Carl Webster Accessibility Statement

Carl Webster is committed to facilitating the accessibility and usability of its website, carlwebster.com, for everyone. Carl Webster aims to comply with all applicable standards, including the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 up to Level AA (WCAG 2.0 AA). Carl Webster is proud of the efforts that we have completed and that are in-progress to ensure that our website is accessible to everyone.

If you experience any difficulty in accessing any part of this website, please feel free to email us at info@carlwebster.com and we will work with you to provide the information or service you seek through an alternate communication method that is accessible for you consistent with applicable law (for example, through telephone support).

  • 24 Building Webster’s Lab V2 – Create a ControlUp Management Server

    June 24, 2021

    Blog

    [Updated 8-Nov-2021]

    The next step is to create an additional management server VM from the Server 2019 template. We use the VM built in this article for an additional infrastructure server. My Lab’s infrastructure VMs reside in my XenServer pool, as explained in the Introduction article. Building a server VM from the Server 2019 template was covered earlier.

    From the introduction article, this is the VM we are building:

    Name Description IP Address
    LabControlUp ControlUp Management Server 192.168.1.207

    Before building the new server, we need to verify the hardware requirements for ControlUp.

    Request Trial

    ControlUp optimizes the digital experience with actionable insights captured through real-time observation. With accurate end-to-end analysis of the user’s digital journey, ControlUp enables IT admins to make faster decisions with actionable insights and enterprise-grade tools that troubleshoot and remediate user issues to deliver the best-in-class digital employee experience and productivity.

    ControlUp monitoring uses three parts, the Real-time console, the Monitor node, and Agents.

    • The ControlUp Real-Time console leverages the association and correlation logic of the real-time engine to generate aggregated views of multiple data sources. These powerful grids can be sorted by, grouped by, filtered by, or searched by any of the dozens of continuously updated real-time metrics.
    • The ControlUp Monitor is a component principally equivalent to ControlUp Console, but without an interactive user interface. Once installed and started, ControlUp Monitor signs into your ControlUp organization and connects to your managed computers.

    The Monitor starts receiving system information and performance updates from your organization, just like an additional ControlUp Console user. The primary difference between a Monitor and a Console is that the Monitor runs as a Windows Service 24/7, requiring no user interaction and allowing for continuous monitoring and auto-remediation of your environment.

    • ControlUp agents allow communication with the Console and the Monitor.

    To receive a free trial of ControlUp, use your internet browser and browse to https://ControlUp.com/ and click on Download Free Trial, as shown in Figure 1.

    Figure 1
    Figure 1

    Click Start Download, as shown in Figure 2.

    Figure 2
    Figure 2

    Here are the links needed with the information needed to build our ControlUp VM.

    https://support.controlup.com/hc/en-us/articles/115005534205-ControlUp-Hybrid-Cloud-Implementation-Requirements

    https://support.controlup.com/hc/en-us/articles/115001228945-Communication-Ports-Used-by-ControlUp-Hybrid-Cloud

    https://support.controlup.com/hc/en-us/articles/360000728405-Setting-permissions-for-ControlUp-in-VMware-vCenter

    https://support.controlup.com/hc/en-us/articles/206501579-Hypervisor-Monitoring-Requirements (Covers Citrix XenServer)

    https://support.controlup.com/hc/en-us/articles/360000532477-AV-Exclusions-for-ControlUp

    We are building a ControlUp server to handle the small number of VMs used for the future Citrix Virtual Apps and Desktops and VMware Horizon article series. Since the Lab will have minimal Citrix and VMware infrastructure servers and a minimal number of virtual desktops, the requirements are minimal for the ControlUp server VM.

    From this information, we learn the following about the ControlUp server’s VM:

    • It needs a static IP address
    • Increase the RAM to 16GB
      • We run the Console and Monitor on one server. Since there is no local database, ControlUp caches monitoring results in the server’s RAM.
    • Requires the installation of an additional internet browser
      • We don’t use Internet Explorer 11 for anything
    • Requires Windows firewall configuration
    • Requires Windows Defender configuration
    • Needs service accounts for VMware vCenter and Citrix XenCenter
      • These service accounts are not required, but we use specific service accounts for specific purposes

    Following the process used for the other lab servers built, create a new VM from the Server 2019 template and do not power it on.

    Change RAM

    VMware

    In vCenter, right-click the LabControlUp VM, click Edit Settings…, and change the Memory settings, as shown in Figure 3.

    Figure 3
    Figure 3

    Power on the VM, enter the required hostname, enter the required IP address information, and install Windows Updates. I also installed Google Chrome to use as my browser.

    XenServer

    Select the LabControlUp VM, click the Memory tab, and click Edit…, as shown in Figure 4.

    Figure 4
    Figure 4

    Select Set a fixed memory of and change the value to 16.0, as shown in Figure 5.

    Figure 5
    Figure 5

    Power on the VM, enter the required hostname, enter the required IP address information, and install Windows Updates. I also installed Google Chrome to use as my browser.

    Active Directory

    Join Active Directory

    First, we need to create an OU.

    If you remember, when we created Active Directory in Part 14, I placed all my infrastructure servers in a specific OU.

    Lab

    Infrastructure

    The ControlUp server is placed in an OU to apply GPOs for Windows Firewall and Windows Defender configurations.

    Lab

    Infrastructure

    ControlUp

    From the Lab’s management computer, start an elevated PowerShell session and type in the following, as shown in Figure 6.

    Get-ADOrganizationalUnit -filter {Name -eq "Infrastructure"}
    
    Figure 6
    Figure 6

    Create the ControlUp OU.

    Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 7.

    Remember to set the values you need.

    Note: Lines may wrap

    #create the ControlUp OU
    
    $ADDomain = "LabADDomain"
    $TLD = "com"
    $Protect = $True
    
    New-ADOrganizationalUnit -Name "ControlUp" `
    -Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
    -ProtectedFromAccidentalDeletion $Protect -verbose
    
    Get-ADOrganizationalUnit -filter {Name -eq "ControlUp"}
    
    Figure 7
    Figure 7

    Copy the DistinguishedName property to the clipboard.

    LabControlUp Server Work

    Verify that the server has a static IP address and uses the IP addresses of the domain controllers for the DNS servers, as shown in Figure 8.

    Figure 8
    Figure 8

    Verify that the server has the correct hostname, as shown in Figure 9.

    Figure 9
    Figure 9

    Use mstsc to remote into the VM that is our ControlUp server.

    Exit Server Manager and start an elevated PowerShell session.

    Copy and paste the following into the elevated PowerShell session and press Enter. The process took less than the blink of an eye to happen, which is why there is no screenshot.

    Remember to set the values you need.

    Note: Lines may wrap

    #Join the computer to the domain
    
    add-computer -Credential LabADDomain\Administrator `
    -DomainName "LabADDomain.com" `
    -OUPath "OU=ControlUp,OU=Infrastructure,OU=Lab,DC=LabADDomain,DC=com" `
    -Force `
    -Restart
    
    #server reboots
    

    After the VM restarts, log in using the domain’s Administrator account and password.

    Now to install the server certificate from the CA.

    Save the following to a file name c:\CertFiles\computer-request.inf.

    I want to thank Michael B. Smith for creating this INF file for me.

    Use the data needed for your environment.

    LabControlUp              = the name of your ControlUp server
    LabADDomain.com           = your domain name
    "LabCA\LabDomain CA Root" = the name of your CA server and the name of your CA.
    
    ;----------------- computer-request.inf -----------------
    ; LabControlUp.LabADDomain.com
    ;
    ; certreq -new computer-request.inf computer-request.req
    ; certreq -submit -config "LabCA\LabDomain CA Root" computer-request.req computer-request.cer
    ; certreq -accept -config "LabCA\LabDomain CA Root" computer-request.cer
    ;
    
    [Version]
    Signature="$Windows NT$"
    
    [NewRequest]
    Subject = "CN=LabControlUp.LabADDomain.com" ; replace with the FQDN of the File Server
    FriendlyName = "Computer (Machine) for LabControlUp.LabADDomain.com"
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    KeySpec = 1                     ; AT_KEYEXCHANGE
    Exportable = TRUE               ; private-key is exportable
    MachineKeySet = TRUE            ; goes in machine store instead of user's personal store
    SMIME = False                   ; cannot be used for signing S/MIME messages
    PrivateKeyArchive = FALSE
    HashAlgorithm = sha256          ; "certutil -oid 1 | findstr pwszName" -- gives a list (including sha1)
    UserProtected = FALSE
    UseExistingKeySet = FALSE       ; we are not renewing a key that already exists
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12               ; for ProviderName and ProviderType, see "certutil -csplist"
    RequestType = PKCS10            ; if empty or set to "CERT" then a self-signed cert is created
    KeyUsage = 0xa0                 ; 0xa0 - CERT_DIGITAL_SIGNATURE_KEY_USAGE + CERT_KEY_ENCIPHERMENT_KEY_USAGE
    
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH
    
    [Extensions]
    ; Note: 2.5.29.17 is the OID for a SAN extension.
    
    2.5.29.17 = "{text}"
    _continue_ = "dns=LabControlUp.LabADDomain.com"
    
    [RequestAttributes]
    CertificateTemplate = "Server Template"
    
    ;-----------------------------------------------
    

    Open an elevated command prompt.

    Type in cd c:\CertFiles and press Enter.

    The three commands we need to run are at the top of the computer-request.inf file.

    Type in notepad computer-request.inf and press Enter.

    Copy the line certreq -new computer-request.inf computer-request.req, paste it in the elevated command prompt, and press Enter.

    Copy the line certreq -submit -config “LabCA\LabDomain CA Root” computer-request.req computer-request.cer, paste it in the elevated command prompt, and press Enter.

    Note: If you get a warning similar to the following, you can ignore the warning. The warning tells you that the certificate request validity period is past the lifetime of the CA’s root certificate lifespan.

    Certificate retrieved(Issued)Issued The certificate validity period will be shorter than the Server Template Certificate Template specifies because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

    Copy the line certreq -accept -config “LabCA\LabDomain CA Root” computer-request.cer, paste it in the elevated command prompt, and press Enter.

    Figure 10 shows the results of running the certificate request commands.

    Figure 10
    Figure 10

    Create ControlUp Accounts

    Additional vCenter Configuration

    The vCenter Read-Only role created earlier is sufficient for all monitoring purposes. However, we want to use the built-in hypervisor-based VM power management functions. Therefore, we need to create a custom role based on the Read-Only role, adding the following permissions:

    • In the Virtual Machine/Interaction category:
      • Power Off
      • Power On
      • Reset

    First, we need to create an AD service account to assign the vCenter Custom Role.

    From the Lab’s management computer, start an elevated PowerShell session, copy and paste the following into the elevated PowerShell session, and press Enter, as shown in Figure 11.

    Remember to set the values you need.

    Note: Lines may wrap

    #Create the service account svc_VMwareControlUp for ControlUp vCenter permissions
    
    $ADDomain = "LabADDomain"
    $TLD = "com"
    $Protect = $False
    
    $UserPwd = Read-Host -AsSecureString -Prompt "Enter password"
    
    New-ADUser -AccountPassword $UserPwd `
    -CannotChangePassword $True `
    -ChangePasswordAtLogon $False `
    -Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
    -DisplayName "svc_VMwareControlUp" `
    -Enabled $True `
    -GivenName "svc_VMwareControlUp" `
    -Name "svc_VMwareControlUp" `
    -PasswordNeverExpires $True `
    -PasswordNotRequired $False `
    -Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
    -SamAccountName "svc_VMwareControlUp" `
    -UserPrincipalName "svc_VMwareControlUp@LabADDomain.com"
    
    Figure 11
    Figure 11

    Log in to vCenter.

    From the Menu dropdown, select Administration, as shown in Figure 12.

    Figure 12
    Figure 12

    In Roles, click the Read-only role and click the Clone role action icon, as shown in Figure 13.

    Figure 13
    Figure 13

    Enter a Role name, Description, and click OK, as shown in Figure 14.

    Figure 14
    Figure 14

    Click the new role and click the pencil Edit icon, as shown in Figure 15.

    Figure 15
    Figure 15

    In the left pane, scroll down to Virtual machine, and in the right pane, scroll down to Interaction, and click See more privileges, as shown in Figure 16.

    Figure 16
    Figure 16

    In the right pane, scroll down and select Power off, Power on, Reset, and click Next, as shown in Figure 17.

    Figure 17
    Figure 17

    Click Finish, as shown in Figure 18.

    Figure 18
    Figure 18

    In Global Permissions, click the “+“, as shown in Figure 19.

    Figure 19
    Figure 19

    Change the Domain to the AD domain, select the new ControlUp AD service account for User/Group, select the Custom Role, select Propagate to children, and click OK, as shown in Figure 20.

    Figure 20
    Figure 20

    The new ControlUp account is added to the list, as shown in Figure 21.

    Figure 21
    Figure 21

    Additional XenCenter Configuration

    The XenCenter Read-Only role created earlier is sufficient for all monitoring purposes. However, we want to use the built-in hypervisor-based VM power management functions. Therefore, we need to create a custom role based on the Read-Only role, adding the VM Operators permission.

    Start and, if required, connect or log in to XenCenter.

    First, we need to create an AD service account to assign the XenCenter Custom Role.

    From the Lab’s management computer, start an elevated PowerShell session, copy and paste the following into the elevated PowerShell session, and press Enter, as shown in Figure 22.

    Remember to set the values you need.

    Note: Lines may wrap

    #Create the service account svc_CitrixControlUp for ControlUp XenCenter permissions
    
    $ADDomain = "LabADDomain"
    $TLD = "com"
    $Protect = $False
    
    $UserPwd = Read-Host -AsSecureString -Prompt "Enter password"
    
    New-ADUser -AccountPassword $UserPwd `
    -CannotChangePassword $True `
    -ChangePasswordAtLogon $False `
    -Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
    -DisplayName "svc_CitrixControlUp" `
    -Enabled $True `
    -GivenName "svc_CitrixControlUp" `
    -Name "svc_CitrixControlUp" `
    -PasswordNeverExpires $True `
    -PasswordNotRequired $False `
    -Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
    -SamAccountName "svc_CitrixControlUp" `
    -UserPrincipalName "svc_CitrixControlUp@LabADDomain.com"
    
    Figure 22
    Figure 22

    In XenCenter, click the Resource Pool and in the right pane, click Users, click Add…, as shown in Figure 23.

    Figure 23
    Figure 23

    Enter the name of the new Citrix ControlUp account and click Grant Access, as shown in Figure 24.

    Figure 24
    Figure 24

    Click Close, as shown in Figure 25.

    Figure 25
    Figure 25

    Select the Citrix ControlUp account and click Change Role…, as shown in Figure 26.

    Figure 26
    Figure 26

    Select VM Operator and click Save, as shown in Figure 27.

    Figure 27
    Figure 27

    The account is ready for use, as shown in Figure 28.

    Figure 28
    Figure 28

    GPOs

    Before installing and configuring ControlUp, we need four GPOs created.

    1. One for the ControlUp server Windows Defender exclusions
    2. One for the ControlUp server Windows Firewall ports
    3. One for the monitored computers Windows Defender exclusions
    4. One for the monitored computers Windows Firewall ports

    On the Lab management computer, open the Group Policy Management Console (GPMC).

    In the Group Policy Objects node, create and name four GPOs. For example, I named mine as follows:

    • (C) ControlUp Agent Windows Defender Exclusions – linked at the domain level, Deny applied to LabControlUp
    • (C) ControlUp Agent Windows Firewall Ports – linked at the domain level, Deny applied to LabControlUp
    • (C) ControlUp Server Windows Defender Exclusions – linked to the ControlUp OU and applied only to the LabControlUp computer account
    • (C) ControlUp Server Windows Firewall Ports – linked to the ControlUp OU and applied only to the LabControlUp computer account

    Let’s work on the (C) ControlUp Server Windows Firewall Ports GPO first.

    We need the following Windows Firewall ports configured for the server.

    ControlUp Server

    • TCP 53 open outbound for name resolution
    • TCP 80 open outbound for communication to XenServer, XenDesktop, and NetScalers/ADCs
    • TCP 135 – 139, 445, and 49152 – 65535 for Agent deployment and upgrades via the console and specific OOB actions, such as restarting the agent.
    • TCP 389 open outbound for LDAP communication with domain controllers
    • TCP 443 opened outbound for communication to vSphere, Horizon, ControlUp Cloud servers, and NetScalers/ADCs
    • TCP 40705 open outbound for Console to agent communication via the WCF protocol.
    • TCP 40706 open outbound for Console to Monitor management port.

    A summary of these ports is 53, 80, 135 – 139, 389, 443, 445, 40705, 40706, 49152 – 65535.

    In the GPMC, right-click the (C) ControlUp Server Windows Firewall Ports GPO in the Group Policy Object node and click Edit, as shown in Figure 29.

    Figure 29
    Figure 29

    Expand Policies.

    Expand Windows Settings.

    Expand Security Settings.

    Expand Windows Defender Firewall with Advanced Security.

    Expand Windows Defender Firewall with Advanced Security.

    Right-click Outbound Rules and click New Rule…, as shown in Figure 30.

    Figure 30
    Figure 30

    Select Port and click Next, as shown in Figure 31.

    Figure 31
    Figure 31

    Select TCP, select Specific local ports, enter 53, 80, 135-139, 389, 443, 445, 40705, 40706, 49152-65535, and click Next, as shown in Figure 32.

    Note: There are no spaces before or after the dash in “135-139” and “49152-65535”. If you get an error message in the GPME about invalid characters, verify that the dash character (“-“) is not a copy and paste error from your browser and there are no spaces.

    Figure 32
    Figure 32

    Select Allow the connection and click Next, as shown in Figure 33.

    Figure 33
    Figure 33

    Click Next, as shown in Figure 34.

    Figure 34
    Figure 34

    Enter a Name, an optional Description, and click Finish, as shown in Figure 35.

    Figure 35
    Figure 35

    Exit the Group Policy Management Editor (GPME).

    This GPO applies only to the ControlUp server.

    In the middle pane, in Security Filtering, click on Authenticated Users and click Remove, as shown in Figure 36.

    Figure 36
    Figure 36

    Click OK, as shown in Figure 37.

    Figure 37
    Figure 37

    Click OK, as shown in Figure 38.

    Figure 38
    Figure 38

    Click Add, as shown in Figure 39.

    Figure 39
    Figure 39

    Click Object Types…, as shown in Figure 40.

    Figure 40
    Figure 40

    Select only Computers and click OK, as shown in Figure 41.

    Figure 41
    Figure 41

    Type in the name of the ControlUp server and click Check Names, as shown in Figure 42.

    Figure 42
    Figure 42

    Once the computer name is verified, click OK, as shown in Figure 43.

    Figure 43
    Figure 43

    Now onto the (C) ControlUp Server Windows Defender Exclusions GPO.

    Here are the exclusions needed for the ControlUp server.

    • ControlUp Server
      • Process Exclusions:
        • ControlUpConsole.exe
        • cuMonitor.exe

    Right-click the (C) ControlUp Server Windows Defender Exclusions GPO in the left pane and click Edit.

    Expand Policies.

    Expand Administrative Templates.

    Expand Windows Components.

    Expand Windows Defender Antivirus.

    Click on Exclusions.

    Double-click Process Exclusions, as shown in Figure 44.

    Figure 44
    Figure 44

    Select Enabled and click Show…, as shown in Figure 45.

    Figure 45
    Figure 45

    Enter the values shown in Figure 46, and click OK.

    Figure 46
    Figure 46

    Click OK, as shown in Figure 47.

    Figure 47
    Figure 47

    Exit the GPME.

    Follow the same process as shown in Figures 36 through 43 to remove Authenticated Users and add the ControlUp server, as shown in Figure 48.

    Figure 48
    Figure 48

    Scroll to the top in the GPMC.

    Expand Domains.

    Expand your AD domain.

    Expand the Lab OU.

    Expand the Infrastructure OU.

    Right-click the ControlUp OU and click Link an Existing GPO…, as shown in Figure 49.

    Figure 49
    Figure 49

    Select both ControlUp server GPOs and click OK, as shown in Figure 50.

    Figure 50
    Figure 50

    Now that we have the two ControlUp server GPOs created let’s move on to the GPOs for the monitored computers.

    Let’s work on the (C) ControlUp Agent Windows Firewall Ports GPO first.

    We need the following Windows Firewall ports configured for the monitored computers.

    ControlUp Agent

    • TCP 40705 open inbound for ongoing console/monitor communications. This is a permanent rule.
    • TCP 49152 – 65535 for Agent deployment and upgrades via the console and specific OOB actions, such as restarting the agent. We need these ports temporarily for deploying the agent.

    In the GPMC, right-click the (C) ControlUp Agent Windows Firewall Ports GPO in the Group Policy Object node and click Edit.

    Expand Policies.

    Expand Windows Settings.

    Expand Security Settings.

    Expand Windows Defender Firewall with Advanced Security.

    Expand Windows Defender Firewall with Advanced Security.

    First, we create the permanent rule for TCP port 40705.

    Right-click Inbound Rules and click New Rule…, as shown in Figure 51.

    Figure 51
    Figure 51

    Select Port and click Next, as shown in Figure 52.

    Figure 52
    Figure 52

    Select TCP, select Specific local ports, enter 40705, and click Next, as shown in Figure 53.

    Figure 53
    Figure 53

    Select Allow the connection and click Next, as shown in Figure 54.

    Figure 54
    Figure 54

    Click Next, as shown in Figure 55.

    Figure 55
    Figure 55

    Enter a Name, an optional Description, and click Next, as shown in Figure 56.

    Figure 56
    Figure 56

    Next, we have to create the temporary rule for TCP ports 49152-65535 (the high RPC ports).

    Right-click Inbound Rules and click New Rule…, as shown in Figure 57.

    Figure 57
    Figure 57

    Select Port and click Next, as shown in Figure 58.

    Figure 58
    Figure 58

    Select TCP, select Specific local ports, enter 49152-65535, and click Next, as shown in Figure 59.

    Note: There are no spaces before or after the dash in “49152-65535”. If you get an error message in the GPME about invalid characters, verify that the dash character (“-“) is not a copy and paste error from your browser and there are no spaces.

    Figure 59
    Figure 59

    Select Allow the connection and click Next, as shown in Figure 60.

    Figure 60
    Figure 60

    Click Next, as shown in Figure 61.

    Figure 61
    Figure 61

    Enter a Name, an optional Description, and click Next, as shown in Figure 62.

    Figure 62
    Figure 62

    Exit the Group Policy Management Editor (GPME).

    This GPO applies to the computers monitored by the ControlUp server.

    Now onto the (C) ControlUp Agent Windows Defender Exclusions GPO.

    Here are the exclusions needed for the monitored computers.

    • VMs/Servers with Agents on them (For example, Citrix machines, VMware Horizon machines, VMs.)
      • Process Exclusions:
        • AppLoadTimeTracer.exe
        • cuAgentexe
        • cuAgentHelper.exe

    In the left pane, right-click the (C) ControlUp Agent Windows Defender Exclusions GPO and click Edit.

    Expand Policies.

    Expand Administrative Templates.

    Expand Windows Components.

    Expand Windows Defender Antivirus.

    In the left pane, click on Exclusions, and in the middle pane, double-click Process Exclusions, as shown in Figure 63.

    Figure 63
    Figure 63

    Select Enabled and click Show…, as shown in Figure 64.

    Figure 64
    Figure 64

    Enter the values shown in Figure 65, and click OK.

    Figure 65
    Figure 65

    Click OK, as shown in Figure 66.

    Figure 66
    Figure 66

    Exit the GPME.

    Collapse the Lab OU.

    These two GPOs do not apply to the ControlUp server. To do that, we configure a GPO Deny Policy. A Deny right is not something you should do as a normal course of working with GPOs as it complicates GPO troubleshooting.

    Click on the (C) ControlUp Agent Windows Defender Exclusions GPO, and in the middle pane, click the Delegation tab and click Advanced, as shown in Figure 67.

    Figure 67
    Figure 67

    Click Add…, as shown in Figure 68.

    Figure 68
    Figure 68

    Click on Object Types…, as shown in Figure 69.

    Figure 69
    Figure 69

    Select only Computers and click OK, as shown in Figure 70.

    Figure 70
    Figure 70

    Type in the name of the ControlUp server and click Check Names, as shown in Figure 71.

    Figure 71
    Figure 71

    When the server name is validated, click OK, as shown in Figure 72.

    Figure 72
    Figure 72

    Verify that the ControlUp server is selected, and in the Permissions area, scroll down and select Deny for Apply group policy, as shown in Figure 73. Do NOT change any other permissions.

    Figure 73
    Figure 73

    Click Yes, as shown in Figure 74.

    Figure 74
    Figure 74

    Right-click the GPO and click Edit, as shown in Figure 75.

    Figure 75
    Figure 75

    Right-click the top level of the GPO and click Properties, as shown in Figure 76.

    Figure 76
    Figure 76

    Click the Comment tab. For the comment, type in Deny for the server <ControlUp server name>, and click OK, as shown in Figure 77. This comment makes it easier when troubleshooting the GPO later.

    Figure 77
    Figure 77

    Exit the GPME.

    Figure 78 shows the comment entered.

    Figure 78
    Figure 78

    Repeat the process to add the Deny permission to the other GPO.

    Scroll to the top in the GPMC.

    Expand Domains.

    Expand your AD domain.

    Right-click the domain and click Link an Existing GPO…, as shown in Figure 79.

    Figure 79
    Figure 79

    Select both ControlUp agent monitoring GPOs and click OK, as shown in Figure 80.

    Figure 80
    Figure 80

    The two GPOs are now linked at the domain level, as shown in Figure 81.

    Figure 81
    Figure 81

    To verify the GPOs work, log in to the file server and the ControlUp server.

    Tip: If the GPOs do not work at first, either restart the VM or do a Right-click Start, Run, gpupdate. Then log off and back on to see if it took effect. Gpupdate is a command-line utility from Microsoft that comes with all versions of the Windows operating system to refresh the Group Policy engine on the client. There are many ways of running gpupdate. As an administrator, you can even force a group policy refresh remotely using PowerShell or the GPMC.

    On the ControlUp server, right-click Start, Run, wf.msc, and Windows Defender Firewall with Advanced Security starts, as shown in Figure 82.

    Figure 82
    Figure 82

    Click Outbound Rules and verify that the Outbound Firewall Rule configured by the GPO is there, as shown in Figure 83.

    Figure 83
    Figure 83

    Exit Windows Defender Firewall with Advanced Security.

    To verify the Windows Defender Exclusions, click Start, Settings, Update & Security, Windows Security, and Virus & threat protection, as shown in Figure 84.

    Figure 84
    Figure 84

    Under Virus & threat protection settings, click Manage settings, as shown in Figure 85.

    Figure 85
    Figure 85

    Scroll down to Exclusions and click Add or remove exclusions, as shown in Figure 86.

    Figure 86
    Figure 86

    Figure 87 shows that the Exclusions are in place.

    Figure 87
    Figure 87

    Follow the same process to validate the GPO settings on the file server, as shown in Figures 88 and 89.

    Figure 88
    Figure 88
    Figure 89
    Figure 89

    Install ControlUp Performance Monitor

    Extract the downloaded ControlUp.zip file to the ControlUp server to C:\ControlUp, as shown in Figure 90.

    Figure 90
    Figure 90

    There is nothing to install for ControlUp. ControlUpConsole.exe is the ControlUp monitoring software.

    Before continuing, install a modern internet browser. For example, I installed Google Chrome because I could not get the installer for the new Microsoft Edge to work from Internet Explorer 11 (IE11). ControlUp Insights and Solve require a modern browser.

    Configuring ControlUp

    First Time Launch

    Click Create a new account, as shown in Figure 91.

    Figure 91
    Figure 91

    Enter the requested information, select I agree to the Terms of Use and Privacy Policy, and click SIGN UP, as shown in Figure 92.

    Figure 92
    Figure 92

    Verify that the email address is correct and click OK, as shown in Figure 93.

    Figure 93
    Figure 93

    Enter the passcode emailed and click Continue, as shown in Figure 94.

    Figure 94
    Figure 94

    Now you need to create a ControlUp organization. Enter a descriptive Organization Name and click Continue, as shown in Figure 95.

    Figure 95
    Figure 95

    The ControlUp Real-Time Console starts, as shown in Figure 96.

    Figure 96
    Figure 96

    Add Monitor

    On the toolbar, click Add Monitor, as shown in Figure 97.

    Figure 97
    Figure 97

    Click OK, as shown in Figure 98.

    Figure 98
    Figure 98

    Click Add Domain, as shown in Figure 99.

    Figure 99
    Figure 99

    Enter the AD domain’s FQDN, enter domain credentials, and click OK, as shown in Figure 100.

    Figure 100
    Figure 100

    Click Add Credentials Set, as shown in Figure 101.

    Figure 101
    Figure 101

    Enter the vCenter ControlUp account information, enter a Friendly Name, select Share credentials with authorized users, and click OK, as shown in Figure 102.

    Figure 102
    Figure 102

    Repeat the process shown in Figures 101 and 102 to add the XenCenter ControlUp account.

    The accounts are added. Click Next, as shown in Figure 103.

    Figure 103
    Figure 103

    Click Next, as shown in Figure 104.

    Figure 104
    Figure 104

    Click Next, as shown in Figure 105.

    Figure 105
    Figure 105

    Click Next, as shown in Figure 106.

    Figure 106
    Figure 106

    Click Next, as shown in Figure 107.

    Figure 107
    Figure 107

    Click Finish, as shown in Figure 108.

    Figure 108
    Figure 108

    Select the ControlUp server as the Monitor server and click Install, as shown in Figure 109.

    Figure 109
    Figure 109

    Click Finish, as shown in Figure 110.

    Figure 110
    Figure 110

    Wait a few minutes, click Refresh, and the Monitor should show Running-Master, as shown in Figure 111. If it doesn’t, either wait a few more minutes or contact ControlUp support.

    Click OK.

    Figure 111
    Figure 111

    Create Folders

    As in Windows Explorer, Folders in the ControlUp console allow you to organize monitored devices into manageable groups. So far, in this article series, only infrastructure computers exist. Folders allow the grouping of servers by function, action, type, use, or any criteria needed. Folders can mimic an existing AD OU structure or any structure desired.

    Right-click the Organization Name in the left pane of the ControlUp console, click Add, and click Folder, as shown in Figure 112.

    Figure 112
    Figure 112

    Enter a name for the folder and press Enter, as shown in Figure 113.

    Figure 113
    Figure 113

    Additional folders can exist at the same level or as sub-folders. I created additional sub-folders to mimic where servers reside in AD, as shown in Figure 114.

    Figure 114
    Figure 114

    Add Hypervisors

    In the toolbar, click Add Hypervisor, as shown in Figure 115.

    Figure 115
    Figure 115

    Enter the following information and click OK, as shown in Figure 116.

    • Type = VMware
    • URL = https://vCenter.FQDN/sdk (For me, that is https://vCenter.LabADDomain.com/sdk)
    • Name = vCenter
    • Credentials = From the dropdown list, select the VMware ControlUp account (For me, that is svc_VMwareControlUp
    Figure 116
    Figure 116

    Figure 117 shows vCenter added under the Hypervisors folder.

    Figure 117
    Figure 117

    As shown in Figure 115, click Add Hypervisor.

    Enter the following information and click OK, as shown in Figure 118.

    • Type = XenServer
    • URL = http://XenServerPoolMasterIPAddressorFQDN (For me, that is http://192.168.1.80)
    • Name = Automatically filled
    • Credentials = From the dropdown list, select the Citrix ControlUp account (For me, that is svc_CitrixControlUp
    Figure 118
    Figure 118

    Figure 119 shows the Pool added under the Hypervisors folder.

    Figure 119
    Figure 119

    Add Machines

    In my Lab, the XenServer pool holds all my infrastructure VMs.

    Right-click the hypervisor connection where the infrastructure machines reside and click Focus, as shown in Figure 120.

    Figure 120
    Figure 120

    Click on Machines and select the machines to install the ControlUp agent, as shown in Figure 121.

    Figure 121
    Figure 121

    Right-click a selected machine and click Deploy agent, as shown in Figure 122.

    Figure 122
    Figure 122

    Click OK, as shown in Figure 123.

    Figure 123
    Figure 123

    Click OK, as shown in Figure 124.

    Figure 124
    Figure 124

    As shown in Figure 125, after a few seconds, the selected computers show in the console.

    Figure 125
    Figure 125

    Now that computers are in the console, we can move them to the folders created earlier.

    Select the two domain controllers, right-click and click Move to…, as shown in Figure 126.

    Figure 126
    Figure 126

    Expand the top-level folder, select the folder created for the domain controllers, and click OK, as shown in Figure 127.

    Figure 127
    Figure 127

    In the list of folders, expand the domain controller’s folder, and the domain controllers are now in their folder, as shown in Figure 128.

    Figure 128
    Figure 128

    Move the other computers into their folders, as shown in Figure 129. You can also drag and drop computers into folders.

    Figure 129
    Figure 129

    Note: Now that the ControlUp agent is deployed, the temporary Windows Firewall rule, ControlUp Monitored Computer Inbound TCP Ports 49152-65535, can be disabled within the GPMC.

    Configure Security

    We need to allow others access to the Shared Credentials created when configuring the Monitor and configure our security groups with Admin and Helpdesk access to the console.

    On the bottom of the console, click Security Policy, as shown in Figure 130.

    Figure 130
    Figure 130

    Expand Perform organization-wide actions, as shown in Figure 131.

    Figure 131
    Figure 131

    Scroll down and expand Shared Credentials, as shown in Figure 132.

    Figure 132
    Figure 132

    For Use Shared Credentials, in both the Helpdesk and ControlUp Admins columns, click on Not set, and click Allow from the popup, as shown in Figures 133 and 134.

    Figure 133
    Figure 133
    Figure 134
    Figure 134

    Click Apply, as shown in Figure 135.

    Figure 135
    Figure 135

    Click Manage Roles, as shown in Figure 136.

    Figure 136
    Figure 136

    Click Helpdesk and then click Edit, as shown in Figure 137.

    Figure 137
    Figure 137

    Click Add Users/Groups, as shown in Figure 138.

    Figure 138
    Figure 138

    Since the AD security groups created for the helpdesk groups contain “helpdesk”, for the Search Filter, type in helpdesk, click Search, and all the helpdesk security groups appear, as shown in Figure 139.

    Figure 139
    Figure 139

    Select all the helpdesk groups and click OK, as shown in Figure 140.

    Figure 140
    Figure 140

    Click OK, as shown in Figure 141.

    Figure 141
    Figure 141

    Click ControlUp Admins and then click Edit, as shown in Figure 142.

    Figure 142
    Figure 142

    Click Add Users/Groups, as shown in Figure 143.

    Figure 143
    Figure 143

    Since the AD security groups created for the admin groups contain “admins”, for the Search Filter, type in admins, click Search, and all the admins security groups appear, as shown in Figure 144.

    Figure 144
    Figure 144

    Select the desired groups and click OK, as shown in Figure 145.

    Figure 145
    Figure 145

    Click OK, as shown in Figure 146.

    Figure 146
    Figure 146

    Click OK, as shown in Figure 147.

    Figure 147
    Figure 147

    Verify Monitor Activity

    Click My Organization on the bottom of the console, as shown in Figure 148.

    Figure 148
    Figure 148

    Click Monitoring Status, as shown in Figure 149.

    Figure 149
    Figure 149

    Click Refresh, and the Monitor should show a Last Upload status, as shown in Figure 150.

    Note: Please see this article on Monitor Alerts from ControlUp if there is no upload activity.

    Figure 150
    Figure 150

    Viewing the Console

    Right-click the Infrastructure folder and click Focus.

    What shows is the Default console view for the item in Focus. Figure 151 shows a partial view.

    Figure 151
    Figure 151

    Drag the scroll bar to the far right, and you can see many columns available, as shown in Figure 152.

    Figure 152
    Figure 152

    You can sort what you see by any column. For example, double-click the IP Addresses column heading to sort by IP Addresses, as shown in Figure 153.

    Figure 153
    Figure 153

    You can add or remove columns from the display by clicking Manage Columns, as shown in Figure 154.

    Figure 154
    Figure 154

    You can add or remove any column(s) you need, as shown in Figure 155.

    Figure 155
    Figure 155

    You can also display many ControlUp defined preset column selections by clicking the dropdown Column Preset, as shown in Figure 156.

    Figure 156
    Figure 156

    The console display changes to show columns (data) specific to the Preset selected, as shown in Figure 157.

    Figure 157
    Figure 157

    Please schedule time with ControlUp to get a detailed look into what all the ControlUp Real-Time Console can show.

    Uninstall Agents on Servers

    To see only machines with the ControlUp agent, click Display, as shown in Figure 158.

    Figure 158
    Figure 158

    Deselect Show Agentless Managed VMs and Show Agentless Managed Sessions, as shown in Figure 159.

    Figure 159
    Figure 159

    Click on the Organization Name, right-click and select Focus, as shown in Figure 160.

    Figure 160
    Figure 160

    Click Machines, as shown in Figure 161.

    Figure 161
    Figure 161

    To uninstall the agents installed using the console, select the computers with the agents to uninstall, right-click, click Agent Control, and click Uninstall Remote Agent, as shown in Figure 162.

    Figure 162
    Figure 162

    This process uninstalls the agent from the selected computers and removes the selected computers from the ControlUp console, as shown in Figure 163.

    Figure 163
    Figure 163

    Up next: Update ESXi Hosts using VMware Lifecycle Manager

    Landing page for the article series







    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply