktop brokers.

    (More details…)

    Cloud Connection

    By using ControlUp’s AWS EC2 cloud management all the instances are visible in the same place, their performance metrics and cost metrics are displayed with a great level of granularity, all live and in real time. If resources are strained, they’re shown in flashing red. If any aspect of the cost shoots up, so will the red flags.

    (More Details...)

    NetScaler Connection - an object in the organization tree that contains the details necessary for ControlUp to collect data from a single NetScaler appliance. Once configured and connected, it populates the Load balancers, Services, Service groups, Gateways, HDX sessions and NICs views with data retrieved from the NetScaler API.

    Hypervisor folder – similar to a regular folder, but intended to organize hypervisor connections.

    Hypervisor – the term ControlUp uses to refer to the connection points to the virtualization world, namely vCenter and the Xen pool master. Strictly speaking, the vCenter server is not a hypervisor, but for the purposes of consistency in ControlUp, it is referred to as one.

    Host – a computer running VMware ESX/ESXi or Citrix XenServer that ControlUp accesses via the Hypervisor connection. The virtualization hosts are the computers that run multiple virtual machines on them.

    VM – Virtual Machines that run as guests on the ESXi/Xen server hosts. If the guest VM is running a supported version of Windows, then the ControlUp Agent can be installed on it and it will become a fully managed computer by ControlUp. There are some performance statistics that can be gathered about all VMs, managed or not, because ControlUp queries the hypervisor about all of them. However, full data retrieval is only possible if there is a ControlUp agent installed on the guest OS.

     

     

  • ControlUp Modes

    ControlUp Hybrid Cloud

    ControlUp Hybrid Cloud is the default operation mode for ControlUp, which offers the largest set of available features and the easiest deployment. In Hybrid Cloud, you need to download ControlUp Console and perform some basic configuration steps in order to start monitoring and managing your resources. There is no need to install and configure databases or other infrastructure components. All the back-end services (such as storage, database, alerting by email and mobile notifications) are provided seamlessly by ControlUp Hybrid Cloud.

    When working in Hybrid Cloud, ControlUp requires Internet connectivity and relies on a persistent connection to ControlUp Hybrid Cloud. Various controls and mechanisms are in place to ensure the security of your data stored in ControlUp Hybrid Cloud. For more information on ControlUp Hybrid Cloud security, please refer to our security whitepaper.

    The following diagram displays the architecture of ControlUp Hybrid Cloud Mode:

    [Diagram: ControlUp Hybrid Cloud Mode architecture]

     

    On-premise Deployment

    In On-Premises Mode, all the back-end services required for ControlUp are installed in the organizational network. This mode is designed for customers who would like to enjoy the features of ControlUp without contacting ControlUp Hybrid Cloud. On-Premises Mode eliminates the requirement for Internet connectivity and enables all components of ControlUp to operate autonomously without contacting ControlUp Hybrid Cloud.

    To configure ControlUp in On-premises Mode, you need to prepare some infrastructure resources, such as a SQL database and a web server, and then download and install ControlUp server components.

    On-Premises Mode does not include some of the features that rely on ControlUp Hybrid Cloud. For the full comparison matrix of ControlUp operation modes, see table below.

    The following diagram displays the architecture of ControlUp On-Premises Mode:

     

    [Diagram: ControlUp On-Premises Mode architecture]

     

    ControlUp On-Premises Prerequisites Guide

    Standalone Mode

    In Standalone Mode, ControlUp Console operates autonomously without relying on any servers. Standalone Mode is designed for a single administrator using ControlUp Console for ad-hoc monitoring and management in environments which do not have an Internet connection or do not permit any organizational data to leave the network.

    To configure ControlUp in Standalone Mode, you need to submit a license request and receive a standalone license from ControlUp Support.

    Standalone Mode does not include a substantial amount of ControlUp features. For the full comparison matrix of ControlUp operation modes, see table below.

    The following diagram displays the architecture of ControlUp Standalone Mode:

     

     

     

    Feature Comparison Matrix

    [Image: feature comparison matrix of ControlUp operation modes]

     

  • ControlUp Architecture & Security Concepts

     


    (Last updated: January 2018)

     

    Overview

    This document describes the ControlUp suite architecture, including the different deployment topologies, a description of all major components and their communications model, the data stored in the relevant ControlUp data stores, and the data protection mechanisms.

     

    ControlUp Architecture

    ControlUp supports various topologies based on the customer requirements and security policies. Below we will describe the two major topologies used by ControlUp customers. A full description of the components illustrated below is available in the next chapter.

    ControlUp Hybrid Cloud Mode

    ControlUp Hybrid Cloud mode is enabled by default if your network has Internet connectivity. In this mode, the ControlUp back-end components are hosted on our secured Amazon Web Services Cloud servers, while the ControlUp Console and Monitor run inside the enterprise network.

    The following drawing is a high-level overview of ControlUp architecture when working in Hybrid Cloud mode:

    [Diagram: ControlUp architecture in Hybrid Cloud mode]

    ControlUp On-Premises Mode

    ControlUp On-Premises mode enables organizations to install the ControlUp back-end components in their on-premises data center. In this mode, both the ControlUp back-end components and the ControlUp Console and Monitor run inside the enterprise network.

    The following drawing is a high-level overview of ControlUp architecture when working in On-Premises mode:

    [Diagram: ControlUp architecture in On-Premises mode]

     

    ControlUp Components

    In this chapter we will describe the various software components that are part of the ControlUp architecture.

     

    Customer Network Components

    ControlUp Console is the main component used by sysadmins for real-time management and monitoring of their virtual infrastructure, physical and virtual servers, VDI and RDS environments. The console distributes the ControlUp Agents to the managed computers/VMs, and exposes the UI which enables admins to configure Hypervisor connections, XenDesktop sites, NetScaler appliances, AWS regions and Monitor services.

    The console maintains communication with the relevant managed computers/VMs, Hypervisors, XenDesktop sites, NetScaler appliances and AWS regions and displays real-time performance data to the sysadmin. The console also communicates with the ControlUp back-end Servers for various operations.

    ControlUp Monitor Service

    The ControlUp Monitor service is a key component in any ControlUp deployment. The Monitor Service performs two major functions:

    1. Incidents reporting and alerting.
    2. Historical data uploads.

    Once installed and started, the ControlUp Monitor logs into your ControlUp organization and connects to your managed computers/VMs, Hypervisors, XenDesktop sites, NetScaler appliances and AWS regions. The Monitor starts receiving system information and performance updates from your organization, just like an additional ControlUp Console instance. The primary difference between a ControlUp Monitor Service and a Console is that the Monitor runs as a Windows service, requiring no user interaction and allowing for continuous monitoring of your resources, which ensures continuous coverage for incident alerting and reporting capabilities, among others.

    The ControlUp Monitor Service also uploads the historical data that is used for the construction of reports and analytics displayed in ControlUp Insights. For more information regarding the architecture and security measures for ControlUp Insights, please refer to the “ControlUp Insights – Security Measures and Procedures” document.

    ControlUp Data Collector

    A software component which collects performance and configuration information from the Hypervisor management web service, the XenDesktop sites, the NetScaler appliances and the AWS regions via remote API calls. By default, each ControlUp Monitor Service is configured as a data collector which pulls data directly from the connected hypervisors (ESXi or XenServer), XenDesktop brokers and NetScaler Connector.

    In a production deployment, it is recommended to configure a dedicated data collector which acts as a proxy for all other ControlUp consoles and Monitor services. Configuring a dedicated data collector is a best practice; please refer to the following article.

    Connection Types

    vSphere

    The ControlUp Data Collector communicates with the configured vCenter server via the SDK web service. The default communication channel is based on the SSL protocol (e.g. https://vcenter.fqdn/sdk). By default, data collection occurs every 20 seconds, and a read-only account is sufficient to pull all configuration and performance data. To enable VM Power Management, go to the Virtual Machine/Interaction category and enable the following:

    • Power Off
    • Power On
    • Reset

    XenServer

    The ControlUp Data Collector communicates with the configured XenServer via port 80 (by default) and also communicates directly with each XenServer pool member to pull the real-time performance metrics via the RRD API. By default, data collection occurs every 20 seconds, and a read-only account is sufficient to pull all configuration and performance data. To enable VM Power Management, upgrade the user role to ‘VM Operators’.

    XD Connector

    The ControlUp Data Collector communicates with the configured XenDesktop Broker via port 80 (by default) to pull configuration and performance data. During the initial connection, the data collector discovers all XenDesktop Brokers and saves them in the Broker's Failover List to enable data collection in case the first XenDesktop Broker is not available. The data collector utilizes both the PowerShell and OData APIs to pull relevant data on Delivery Groups, Brokers, VDAs, User Sessions and Published Applications.

    The Read Only Administrator right to all farms that will be managed is sufficient for monitoring purposes. If you want to be able to use the built-in XenDesktop management features like enabling maintenance mode for example, then this account will require the following permissions:

    • Edit Application Group Properties
    • Edit Application Properties (Application Group)
    • Edit Delivery Group Properties
    • Edit Machine Catalog Properties

    Cloud connector

    The ControlUp Data Collector communicates with AWS through the AWS .NET SDK over HTTPS.
    The data collection intervals are as follows:

    • Metadata (computer name, state, etc.) – 20-second intervals.
    • "CloudWatch" data – depends on whether the instance has detailed monitoring enabled (as defined on the AWS instance itself):
      • Instances with detailed monitoring – 1-minute intervals.
      • Instances without detailed monitoring – 5-minute intervals.

     

    NetScaler Connector

    The ControlUp Data Collector communicates with the NetScaler appliance through its API over HTTP or HTTPS, depending on the user’s preference. The data collection intervals depend on the size of the NetScaler deployment and are configurable.

    ControlUp Agent

    The ControlUp agent is a software component which collects performance information on the managed computer/VM and sends it to the ControlUp Console or to the ControlUp Monitor instances which are currently running in the network and are connected to the managed computer. The ControlUp agent also executes the management actions performed by the users running the ControlUp Console.

    For further information, please refer to the following article.

     

    Cloud based Backend Components (Hybrid Cloud Mode)

    ControlUp Cloud Servers

    ControlUp Cloud Servers reside in the Amazon Web Services cloud (US and Ireland datacenters) and provide login, licensing, central configuration, and database services for all ControlUp Consoles and Monitor service instances running on the customer network.


    AWS RedShift

    All data uploaded to ControlUp Insights is loaded from Amazon S3 into Redshift, a petabyte-scale SQL data warehouse service that runs on highly optimized and fully managed AWS compute and storage resources.

    ControlUp Insights Cloud Servers

    ControlUp Insights offers a web portal (https://insights.controlup.com) which allows authorized users to display, save, export and share reports based on the uploaded data. The web portal is hosted by Amazon Web Services using the EC2 service.

    On-premise based Backend Components (on-prem mode)

    ControlUp On-Premises Server

    The ControlUp On-Premises server is powered by a Windows server which is designed to provide the functionality of the ControlUp Cloud Server within the customer’s network. After configuring the On-Premises Server, all ControlUp consoles and Monitor service instances running in the customer’s network will connect to the On-Premises Server, which provides login, licensing, central configuration, and database services for the Consoles and Monitor services.

    The ControlUp On-Premises server is designed primarily for environments in which Internet connection is limited or blocked, or in which regulation does not permit organizational data to be stored outside the company’s network.

    The ControlUp On-Premises Server includes the following software components:

    1. Windows Server 2012 R2 / 2016 R2
    2. Microsoft .Net Framework 3.5  and above
    3. Lightweight Directory Services
    4. IIS services
    5. ControlUp Web Services hosted on IIS
    6. MS SQL database: 2016, 2014 R2, 2012 R2, all in Express, Standard, and Enterprise Editions. (can be deployed on existing SQL instance). SQL 2008 is NOT supported.

    During the initial login phase, ControlUp consoles and Monitor service instances authenticate themselves against the On-Premises server using either the user’s account token or an explicitly provided AD username and password.

    The authentication protocol between the console/monitor instances and the On-Premises server is based on Windows Authentication (HTTP 401 Challenge) over HTTPS.


    ControlUp Insights On-Premises Server

    The ControlUp Insights On-Premises server is a query database server which runs on the customer’s network, facilitating the use of ControlUp Insights On-Premise for analytics and reporting. The server is an internal data collector which processes and creates data models to allow advanced reporting and analytics capabilities without any external network connection. For further information, please see the detailed documentation here: https://docs.google.com/a/controlup.com/document/d/1VLLwN27dTEKUl3IL_8daNyVOIQx4hnwjab3_ceQisy4/edit?usp=sharing 

    ControlUp Data Stores

    This chapter will describe the various data stores being used in a ControlUp deployment.

    ControlUp In-RAM Database

    A proprietary database used by each ControlUp Console / Monitor service instance to store all real-time performance and configuration data gathered by the data collection agents. This database is a volatile database, which exists only when the console/monitor executable is running. The Security Policy within the Console allows for proper role-based maintenance of the various features within the Console. The in-RAM data retention policy allows up to 100 historical transactions per counter. 

    ControlUp Configuration Database

    The ControlUp central configuration is hosted on a Lightweight Directory Services database. The location of the database depends on the chosen ControlUp topology:

    1. ControlUp Hybrid Cloud  Mode – In this mode the configuration database is stored on the ControlUp Servers running in the AWS cloud
    2. ControlUp On-Premises Mode – In this mode the configuration database is stored on the ControlUp On-Premises server running inside the customer network

    The configuration database includes all persistent configuration objects that are part of the ControlUp organization, including the following objects (not all items are listed here):

    • Distribution settings defaults
      • Auto-Upgrade
      • Check Ping
      • Check Prerequisites
      • Default Port
      • Temporary / Permanent Mode
      • Keep-Connected Interval
    • Hypervisor Connection settings
    • XD Connection settings
    • Cloud connection settings
    • NetScaler connection settings
    • Managed Computer /VM Information
      • Install Mode (temporary / permanent)
      • CPU Count
      • Domain Role (Workstation / Member Server / etc)
      • Highest session count (Max value of the ‘session’ counter)
      • Manufacturer
      • Model
      • OS Caption
      • OS Service Pack
      • Physical (MAC) Address (used for Wake-On-Lan)
      • System Type (x86 / x64 / etc)
      • Total RAM
      • Domain DNS
      • ControlUp Port
      • Netbios Name
      • FQDN
      • Description
      • Last Connection Error
    • Folder Information
      • Name
      • Description
    • Delegation Information
      • All entries configured by the user
      • Owner information
        • NT Account Name
        • NT Account SID
      • Role Information
        • NT Account Name
        • NT Account SID
      • Stress Settings
        • Stress settings configured by the user
      • RDP Connection Properties
        • Authentication Level
        • Connect to console
        • Device Redirection Configuration
        • SmartSize settings
        • Connect to console
        • Start Full Screen
        • Start Program on connection
        • Name
        • Port
      • AD Connections (metadata only)
      • Branch Mappings
      • Trigger Settings
      • Generic ControlUp configuration settings

    User credentials are never stored in the configuration database.

    All data objects in the configuration database are encrypted using the Rijndael algorithm (AES) with a per-customer random 128-bit encryption key. In Hybrid Cloud mode, the encryption key is stored on the ControlUp Cloud servers and protected using DPAPI. In On-Premises mode, the data is encrypted for obfuscation purposes only: the key is stored locally, along with a secret hardcoded string.

    All data objects are encrypted locally, at the console / monitor instances, before being transmitted over the network to the relevant web services / database.

    ControlUp Incidents Database

    The ControlUp Incidents database is hosted on a Microsoft SQL database. The location of the database depends on the chosen ControlUp topology:

    1. ControlUp Hybrid Cloud  Mode – In this mode the Incidents database is stored on the ControlUp AWS RDS instance
    2. ControlUp On-Premises Mode – In this mode the Incidents database is stored on a Microsoft SQL server running on the customer network

    Incident Triggers are definitions of significant events that should be recorded by ControlUp for later analysis. Each trigger includes a list of conditions which specify when the incident will be recorded and which follow-up actions will be performed at that time.

    The Incidents database contains all historical incidents that were reported by the ControlUp consoles and Monitor services based on the customer triggers definitions. The information stored in the Incidents database can be viewed via the ControlUp Incidents Pane.

    Sensitive incident-related data such as host and computer names, IP addresses, account names, event message data and process command lines are encrypted using the Rijndael algorithm (AES) with a per-customer random encryption key. In Hybrid Cloud mode, the encryption key is stored on the ControlUp Cloud servers and protected using DPAPI. In On-Premises mode, the data is encrypted for obfuscation purposes only: the key is stored locally, along with a secret hardcoded string.

    All incidents are encrypted locally, at the console / monitor instances, before being transmitted over the network to the relevant web services / database.

    ControlUp Local Cache

    Configuration cache files are stored on the computer running the ControlUp Console and the ControlUp Monitor service, in the Application Data directory under the user’s profile (e.g. %UserProfile%\AppData\Roaming\ControlUp). By default, NTFS permissions restrict access to these files to the user and members of the local Administrators group.

    If the files are copied and used by a different user, the encrypted data cannot be decrypted and the user will have to re-enter all passwords. Other configuration data will be available.
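
    One way to verify the NTFS restriction described above on a Console or Monitor machine, as an added example that is not ControlUp's own code. It assumes the cache sits at the example path the page gives and treats SYSTEM as an expected principal because Windows grants it access to user profiles by default; the function name is hypothetical.

```powershell
# Added example (not ControlUp code): list access rules on the ControlUp local
# cache that grant access to anyone other than the expected principals.
# Assumption: the cache is at the example path from the page; override with -CachePath.
param(
    [string]$CachePath = (Join-Path $env:APPDATA 'ControlUp')
)

function Get-UnexpectedCacheAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Cache path not found: $Path"
    }

    # Compare by SID so renamed or localized account names still match.
    $allowedSids = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # the user running the check
        'S-1-5-32-544'                                                        # BUILTIN\Administrators
        'S-1-5-18'                                                            # NT AUTHORITY\SYSTEM (assumed Windows default)
    )

    # Check the directory itself and everything beneath it, hidden items included.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($allowedSids -contains $rule.IdentityReference.Value) { continue }

            # Resolve the SID to a name for the report; keep the raw SID if it cannot be mapped.
            try {
                $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $rule.IdentityReference.Value
            }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-UnexpectedCacheAccess -Path $CachePath)
if ($findings.Count -eq 0) {
    "OK: only the current user, Administrators and SYSTEM have access to $CachePath"
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
}
```

    Run it in the session of the account that owns the cache (the Console user or the Monitor service account), since the current user's SID is what the check treats as the owner.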