Hybrid Agent Technical Requirements
Modified on Mon, 03 Jul 2023 at 05:29 PM
TABLE OF CONTENTS
- Infrastructure Requirements
- Network / Firewall Requirements
- Security Requirements
- Software Requirements
Infrastructure Requirements
The following requirements apply to the key infrastructure components that support CoreView On Premises functionality.
All the prerequisites must be completed and validated before a deployment meeting can be conducted.
Architecture Component | Minimum Requirement | |
---|---|---|
Hybrid Agent Server | Hardware1 | Virtual or Physical Wintel Server |
Hybrid Agent Server | CPU | 2 Core |
Hybrid Agent Server | RAM | 8 Gb |
Hybrid Agent Server | Storage | 200 Gb |
Hybrid Agent Server | OS | Windows Server 2019 |
Hybrid Agent Server | Domain Member | Optional |
Active Directory | Topology | Single Forest: Multi-Domain; Single Forest: Single-Domain; Resource Forest (*) |
Active Directory | Functional Level | Windows 2003 |
Azure AD Connect | Synchronization | Version 2.x |
Exchange Services | CAS Server2 | Exchange Server 2013 |
Docker | Version | Docker Community Edition (CE) runtime environment - most updated available version |
(*) For details about the resource forest model, please refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/forest-design-models
Network / Firewall Requirements
The following requirements apply to network traffic that supports CoreView’s OnPremises functionality. Please note that these network requirements pertain only to traffic between the on-premises agent and CoreView or the Microsoft Azure Service Bus infrastructure.
The CoreView On-premises Agent will also need to communicate with the customer’s Active Directory and, optionally, a select Exchange Server.
Please note that the wildcard hostnames listed below can match more than one subdomain level. For example, "*.usgovcloudapi.net" can include a name such as "cvgov.blob.core.usgovcloudapi.net". Please configure your firewall to allow traffic to all subdomain names covered by the hostnames in the list below.
Customers registered in CoreView commercial data centers:
Network components | Target | Hostname | Port Requirement |
---|---|---|---|
Windows Services | CoreView API Service | *.4ward365.com | 443 (TCP) |
Windows Services | CoreView API Service | *.loginportal.online | 443 (TCP) |
Windows Services | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Windows Services | Azure Container Registry | *.azurecr.io | 443 (TCP) |
Hybrid Agent | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Hybrid Agent | Azure Blob Storage | *.windows.net *.usgovcloudapi.net | 443 (TCP) |
Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
Hybrid Agent | Visual Studio Services | *.visualstudio.com | 443 (TCP) |
Hybrid Agent | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Hybrid Agent | Azure AD | *.windows.net *.microsoftonline.com *.microsoft.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | MSOL | *.microsoftonline.com *.windows.net | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange Online | *.office365.com *.outlook.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Teams | *.lync.com *.digicert.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Hybrid Agent | CoreView All Services | *.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 51.104.176.249 52.138.125.123 52.155.24.120 52.227.224.106 | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Diagnostic Tool | Azure Blob Storage | *.windows.net *.usgovcloudapi.net | 443 (TCP) |
Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Diagnostic Tool | Azure AD | *.windows.net *.microsoftonline.com *.microsoft.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | MSOL | *.microsoftonline.com *.windows.net | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange Online | *.office365.com *.outlook.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Teams | *.lync.com *.digicert.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Diagnostic Tool | CoreView All Services | *.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 51.104.176.249 52.138.125.123 52.155.24.120 52.227.224.106 | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Customers registered in CoreView Gov data centers:
Network components | Target | Hostname | Port Requirement |
---|---|---|---|
Windows Services | CoreView API Service | *.4ward365.com | 443 (TCP) |
Windows Services | CoreView API Service | *.coreview.com | 443 (TCP) |
Windows Services | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
Windows Services | Azure Container Registry | *.azurecr.us | 443 (TCP) |
Hybrid Agent | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
Hybrid Agent | Azure Blob Storage | *.usgovcloudapi.net | 443 (TCP) |
Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
Hybrid Agent | Azure AD | *.windows.net *.microsoftonline.com *.microsoft.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | MSOL | *.microsoftonline.com *.windows.net | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange Online | *.office365.com *.outlook.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Teams | *.lync.com *.digicert.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Hybrid Agent | CoreView All Services | *.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 51.104.176.249 52.138.125.123 52.155.24.120 52.227.224.106 | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Diagnostic Tool | Azure Blob Storage | *.windows.net *.usgovcloudapi.net | 443 (TCP) |
Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Diagnostic Tool | Azure AD | *.windows.net *.microsoftonline.com *.microsoft.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | MSOL | *.microsoftonline.com *.windows.net | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange Online | *.office365.com *.outlook.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Teams | *.lync.com *.digicert.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Diagnostic Tool | CoreView All Services | *.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 51.104.176.249 52.138.125.123 52.155.24.120 52.227.224.106 | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
For additional information on the requirements for accessing the Azure Service Bus, please refer to the following resource: https://blogs.msdn.microsoft.com/servicebus/2017/11/07/open-port-requirements-and-ip-address-whitelisting/
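To illustrate the wildcard note and the port tables above, the following added example (not CoreView code) merges a subset of the commercial Hybrid Agent rows into one port set per hostname pattern and audits destinations against it, contrasting multi-level wildcard matching with the single-label matching that some filtering devices apply. The function names and every sample destination except the page's own `cvgov.blob.core.usgovcloudapi.net` are assumptions made for the example.

```python
# Added example (not CoreView code). Rows are copied from a subset of the
# commercial "Hybrid Agent" table; sample destinations are constructed.
ROWS = [
    ("Azure Service Bus", ["*.windows.net"], {443, 5671, 9354}),
    ("Azure Blob Storage", ["*.windows.net", "*.usgovcloudapi.net"], {443}),
    ("Visual Studio Services", ["*.visualstudio.com"], {443}),
    ("Exchange Online", ["*.office365.com", "*.outlook.com"], {80, 443, 5985, 5986}),
    ("SharePoint Online", ["*.sharepoint.com"], {80, 443, 5985, 5986}),
]


def consolidate(rows):
    """Merge table rows into one port set per hostname pattern."""
    rules = {}
    for _target, patterns, ports in rows:
        for pattern in patterns:
            rules.setdefault(pattern.lower(), set()).update(ports)
    return rules


def host_matches(pattern, host, multi_label=True):
    """Match host against an exact name or a '*.suffix' pattern.

    multi_label=True is the behaviour the page asks for (any subdomain depth).
    multi_label=False models a device that treats '*' as a single label.
    """
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # ".windows.net": keeping the dot rejects "notwindows.net"
    if not host.endswith(suffix) or len(host) == len(suffix):
        return False
    prefix = host[: -len(suffix)]
    return multi_label or "." not in prefix


def is_allowed(rules, host, port, multi_label=True):
    """True if some consolidated rule covers this host and TCP port."""
    return any(
        port in ports and host_matches(pattern, host, multi_label)
        for pattern, ports in rules.items()
    )


def audit(rules, observed, multi_label=True):
    """Return the (host, port) pairs that the rule set would block."""
    return [(h, p) for h, p in observed if not is_allowed(rules, h, p, multi_label)]


RULES = consolidate(ROWS)
# Constructed destinations; the first hostname is the page's own example.
OBSERVED = [
    ("cvgov.blob.core.usgovcloudapi.net", 443),
    ("contoso.servicebus.windows.net", 5671),
    ("contoso.sharepoint.com", 5671),
    ("notwindows.net", 443),
]
```

Running `audit(RULES, OBSERVED)` lists destinations the consolidated rules would block; running it with `multi_label=False` shows which required hostnames a single-label wildcard implementation would drop.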
Security Requirements
The following security requirements apply to CoreView’s OnPremises functionality.
Type | Minimum Permissions |
---|---|
CoreView Configuration | Tenant Admin |
Hybrid Agent Deployment | Local or Domain Administrator |
Active Directory Service Account | Domain Administrator (**) |
Exchange Service Account | Organization Administrator Role |
Exchange PowerShell Virtual Directory | Set to Basic or Integrated Authentication (*) |
Important note about Exchange Virtual Directory configuration (*):
There are two methods for configuring authentication when setting up the PowerShell virtual directory for remote access. If Basic authentication is enabled, SSL must also be enabled and configured with a valid public certificate.
If SSL is not enabled, then Windows Authentication should be set. In this scenario, you must configure gMSA for the hybrid agent hosting server and configure your CoreView hybrid agent to support the gMSA settings.
More information about the settings of the Exchange PowerShell virtual directory can be found here: https://learn.microsoft.com/en-us/exchange/clients/default-virtual-directory-settings?view=exchserver-2019
(**) If your company has security policies that don't allow setting service accounts with domain admin permission, please refer to the chapter “Hardening CoreView Hybrid Agent service accounts’ permissions” below.
Important note about Multi-Factor Authentication
If you have implemented Multi-Factor Authentication (MFA) for accessing your Microsoft 365 cloud services, please create a conditional access policy so that sign-ins coming from your on-premises hybrid agent IP address are not asked for any second-factor authentication for the CoreView service account named “4ward365.admin@yourdomain.onmicrosoft.com”.
Without this exception policy, your CoreView tenant won't be able to open any management session.
Please be aware that your hybrid agent IP address may be behind a NAT applied by your network gateway for connecting to public networks such as the Internet. We recommend checking with your network specialist to identify the public IP address that your on-premises environment uses to connect to public networks.
For more information about conditional access exception policies, please refer to the official Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
Software Requirements
The following software requirements apply to CoreView’s OnPremises functionality.
Software or Services | Minimum Requirements | |
---|---|---|
CoreView SaaS Solution | SKUs | CoreSuite, ONPREM SKU, OS2019 SKU |
CoreView Hybrid Agent | Version | > 1.0.6 |
Docker | Version | See chapter below |
Docker engine installation
Please read the following article for instructions on how to deploy the Docker service on your hosting server: https://learn.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=dockerce#windows-server-1