Prerequisites for Custom Installation

This topic describes the prerequisites required for a Custom Installation.

It is critical that you complete all the prerequisites. If you do not complete this list, even if you miss only a few items, ObserveIT may fail to deploy or you may have performance problems (some of which may be discovered only after going to production, when data has accumulated). In addition, this could result in permission and other issues.

For more information about Custom Installation, see Custom Installation Steps.

ObserveIT General Prerequisites

Make sure you are set up with:

  • System Requirements: Describes the minimum system requirements for each ObserveIT component

  • Supported Platforms: Describes the supported Windows, Mac and Unix/Linux platforms on which you can install the following ObserveIT components

Active Directory

  • All ObserveIT back-end components must be members of the same Active Directory domain.

  • Document and configure proper AD-related network traffic in case there are network or firewall restrictions between any back-end components and/or to Active Directory domain controllers.

    When one or more Application Servers are in a DMZ without access to AD DCs, consider using RODCs for the DMZ.

  • Create an Active Directory-based Service Account for ObserveIT (for example "OITService") with the following properties:

    • Member of the default domain group, no additional permissions on domain level

    • Password set to never expire

  • Create an Active Directory-based data retention account for ObserveIT (for example "OITDataDel") with the following properties:

    • Member of the default domain group, no additional permissions on domain level

    • Password set to never expire

    In cases where AD domain membership cannot be achieved (such as when one or more Application Servers are in a DMZ without access to AD) - it may be possible to use local accounts and the built-in application account that is created during installation.
    Reach out to PS/Support for detailed instructions.

SQL Server

Machine configuration

The SQL server must be installed on a supported platform. (See Supported Platforms.)

Make sure the machine has the following disk configuration:

  • The disk volumes / LUNs are located on storage providing the required disk IOPS

  • Each disk volume / LUN is formatted with NTFS file system using 64KB block size

  • Make sure File and Object Access auditing is NOT enabled on any of the disks

  • Make sure any Anti-Virus software that is installed on this machine is configured to exclude the DB and log files from scanning

  • For the ObserveIT databases:

    • A separate disk volume / LUN for each CPU core available

  • For the ObserveIT database logs:

    • A separate disk volume / LUN for database transaction logs

  • For the tempdb database:

    • A separate disk volume / LUN for tempdb database files

    For best performance, allocate multiple MDF files, one per each CPU core available up to a total of 8, and place on multiple disks / LUNs.
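
An added volume check (not an ObserveIT tool) that covers the SQL Server disks listed above and the image-storage tiers described in the file server section further down: it confirms NTFS, the allocation unit size required for each role, that indexing is off, and that no File/Object Access audit entries exist on the root. Drive letters are placeholders; run it elevated on the machine that owns the volumes.

```powershell
# Added check (not an ObserveIT tool): confirms each volume in $Expected is NTFS, uses the
# allocation unit size required for its role, has indexing disabled and carries no audit
# (SACL) entries on its root. Run elevated on the machine that owns the volumes.
$Expected = @(
    @{ Drive = 'E'; Role = 'SQL data files';          Unit = 64KB }   # placeholder drive letters
    @{ Drive = 'L'; Role = 'SQL transaction logs';    Unit = 64KB }
    @{ Drive = 'T'; Role = 'SQL tempdb';              Unit = 64KB }
    @{ Drive = 'H'; Role = 'Image storage - Hot';     Unit = 4KB  }   # Hot tier uses 4KB blocks
    @{ Drive = 'W'; Role = 'Image storage - Warm';    Unit = 64KB }
    @{ Drive = 'R'; Role = 'Image storage - Archive'; Unit = 64KB }
)

function Test-OITVolume {
    param([string]$Drive, [string]$Role, [int]$Unit)
    $vol  = Get-Volume -DriveLetter $Drive -ErrorAction Stop
    # Win32_Volume exposes the "allow contents to be indexed" flag that Get-Volume does not
    $wmi  = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$($Drive):'"
    # -Audit reads the SACL; any entry here means File/Object Access auditing is active on the root
    $sacl = (Get-Acl -Path "$($Drive):\" -Audit).Audit
    [pscustomobject]@{
        Drive          = "$($Drive):"
        Role           = $Role
        NTFS           = ($vol.FileSystem -eq 'NTFS')
        BlockSize      = $vol.AllocationUnitSize
        BlockSizeOK    = ($vol.AllocationUnitSize -eq $Unit)
        IndexingOff    = (-not $wmi.IndexingEnabled)
        NoAuditEntries = ($sacl.Count -eq 0)
    }
}

# One result row per expected volume; any $false value is a prerequisite that still needs fixing
$Expected | ForEach-Object { $e = $_; Test-OITVolume @e } | Format-Table -AutoSize
```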

SQL Server configuration

Make sure the SQL server is a supported version and edition. (See Database Server in Supported Platforms.)

Configure the following:

  • SQL Server leaves at least 4 GB of RAM to the Operating System

  • SQL Server is configured to place new databases and log files on non-OS volumes

  • Full Text Search feature is installed

  • SQL Server is in the Windows Authentication mode

  • SQL Server is installed with the Latin1_General_CI_AS collation setting

  • For High Availability / Disaster Recovery, one of the two supported mechanisms is configured:

    Using HA features may require running SQL Enterprise Edition.

    • Windows Clustering
    • SQL Server Always On Availability Group
  • Pre-installation: The ObserveIT Service account is added as a login on the SQL server and is granted the dbcreator role on the SQL server

  • Post installation: The ObserveIT data retention account is added as a login on the SQL Server and is later granted the role_DeleteFromObserveIT role permission on the "ObserveIT" database

    In cases where AD domain membership cannot be achieved, add a SQL Login that is granted SYSADMIN role on the SQL Server.
    Reach out to PS/Support for detailed instructions.

  • Set Auto Update Statistics for ObserveIT to true

  • Set Page_Verify setting for ObserveIT databases to Checksum

  • Set Auto Shrink setting for ObserveIT databases to false

  • If data at rest encryption is required for the SQL databases, the Transparent Data Encryption (TDE) feature is required. This requires SQL Server Enterprise Edition.
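
An added verification script (not part of the ObserveIT installer) that reads the SQL Server settings required above and reports each as pass/fail. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a Windows login with VIEW SERVER STATE, and that the ObserveIT databases share the "ObserveIT" name prefix; the instance and account names are placeholders.

```powershell
# Added verification script (not ObserveIT's): checks the SQL Server prerequisites listed above.
# Assumes the SqlServer module (Invoke-Sqlcmd) and VIEW SERVER STATE. Names are placeholders.
$Instance       = 'SQL01.corp.example'   # placeholder instance
$ServiceAccount = 'CORP\OITService'      # placeholder, mirrors the "OITService" example above

$serverQuery = @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))      AS Collation,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
       CAST(SERVERPROPERTY('IsFullTextInstalled') AS int)      AS FullTextInstalled,
       (SELECT CAST(value_in_use AS bigint) FROM sys.configurations
         WHERE name = 'max server memory (MB)')                AS MaxServerMemoryMB,
       (SELECT total_physical_memory_kb / 1024
          FROM sys.dm_os_sys_memory)                           AS PhysicalMemoryMB,
       (SELECT COUNT(*) FROM sys.server_role_members rm
          JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
          JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
         WHERE r.name = 'dbcreator' AND m.name = '$ServiceAccount') AS ServiceIsDbCreator
"@
# Per-database options; assumes the ObserveIT databases are named with the 'ObserveIT' prefix
$dbQuery = @"
SELECT name, is_auto_update_stats_on, page_verify_option_desc, is_auto_shrink_on
  FROM sys.databases WHERE name LIKE 'ObserveIT%'
"@

$s = Invoke-Sqlcmd -ServerInstance $Instance -Query $serverQuery
$results = @(
    [pscustomobject]@{ Check = 'Collation Latin1_General_CI_AS'; Actual = $s.Collation
                       Pass = ($s.Collation -eq 'Latin1_General_CI_AS') }
    [pscustomobject]@{ Check = 'Windows Authentication mode';    Actual = $s.WindowsAuthOnly
                       Pass = ($s.WindowsAuthOnly -eq 1) }
    [pscustomobject]@{ Check = 'Full Text Search installed';     Actual = $s.FullTextInstalled
                       Pass = ($s.FullTextInstalled -eq 1) }
    # max server memory must leave at least 4 GB to the OS; the default cap (2147483647) fails this
    [pscustomobject]@{ Check = 'At least 4 GB left to the OS';   Actual = "$($s.MaxServerMemoryMB) MB"
                       Pass = ($s.MaxServerMemoryMB -le ($s.PhysicalMemoryMB - 4096)) }
    [pscustomobject]@{ Check = "$ServiceAccount in dbcreator";   Actual = $s.ServiceIsDbCreator
                       Pass = ($s.ServiceIsDbCreator -eq 1) }
)
foreach ($db in Invoke-Sqlcmd -ServerInstance $Instance -Query $dbQuery) {
    $results += [pscustomobject]@{ Check = "$($db.name): auto update statistics"; Actual = $db.is_auto_update_stats_on
                                   Pass = ($db.is_auto_update_stats_on -eq 1) }
    $results += [pscustomobject]@{ Check = "$($db.name): page verify";            Actual = $db.page_verify_option_desc
                                   Pass = ($db.page_verify_option_desc -eq 'CHECKSUM') }
    $results += [pscustomobject]@{ Check = "$($db.name): auto shrink";            Actual = $db.is_auto_shrink_on
                                   Pass = ($db.is_auto_shrink_on -eq 0) }
}
$results | Format-Table Check, Pass, Actual -AutoSize
```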

ObserveIT Back-end Components (Application Server, Web Console, Website Categorization roles)

For each of the Application Server, Web Console, and Web Categorization module machines:

  • Verify System Requirements

  • Verify Supported Platforms

  • .NET Framework 4.7.2 or higher is installed.

  • ObserveIT Service Account is a member of the following local groups:

    • Administrators
    • IIS_IUSRS
  • ObserveIT Service Account has the following rights assigned to it:

    Typically, making the ObserveIT Service Account a member of the local Administrators group should be enough, unless security restrictions were changed from default.

    • Logon as a service
    • Run as a batch job
    • Interactive logon for the duration of the installation or upgrade

    In cases where AD domain membership cannot be achieved, use a local user account that is member of the Administrators and IIS_IUSRS local groups on the machine. This user needs to be configured on the Application Pool(s) in IIS on those machines after installation of the web roles.
    Reach out to PS/Support for detailed instructions.

  • The IIS prerequisites are installed via PowerShell.

    Use the following PowerShell command to install IIS prerequisites:

    Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, WAS, NET-WCF-HTTP-Activation45 -IncludeManagementTools

  • If needed, the Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting is disabled.

File server for image storage

  • Machine hosting the image storage must have the following disks attached to it:

    • For the Hot storage, formatted with NTFS using 4KB block size, located on fastest-tier storage

    • For the Warm storage, formatted with NTFS using 64KB block size, located on medium-tier storage

    • For the Archive storage, formatted with NTFS using 64KB block size, located on low-tier storage

  • Provision 3 CIFS shares on those disks:

    • A share for the Hot storage - for example \\FQDN\OITHot

    • A share for the Warm storage - for example \\FQDN\OITWarm

    • A share for the Archive storage - for example \\FQDN\OITArchive

  • On these 3 folders/shares, grant the following permissions for the ObserveIT Service Account:

    • At least Write share permissions

    • At least Modify security (NTFS) permissions

  • Make sure File and Object Access auditing is NOT enabled on any of the disks.

  • Disable indexing on the drives containing ObserveIT screen capture data.

  • Make sure any Anti-Virus software that is installed on this machine is configured to exclude the disks where the images are stored from scanning.

    In cases where AD domain membership cannot be achieved, use a local user account that has the exact user name and password as the one on the other machines (Application Server and Web Console roles) and assign the permissions listed above.
    Reach out to PS/Support for detailed instructions.
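
An added provisioning script (not from ObserveIT) that creates the three CIFS shares described above and grants the service account only the rights listed: Change (read and write) on the share and Modify on NTFS, with no Everyone entry. Run it elevated on the file server; the paths and the account name are placeholders.

```powershell
# Added provisioning script (not ObserveIT's): creates the Hot/Warm/Archive shares and grants
# the service account Change on the share plus Modify on NTFS. Paths and account are placeholders.
$ServiceAccount = 'CORP\OITService'   # placeholder, mirrors the "OITService" example above
$Shares = @{
    OITHot     = 'H:\OITHot'          # Hot tier, on the 4KB NTFS volume
    OITWarm    = 'W:\OITWarm'         # Warm tier, on a 64KB NTFS volume
    OITArchive = 'R:\OITArchive'      # Archive tier, on a 64KB NTFS volume
}

foreach ($name in $Shares.Keys) {
    $path = $Shares[$name]
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # NTFS: Modify on the folder, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
    $acl  = Get-Acl -Path $path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $ServiceAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Share: Change for the service account only; -ChangeAccess suppresses the default Everyone/Read entry
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $name -Path $path -ChangeAccess $ServiceAccount | Out-Null
    }
}

# Verify the result: share-level entries, then the NTFS entries that apply to the service account
foreach ($name in $Shares.Keys) {
    Get-SmbShareAccess -Name $name | Format-Table Name, AccountName, AccessRight -AutoSize
    (Get-Acl -Path $Shares[$name]).Access |
        Where-Object { $_.IdentityReference -eq $ServiceAccount } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```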

ObserveIT Agents on endpoints

  • ObserveIT Agent must be installed on Supported Platforms

  • ObserveIT Agent machines must support the minimum System Requirements

  • When using the Agent API - local port 5050 is available and unblocked

ObserveIT Agent for Windows

  • ObserveIT Agent machines have .Net Framework 4.7.2 or higher

  • ObserveIT Updater software and Agent software are installed with an account with local administrator permissions, using elevated permissions

ObserveIT Agent for Unix/Linux

  • Make sure required libraries are installed

  • ObserveIT Agent is installed with an account with local root permissions

ObserveIT Agent for macOS

  • ObserveIT Agent is installed with an account with local root permissions.

ObserveIT Agent for Citrix

  • dlmonitor.exe process is added to the system registry according to Citrix KB CTX891671

Network load balancer

The network load balancer has the following configuration for the ObserveIT Application Servers farm:

  • Session persistence is enabled

    The persistence session timeout should be greater than the session timeout (default is 15 minutes)

  • The load balancing mechanism is least connections

  • The load balancer is configured to perform a health check following this URL template:

    • http://{App_Server_FQDN}:4884/ObserveitApplicationServer/v2/apis/health/_health

      Or:

    • https://{App_Server_FQDN}/ObserveitApplicationServer/v2/apis/health/_health

      Expected reply status: 200
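
An added probe (not an ObserveIT tool) that sends the same request the load balancer health check will send to each Application Server, using either URL template above, and reports whether the reply is the expected 200. Server names are placeholders.

```powershell
# Added probe (not ObserveIT's): exercises the health check URL templates above against each
# Application Server and flags anything other than HTTP 200. Server names are placeholders.
function Test-OITAppServerHealth {
    param([string[]]$Servers, [switch]$UseHttps)
    foreach ($fqdn in $Servers) {
        # HTTPS uses the default port; HTTP uses 4884 (braces keep ":4884" out of the variable name)
        $url = if ($UseHttps) { "https://${fqdn}/ObserveitApplicationServer/v2/apis/health/_health" }
               else           { "http://${fqdn}:4884/ObserveitApplicationServer/v2/apis/health/_health" }
        try {
            $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $status = [int]$resp.StatusCode
        } catch {
            # 4xx/5xx replies and connection failures land here; keep the status code if one came back
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        }
        [pscustomobject]@{ Server = $fqdn; Url = $url; StatusCode = $status; Healthy = ($status -eq 200) }
    }
}

Test-OITAppServerHealth -Servers 'oitapp01.corp.example', 'oitapp02.corp.example' -UseHttps |
    Format-Table -AutoSize
```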

DNS and name resolution

  • Create a DNS: A record that points the relevant FQDN to the IP address of the single Application Server, or to the virtual IP (VIP) address of the network load balancer when using multiple Application Servers.

  • To enable DNS auto-discovery for Agents: Create a DNS SRV record that points the "_OITS" resource record to that FQDN, and use TCP 443 (when using HTTPS), or "_OIT" resource record to that FQDN, and use TCP 4884 (when using HTTP).

  • When DNS changes are not possible (due to permissions or other reasons) - use HOSTS files that have the same exact entries and records on ALL the machines that participate in the deployment - specifically on the back-end components.

    This configuration carries significant administrative overhead and should be avoided.

Digital certificates

If data encryption is needed, you must issue one or more digital certificates. The digital certificates must be obtained from one of the following sources:

  • A local trusted Enterprise Certificate Authority (CA)

  • A commercial 3rd-party Certificate Authority (CA) such as GoDaddy, Rapid SSL, Verisign and others

  • Self-signed

All endpoints and back-end components of the ObserveIT deployment must trust the source of the digital certificate.

The following digital certificates must be issued based on the required encryption:

  • Data in transit

    • Agent traffic: Web Server certificate with the machine FQDN as the Common Name and DNS Name for the ObserveIT Application Server machine(s).
    • Admin access to the Web Console: Web Server certificate with the machine FQDN as the Common Name and DNS Name for the ObserveIT Web Console machine(s).
    • SQL traffic: Server Authentication certificate with the machine FQDN as the Common Name and DNS Name for the SQL Server machine(s).

    When using multiple Application Servers and/or multiple Web Consoles you must use a Subject Alternative Names (SAN) certificate that holds the names of all back-end component servers. For example, the certificate must include:

    • The FQDN of the Network Load Balancer VIP
    • The FQDN of each Application Server (App Server #1, App Server #2, App Server #3, etc.)
    • Optional: The NetBIOS name of each Application Server (App Server #1, App Server #2, App Server #3, etc.)
  • Requirements for TLS certificates

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
    • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

    TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

    • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
    • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
    • Using a ".LOCAL" domain name should be avoided.
  • Data at rest

    • SQL Server DBs: A digital certificate issued for the SQL Server computer account, with the server's FQDN as the certificate's Common Name.

    If data at rest encryption is required for the SQL databases, the Transparent Data Encryption (TDE) feature is required. This requires SQL Server Enterprise Edition.

    • Images on the file share: A digital certificate issued for the FILE ENCRYPTING purpose for the File Share computer account, with the server's FQDN as the certificate's Common Name.

    Typically, this certificate is assigned from an internal CA.

  • Mutual authentication

    If using Mutual Authentication for endpoints:

    • On the endpoints install a client certificate with the following value in the DNS Subject Alternative Name: itAuth
    • The load balancer should trust the Certificate Authority issuing the client certificate.
    • The load balancer should trust the digital certificates for the upstream ObserveIT Application Servers.
    • The endpoints should trust the Certificate Authority issuing the digital certificate to the load balancer.
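
An added validation function (not ObserveIT's code) that checks a server certificate against the TLS requirements listed above: RSA key size, SHA-2 signature, DNS names in the SAN (covering every expected name), the id-kp-serverAuth EKU, the 825-day limit for certificates issued after July 1, 2019, and the absence of ".local" names. It relies on the Windows CryptoAPI text rendering of the SAN extension, so it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the thumbprint and names in the example call are placeholders.

```powershell
# Added validation (not ObserveIT's): checks a server certificate against the TLS requirements above.
# Assumes Windows (SAN extension rendered as "DNS Name=host" lines). Placeholders are marked.
function Test-OITTlsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$ExpectedDnsNames   # every FQDN the cert must cover (VIP plus each server)
    )
    # subjectAltName (2.5.29.17): collect the DNS entries only
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @(($san.Format($true) -split "`r?`n") | Where-Object { $_ -match '^DNS Name=' } |
                      ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # extendedKeyUsage (2.5.29.37) must contain id-kp-serverAuth (1.3.6.1.5.5.7.3.1)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
    # RSA key size; a non-RSA key reports 0 because the page states the rule for RSA keys only
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }
    # The 825-day limit applies only to certificates whose NotBefore is after July 1, 2019
    $lifetime   = ($Cert.NotAfter - $Cert.NotBefore).TotalDays
    $validityOk = ($Cert.NotBefore -lt (Get-Date '2019-07-01')) -or ($lifetime -le 825)
    [pscustomobject]@{
        Subject             = $Cert.Subject
        RsaKeyAtLeast2048   = ($keyBits -ge 2048)
        Sha2Signature       = ($Cert.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)')
        DnsNamesInSan       = ($dnsNames.Count -gt 0)
        CoversExpectedNames = -not ($ExpectedDnsNames | Where-Object { $_ -notin $dnsNames })
        ServerAuthEku       = $serverAuth
        ValidityOk          = $validityOk
        LifetimeDays        = [int]$lifetime
        NoDotLocalNames     = -not ($dnsNames | Where-Object { $_ -match '\.local$' })
    }
}

# Example call: the Application Server certificate in the machine store (thumbprint and names are placeholders)
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
Test-OITTlsCertificate -Cert $cert -ExpectedDnsNames 'oit-vip.corp.example', 'oitapp01.corp.example'
```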

Firewall

If there is a firewall blocking network traffic, open the following ports. Same rules apply for the local Windows Firewall, based on the computer’s role in the deployment.

Source | Destination | Protocol | Port | Direction | Notes
------ | ----------- | -------- | ---- | --------- | -----
ObserveIT Agent machines | ObserveIT Application Servers | TCP | 443 | One-way | Encrypted Agent traffic (HTTPS)
ObserveIT administrator workstation | ObserveIT Web Console | TCP | 443 | One-way | Encrypted Web Console access (HTTPS)
ObserveIT Application Servers, ObserveIT Web Console | SQL server | TCP | 1433 | One-way | Database access for ObserveIT components
ObserveIT Application Servers, ObserveIT Web Console | File server | TCP | 445 | One-way | File share access for ObserveIT components (SMB)
ObserveIT Web Console | ObserveIT Application Servers | TCP | 443 | One-way | Health check
ObserveIT Web Console | VIP | TCP | 443 | One-way | Screenshot Storage Optimizer install
ObserveIT Application Servers | ObserveIT Web Categorization module | TCP | 8000 | One-way | ObserveIT Application Server access to the Web Categorization module
ObserveIT Web Categorization module | http://nsv10.netstar-inc.com/, http://dss.netstar-inc.com/ | TCP | 443 | One-way | ObserveIT Web Categorization module access required to update the categories database (HTTPS)
ObserveIT Application Server, ObserveIT Web Console | Active Directory domain controller(s) | TCP | 389, 636 | One-way | ObserveIT user authentication and enumeration against Active Directory (only when using a manual LDAP connection; regular AD domain membership requires the usual traffic between member servers and DCs per Microsoft best practices)
ObserveIT Application Server, ObserveIT Web Console, SQL Server | Active Directory Domain Controllers | TCP | RPC traffic | One-way | This traffic is NOT related to ObserveIT, but is mandatory for regular Windows-based domain membership and is needed when all back-end component machines are members of the same AD domain
File server hosting the screen capture data | ObserveIT Application load balancer, ObserveIT Application server | TCP | 443 | One-way |

SMTP and e-mail

  • The FQDN/IP address and a port for the SMTP relay server

  • If needed, login credentials for an account that has permissions to relay email

Backup

Ensure the following:

  • Make sure there is a full, working backup of the Active Directory

  • Make sure there is a full, working backup of the SQL Server

  • Make sure there is a full, working backup of the ObserveIT Application Server and Web Console machines

  • Make sure there is a full, working backup of the pilot ObserveIT Agent machines

Anti-Virus

  • When using AV/EDR software on the endpoints - exclude the relevant folders/processes from being scanned.

  • When using AV/EDR software on the back-end components machines (Application Servers, Web Console, Website Categorization Module roles) - exclude the relevant folders/processes from being scanned.

  • When using AV/EDR software on the SQL Server - exclude the relevant folders/processes for the DBs/Logs from being scanned.

  • When using AV/EDR software on the CIFS file share - exclude the relevant folders from being scanned.

System, Policy, Processes

If needed, make sure a change ticket has been opened, reviewed by the change board, and approved.

When restricted by freeze periods or other blocking restrictions - make sure changes to the machines and/or recorded endpoints are allowed.

If needed, make sure relevant requests have been made to infrastructure, networking, storage, Active Directory, DBA resources, having them available for the duration of the deployment, and facilitating the need to make changes (such as opening a firewall rule, editing a DNS record etc.).

Typically, a restart is not required for any machines related to ObserveIT. However, if one is needed, make sure you have the right SLA to do so.

Backups are the sole responsibility of the customer. Make sure they exist and have been properly tested.