• TimeStamp Patch for Insights On-Premises (IOP)

    Important Notes:
    1. This article is for ControlUp On-Premises customers only!
    2. This patch only applies to IOP 3.5 and below.

    The Issue

    Beginning of January 1, 2020, un-patched IOP instance may be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets these criteria will be indexed with incorrect timestamps. While we do not expect any issues due to the fact we use epoch time, we recommend patching as a precautionary measure.

    The Solution

    To implement the new TimeStamp Patch for the IOP.

    Please download an updated version of datetime.xml and apply it to your IOP server

    After you download the file, you must apply it directly over the existing datetime.xml file using the following procedure. You must apply the updated file to all affected On-Premises IOP instances prior to January 1, 2020.
    If not applied, you may experience timestamp recognition problems from that point forward.

    1. Download the "datetime.xml" timestamp recognition file from here.
    2. Save it on your ControlUp Insights On-Premises server.
    3. On each IOP instance, do the following:
      • Using your operating system file management utilities, copy the updated datetime.xml from the location where you downloaded it to the $IOP_HOME/etc directory (i.e. c:\program files\smartx\controlup insights\etc) on the IOP platform instance.
        Note: Ensure that the updated file overwrites the existing file.
      • Confirm that the new datetime.xml has been written to the $IOP_HOME/etc directory.
      • Restart the IOP platform.

        Your IOP platform instance is now patched!
  • Setting up a Schedule Task for Backing Up IOP Activity Files.

    Following the How to Backup IOP Activity Files share article; 

    In this article, we'll do a walkthrough on how exactly to set up the backup script as a scheduled task in your Insights machine so the activity file share will be over-sized or taking all of the disk space. 

    NOTE - This article is for On-Premises customers only.

    Prerequisites: 

    1. The script MUST run on the machine running IOP (InsightsOnPrem)
    2. The user needed to run the script is an IOP Admin (the original Admin account).
      • The password should not contain a $doller sign. 
    3. You need 7zip installed or it's command line version 7za.exe (downloadable via this link). 
    4. Download the script at the bottom of this page.

    Instructions:

    1. Press the Windows + R keys on your keyboard to open Run (or use Start), and then type taskschd.msc in the open field.
    2. Right-click 'Task Scheduler Library' and choose 'Create Task'.
    3. In the newly opened window we'll fill out the following in the General tab; 
      1. Task Name - this name will be displayed as the task name.
      2. Description - a short detailed description so colleagues will know that it's used by ControlUp. 
      3. Select the 'Run whether user is logged on or not' 
      4. Mark the 'Run with highest privileges
      5. You can configure the task to be coded to your local OS.
        mceclip0.png
    4. In the Triggers tab, click New.
      1. In this guide, we'll use Daily at midnight but you can configure it based on the available size of the disk. Every Sunday is also good and the task will re-occur every day\week.
        mceclip0.png
    5. In the Actions tab, click New.
      1. In Action, select the 'Start a program' option
      2. Program/script will be 'PowerShell'
      3. Add arguments will be based on your choosing. The script holds a Synopsis which explains which methods you can use. In this example, I choose the syntax that creates the zip files in a remote location and then removes the original files to save space in the backup directory This is the command: 
        C:\Archive-Files.ps1 -username admin -password P@ssw0rd -DeleteSource 
      4. Start in is optional but over here since the script is located in C:\, I've placed it as a pointer. 
        mceclip1.png
    6. Press OK and you'll be prompted to enter the credentials of the service account\other AD account the task will run as. 
      mceclip2.png

    Once done, you can right-click the task and Run to test the task integrity.

     

  • Monitor Error: "Error with saving file to local disk"

    ControlUp Monitor uses the interactive logon and impersonates as the AD account it's set to run with in order to perform the following tasks -

    1. Writing Activity files to disk (for On-Premises deployments only)
    2. Writing CSV to disk when using the Export Schedule feature

    To allow this, the AD account that the monitor is using in its settings must be granted with the Allow log on locally security policy setting.
    For On-Premises customers, it's best practice to have the activity files folder locally on the monitor machine so the security settings should be assigned to the same machine.

    Example #1: You've configured the Monitor on machine A to export CSVs to machine B. 
    Machine B will need the interactive logon rights for the AD account the monitor is using. 

    Example #2: (for On-Premises) You've configured the Monitor on machine A to write the activity files to a folder on the same machine. A. 
    Machine A will need the interactive logon rights for the AD account the monitor is using

    Example #3: (for On-Premises) You've configured the Monitor on machine A to write the activity files to a folder that resides on machine B. 
    Machine B will need the interactive logon rights for the AD account the monitor is using.  

    --------------------------------

    Troubleshooting steps available if the following terms are met- 

    • The Monitor is showing red in the Console. 
    • The Monitor is experiencing issues writing the Activity Fils into the SMB dedicated share. 

    The Cause:

    There could be a couple of reasons which each is different-

    1. The drive that the Activity Files folder resides on, has a disk space issue. (for On-Premises) 2019-05-22_10-00-27.png
    2. The configured Activity Files folder path is invalid\moved\removed so the Monitor can't find it.2019-05-22_09-32-56.png
    3. The AD account that the Monitor is using, doesn't have the right permissions.2019-05-22_14-01-57.png

    The Solution:

    (numbered according to the previous section)

    1. Locate the Activity Files folder. The disk that it resides on, it's probably is out of space. 

    • If you do not know the exact location of the folder, you can see it in the Insights website by going into Admin > Settings > Activity Folder.
      • Another option is to go to the OnPrem server - go to > Registry Editor > HKEY_LOCAL_MACHINE\SOFTWARE\Smart-X\ControlUpServer\IOP and there you'll have the 'SharedFolder' key. The path in that key will be the location of the Activity Files folder.
    • Refer to the How to Backup IOP Activity Files share article to move, zip & clean the folder. 
    • As a temporary option, add space to the disk, and then the monitor will continue to write files there. NOTE that the folder will keep growing unless you maintain it properly. More information can be found here Managing IOP Activity Files folder

    2. Re-create the Activity Files folder and assign the right permissions.

    3. Verify that the AD account that the monitor is using has the permission it requires. 

     

    If you have any further questions or need further assistance, contact us at support@controlup.com

     

     

     

  • Authorization Failed

    Cannot Log In to Console

    When a user launches the Console they may get the following error message: 

    Authorization Failed: ControlUp Server was unable to validate the group membership of your user account. Please make sure that the security group configured for ControlUp access in Active Directory is in place or contact support@controlup.com for further assistance. 

     

    First, check the troubleshooting steps in the article: Your Windows user is not authorized to use ControlUp (On-Premises Login Issue)

    If you have checked all these steps and you're still unable to log in to the Console, check the User Management log located on the ControlUp On-Premises server in the following location: 

    "C:\Program Files\Smart-X\ControlUp Server\WebApps\UserManagementService\7_WS\UserManagementService.log"

    Check the errors at the bottom of the log. If you see the group listed: 'ControlUp_PrivateCloudMembers' then the issue is that your service account is unable to read the contents of the file: "C:\Program Files\Smart-X\ControlUp Server\Server Settings\ControlUpServerSettings.xml" 

    To resolve, make certain that your ControlUp service account has Read & Execute permissions to the ControlUpServerSetting.xml that defines the ControlUp User group, then perform an IISRESET. 

    On-Premises Login Issue

    The Issue:

    You cannot login to ControlUp Real Time Console in an On-Premises mode
    environment. The message you receive is - "Authorization Failed"

    The Solution:

    It appeared that the password for the two service accounts that needed to run the ControlUp services were expired. So, AD was not letting them to run the services. 
    You can verify if this is indeed the case, if you try to restart the ControlUp services and they do not start back - 

    1. ControlUp Incidents
    2. ControlUp-LDS or ADAM_ControlUp-LDS

    To receive more details about the failure, you can look at the login log which is located on the On-Premises server in C:\Program Files\Smart-X\ControlUp Server\Websites\UserManagementService\7_WS\user management.log 

    If the following errors appear in the user management log:
    ERROR|Error in BaseResponse. |UserManagement.Exceptions.UserManagementException: Failed to bind to organization permissions group 'AD Group Name'It means the issue could be with the AD group you assigned as the group for users who can login to ControlUp Console:

    • The AD group and SID needs to match in the server settings file, located here - "C:\Program Files\Smart-X\ControlUp Server\Server Settings\ControlUpServerSettings.xml"
    • The group needs to be a Security Global group.
    • Application Pools - Verify all application pools are running and do IISReset on the On-Premise server.
    • In 7.1 & 7.2 it could be a license issue (IOP Allowed - Yes/No).

    How do I get the SID? click here (external link) for additional information.

     

  • Configuring a dedicated username for the CU SQL DB

    In SQL, the semicolon character is a statement terminator. It is a part of the SQL-92 standard.

    We've seen users in On-Premises deployment that are using semicolon in the username or password. Because of that, the string to the SQL DB is down and it cancels the link to the SQL.

    There should be no semicolon in the password or username that you use for the SQL. 

     

     

  • Setting an alert for the On-Premises Monitor that isn't writing files to Activity folder

    For OnPrem customers who use Insights (IOP), their Monitor generates files into the Activity files folder and then they get indexed into the IOP database. In case the monitor stops exporting real-time data files, we offer an alert that can be setup (for hybrid cloud customers we have such alert defined on our side which alerts when the monitor stops uploading data).

    The following script / scheduled task will send an e-mail alert to pre-configured recipients. 

    In order to define the alert (scheduled task) which will run every 30 minutes, and will execute the script with a delay of 45 minutes, please follow these steps:

    1. Please download the PowerShell script that is attached to the bottom of this article. (name: activity_files_health.ps1)
    2. Place the script on the machine where the Activity Files Shared Folder is located. 
    3. NOTE: by editing it with notepad++ for example, you can read the script's help and examples. (or Get-help in PS)
    4. Open Task Scheduler > create new scheduled task as the example below:
      • Define a name 
      • Run after user logon (Run whether user logged on or not)
      • Run with highest privileges 
        2018-07-31_1347.png
        Set a daily schedule to repeat every 30 minutes
        2018-07-31_1346_001.png
        2018-07-31_1347_001.png
        Define an action which will start PowerShell.exe
    • Add an argument (which explained below)
    • Add start path
      2018-07-31_1346.png
      In the actions tab, the argument field is very important. As you can see in the argument, the script is located in c:\code, the path may change according to your setting
    • If you look at the argument, in the powershell script help\example -  
      • The delay is 45 minutes, the address from and to are defined and the subject of the email is also there and can be defined as you like, and finally you define which SMTP server to use. (if user and password is needed, in the script you will find an example with that syntax).
        2018-07-31_1347_002.png
    • Define the conditions according to your needs
      2018-07-31_1345_001.png
    • Define the settings according to your needs
      2018-07-31_1345.png
      An event in the event viewer is written (successful and when there was an issue) in the application log.
      2018-07-31_1158.png2018-07-31_1158_001.png

     

     

  • Update On-Premises Script Actions

    The following explains how to import the latest SA’s updates to your ControlUp On-Premises Console:

    1. Download the SA Package from here - Link 
    2. Copy the file to your On-Premises Server.
      • Right-click the file and select Properties.
      • Check "Unblock" and click OK.
    3. Extract the ZIP file.
    4. 'Edit' the file and verify that the DB name is exactly as the one you used during the installation.
      mceclip0.png
    5. Open Programs and Features on your on-premises server.
    6. Locate the ControlUp Server > Change
      mceclip0.png
    7. Click Update SBAs > Choose the extracted file.
      mceclip1.png

     

    Manual update of the Script via SQL Studio

    Another option is to run the .sql script linked below, just run it against the ControlUpDB in SQL DB, it will truncate the entire SA directory and replace it with the new versions of the scripts.

  • Error in 'tstats' or litsearch Command: License Limit Was Exceeded - IOP 8.x

    Troubleshooting

    If there is an issue with your Insights license, one of the following messages appear:

    image__3_.pngimage__1_.png

    This may due to the following reasons:

    1. License Violation - This may be because the daily indexing volume exceeds the license allowance or due to the expiration of the license.
      In the example below, the maximum daily index volume hit 214MB on one of the days in the week. 
      IOP_introsp1.png
      View your license to see if your indexing volume exceeded your allowance.
      To view your license, go to Settings in the Admin section of Insights and select License, and your license information appears.

      Standalone Mode

      mceclip2.png

      Cluster Mode

       

       

      Note: If you have a problem accessing the enterprise Enterprise License Group screen, you might need to open incoming traffic to the IOP master node on port 8080.
        

      mceclip0.png

      To increase your license's maximum volume, contact support@controlup.com

    2. CSV Files Index - Verify that Insights is not indexing anything other than files that starts with 'cuiop'.
      In the example below, the CSV element caused a repeated license violation roughly 24 hours after the reset license has expired.IOP_introsp1csv.png
      Another way to diagnose the issue is to search |tstats count by sourcetype in the Insights search in the top left corner for the previous 24 hours' activity. This displays the sourcetypes that Insights has indexed and shows what type of file is causing the issue.
      For more assistance, contact support@controlup.com with a screenshot of the search.
      IOP-TstatsSearch1.png

    Adding a New License

    To add a new license in standalone mode:

    1. From the Insights screen, click Settings, and the the Settings screen appears.
    2. From the Licensing tab, click Add License and the Add License popup appears.
    3. Click Choose File and select your license. Click Install, and a popup appears to confirm that the license was properly installed.

    Once the new license is installed, Insights must be restarted. See below for more details.

    To add a new license in cluster mode:

    1. From the Insights screen, click Settings, and the the Settings screen appears.
    2. From the Licensing tab, click here, and the Add the Enterprise License Group screen appears.
      Note: If you have a problem accessing the enterprise Enterprise License Group screen, you might need to open incoming traffic to the IOP master node on port 8080.  
    3. Click Add License and then Choose File to select your license. Click Install, and a popup appears to confirm that the license was properly installed.

    Once the new license is installed, Insights must be restarted. See below for more details.

    To restart Insights:

    1. From the Settings screen, select the Maintenance Task tab and click Restart, and confirmation screen appears.
    2. Click OK, and Insights restarts with your new valid license.
  • Reducing Size for ControlUpDB in SQL

    In ControlUp On-Premises mode a SQL DB named ControlUpDB is used, sometimes it can become very large, the main reason for that is that SQL DB is saving Incidents to be shown in Incident Pane at the Console.

    We have prepared a SQL Script that will address this issue and delete Incidents older than 30 days (the maximum that can be shown via Incidents Pane).

    This does not affect the Log Size or other functionality and does not require restarting any service.

    Please see attached script.

     

     

  • Moving from Hybrid Cloud to On-Premises

    Moving to On-Premises installation will cause a loss to some of ControlUp's Hybrid Cloud features and you will need to arrange additional resources to your network infrastructure. Please review the On-Premises Installation Prerequisites article.

    Visit the following article to learn more about ControlUp modes, the deployment and Feature Comparison Matrix chart -> ControlUp Modes

    **Make sure to contact your sales person and inform him of this decision as license will need to be changed**. 

    Moving to On-Premises will require these following steps:

    • If you wish to keep the current organization name, you will need to save the current configuration file which is located in %appdata%\ControlUp\Configuration folder. Usually the files extension will be *.v4.xml
    • If you want to create a new organization you will need to do the following: 
      • Issue a new organization name.
      • Remove ControlUp Agents from all machines.
    • Contact your account manager or ControlUp Support and inform them that you'll need a On-Premises license file. 
    • New dedicated servers as instructed in installation prerequisites article:
      • On-Premises Server
      • IOP Linux Server
      • SQL Instance or Server

     After completing all of the above:

    1. Remove all agents (ONLY if a new org is being created)
    2. Uninstall the Monitor
    3. Uninstall the Console

    Then install ControlUp On-Premises using installation guide.

    *When installing the Console, best practice is the assign a dedicated AD group as "Owner". If assigning a user, that user will be "Owner" of that organization. 

  • Remove Users from On-Premises Org

    The solution is to open ADSI edit and remove the users.

    Here are the steps:
    1. Open ADSI edit with the settings shown in the screenshot:2017-04-20_0909.png2017-04-20_0910.png2) Remove the users you no longer wish to see.2018-01-03_0837.png

  • Locations where the ControlUp service account is used in ControlUp On-Premises configurations.  

    Location: On-Premises Server – Configured during On-Premises Server installation process.

    • IIS Application Pool services
      • 7_WS.Pool
      • ConfigurationPool
      • HandshakePool
      • IncidentsReporterPool
      • IncidentsViewerPool
      • MasterPool
      • SBAPool
      • UploaderPool
    • ControlUp-LDS service
    • ControlUp Incidents service

    Location: Monitor Settings – Configured during Monitor deployment process.

    • Go to Monitor Settings, highlight the Monitor you want to update, and click “Settings…”

    Location: SQL Server – Configured during On-Premises Server installation process.

    • The account MUST have dbo owner permissions to the ControlUpDB.
  • Change the AD Group for ControlUp On-Premises Console Access

    Change the AD Group for ControlUp On-Premises Console Access.
    When you install ControlUp On-Premises Server you are asked to provide an Active Directory group to manage access to the ControlUp Console. After installation, you may wish to change this group. 

    The Active Directory group that you chose can be found in the file C:\Program Files\Smart-X\ControlUp Server\Server Settings\ServerSettings.XML located on the On-Premises Server.
    In order to change the group, you must open this file, change the group name, and update the group SID:2018-02-06_14-50-58.jpgTo find an AD groups SID, open an elevated powershell prompt from a system that has the AD powershell components installed and type the following command: Get-ADgroup <AD Group Name>

  • Your Windows user is not authorized to use ControlUp (On-Premises Login Issue)

    The Issue:
    You try to login to the On-Premises ControlUp Real Time Console and receive an error - "Your Windows user is not authorized to use ControlUp" (or the error might be Black Screen instead of splash screen) The Cause:
    The issue might be caused by several reasons. 
    To receive more details about the failure, you can look at the login log which is located on the On-Premises server in:
    C:\Program Files\Smart-X\ControlUp Server\Websites\UserManagementService\4.1_WS\user management.log  

    The cause of this issue might be one of the following:

    1. License issue -
    If the number of members in the authorized group, defined during the On-Premises server application wizard, as the group which contains the AD users which are allowed to login to ControlUp, cross the number of admins in the license, you will receive this error. 

    2. AD user or group issue - 
        - The AD user is not part of the authorized group.
        - The group or its SID was changed manually in the settings file.
        - The AD Group type is universal and not global. 

    3. Setup Issue - 
    The authentication method in the IIS is incorrect. 

    The Solution:

    1. License Issue - 
    As mentioned, the error might indicate the number of members in the authorized AD group is higher than the license permits (The error might be Black Screen instead of splash screen).
    To verify the number of users if the authorized group match the license limit, please follow these steps:

    - Check the license quantity: 
    On the On-Premises server, go to - C:\Program Files\Smart-X\ControlUp Server\Server Settings\<LicenseFileName>.XML In the following example, the quantity is unlimited.- Check which group you defined during the installation (if you do not remember):
    On the On-Premises server, go to - C:\Program Files\Smart-X\ControlUp Server\Server Settings\ControlUpServerSettings.XML  - Check the license location and name:Now that you know the name of the group, check the number of members

    2. AD user or Group -
    In case the user is not part of the AD group you defined during the installation of the On-Premises application server as the authorized group of admins which can login to ControlUp, you will receive this error.
    To verify the user you logged in with to windows and tried to launch ControlUp with, follow these steps:

    • Verify which user you are logged in with -
    • Verify the the group you chose to use and its members as mentioned above in License Issue solution.
    • Make sure the group is types global and not universal

    In case the group was changed manually in the settings file and only the name was changed and not corresponding SID number, you will receive this error.

    • To verify the group and SID, please follow the steps mentioned above in License Issue solution. 

    3. Setup Issue - 
    The authentication method in the IIS is incorrect.
    To verify the authentication defined for the On-Premises ControlUp site, follow these steps:

    • Open the IIS manager on the On-Premises server
    • Under the ControlUp site click on Authentication
    • Verify that Windows Authentication is the only one Enabled

     

  • ControlUp On-Premises IOP - LDAP Setup

    The first login to ControlUp's On-Premises Insights website is done with user Admin and the password configured for the root user. You can keep using the Insights user but you can also use LDAP authentication.
    To define LDAP authentication, first access the configuration page:
    Go to Admin > Settings > LDAP Configuration > Add LDAP Strategy  
    LDAP Strategy Name - define the configuration name 

    LDAP connection settings
    Host: Active Directory Domain Controller computer name:
    Your IOP server must be able to resolve this host (check via nslookup)

    Port: 389 for non SSL, 636 with SSL (636)
    SSL enabled: You must also have SSL enabled on your LDAP server.

    Connection order: 1
    The order in which IOP queries this LDAP server (among enabled servers).

    Bind DN
    If you want a specific user to run the queries, this is the distinguished name used to bind to the LDAP server. In most cases this field should be left blank.
    Any user can be used to bind (service account is preferred, password does not change).
    For example: CN=IOP LDAP Account,OU=ServiceAccounts,OU=Accounts,DC=controlUp,DC=demo
    If you are not sure how to get these details, go to Active Directory Users and Computers and right click the user and choose Properties. Go to attribute editor and look for distinguishedName. Make sure to enable advanced features under the View menu.
    mceclip0.pngUser settings

    User base DN
    Apply either User settings or Group settings. You can use both.
    The location of your LDAP users, specified by the DN of your user subtree. You can specify several DNs separated by semicolons.
    For example: DC=controlup,DC=demo

    User base filter
    Used to filter users. Highly recommended if you have a large amount of user entries under your user base DN. For example: '(department=IT)'

    User name attribute
    The user attribute that contains the username, usually the sAMAccountName, Note that this attribute's value should be case insensitive.

    Real name attribute
    The user attribute that contains a human readable name. This is typically 'cn' (common name) or 'displayName'.

    Email attribute
    The user attribute that contains the user's email address. This is typically 'mail'.

    Group mapping attribute
    The user attribute that group entries use to define their members. If your LDAP groups use distinguished names for membership, you can leave this field blank.
    mceclip1.png

    Group settings

    Group base DN
    Apply either User settings or Group settings. You can use both.
    The location of your LDAP groups, specified by the DN of your group subtree. You can specify several DNs separated by semicolons.
    This describes the group of users authorized to use insights.
    For example: CN=IOP Admins,OU=Groups,OU=Accounts,DC=controlUp,DC=demo

    Static group search filter
    The LDAP search filter used to retrieve static groups. Highly recommended if you have a large amount of group entries under your group base DN. For example, '(department=IT)'

    Group name attribute
    The group attribute that contains the group name. A typical value for this is 'cn' or 'member'.

    Static member attribute
    The group attribute whose values are the group's members. Typical values are 'member' or 'memberUid'. Groups list user members with values of groupMappingAttribute.

    Nested groups
    Controls whether IOP expands nested groups using the 'memberof' extension. Only check this if you have nested groups and the 'memberof' extension on your LDAP server.
    mceclip2.pngDynamic group settings

    Dynamic member attribute
    The dynamic group attribute that contains the LDAP URL used to find members. This setting is required to configure dynamic groups. A typical value is 'memberURL'.

    Dynamic group search filter
    The LDAP search filter used to retrieve dynamic groups (optional). For example, '(objectclass=groupOfURLs)'

     Advanced settings

    Checkbox:  Enable referrals with anonymous bind only
    Most of our customers do not enable this option. IOP can use referrals with anonymous bind only but you must also have anonymous search enabled on your LDAP server. Turn this off if you have no need for referrals.

    Search request size limit
    Sets the maximum number of entries requested by LDAP searches. The number actually returned is subject to the limit imposed by the LDAP server.

    Search request time limit
    The maximum time limit in seconds to wait for LDAP searches to complete. This should be less than the UI timeout of 30s.

    Network socket timeout
    The maximum amount of seconds to wait on a connection to the LDAP server without activity. As a connection could be a search, this must be greater than the search time limit. Enter -1 for an infinite timeout.
    mceclip3.png

  • Black Screen when launching on-premises console

    The Issue:
    You launch the ControlUp Console and get a black screen. 
    After you wait the console opens empty without your configuration.image025.jpgThe Cause:
    In the license you have specific number of admins allowed. Look in the license, under - QuantityDuring the installation you defined AD Group for Authorized Users - who can login to ControlUp Console.
    The number of users in the group is more than the number in the license file. You might have nested a group in the ControlUp AD Group, and in that group you have more users than defined in the license. 

    The Solution:
    Please make sure in the ControlUp Authorized AD Group, you define the same number of users defined in the license file under Quantity (of ControlUp admins).

     

  • ControlUp has detected...Using an on-premises Installation Error

    Issue Description:

    User is able to log in to ControlUp Console but receives the error - "ControlUp has detected that your environment is using an on-premises Installation"ControlUp1.PNGControlUp2.PNG

    The Reason:
    Your organization has installed the ControlUp on-premises server. Once the license is requested, the environment is set to use the on-premises deployment and not the cloud.

    When a user tries to launch a cloud console from the on-premises domain, the cloud console gets rejected.

    The Solution:
    Install the on-premises console and not the cloud console. The on-premises console is part of the on-premises installation package. If you do not have the on-premises console installer, please contact support to have the latest console. 

    If you have installed the console and it still attempts to connect as a cloud console, please go to KEY_LOCAL_MACHINE\Software\Smart-X\ControlUp\PrivateCloud and Set Dword IsUsingPrivateCloud to 1.

     

  • Changing The Location & Size of IOP Database

    By default, the Insights On-Premises (IOP) data base is limited to 500GB and once you reach that size, the data is overwritten.
    Please note that if you have less than 5 GB on the drive storing the data base, Indexing and some other functionalities will be stopped as well.
    Here are the steps on how to change the location of the data base:

    1. Go into the Insights server and stop the service "Splunkd.exe" 
    2. Go to:   (location may change if installed on different location)
      C:\Program Files\Smart-X\ControlUp Insights\var\lib\
    3. Copy the entire 'Splunk' folder to the new location (for example.. D\E drive..)
      The new location it will be like this: 
    4. After coping the folder was done, go to
      C:\Program Files\Smart-X\ControlUp Insights\etc
      • Open "splunk-launch.conf" via Notepad
      • Where it says: "#SPLUNK_DB=" take down the pound sign (#)
      • Add the new location of the Splunk folder. E.g from the image below: SPLUNK_DB=E:\CUIOP_db\splunk
    5. Run via CMD as administrator:  
      "C:\Program Files\Smart-X\ControlUp Insights\bin\splunk" start
    6. All should show "Done" and in the end for the process starting you'll see:
      (with your server name)
    7. Once the service is up and running, you can run some reports in Insights, see it's all working.

    Please note that the splunk folder in the old location may be recreated. It may contain a few small files. This is expected and not an issue. The new location will be used to read and write the vast majority of data from. 
    In order to change the database size, log into your Insights and go to Admin > Settings > Index Management and select 'Set max size' for the 'cuiop' DB. 
    mceclip0.png

    If you're selecting smaller size then the existing size, Insights will automatically adjust.

  • SQL Express Setup for On-Premises Mode

    In case you deploy SQL express for on-premises solution, be sure to enable the TCP/IP protocol in the SQL Configuration Manager.

    By default the TCP\IP is disabled and also does not have any port assigned.

    Once you enable the protocol, restart the SQL express service and then in the TCP/IP properties you will see the port number, before the restart the port is zero.After finishing the protocol and port setup, continue with the On-Premises installation wizard.

  • Authorization Failed (On-Premises Login Issue)

    The Issue:

    You cannot login to ControlUp Real Time Console in an On-Premises mode
    environment. The message you receive is - "Authorization Failed"

    The Solution:

    It appeared that the password for the two service accounts that needed to run the ControlUp services were expired. So, AD was not letting them to run the services. 
    You can verify if this is indeed the case, if you try to restart the ControlUp services and they do not start back - 

    1. ControlUp Incidents
    2. ControlUp-LDS or ADAM_ControlUp-LDS

    To receive more details about the failure, you can look at the login log which is located on the On-Premises server in C:\Program Files\Smart-X\ControlUp Server\Websites\UserManagementService\7_WS\user management.log 

    If the following errors appear in the user management log:
    ERROR|Error in BaseResponse. |UserManagement.Exceptions.UserManagementException: Failed to bind to organization permissions group 'AD Group Name'It means the issue could be with the AD group you assigned as the group for users who can login to ControlUp Console:

    • The AD group and SID needs to match in the server settings file, located here - "C:\Program Files\Smart-X\ControlUp Server\Server Settings\ControlUpServerSettings.xml"
    • The group needs to be a Security Global group.
    • Application Pools - Verify all application pools are running and do IISReset on the On-Premise server.
    • In 7.1 & 7.2 it could be a license issue (IOP Allowed - Yes/No).

    How do I get the SID? click here (external link) for additional information.

  • On-Premises Script Error - "The Primary File...model database"

    The issue:

    Error message: "The primary file must be at least X MB to accommodate a copy of the model database" (1024 in this example, it depends on the environment setup)

    The Reason:

    When DB is created it uses the Model DB as template, the model DB is a built in system database in SQL.
    In our ControlUp On-Premises data base creation script, we use:
    DECLARE @dbDataFileSize VARCHAR(10) = 502017-02-23_1417.png The Resolution:
    Please right click the Model DB and go to properties -> Files and check the initial size (MB) Model-DB-SS.JPGThen edit the SQL script the On-Premises wizard created, Line 30, edit the value and change it from 50, in this example as you see the Initial size is 128MB, so in the script change it to 129MB, and that will resolve the issue.

  • The Incidents Pane Is Currently Offline (On-Premises Mode)

    The Issue:
    The Incidents pane is not available and seem to be offline.
    ErrorConnetingtoDB.png
    The Cause:
    There is a connection issue between the On-Premises application server and the SQL server storing the ControlUp data base.

    The Solution:
    1. Check if the ControlUp Incidents service is up and running
    2. Test the connection between the On-Premises server and the SQL server, using the ODBC utility.
    3. Open the regedit.exe on the On-Premises server and check the SQLConnectionString. The string is encrypted and in order to decrypt it, please contact support@controlup.com in order to receive the decryptor utility.

  • On-Premises Troubleshooting - Handshake Service Error

    The Issue:

    During first log in to the On-Premises ControlUp Real-Time Console you receive an error - "An error occurred while getting the user management service URL..."

    The Cause:

    The console tries to connect to the on-premises server, specifically to the IIS and fails.
    The core of the on-premises server is based on the IIS internal site we add during the on-premises server installation and if the IIS is not available, you will not be able to log in.

    The Solution:

    The main issue here is that the IIS application pools were not defined correctly with the service account (you chose during the installation wizard of the on-premises application server) or ControlUp certificate is not bind correctly.
    During the on-premises installation, the IIS role is added and both the binding of the site and the application pools identity property, are defined during the installation wizard.

    In order to troubleshoot the issue and verify the configuration is correct, please follow these steps:
    1. When you have an issue to login, you can refer to the relevant log file, in order to understand better the issue, the log file is located in the service folder, on the on-premises server, under c:\program files\smat-x\controlup server\webapps
    UsermanagementService folder or HandshakeService folders will notify you if there is a login issue.
    Other services - IncidentsReporterService and IncidentsViewerService are responsible to read and write incidents to and from the ControlUp database. If you have a SQL connection issue, you will see the error in those logs.2. Make sure the ControlUp services are running as expected and the "log On As" property is defined with the correct service account (same service account you defined during the installation)3. Please open the IIS manager (go to start->run and type Inetmgr)

    Check under the application pools, the identity configuration, it should show the service account you defined during the on-premises application server installation wizard. 2017-03-20_1707.png4. Check the binding of the Controlup site, see below screenshot - 

    Focus on the Controlup site, click on Binding -> Edit5. To check the license and settings files, go to the on-premises server, under c:\program files\smart-x\controlup server\server settings (for more information regarding license troubleshooting, refer to the article - Your windows user is not authorized to use controlup

    ** If any of the details above did not help or you see a difference between your configuration and the configuration presented in the article, and you do not know how to fix it, please contact our support at support@controlup.com 

  • On-Premises - Service Unavailable (503)

    The Issue: 

    You try to launch the console and receive the following error:2018-01-18_1432.png

    The Cause:
    The IIS application pools are not available.2018-01-18_1433.pngThe Solution: 

    It happens that the service account's (used during the on-premises installation) password change (e.g every 3 months policy).
    When the service account's password change the application pool cannot be started.
    To resolve the issue you need to change the password for each application pool, and then restart the IIS service, for example:2018-01-18_1435.png

    There are cases where you will need to add the service account to the  Performance Log Users local group of the ControlUp Server On-Premises, in order for the service account to be able to start the application code.

  • On-Premises daily quota data base update

    The Issue:
    Each ControlUp customer receive a daily quota of 1000 incidents per day.
    In case you crossed the quota, you will notice a red message in the Incidents pane, telling you that you have crossed the daily limit of incidents. 

    The Solution:

    Online customers should follow this article to resolve the issue - Exceed the daily quota of 1000 incidents
    On-Premises users can update the daily quota limit by themselves.
    In order to update the limit, please open the SQL studio on the ControlUp database server and run the following script:


    Use ControlUpDB
    go
    UPDATE IncidentOrganizations
    SET MaxIncidentsPerDay = 100000, PenaltyDateUtc = NULL
    WHERE OrganizationId ='e5abf1de-4d91-4357-8c68-e6e99aae5802'
    go

    Another option is to manually update the limit in the SQL studio as presented in the following screenshot:

  • Master Service is disconnected

    The Issue:
    During the installation of the ControlUp Monitor you receive an error - "Master Service is disconnected"The installation of the ControlUp Monitor is finished but the error can be viewed in the status tab.The Cause:
    There is a connection issue to the SQL server and\or the ControlUp database. 

    The Solution:
    First, make sure you have followed the installation guide and installed or updated the ControlUp data base correctly.
    Second step we recommend on doing is to test the connection between the On-Premises server and the SQL server, using the ODBC utility (Windows Control panel -> administrative tools).
    Second step would be to check the SQL connection details either via the on-premises installer or in the registry of the On-premises server.
    To check the connection details you can either run the on-premises application wizard in upgrade\repair mode, and then go over the connection details, or open the regedit.exe on the On-Premises server and check the SQLConnectionString. The string is encrypted and in order to decrypt it, please contact support@controlup.com in order to receive the decryptor utility. 

  • How to copy and create a Script Based Action (SBAs for On-Premises customers)

    ControlUp On-premises customers cannot import a new released script based action at the moment and because of that, they need to copy the script from our website and create their own new script locally.
    To achieve that, please follow these steps:

    1. Copy the script code you like from our website, click here to reach our scripts library
    2. In the Controlup Real Time Console, go to the script based actions and click on create new script. You can create a new script from the Organizational Actions or My Draft Actions tabs

    1.png

    1. Give the new script a name and then make sure you define the correct type of resource, execution context, and security context you like to use. 
    2. In the script page, paste the script you have copied from our site library (Step 1)
    3. In the arguments page use the arguments needed for the script to run successfully.
    4. Once the script is ready, click on Finalize and you are good to go. 

    Note: If you are not sure which settings or arguments should be used, please contact support@controlup.com and we will help you with screenshots, what needs to be defined in the different fields.

  • On-Premises Insights (IOP 3.X) - SSL

    The default installation does not include SSL.

    However, implementing SSL is relatively simple and recommended.

    Please follow the following steps:

    Secure the Web with your own certificate

    This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

    Note: IOP currently does not support password-protected private keys. You should remove the password from your key before configuring IOP for the certificate.

    Before you begin: Copy your certificates to a new folder

    Copy the server certificate to $IOP_HOME/etc/auth/splunkweb or to your own certificate repository in $IOP_HOME/etc/auth.

    In the following example our web certificate is called myIOPCertificate.pem and our private key is called myIOPPrivateKey.key:

    *nix:

    # cp $IOP_HOME/etc/auth/mycerts/myIOPCertificate.pem $IOP_HOME/etc/auth/mycerts/myIOPPrivateKey.key $IOP_HOME/etc/auth/splunkweb

    Windows:

    copy $IOP_HOME\etc\auth\mycerts\myIOPCertificate.pem $IOP_HOME\etc\auth\splunkweb\
    
    copy $IOP_HOME\etc\auth\mycerts\myIOPPrivateKey.key $IOP_HOME\etc\auth\splunkweb\

    Note: Do not overwrite or delete the existing certificates located in $IOP_HOME/etc/auth/splunkweb/. The certificates at this location are automatically generated upon startup, meaning that any changes you make will be overwritten at startup. Instead, in the next steps, we will rewrite the relevant configuration file to point to your new certificate location.

    Configure IOP to use the key and certificate files

    Note: IOP does not support passwords for private keys, so you must remove the password from the key before using the key to secure Web.

    1. In $IOP_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings]stanza. The file
    paths can be set either using relative or absolute paths. Both of the following examples are
    equivalent if $IOP_HOME is set to d:/myroot/home.

    The following is an example of an edited settings stanza using a path relative to
    $IOP_HOME:

    [settings]
    # Example of using path relative to $IOP_HOME
    enableSplunkWebSSL = true
    privKeyPath = etc/auth/mycerts/mySplunkWebPrivateKey.key
    serverCert = etc/auth/mycerts/mySplunkWebCertificate.pem

    The following is an example of an edited settings stanza using a path relative to
    $IOP_HOME:

    [settings]
    # Example of using absolute path
    enableSplunkWebSSL = true
    privKeyPath = d:/myroot/home/etc/auth/mycerts/mySplunkWebPrivateKey.key
    serverCert = d:/myroot/home/etc/auth/mycerts/mySplunkWebCertificate.pem

    2. Restart The service: # $IOP_HOME/bin/splunk restart splunk service

    3. To change the Console URL to open as https (instead of http) please go to the On-Prem server > Open the regedit.exe

    Change the UseSSL to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Smart-X\ControlUpServer\IOP

     

    If you encounter any issue or question, please let us know at support@controlup.com

  • On-Premises Server Installation Fails - "Invalid digital signature"

    The Issue:
    The installation of the on-premises server fails due to invalid digital signature (cab1.cab) The Reason:
    The on-premises server is missing the Digicert Root CA certificate or if you do not have Internet access, or have a restrictive firewall or proxy, setup may be failing to verify the signature because it cannot access the online certificate revocation list (CRL).
    As you can see below screenshot shows our installer is signed and our certificate is signed by Digicert. If you do not have the root certificate you will notice red x.2017-07-25_1026.pngThe Solution:
    In order to resolve the missing certificate issue, please open the certificates manager (you can launch it from Run -> certmgr.msc).
    Import the Digicert root ca certificate, it is attached to this article, in case you need it (DigiCert.pfx), password: Qa123456. For more information about a second workaround, checking the CRL settings, please review this blog article  

  • Communication Ports Used by ControlUp: On-Premises Mode

    CU_On-PremisesSOLVE.jpg

    From the On-premises Server/Application

    Destination Type Port Protocol Details
    SQL Instance TCP 1433 ms-sql-s Application to SQL communication

    From the Console

    Destination Type Port Protocol Details
    Citrix XenDesktop Controllers TCP 80 HTTP Communication with XenDesktop Infrastructure
    Citrix XenServer Pool Master/Hosts TCP 80 HTTP Communication with XenServer Infrastructure (and RRD communication)
    ControlUp Agent TCP 40705 WCF Console to agent communication via the WCF protocol
    ControlUp Agent TCP 135 - 139, 445 RPC / WMI Agent deployment and upgrades via the console Certain OOB actions, such as restarting the agent
    ControlUp Monitor TCP 40706   Agent deployment and upgrades via the console Certain OOB actions, such as restarting the agent
    ControlUp Monitor TCP 135 - 139, 445 RPC / WMI ControlUp Console - Monitor management port
    ControlUp On-premises Server TCP 443 HTTPS Communication with ControlUp On-Premises Server web services
    Domain Controllers TCP 389 LDAP LDAP communication with Domain Controllers. Used for: Initial Login, Adding new Computers, Adding new AD connections
    NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
    Nutanix/AHV TCP 9440   Communication with Nutanix Infrastructure
    VMware Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
    VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure
    *.cloud.com TCP 443 HTTPS Communication with Citrix Cloud
    Linux Client TCP 22 SSH Communication with Linux Machine

    From the Monitor

    Destination Type Port Protocol Details
    Citrix XenDesktop Controllers TCP 80 HTTP Communication with XenDesktop Infrastructure
    Citrix XenServer Pool Master/Hosts TCP 80 HTTP Communication with XenServer Infrastructure (and RRD communication)
    ControlUp Agent TCP 40705 WCF Console to agent communication via the WCF protocol
    ControlUp Agent TCP 135 - 139, 445 RPC / WMI Only used for agent deployment via the monitor
    ControlUp On-premises Server TCP 443 HTTPS Communication with ControlUp On-premises Server web services
    Domain Controllers TCP 389 LDAP LDAP communication with Domain Controllers. Used for: Initial Login, Adding new Computers, Adding new AD connections
    IOP Appliance (standalone) TCP 443/9997/8089/9887   For sending historical data and monitor statistics to the IOP appliance(s)
    IOP Data Node TCP 9997   Sending data to Insights
    NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
    Nutanix/AHV TCP 9440   Communication with Nutanix Infrastructure
    SMTP Server TCP 25 SMTP Email Alerts
    VMware Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
    VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure
    *.cloud.com TCP 443 HTTPS Communication with Citrix Cloud
    Linux Client TCP 22 SSH Communication with Linux Machine
    Solve Server TCP 443 HTTPS Communication with Solve

    From the Data Collector

    Destination Type Port Protocol Details
    Citrix XenDesktop Controllers TCP 80 HTTP Communication with XenDesktop Infrastructure
    Citrix XenServer Pool Master/Hosts TCP 80 HTTP Communication with XenServer Infrastructure (and RRD communication)
    NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
    Nutanix/AHV TCP 9440   Communication with Nutanix Infrastructure
    VMware Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
    VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure
    *.cloud.com TCP 443 HTTPS Communication with Citrix Cloud
    Linux Client TCP 22 SSH Communication with Linux Machine

    From the IOP Master Node

    Destination Type Port Protocol Details
    Domain Controllers TCP 389/636 LDAP(S) LDAP communication with Domain Controllers. Used for: Initial Login, Adding new Computers, Adding new AD connections
    IOP Data Node TCP 8089   Cluster Communication
    SMTP Server TCP 25 SMTP  

    From the IOP Data Node

    Destination Type Port Protocol Details
    IOP Data Node TCP 9887   Data Replication
    IOP Data Node TCP 8089   Cluster Communication
    IOP Master Node TCP 8089   Cluster Communication

    From the Solve Server

    Destination Type Port Protocol Details
    ControlUp Monitor TCP 443 HTTPS Solve connection to ControlUp Monitor
Powered by Zendesk