Registering multiple Connection Managers within the same Connection Manager Group helps spread the load of node scanning. This guide walks through how to create a Windows CM Group with multiple Connection Managers.


Registering multiple Connection Managers within the same Connection Manager Group is a great way to spread the load when it comes to scanning a large number of nodes. This guide walks through some of the design considerations behind having multiple CMs within the one group as opposed to having multiple groups, each with a single Connection Manager. The guide then goes on to provide step-by-step instructions on setting up a multi-CM group.

Design Considerations

All agentless nodes are assigned to exactly one Connection Manager Group. A Group can contain one of more Connection Managers (CMs). Therefore, if you have multiple CMs within a group, then any one of them can be selected to perform a node scan, and the CM could be different each time a scan is requested.

If you have slighly different network topologies or zones among your Windows nodes then it might be better to have separate Connection Manager Groups for each of these zones, each with a single Connection Manager registered.

When the first Windows Connection Manager is registered into a Group it generates a public/private key pair. It keeps the private key locally with the Connection Manager and sends the public key to the appliance during registration. Any sensitive pieces of data required later for a node scan (for example login passwords) are encrypted at the appliance and can only be decrypted by this particular connection manager - since it is the only holder of the associated private key.

An important item to note here is that, since the first Connection Manager to register into a group generates the private key, all subsequent Connection Managers registered into this group will need to have a copy of the private key manually copied over to their configuration directories so that they can function as a homogenous member of the same Connection Manager Group. Please see steps below.

If you misplace the private key generated and stored with the first Connection Manager and you have not saved a backup with a peer Connection Manager in the same group, then a new Connection Manager Group will need to be created. This way we can register a new “first” Connection Manager into the group to generate the private key and then manually copy this new key to the other peer Connection Managers.

How to set up multiple Windows Connection Managers in the same Group

Follow normal installation instructions found with our guide on the Windows Connection Manager for the first Connection Manager. This includes creating a fresh Connection Manager Group and noting down the Group’s API Key. After installation, the UpGuard configuration directory should contain a file called ssh_agent.priv. Please remember where this file is.


Proceed using the same steps above to register a subsequent Connection Manager into the Group. This will involve the same exe file and the same “Group API Key”. The Connection Manager will also appear in the Discover > Connection Managers interface in the appliance after installation and registration.

The last step requires you to manually copy the ssh_agent.priv file from the first Connection Manager’s configuration folder to the subsequent Connection Manager’s configuration folder. If you register a third and fourth Connection Manager in the same group you will need to repeat the same process.