- A Windows virtual machine to install the connection manager. Recommended specs: Windows 2012, 8GB, 4 Core.
- .NET framework version 4.5.2 or higher
- Microsoft Visual C++ 2015 Redistributable package (for Windows CM v4.19.0 and higher) - linked on UpGuard Download Site
- PowerShell (Windows Management Framework) version 3 or higher installed on both the connection manager and the target nodes.
- WinRM to be enabled in your environment. Each target node that you wish to scan agentlessly will need to have port 5985/5986 exposed for the connection manager.
Creating a Connection Manager Group
Connection manager groups help you logically organize connection managers and a connection manager group can include one or more connection managers of the same type.
Connection manager groups should only contain one type of connection manager, either all WinRM or all SSH.
To configure the UpGuard website to communicate with a connection manager click the Discover button on the top toolbar and choose Connection Managers.
Click the Add Group button on the left bar. You will see the following screen:
Give the Connection Manager group a unique name that makes sense to you.
Click the green Add Group button and you will be given an API Key. Copy the key as you will need this during the Windows connection manager installer setup.
To ease with setup and node scanning, it is highly recommended that a Windows connection manager is installed and registered with the UpGuard appliance for each domain in your environment. These connection managers can be a part of the same connection manager group or different groups corresponding to the different domains in your environment.
Connection managers attempting to issue WinRM requests to machines in a different domain will need to have a TrustedHosts rule configured.
Downloading and Installing
- Download and install the latest Windows connection manager to the provisioned virtual machine.
- You will be prompted to choose a Configuration Directory. This is where the service, logs and configuration will live.
- The Target URL is the URL of your UpGuard Web UI instance. For hosted users, this will look like https://you.upguard.com. For on-prem users, this will be the URL of your instance you use to log into UpGuard.
- If you are an on-prem user and have either installed a self-signed certificate, or a certifiacte that
doesn’t have a cert-chain back to a trusted CA, then you can check the Ignore SSL Certificate Warnings
option. All connections between the connection manager and appliance will still be encrypted over HTTPS, however
the connection manager not perform any host verification steps. (Hosted users should always leave this unchecked).
- You will be prompted for a “Group API Key”. Paste in the key generated for you in step 4. “Creating a Connection Manager Group” (see above).
- Click next to continue. The connection manager will proceed with the installation process and will attempt to register against the “Target URL” with the “Group API Key” you provided.
If the connection manager has been successfully installed and registered, you will see the connection manager listed in the connection manager group that you created earlier. This connection manager group can now be used when adding additional nodes to UpGuard. You will also see the UpGuard Service listed in your Services panel.
The connection manager registration process (a step of the installation process) will fail if a self-signed certificate is detected on the UpGuard website (target URL). This is a security mechanism that prevents the connection manager from being vulnerable to man-in-the-middle attacks. Please contact firstname.lastname@example.org to speak to a Customer Success Engineer who can guide you through an alternative installation process. Alternatively, if you feel comfortable that your connection is internal only and you are using a self-signed certificate you can ignore the certificate check - see the Adjusting Settings section below.
To successfully scan remote systems, the UpGuard connection manager service needs to be configured to run as a service user.
- Open the Services management snap-in as an Administrator and locate the UpGuard service in the list.
- Right-click the UpGuard service and select ‘Properties.’
- Switch to the Log On tab.
- Input the credentials for the service user and click ‘OK.’
- Restart the UpGuard service.
Also confirm that the Windows Service is configured to automatically start on reboot. While in the properties tab, under General, make sure the Startup type is set to Automatic.
You can update the UpGuard connection manager by installing a new version right over the top of an existing install.
- Visit our downloads page to obtain the latest installer.
- New versions of the UpGuard connection manager can then be installed in-place.
The UpGuard connection manager can be uninstalled either through “Add/Remove Programs” or via the
“UpGuard Uninstaller” link located in the install directory. By default this is
C:\Program Files (x86)\UpGuard.
Adjusting Settings When Adding Connection Managers via Command Line
You can adjust the Settings for Connection Managers via appending the following to
upguard -r --target_url=<URL> --api_key=<KEY>
Enable Debug Mode
Disable Debug Mode
Change Timeout Settings when Adding New CMs
30 seconds is the default timeout; change number to the desired amount in seconds.
Ignore SSL Certificate Check
You might see the following error message during Agent or Connection Manager installation if you are using a self-signed certificate or your UpGuard instance’s certificate chain back to a trusted CA isn’t configured correctly:
Error SSL certificate could not be trusted: RemoteCertificateChainErrors
You can ignore this cert check by adding this command line option: