...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Contents
...
GYTPOL Validator
...
System Requirements for on-Prem installations
Doc: GYT-TEC-003
Date: 29th September 2023
...
Confidential: GYTPOL and approved recipients
...
GYTPOL Limited 2023. All rights reserved. PROPRIETARY AND CONFIDENTIAL.
This document may include reference to technologies that use patents (pending or granted) which are owned by GYTPOL Limited or third parties. The use of such patents shall be subject to express written license terms. You shall not copy, disclose, reproduce, store in a retrieval system, or transmit in any form or by any means whether in whole or in part this document. GYTPOL Limited accepts no liability and offers no warranty in relation to the use of this document, or any technology referenced herein as well as associated intellectual property rights except as it has otherwise agreed in writing.
All trademarks and brands are the property of their respective owners, and their use is subject to license terms.
Easy heading | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Introduction
This document serves the purpose of providing essential system prerequisites and requirements that must be met before initiating the installation process for the GYTPOL Validator product.
Audience
This User Guide is primarily intended for IT system and infrastructure teams responsible for implementing, managing, and maintaining servers and Active Directory within their organizations. It provides clear instructions and explanations suitable for technical users, ensuring that these teams can effectively utilize the software for their specific needs.
Checklist
Before proceeding with the installation of GYTPOL Validator software, it is crucial to verify that all the following requirements are met:
...
Ensure that a web browser is available and compatible for use as the admin interface by end-users of GYTPOL Validator.
Verify that servers and workstations covered by GYTPOL Validator meet the required clientSensor-side specifications.
DNS - Routing to GYTPOL Server:
...
Determine and open the specific ports on both the server and client Sensor sides as required by GYTPOL Validator to facilitate communication and functionality.
...
Find additional help in Detailed Configuration Instructions when required.
System Architecture
...
Server Architecture
...
Server Sizing
Up to 3,000 Devices / PoC
...
Customers managing more than 50,000 devices are advised to contact support@gytpol.com for specialized sizing recommendations.
If you are using the Nutanix hypervisor, please contact support@gytpol.com forfurther guidance and support tailored to your specific setup.
Operating System and Language
A dedicated physical or virtual server is required, running Windows Server 2016 Standard or a later version.
Windows Server language settings (detailed checks are here):
The Windows Server operating system must be set to use the English (United States) language.
The Windows Server language for non-Unicode programs must be set to use the English (United States) language.
Customers who use a separate database server should install SQL Server 2016 Standard or a later version. For detailed instructions on configuring MS SQL, please consult Appendix 1.
Users and Groups
To create a domain user with the specified permissions and ensure the password adheres to the given criteria, follow these steps:
...
By following these steps, you will have created a domain user, set a password that adheres to your criteria, and established a security group for GYTPOL UI access, all in compliance with your requirements.
Permissions
Follow the below table to set the permissions regarding the user and the group (follow hyperlinks for how to’s):
...
Type | Name | Permission set |
AD User | GytpolSvc | Domain level: Member of Domain Group: “Performance Log Users” GYTPOL Server local settings: Local admin on GYTPOL server Logon as a service GPMC permissions |
Server software and general settings
Requirement | How to Verify |
Web Browser supports Chromium | We recommend using the latest version of either MS Chromium Edge or Google Chrome browsers. However, in offline or closed environments, a minimum version of 100 is required. |
.NET 4.7.2 installed (Installed by default on Server 2019) | https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net472-web-installer |
Notepad++ installed (Optional, yet strongly advised to simplify configuration management) | |
The minimum required version of PowerShell is 5.1. (Installed by default on Server 2016 and later) Ensure that the PowerShell script execution policy is not set to "Restricted" in any of its categories. | |
IPv6 disabled (Optional) | |
Configure Windows Firewall inbound ports - or - Turn Windows Firewall OFF (service should be up and running) | |
IE enhanced disabled | How to Disable Internet Explorer Enhanced Security Configuration |
Proxy is not configured | |
After committed changes - restart the remote machine (GYTPOL server) |
Admin Interface
You need a physical or virtual machine running at least Windows 7 SP1.
It is recommended to use the latest version of either MS Chromium Edge or Google Chrome browsers for optimal compatibility.
...
Sensor Requirements
Ensure that Task Scheduler is enabled for both user and computer.
Enable Event Viewer for both user and computer.
RSOP (Resultant Set of Policy) should be allowed.
PowerShell version requirements:
PowerShell 2.0 or later is required, with support for detection and auto-upgrade.
PowerShell 5.1 and later are preferred, as they support detection, auto-upgrade, remediation, and revert.
It is recommended to set PowerShell scripts to "All Signed" (or any option besides "Restricted" or "Remote Signed"), preferably via Group Policy (GPO).
Enable the ability for users to run PowerShell scripts.
DNS
Here are the instructions for setting up a CNAME record from a server running DNS or an IT admin computer:
...
If you are not using Microsoft DNS and are using a different DNS service such as Infoblox or any other, please get in touch with us for further guidance and assistance regarding the setup of CNAME records and DNS configurations specific to your DNS service provider. We will provide you with tailored instructions and support to ensure proper integration with GYTPOL.
Ports
From | To | Port number | Purpose |
All devices and OS | GYTPOL App Server | 9093 | HTTPS |
9090 (Windows7 only) | HTTP (Data is compressed and encrypted) | ||
All Computers (In case GYTPOL cloud service connection is desired for external devices and Remote Employees) | GYTPOL Cloud Service EMEA & Asia: https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com | 443 | HTTPS |
Americas: https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com | |||
Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client Sensor is generated. | |||
GYTPOL App Server | GYTPOL DB server (Required for deployments over 3,000 devices) | 1433, 1434 | SQL queries |
GYTPOL App Server | DC’s | 389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 + Dynamic ports (49152-65535) | GP PS queries + GP modeling queries |
GYTPOL App Server | GYTPOL Cloud Service EMEA & Asia: https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com | 443 | HTTPS (In case GYTPOL cloud service connection is desired for external devices and Remote Employees) |
Americas: https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com | |||
Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client Sensor is generated. | |||
IT Admin Computers | GYTPOL App Server | 3389 9093 | RDP UI – HTTPS |
Local Ports on GYTPOL server should be free and not used. | 5000, 8080, 8082, 8083, 9090, 9093, 9370 | Ports needed for GYTPOL to run properly. |
Antivirus
Exclude the following directory for GYTPOL App server only:
<GYTPOLSERVER> \ (Gytpol installation drive – i.e. ‘C’ or ‘D’ drive) \ Gytpol
Detailed Configuration Instructions
Windows Server language settings
To verify whether the server language is configured as English (United States) in Powershell, you can execute the following commands:
...
After following these steps, your server's locale settings should be updated to the selected locale, in this case, "English (United States)."
...
...
Important note: When installing on the latest Server 2022 builds, please ensure that the Beta checkbox is not selected.
...
How to check if Windows Firewall is at ‘off’ state
To configure the Windows Firewall settings on the GYTPOL server, follow these steps:
...
By following these steps, you will configure the Windows Firewall settings on the GYTPOL server to meet the specified requirements.
In case of using the Windows Firewall
To configure the Windows Firewall settings for GYTPOL on the server, please follow these detailed steps:
...
By following these steps, you will have configured the Windows Firewall to allow inbound connections on TCP ports 9090 and 9093 for GYTPOL, ensuring that it functions as intended on your server.
...
How to Check if IPv6 is disabled (Optional)
To check if IPv6 is disabled on the GYTPOL server, you can follow these steps:
...
Replace the New Value #1 with DisabledComponents
Double click on DisabledComponents and set the value to ffffffff and press OK
...
How to Disable Internet Explorer Enhanced Security Configuration
To disable Internet Explorer Enhanced Security Configuration (IE ESC) on the GYTPOL server, please follow these steps:
...
Click "OK" to confirm and apply the changes.
...
How to Disable Proxy Settings
To configure Internet Explorer proxy settings on the GYTPOL server, please follow these steps:
...
Click "OK" to save the changes and close the "Local Area Network (LAN) Settings" window.
Click "OK" again to close the "Internet Options" window.
How to Check PowerShell Version and Restriction Mode
Anchor | ||||
---|---|---|---|---|
|
...
By following these steps, you can confirm the PowerShell version and review the execution policies to ensure that scripts are not restricted on the GYTPOL server.
Add the GYTPOL user to the Domain group: “Performance Log Users”
To add the GYTPOL user to the Domain group "Performance Log Users" using Active Directory tools (RSAT), follow these steps:
...
Back in the "Performance Log Users Properties" window, click "OK" to save the changes and add the GYTPOL user to the group.
Click "OK" again to close the group's properties.
Adding a Local Administrator
To add a local admin on the GYTPOL server, follow these steps:
...
In the "Enter the object names to select" field, type "gytpoSvcgytpolSvc."
Click on "Check Names" and wait for the name to be validated. It should appear with an underline and with the domain name.
...
Once the name is validated, click "OK" to confirm and add the "gytpoSvcgytpolSvc" user to the Administrators group.
Logon as a batch
GYTPOL utilizes several tasks in the task scheduler to execute hourly, daily, and weekly routines using GYTPOLSVC account created earlier. To ensure these tasks operate without any limitations, it is essential to add the "Logon as a batch" privilege to the GYTPOLSVC account.
If there are no Group Policies with "logon as a batch" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a batch" policy on a server where GYTPOL is installed:
Open Local Group Policy Editor:
Go to a server where GYTPOL is installed.
Open Command Prompt as an administrator.
Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.
Navigate to "Log on as a batch" Policy:
In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment
Edit "Log on as a batch" Policy:
Double-click on the "Log on as a batch" policy.
Add User or Group:
In the "Log on as a batch Properties" window, click on the "Add User or Group" button.
Specify Domain and User:
In the "Select Users or Groups" dialog, select your domain from the "Locations" field.
Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.
Ensure that "GytpolSvc" is the selected user and click "OK."
Save Changes:
Click "OK" in the "Log on as a batch Properties" window to save the changes.
If there are Group Policies with "logon as a batch" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):
Open Group Policy Management Console (GPMC):
...
Click "OK" in the "Log on as a batch Properties" window to save the changes.
Logon as a service
GYTPOL runs several services and microservices using the GYTPOLSVC account created earlier. To ensure these services operate without any limitations, it is crucial to add the "Logon as a service" privilege for the GYTPOLSVC account.
If there are no Group Policies with "logon as a service" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a service" policy on a server where GYTPOL is installed:
Open Local Group Policy Editor:
Go to a server where GYTPOL is installed.
Open Command Prompt as an administrator.
Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.
Navigate to "Log on as a service" Policy:
In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment
Edit "Log on as a service" Policy:
Double-click on the "Log on as a service" policy.
Add User or Group:
In the "Log on as a service Properties" window, click on the "Add User or Group" button.
Specify Domain and User:
In the "Select Users or Groups" dialog, select your domain from the "Locations" field.
Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.
Ensure that "GytpolSvc" is the selected user and click "OK."
Save Changes:
Click "OK" in the "Log on as a service Properties" window to save the changes.
If there are Group Policies with "logon as a service" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):
Open Group Policy Management Console (GPMC):
...
Click "OK" in the "Log on as a service Properties" window to save the changes.
Network access: Do not allow storage of passwords and credentials for network authentication
To configure the "Network access: Do not allow storage of passwords and credentials for network authentication" policy for GYTPOL, follow these steps:
...
You can validate the setting by running the following PowerShell command as an administrator on the GYTPOL server:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop | Select-Object -ExpandProperty disabledomaincreds
The expected output should be "0," indicating that the "Network access: Do not allow storage of passwords and credentials for network authentication" policy is not enforced or is disabled on the GYTPOL server.
DB Creator - external SQL only (for Installations of more than 3,000 devices)
To create a database user with the "dbcreator" role in SQL Server for installations of more than 3,000 devices, follow these steps:
...
To perform group policy validation through GPO modeling, GYTPOLSVC requires delegation rights to execute GPO planning.
Active Directory Delegation – Group Policy Permission
To delegate Group Policy permission in Active Directory, follow these steps:
...
Click "Next" to proceed through any remaining steps.
Finally, click "Finish" to complete the delegation process.
How to Test Permissions
To test permissions for Group Policy Objects (GPOs) using the GYTPOLSVC user, follow these steps:
...
By following these steps, you can test permissions and verify that the GYTPOLSVC user has the required access to Group Policy Objects and can perform Group Policy Modeling as needed.
Windows Features installation
To install Windows Features on the GYTPOL server, including Group Policy Management and Remote Server Administration Tools, follow these steps:
...
Once the installation is complete, the selected features, including Group Policy Management and Remote Server Administration Tools, will be installed on the GYTPOL server.
Automatic pre-checker tool
To use the Automatic Pre-checker tool for GYTPOL, follow these steps:
...
The results may include:
Red X sign (error): Indicates an error that needs to be fixed before installation. Hover over the question mark (?) for details on what needs to be done.
Yellow Exclamation mark (warning): Indicates a non-critical issue that can be addressed, but it's not required for installation.
Defender icon: Indicates that the check has passed.
...
By following these steps, you can use the Automatic Pre-checker tool to ensure that your GYTPOL server meets the necessary requirements and configurations before installation.
Appendix 1 – SQL Technical Requirements
In this appendix, you will find the technical requirements for SQL Server in the context of GYTPOL installation:
...