Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

GYTPOL Validator

System Requirements for on-Prem installations

Doc: GYT-TEC-003

...

Easy heading
linkText1
linkText4
linkText10
linkText3linkText10
linkText6
linkText5
relatedLinksLabels
linkText2
linkText1
headingTagsH1,H2,H3
sidebarMaxHeight450
linkType2Page
linkType3Page
linkType1Page
linkType10Page
sidebarTitleON THIS PAGE
linkUrl3
linkUrl4
linkUrl1
linkUrl2
linkUrl10
includedPageModeDisable_Included_Pages
linkText8
linkText7
relatedLinksOrderLabels_First
linkText7sidebarModeOpened
headingNumberingModeDisable_Numbering
linkText9
sidebarMarginRight20
relatedLinksTargetNew_Window
relatedLinksTitleRELATED LINKS
linkUrl9
linkUrl7
linkUrl8linkUrl5
numberedHeadingTagsH1,H2,H3
linkUrl5
linkUrl6
linkType8Page
linkType9Page
linkType6Page
headingLinkTextModeWrap
linkType6linkType7Page
linkType7linkType4Page
linkType4linkType5Page
sidebarWidth240linkType5Page
sidebarTop160
headingLinkExpandModeCollapse_All_By_Default
headingLinkIndent10

Introduction

This document serves the purpose of providing essential system prerequisites and requirements that must be met before initiating the installation process for the GYTPOL Validator product.

Audience

This User Guide is primarily intended for IT system and infrastructure teams responsible for implementing, managing, and maintaining servers and Active Directory within their organizations. It provides clear instructions and explanations suitable for technical users, ensuring that these teams can effectively utilize the software for their specific needs.

Checklist

Before proceeding with the installation of GYTPOL Validator software, it is crucial to verify that all the following requirements are met:

...

Ensure that a web browser is available and compatible for use as the admin interface by end-users of GYTPOL Validator.

Client Sensor Requirements:

Verify that servers and workstations covered by GYTPOL Validator meet the required clientSensor-side specifications.

DNS - Routing to GYTPOL Server:

...

Determine and open the specific ports on both the server and client Sensor sides as required by GYTPOL Validator to facilitate communication and functionality.

...

Find additional help in Detailed Configuration Instructions when required.

System Architecture

...

Server Architecture

...

Server Sizing

Up to 3,000 Devices / PoC

...

  • Customers managing more than 50,000 devices are advised to contact support@gytpol.com for specialized sizing recommendations.

  • If you are using the Nutanix hypervisor, please contact support@gytpol.com forfurther guidance and support tailored to your specific setup.

Operating System and Language

  • A dedicated physical or virtual server is required, running Windows Server 2016 Standard or a later version.

  • Windows Server language settings (detailed checks are here):

    • The Windows Server operating system must be set to use the English (United States) language.

    • The Windows Server language for non-Unicode programs must be set to use the English (United States) language.

  • Customers who use a separate database server should install SQL Server 2016 Standard or a later version. For detailed instructions on configuring MS SQL, please consult Appendix 1.

Users and Groups

To create a domain user with the specified permissions and ensure the password adheres to the given criteria, follow these steps:

...

By following these steps, you will have created a domain user, set a password that adheres to your criteria, and established a security group for GYTPOL UI access, all in compliance with your requirements.

Permissions

Follow the below table to set the permissions regarding the user and the group (follow hyperlinks for how to’s):

...

Type

Name

Permission set

AD User

GytpolSvc

Domain level:

Member of Domain Group: “Performance Log Users”

GYTPOL Server local settings:

Local admin on GYTPOL server

Logon as a service

Logon as a batch job

GPMC permissions

Server software and general settings

Requirement

How to Verify

Web Browser supports Chromium

We recommend using the latest version of either MS Chromium Edge or Google Chrome browsers.

However, in offline or closed environments, a minimum version of 100 is required.

.NET 4.7.2 installed

(Installed by default on Server 2019)

https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net472-web-installer

Notepad++ installed

(Optional, yet strongly advised to simplify configuration management)

https://notepad-plus-plus.org/downloads/

The minimum required version of PowerShell is 5.1.

(Installed by default on Server 2016 and later)

Ensure that the PowerShell script execution policy is not set to "Restricted" in any of its categories.

How to Check PowerShell Version and Restriction Mode

IPv6 disabled (Optional)

How to Check if IPv6 is disabled

Configure Windows Firewall inbound ports

- or -

Turn Windows Firewall OFF (service should be up and running)

In case of using the Windows Firewall

How to check if Windows Firewall is at ‘off’ state

IE enhanced disabled

How to Disable Internet Explorer Enhanced Security Configuration

Proxy is not configured

How to Disable Proxy Settings

After committed changes - restart the remote machine (GYTPOL server)

Admin Interface

  • You need a physical or virtual machine running at least Windows 7 SP1.

  • It is recommended to use the latest version of either MS Chromium Edge or Google Chrome browsers for optimal compatibility.

...

Sensor Requirements

  • Ensure that Task Scheduler is enabled for both user and computer.

  • Enable Event Viewer for both user and computer.

  • RSOP (Resultant Set of Policy) should be allowed.

  • PowerShell version requirements:

    • PowerShell 2.0 or later is required, with support for detection and auto-upgrade.

    • PowerShell 5.1 and later are preferred, as they support detection, auto-upgrade, remediation, and revert.

    • It is recommended to set PowerShell scripts to "All Signed" (or any option besides "Restricted" or "Remote Signed"), preferably via Group Policy (GPO).

    • Enable the ability for users to run PowerShell scripts.

DNS

Here are the instructions for setting up a CNAME record from a server running DNS or an IT admin computer:

...

If you are not using Microsoft DNS and are using a different DNS service such as Infoblox or any other, please get in touch with us for further guidance and assistance regarding the setup of CNAME records and DNS configurations specific to your DNS service provider. We will provide you with tailored instructions and support to ensure proper integration with GYTPOL.

Ports

From

To

Port number

Purpose

All devices and OS

GYTPOL App Server

9093

HTTPS

9090 (Windows7 only)

HTTP

(Data is compressed and encrypted)

All Computers

(In case GYTPOL cloud service connection is desired for external devices and Remote Employees)

GYTPOL Cloud Service

EMEA & Asia:

https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com

443

HTTPS

Americas:

https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com

Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client Sensor is generated.

GYTPOL App Server

GYTPOL DB server

(Required for deployments over 3,000 devices)

1433, 1434

SQL queries

GYTPOL App Server

DC’s

389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 +

Dynamic ports (49152-65535)

GP PS queries +

GP modeling queries

GYTPOL App Server

GYTPOL Cloud Service

EMEA & Asia:

https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com

443

HTTPS

(In case GYTPOL cloud service connection is desired for external devices and Remote Employees)

Americas:

https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com

Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client Sensor is generated.

IT Admin Computers

GYTPOL App Server

3389

9093

RDP

UI – HTTPS

Local Ports on GYTPOL server should be free and not used.

5000, 8080, 8082, 8083, 9090, 9093, 9370

Ports needed for GYTPOL to run properly.

Antivirus

Exclude the following directory for GYTPOL App server only:

<GYTPOLSERVER> \ (Gytpol installation drive – i.e. ‘C’ or ‘D’ drive) \ Gytpol

Detailed Configuration Instructions

Windows Server language settings

To verify whether the server language is configured as English (United States) in Powershell, you can execute the following commands:

...

After following these steps, your server's locale settings should be updated to the selected locale, in this case, "English (United States)."

...

Important note: When installing on the latest Server 2022 builds, please ensure that the Beta checkbox is not selected.

...

How to check if Windows Firewall is at ‘off’ state

To configure the Windows Firewall settings on the GYTPOL server, follow these steps:

...

By following these steps, you will configure the Windows Firewall settings on the GYTPOL server to meet the specified requirements.

In case of using the Windows Firewall

To configure the Windows Firewall settings for GYTPOL on the server, please follow these detailed steps:

...

By following these steps, you will have configured the Windows Firewall to allow inbound connections on TCP ports 9090 and 9093 for GYTPOL, ensuring that it functions as intended on your server.

...

How to Check if IPv6 is disabled (Optional)

To check if IPv6 is disabled on the GYTPOL server, you can follow these steps:

...

  • Replace the New Value #1 with DisabledComponents

  • Double click on DisabledComponents and set the value to ffffffff and press OK

...

How to Disable Internet Explorer Enhanced Security Configuration

To disable Internet Explorer Enhanced Security Configuration (IE ESC) on the GYTPOL server, please follow these steps:

...

Click "OK" to confirm and apply the changes.

...

How to Disable Proxy Settings

To configure Internet Explorer proxy settings on the GYTPOL server, please follow these steps:

...

  • Click "OK" to save the changes and close the "Local Area Network (LAN) Settings" window.

  • Click "OK" again to close the "Internet Options" window.

How to Check PowerShell Version and Restriction Mode

Anchor
_heading=h.ihv636
_heading=h.ihv636
To check the PowerShell version and execution policy on the GYTPOL server, please follow these steps:

...

By following these steps, you can confirm the PowerShell version and review the execution policies to ensure that scripts are not restricted on the GYTPOL server.

Add the GYTPOL user to the Domain group: “Performance Log Users”

To add the GYTPOL user to the Domain group "Performance Log Users" using Active Directory tools (RSAT), follow these steps:

...

  • Back in the "Performance Log Users Properties" window, click "OK" to save the changes and add the GYTPOL user to the group.

  • Click "OK" again to close the group's properties.

Adding a Local Administrator

To add a local admin on the GYTPOL server, follow these steps:

...

  • In the "Enter the object names to select" field, type "gytpoSvcgytpolSvc."

  • Click on "Check Names" and wait for the name to be validated. It should appear with an underline and with the domain name.

...

Once the name is validated, click "OK" to confirm and add the "gytpoSvcgytpolSvc" user to the Administrators group.

Logon as a batch

GYTPOL utilizes several tasks in the task scheduler to execute hourly, daily, and weekly routines using GYTPOLSVC account created earlier. To ensure these tasks operate without any limitations, it is essential to add the "Logon as a batch" privilege to the GYTPOLSVC account.

If there are no Group Policies with "logon as a batch" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a batch" policy on a server where GYTPOL is installed:

  1. Open Local Group Policy Editor:

    1. Go to a server where GYTPOL is installed.

    2. Open Command Prompt as an administrator.

    3. Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.

  2. Navigate to "Log on as a batch" Policy:

    1. In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

  3. Edit "Log on as a batch" Policy:

    1. Double-click on the "Log on as a batch" policy.

  4. Add User or Group:

    1. In the "Log on as a batch Properties" window, click on the "Add User or Group" button.

  5. Specify Domain and User:

    1. In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

    2. Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

    3. Ensure that "GytpolSvc" is the selected user and click "OK."

  6. Save Changes:

    1. Click "OK" in the "Log on as a batch Properties" window to save the changes.

If there are Group Policies with "logon as a batch" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):

Open Group Policy Management Console (GPMC):

...

Click "OK" in the "Log on as a batch Properties" window to save the changes.

Logon as a service

GYTPOL runs several services and microservices using the GYTPOLSVC account created earlier. To ensure these services operate without any limitations, it is crucial to add the "Logon as a service" privilege for the GYTPOLSVC account.

If there are no Group Policies with "logon as a service" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a service" policy on a server where GYTPOL is installed:

  1. Open Local Group Policy Editor:

    1. Go to a server where GYTPOL is installed.

    2. Open Command Prompt as an administrator.

    3. Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.

  2. Navigate to "Log on as a service" Policy:

    1. In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

  3. Edit "Log on as a service" Policy:

    1. Double-click on the "Log on as a service" policy.

  4. Add User or Group:

    1. In the "Log on as a service Properties" window, click on the "Add User or Group" button.

  5. Specify Domain and User:

    1. In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

    2. Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

    3. Ensure that "GytpolSvc" is the selected user and click "OK."

  6. Save Changes:

    1. Click "OK" in the "Log on as a service Properties" window to save the changes.

If there are Group Policies with "logon as a service" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):

Open Group Policy Management Console (GPMC):

...

Click "OK" in the "Log on as a service Properties" window to save the changes.

Network access: Do not allow storage of passwords and credentials for network authentication

To configure the "Network access: Do not allow storage of passwords and credentials for network authentication" policy for GYTPOL, follow these steps:

...

You can validate the setting by running the following PowerShell command as an administrator on the GYTPOL server:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop | Select-Object -ExpandProperty disabledomaincreds

The expected output should be "0," indicating that the "Network access: Do not allow storage of passwords and credentials for network authentication" policy is not enforced or is disabled on the GYTPOL server.

DB Creator - external SQL only (for Installations of more than 3,000 devices)

To create a database user with the "dbcreator" role in SQL Server for installations of more than 3,000 devices, follow these steps:

...

To perform group policy validation through GPO modeling, GYTPOLSVC requires delegation rights to execute GPO planning.

Active Directory Delegation – Group Policy Permission

To delegate Group Policy permission in Active Directory, follow these steps:

...

  • Click "Next" to proceed through any remaining steps.

  • Finally, click "Finish" to complete the delegation process.

How to Test Permissions

To test permissions for Group Policy Objects (GPOs) using the GYTPOLSVC user, follow these steps:

...

By following these steps, you can test permissions and verify that the GYTPOLSVC user has the required access to Group Policy Objects and can perform Group Policy Modeling as needed.

Windows Features installation

To install Windows Features on the GYTPOL server, including Group Policy Management and Remote Server Administration Tools, follow these steps:

...

Once the installation is complete, the selected features, including Group Policy Management and Remote Server Administration Tools, will be installed on the GYTPOL server.

Automatic pre-checker tool

To use the Automatic Pre-checker tool for GYTPOL, follow these steps:

...

  • The results may include:

    • Red X sign (error): Indicates an error that needs to be fixed before installation. Hover over the question mark (?) for details on what needs to be done.

    • Yellow Exclamation mark (warning): Indicates a non-critical issue that can be addressed, but it's not required for installation.

    • Defender icon: Indicates that the check has passed.

...

By following these steps, you can use the Automatic Pre-checker tool to ensure that your GYTPOL server meets the necessary requirements and configurations before installation.

Appendix 1 – SQL Technical Requirements

In this appendix, you will find the technical requirements for SQL Server in the context of GYTPOL installation:

...