Index

Hardware requirement:

ACE requires following for deployment and usage:


Recommended Configurations for optimum results are,

• Hardware: 2 core CPU, 8 GB memory
• Storage: 100 GB free


Operating-system requirement:

Currently ACE endpoint installer is only supported on Ubuntu Server 18.04 LTS

  • We recommend you to download latest ISO available for Ubuntu 18.04 LTS from release page
  • Here is a direct link to download ISO -> Download ISO link.

Important Note! Clients have to ensure ACE endpoint system remain compliant for applicable compliance program (e.g. applying system patches, Antivirus, system hardening etc.)


Does ACE support Internet proxy?

During installation: Yes, Can be installed using Internet proxy. HTTP/HTTPS outbound traffic (All) is required to be allowed during installation to ensure all dependencies are installed.

After installation/Application run: No, User shall need to provide direct access to ControlCase API’s as mentioned below in “Network Requirements”. Following are the steps,
1. Remove proxy after installation (if enabled).
2. Whitelist https://cs-dist.controlcase.com/ and https://cs-api.controlcase.com/ on TCP Port 443 on firewall for direct access from ACE machine.


Networking Requirement

Following is the Architecture for ACE Endpoint.

A) ACE to Host Machines

You will need to open firewall ports between ACE installed instance and target destinations.

Source IPSource PortTarget Destination IPTarget Destination PortDescription
ACE InstanceANY(To be scanned instances)445Windows target instances
ACE InstanceANY(To be scanned instances)22Linux target instances
ACE Instance ANY (To be scanned instances) 1521Oracle database
ACE Instance ANY (To be scanned instances) 1433MSSQL database
ACE Instance ANY (To be scanned instances) 3306MySQL database

*Note: Database ports mentioned above are default ports. If you are using custom port, open custom port on firewall between ACE instance and target instance.


B)  Access to API’s

You will need to open firewall ports between ACE installed instance and ControlCase API gateway.

  • ACE -> TCP Port 443 on https://cs-api.controlcase.com/ [Required]
  • ACE -> TCP Port 443 on https://cs-dist.controlcase.com/ [Required]
  • ACE -> TCP Port 443 & 80 on ALL (This is temporary access required only during ACE installation to install all the dependencies. Once ACE is installed, you can remove “ALL” access )

C) Your Local Machine or Jump Server to ACE End-Point machine

This permission is required to access ACE End-point application in your internal network.

Source IPSource PortTarget Destination IPTarget Destination PortDescription
User terminal/Jump serverANYACE Instance443To access ACE endpoint UI
User terminal/Jump serverANYACE Instance22To access ACE endpoint for installation


VM Configuration

Login to VM, take sudo using below command

sudo -i

Configure IP: Edit the /etc/netplan/01-netcfg.yaml file

vi /etc/netplan/01-netcfg.yaml

Make following changes to the file

Before:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: yes

After:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: no
      addresses: [<endpoint_lan_ip>/24, ]
      gateway4: <endpoint_gateway_ip>
      nameservers:
        addresses: [<endpoint_nameserver_1>, <endpoint_nameserver_2>]

Write changes to disk and exit

:wq

Apply changes made to netplan

netplan apply

Kindly note, in above configuration follow indentation as per yml standards, or else netplan apply will throw error.


ACE Installation

Check-list Before installation.

  1. VM is ready with Ubuntu 18 OS – (2 core CPU, 8 GB memory and 100 GB storage)
  2. VM has been given access to internet, port 443 (permit All – for installation only, as mentioned in Network Requirement section)

1. Once VM is up & all above configurations are in place.

2. Login to VM over SSH

3. Take sudo control using below command

sudo -i

4. Execute below command to invoke installer

wget -q -O - https://cs-dist.controlcase.com/ace-endpoint.sh | bash

Installation should take a few minutes depending on your internet connection.

Check-list After installation.

  1. VM has been given Outbound 443 access to ControlCase API’s
  2. Machines to be scanned have been given Inbound 445/22 access to ACE VM ( as mentioned in Network Requirement section )

Activating ACE Endpoint

Follow steps mentioned in the link to activate the endpoint. ACTIVATE ACE ENDPOINT


Credential Requirements

  • For Windows, the user should have administrator access
  • For Linux, the user should have sudo access without password prompt.

Some more details on windows permissions.

  • User should have administrative privileges, as it tries to execute some admin privileged command and opens SVCManager.
  • ACE to target Windows Machine should have target port 445 (TCP) communication enabled on each firewall/security group.
  • If Windows Machine has its own firewall running, then please configure inbound and outbound rule over port 445 for communication between ACE and running Windows machine.
  • If any Antivirus or Malware protection is running on target Windows Machine, then please whitelist all activities performed by process communicating over port no 445.
  • psexec copies a psexecsvc file to the admin share and then using remote management starts up a service using that file. It opens up named pipes and uses that for further communication. Please whitelist this as well, mainly psexecsvc executable file.
  • File and Printer sharing should be enabled.