This article describes the requirements, prerequisites, and steps needed to deploy the CoreView Diagnostic Tool in your organization and to run the available tests that check the configurations required by the CoreView Hybrid Agent.


This document is intended for one or more of your organization’s senior technology staff who support enterprise services, and the activities described here typically require their participation.


It is critically important that the appropriate individuals within your organization review the information provided in this document and reach out to CoreView with any questions prior to scheduling a deployment.





Overview

The CoreView Diagnostic Tool is a Docker container instance that provides you with the ability to simulate the same tasks performed by the CoreView Hybrid Agent and check for any issues while executing them.


You will be able to run it and enter a menu composed of nine different options, where you can select which part of your environment should be tested to verify if it is supported by the CoreView Hybrid Agent.


While the requirements to download and run the CoreView Diagnostic Tool are the same as for the CoreView Hybrid Agent, it is highly recommended that you run it before installing the CoreView Hybrid Agent. This will help identify and correct any unsupported behavior in your on-premises environment, such as Active Directory and Exchange Server.


Furthermore, please note that there are two versions of the CoreView Diagnostic Tool: 2016 and 2019. We recommend using the same version as your Windows operating system. The following chapters provide instructions for running both the 2016 and 2019 versions, but you only need to execute the ones related to the version you plan to set up.





Network / Firewall Requirements

The following requirements apply to network traffic that supports CoreView's On-premises functionality. Please note that these network requirements pertain only to traffic between the on-premises agent, CoreView, and the Microsoft Azure infrastructure.


The CoreView Diagnostic Tool will also need to communicate with the customer's Active Directory and, optionally, a selected Exchange Server.


Network Components | Target | Hostnames | Port Requirement
Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP)
Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP)
Diagnostic Tool | Azure Blob Storage | *.windows.net, *.usgovcloudapi.net | 443 (TCP)
Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP)
Diagnostic Tool | Sectigo Certification Authority | *.sectigo.com | 80, 443 (TCP)
Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP)
Diagnostic Tool | Azure AD | *.windows.net, *.microsoftonline.com, *.microsoft.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | MSOL | *.microsoftonline.com, *.windows.net | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | Exchange Online | *.Office365.com, *.outlook.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | Teams | *.lync.com, *.digicert.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP)
Diagnostic Tool | CoreView All Services | *.4ward365.com, *.loginportal.online, *.windows.net, *.sectigo.com, *.azurecr.io, *.windows.net, *.usgovcloudapi.net, 51.104.176.249, 52.138.125.123, 52.155.24.120, 52.227.224.106 | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
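A firewall pre-check for the requirements above, run from the host that will run the container. This is an added example, not CoreView code: it probes only the concrete hosts and IP addresses that appear in this article (wildcard entries cannot be probed), the IPs are tested on 443 only, and the `$DomainController` and `$TimeoutMs` parameters are assumptions.

```powershell
# Added example (not CoreView code): direct TCP reachability check.
# Hosts and IPs are taken from this article; parameters are assumptions.
param(
    [string]$DomainController = '',   # your DC's FQDN; empty skips the WinRM ports
    [int]$TimeoutMs = 3000            # assumed per-connection timeout
)

$targets = @(
    @{ Name = 'cvhybridtool.azurecr.io'; Ports = 80, 443 }
    @{ Name = 'www.microsoft.com';       Ports = 80, 443 }
    @{ Name = 'sectigo.com';             Ports = 80, 443 }
    @{ Name = 'outlook.office365.com';   Ports = @(443) }
)
foreach ($ip in '51.104.176.249', '52.138.125.123', '52.155.24.120', '52.227.224.106') {
    $targets += @{ Name = $ip; Ports = @(443) }
}
if ($DomainController) {
    $targets += @{ Name = $DomainController; Ports = 443, 5985, 5986 }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Timeout' }
        $client.EndConnect($pending)   # throws if refused or the name does not resolve
        return 'Open'
    } catch {
        return 'Failed: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        [pscustomobject]@{
            Target = $t.Name
            Port   = $port
            Result = Test-TcpPort -HostName $t.Name -Port $port -TimeoutMs $TimeoutMs
        }
    }
}
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { $_.Result -ne 'Open' })
if ($blocked.Count) { Write-Warning "$($blocked.Count) endpoint/port pairs were not reachable." }
```

These are direct connections, so on a host that reaches the internet only through a proxy the external targets will report Timeout or Failed even when the proxy permits them.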





Download and Run

As mentioned above, the CoreView Diagnostic Tool utilizes the Docker Runtime Environment (RTE) to operate.


Please refer to the Software Requirements chapter in the CoreView - Hybrid Agent Technical Requirements guide for installation recommendations regarding Docker RTE.


We recommend running the CV Diagnostic Tool from the same server where you plan to deploy the CV Hybrid Agent. This allows you to perform connection tests from the same host that will run the CV Hybrid Agent in your production environment.


Please note that if you're running the CoreView Hybrid Agent behind a proxy, you'll first need to verify if your proxy settings are assigned to your Windows PowerShell session. If you're unsure, please run the following command for the HTTP proxy:


$env:http_proxy = "http://xxx.xxx.xxx.xxx:port"


Or the following for the HTTPS proxy:


$env:https_proxy = "https://xxx.xxx.xxx.xxx:port" 


To download the latest container image of the CV Diagnostic Tool, please open a PowerShell session with administrative rights and execute the following commands:


docker login -u 62f8c18f-5326-430e-ac17-2fdd8f0c280e -p l8K8Q~bnBU5d8feNR5ABfB6PGRGD-j2XvuiHzcGu cvhybridtool.azurecr.io


Once you've completed the previous steps, you should proceed to download the Docker Diagnostic Tool image. For the 2016 version, please execute the following command:


docker pull cvhybridtool.azurecr.io/cvdiagnostictool:2016


For the 2019 version, please execute the following command:


docker pull cvhybridtool.azurecr.io/cvdiagnostictool:2019


Please do not use PowerShell ISE, as it is not supported by the CV Diagnostic Tool. We also recommend expanding your PowerShell window to full screen to avoid any issues with the command-line tool.





When you see the messages displayed in the above picture, please execute the following command to run the CV Diagnostic Tool for the 2016 version:


docker run -v c:\temp:c:\temp --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:2016 


If you have previously downloaded the 2019 version of the CV Diagnostic Tool, please run the following command instead:


docker run -v c:\temp:c:\temp --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:2019  


You will now see the following screen, where you can select your data center. In the image below, I have entered "EU" and pressed enter to connect to the European CoreView Datacenter:




From the above menu, you can select any test you would like to perform to evaluate if your CV Hybrid Agent will work in your environment:


  • Option (1) will test your configuration of the WinRM protocol used for connecting to your Active Directory domain controller.
  • Option (2) will simulate connections to internet endpoints used by the CoreView Hybrid Agent.
  • Option (3) will test connectivity, authentication method, and protocols used for connecting to your Exchange Server.
  • Option (4) will test connectivity and the protocol used for connecting to your Active Directory domain controller.
  • Option (5) will let you switch between different CoreView DataCenters.
  • Option (6) will open a PowerShell runspace without any PowerShell module already loaded, where you can manually input the cmdlets you would like to test.
  • Option (7) should be used in combination with other tests and it will save the results of the executed tests in a file located in the C:\temp directory.
    For example, you can run 1,2,7 and you will find the results also displayed in a JSON file saved on your C drive.
  • Option (8) will close the CV Diagnostic Tool session.
  • Option (9) will display detailed information about the above options.

When prompted, please make sure you provide the same credentials you plan to configure on the CV Hybrid Agent as service accounts (please see Chapter 8 – Hybrid Account Permission of the CoreView - Hybrid Agent Deployment Guide).




Option (6) - PowerShell Runspace

You may want to perform additional tests that are not available among the built-in options of the CV Diagnostic Tool menu.


By selecting option (6), you will have the opportunity to open a PowerShell runspace similar to the one opened by the CV Hybrid Agent.


Please note that the option (6) runspace does not have any PowerShell modules installed. So, if you are going to test a specific cmdlet that requires a module, please remember to import it beforehand.


Refer to this article (section named Required PowerShell Versions) for a list of PowerShell module versions installed on the CV Hybrid Agent. Download and install the same version on the CV Diagnostic Tool when using option (6).


That module will be available only in your runspace until you exit from it. In fact, closing a runspace by typing "exit" and pressing enter will erase everything you previously imported and executed.


Below, you can find some cmdlets useful for testing additional connections made by the CV Hybrid Agent through option (6) of the CV Diagnostic Tool:


# Enable TLS protocols to perform HTTPS connection tests
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"

# Test Microsoft connection
Invoke-WebRequest -Uri https://www.microsoft.com -UseBasicParsing

# Test SSL certificate revocation list
Invoke-WebRequest -Uri https://sectigo.com -UseBasicParsing

# Test Exchange Online connection
$adUsername = "domain\username"
$adPassword = "password" | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adUsername, $adPassword
$cs = Get-Credential -Credential $Credentials
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.4 -Confirm:$false -Scope AllUsers -Force
# Uncomment the next line to connect through the proxy configured in Internet Options
#$ProxyOptions = New-PSSessionOption -ProxyAccessType IEConfig
Connect-ExchangeOnline -Credential $cs -LogLevel All -PSSessionOption $ProxyOptions

# For a further connection test, you can run the following; an "unauthorized" response means you can reach the Exchange Online endpoint:
#Invoke-WebRequest -Uri https://outlook.office365.com/adminapi/beta/ -UseBasicParsing

# Test Teams connection
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$adPassword = "password"
$adUsername = "username"
$adPassword = $adPassword | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adUsername, $adPassword
$cs = Get-Credential -Credential $Credentials
Connect-MicrosoftTeams -Credential $cs -LogFilePath "c:/temp/teams-logs.txt"
Get-CsApplicationAccessPolicy | ConvertTo-Json





Frequently Asked Questions


Q. Can I run the CV Diagnostic Tool using a proxy?


A. Yes. Please follow the instructions described in Chapter 9 – Proxy Configuration of the Hybrid Agent Deployment Guide, and export your proxy.reg into the c:\temp folder.


Then, please run the CV Diagnostic Tool using the following command:


docker run -v c:\temp:c:\temp --rm -it --entrypoint powershell cvhybridtool.azurecr.io/cvdiagnostictool:xxxx


(xxxx is the agent version you would like to run)


After that, please type the following commands to import the proxy configuration and run the CV Diagnostic Tool menu:


cd.. 

cd temp 

regedit.exe -S c:\temp\proxy.reg 

cd.. 

cd app 

.\diagnostic.ps1 


Now, you should be able to see the CV Diagnostic Tool main menu and run all the available tests using the imported proxy configuration.



Q. Can I test if my gMSA accounts work using the CV Diagnostic Tool?


A. Yes. Please run the following script to import your credential spec file associated with the gMSA account when running the CV Diagnostic Tool:


docker run -v c:\temp:c:\temp --security-opt "credentialspec=file://yourcredentialspecfilename.json" --hostname your_gMSA_account_to_test --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:2019


Credential spec files are usually saved in: C:\ProgramData\Docker\CredentialSpecs
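A check of the credential spec file before it is passed to `docker run` as shown above. This is an added example, not CoreView code: it assumes the file sits in the directory named above and follows the standard Windows container credential spec layout, and both parameter defaults are the placeholders from the article's command.

```powershell
# Added example (not CoreView code): validate a credential spec before docker run.
param(
    [string]$SpecFile = 'yourcredentialspecfilename.json',  # placeholder from the article
    [string]$HostName = 'your_gMSA_account_to_test'         # value passed to --hostname
)

# Assumption: the spec is stored in Docker's usual CredentialSpecs directory.
$path = Join-Path 'C:\ProgramData\Docker\CredentialSpecs' $SpecFile
if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
    throw "Credential spec not found: $path"
}
$spec = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json

$problems = @()
if ($spec.CmsPlugins -notcontains 'ActiveDirectory') {
    $problems += 'CmsPlugins does not list ActiveDirectory.'
}
if (-not $spec.DomainJoinConfig.MachineAccountName) {
    $problems += 'DomainJoinConfig.MachineAccountName is missing.'
}
if (-not $spec.DomainJoinConfig.DnsName) {
    $problems += 'DomainJoinConfig.DnsName is missing.'
}

# Each gMSA normally appears twice: once scoped to the DNS name, once to the NetBIOS name.
$accounts = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | Where-Object { $_ })
$names = @($accounts | ForEach-Object { $_.Name } | Sort-Object -Unique)
if ($accounts.Count -eq 0) {
    $problems += 'No GroupManagedServiceAccounts entries found.'
} elseif ($names -notcontains $HostName) {
    $problems += "--hostname '$HostName' does not match a gMSA in the spec ($($names -join ', '))."
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Credential spec OK for '$HostName' in domain $($spec.DomainJoinConfig.DnsName)."
Write-Output "docker run -v c:\temp:c:\temp --security-opt `"credentialspec=file://$SpecFile`" --hostname $HostName --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:2019"
```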






Compliance Notice

CoreView seeks to conform with the standards set forth by the International Organization for Standardization (ISO), as well as the standards published as part of the IT Infrastructure Library (ITIL).   


ISO/IEC Compliance: 19941:2017, 1:2012, 2000-1:2018, 20000-11:2015  


 

Version Control 


Date Published: 06/30/2023 

Publication Version: V3.0