

Hardware requirement:

ACE requires the following for deployment and usage.

Minimum system specifications: 2 core CPU, 4 GB memory & 100 GB storage

Recommended configurations for optimum results:

• B2ms (recommended for small environments: fewer than 200 machines to be scanned)
• B4ms (recommended for medium to large environments: more than 200 machines to be scanned)


Operating-system requirement:

Currently, the ACE endpoint installer is supported only on Ubuntu Server 18.04 LTS. You can select the Ubuntu operating system while launching an instance, or you can choose an available AMI from Azure Marketplace.

While deploying the VM, make sure Identity is set to On; otherwise the IAM Role assignment will not work as expected.

Important Note! Clients must ensure that the ACE endpoint system remains compliant with the applicable compliance program (e.g. applying system patches, antivirus, system hardening etc.).


Does ACE support Internet proxy?

During installation: Yes, ACE can be installed through an Internet proxy. All outbound HTTP/HTTPS traffic must be allowed during installation so that all dependencies can be installed.

After installation / while the application runs: No. The user needs to provide direct access to the ControlCase APIs as listed below in “Network Requirements”. The steps are:
1. Remove proxy after installation (if enabled).
2. Whitelist https://cs-dist.controlcase.com/ and https://cs-api.controlcase.com/ on TCP Port 443 on firewall for direct access from ACE machine.


Networking Requirement

Following is the Architecture for ACE Endpoint.

A) ACE to Host Machines

You will need to open firewall ports between the ACE instance and the target destinations.

| Source IP | Source Port | Target Destination IP | Target Destination Port | Description |
|---|---|---|---|---|
| ACE Instance | ANY | (To be scanned instances) | 445 | Windows target instances |
| ACE Instance | ANY | (To be scanned instances) | 22 | Linux target instances |
| ACE Instance | ANY | (To be scanned instances) | 1521 | Oracle database |
| ACE Instance | ANY | (To be scanned instances) | 1433 | MSSQL database |
| ACE Instance | ANY | (To be scanned instances) | 3306 | MySQL database |

*Note: The database ports mentioned above are the default ports. If you are using a custom port, open that custom port on the firewall between the ACE instance and the target instance.


C)  Access to ControlCase gateway and IAM Role

You will need to open firewall ports between the ACE instance and the ControlCase API gateway.

  • ACE -> TCP Port 443 on https://cs-api.controlcase.com/ [Required]
  • ACE -> TCP Port 443 on https://cs-dist.controlcase.com/ [Required]
  • ACE -> TCP Port 443 & 80 on ALL (This is temporary access, required only during ACE installation to install all the dependencies. Once ACE is installed, you can remove the “ALL” access.)

B) Your Local Machine or Jump Server to ACE End-Point machine

This permission is required to access the ACE End-point application in your internal network.

| Source IP | Source Port | Target Destination IP | Target Destination Port | Description |
|---|---|---|---|---|
| User terminal/Jump server | ANY | ACE Instance | 443 | To access ACE endpoint UI |
| User terminal/Jump server | ANY | ACE Instance | 22 | To access ACE endpoint for installation |

Attach IAM Role [Mandatory]

The Contributor role must be assigned to the VM instance at the Subscription level.

Follow the process below to do so.

Search for the subscription in the search bar of the Azure console.

Select Access Control (IAM)

Select Add a role assignment

Final details for Add role assignment

  • Select Role as Contributor.
  • Select Assign access to as Virtual Machine.
  • Subscription should be auto-selected according to your selection in one of the previous screens.
  • Select the ACE VM instance by searching in the 4th box.
  • Click the Save button and the role should be assigned.

ACE Installation

Check-list Before installation.

  1. VM is ready with Ubuntu 18 OS – (2 core CPU, 8 GB memory and 100 GB storage)
  2. VM has been given access to internet, port 443 (permit All – for installation only, as mentioned in Network Requirement section)

1. Make sure the VM (EC2 instance) is up and all of the above configurations are in place.

2. Log in to the VM over SSH.

3. Take sudo control using the command below:

sudo -i

4. Execute the command below to invoke the installer:

wget -q -O - https://cs-dist.controlcase.com/ace-endpoint.sh | bash

Installation should take a few minutes depending on your internet connection.
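
An added example, not part of ControlCase's documented procedure: the same installer fetched to a file and checked against a pinned SHA-256 before it runs as root, instead of being piped straight into bash. The page publishes no checksum, so `EXPECTED_SHA256` is a placeholder you set after reviewing a downloaded copy; the function names are illustrative.

```shell
# Added example: fetch the installer to disk, verify it, then run it.
INSTALLER_URL="https://cs-dist.controlcase.com/ace-endpoint.sh"  # from step 4
# Placeholder (assumption): the page publishes no checksum. Set this to the
# digest of a copy you have downloaded and reviewed yourself.
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_REVIEWED_SHA256}"

# sha256_of FILE: print the file's SHA-256 as lowercase hex.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_installer FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on empty/missing file,
# 3 when EXPECTED is not a 64-character hex digest (e.g. the placeholder).
verify_installer() {
    vi_file=$1; vi_want=$2
    [ -s "$vi_file" ] || { echo "empty or missing download: $vi_file" >&2; return 2; }
    case "$vi_want" in
        ""|*[!0-9a-fA-F]*) echo "expected digest is not hex" >&2; return 3 ;;
    esac
    [ "${#vi_want}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 3; }
    vi_want=$(printf '%s' "$vi_want" | tr 'A-F' 'a-f')
    vi_got=$(sha256_of "$vi_file")
    [ "$vi_got" = "$vi_want" ] || { echo "digest mismatch, got $vi_got" >&2; return 1; }
}

# fetch_and_install: download to a file instead of a pipe, so a truncated or
# altered script is rejected before any of it runs as root.
fetch_and_install() {
    fi_tmp=$(mktemp /tmp/ace-endpoint.XXXXXX) || return 1
    wget -q -O "$fi_tmp" "$INSTALLER_URL" || { echo "download failed" >&2; return 1; }
    if verify_installer "$fi_tmp" "$EXPECTED_SHA256"; then
        bash "$fi_tmp"
    else
        echo "not executed; copy kept for review at $fi_tmp" >&2
        return 1
    fi
}

# Runs only when called with --install; otherwise the file just defines the functions.
if [ "${1:-}" = "--install" ]; then fetch_and_install; fi
```

Saved to a file, it is run from the root shell of step 3 with `EXPECTED_SHA256` set in the environment and `--install` as the only argument.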

Check-list After installation.

  1. The VM has been given outbound 443 access to the ControlCase APIs.
  2. Machines to be scanned allow inbound 445/22 access from the ACE VM (as mentioned in Network Requirement section).

Activating ACE Endpoint

Follow the steps mentioned in the link to activate the endpoint: ACTIVATE ACE ENDPOINT


Credential Requirements

  • For Windows, the user should have administrator access.
  • For Linux, the user should have sudo access without a password prompt.

Some more details on Windows permissions:

  • The user should have administrative privileges, as ACE tries to execute some admin-privileged commands and opens SVCManager.
  • Communication from ACE to the target Windows machine on target port 445 (TCP) should be enabled on each firewall/security group.
  • If the Windows machine has its own firewall running, please configure inbound and outbound rules on port 445 for communication between ACE and the running Windows machine.
  • If any antivirus or malware protection is running on the target Windows machine, please whitelist all activities performed by the process communicating over port 445.
  • psexec copies a psexecsvc file to the admin share and then, using remote management, starts up a service using that file. It opens named pipes and uses them for further communication. Please whitelist this as well, mainly the psexecsvc executable file.
  • File and Printer sharing should be enabled.