
Avanade Management Platform

Monitoring Requirements
October 6th, 2020
Contents
1 Introduction
1.1 AMP Monitoring and the ServiceNow CMDB
1.2 Determining Monitoring Accounts

2 Windows OS and Application Monitoring
2.1 Microsoft Windows Server
2.2 Microsoft Active Directory Domain Controller
2.3 Microsoft Exchange Server
2.4 Microsoft SharePoint Server
2.5 Microsoft Skype for Business Server
2.6 Microsoft Lync Server
2.7 Microsoft SQL Server
2.8 Microsoft Office Online Server (OOS/OWA)
2.9 Microsoft Hyper-V Server
2.10 Microsoft System Center Data Protection Manager
2.11 Blackberry Enterprise Server
2.12 Veritas Enterprise Vault

3 SNMP Device and Application Monitoring
3.1 General Requirements
3.2 F5 BIG-IP Devices & Appliances
3.3 HPE Nimble Storage
3.4 Cisco Networking hardware
3.5 Dell EMC Storage
3.6 Blackberry Enterprise Server
3.7 AudioCodes Enterprise Voice Appliance
3.8 VMware ESX Server
3.9 Barracuda Load Balancer
3.10 Cisco Email Security Appliance
3.11 Hitachi Data Systems

4 AMP Synthetic Transactions
4.1 Microsoft Exchange Synthetic Transactions
4.2 Microsoft Skype for Business Synthetic Transactions

5 Appendices
5.1 Configuring Windows Server OS for WMI Least Permissions
5.2 What is the CredSSP Authentication Mechanism?

6 Change Notes


1 Introduction

This document contains information regarding the account permissions, network port and protocol
requirements, and configuration requirements for monitoring supported applications, services, or devices
with the Avanade Management Platform monitoring agent.

1.1 AMP Monitoring and the ServiceNow CMDB

The Avanade Management Platform monitoring capability derives its monitoring
targets from the AMP ServiceNow Configuration Management Database (CMDB).
Inside the CMDB, managed environments are modeled using Configuration Items.

Most of the systems being managed and monitored are server based systems
with both an operating system, such as Microsoft Windows, and a server
application or role such as Microsoft Exchange.

1.1.1 CMDB Configuration Item Examples

This example shows a generic application server broken out into managed components and then represented as
Configuration Items (CI) in the ServiceNow CMDB.

A real-world application server example could be a Microsoft Exchange Server.

In both examples you can see that the real world managed application server is logically expanded into its component parts:
the Windows operating system and the application running on that operating system.

Within the CMDB these two CIs will have a logical relationship to each other. Typically this is a Runs::RunsOn relationship where
the Windows operating system “Runs” the application and the application CI has an automatically inferred “Runs On”
relationship to the operating system.

1.2 Determining Monitoring Accounts


The information listed in this document is broken down by operating system, application, and device. Each of these types of
monitoring target has potentially different requirements when it comes to accounts and permissions. When it comes time to
determine which accounts and permissions are required to support AMP monitoring it will be important to review the individual
application and device requirements followed by a combined set of requirements to determine the final set of account and
permission requirements to be implemented.

With this in mind, it is important to remember that an account can be used for more than one purpose. For example, a single
Active Directory account could be granted all of the required monitoring permissions, and that single account would cover all
requirements for monitoring in a specific environment. In most cases, there will be more than one monitoring service account so
that separation of concerns and security can be managed.
In the following scenarios, we will review options for monitoring service accounts in an example environment with Windows
Server OS, Active Directory Domain Controllers, Exchange Servers, and SharePoint servers at a client named “Edanava.” Each
scenario will review a different monitoring service account configuration including:

• One Account – a single account for monitoring all targets in the environment
• Two Accounts – two accounts for segregated security concerns
• Multiple Accounts – expands on previous scenarios
• Standalone/Local Accounts – accounts which are local to a server OS, application, or device and are not directory managed

It is highly recommended to avoid splitting monitoring permissions between multiple accounts
for an application and associated Windows Server OS. A monitoring account should be able to
monitor both the Windows OS and the application running on that operating system.

It is recommended to settle on the smallest number of monitoring accounts necessary to cover all monitored targets in an
environment. Each additional monitoring account creates additional configuration and management complexity.

1.2.1 Scenario 1: One Account for All Monitoring

Account Title Example     Account Name (domain\user) Example
Monitoring Account        edanava\amp.monitoring

In this scenario, a single account will be granted all of the permissions required to monitor Windows Server OS, Active Directory
Domain Controllers, Exchange Servers, and SharePoint servers.

1.2.2 Scenario 2: Two Accounts – Application Monitoring & Domain Controller Monitoring

Account Title                   Account Name (domain\user) Example
Application Monitoring          edanava\amp.monitoring
Domain Controller Monitoring    edanava\amp.ad.mon

In this scenario, application servers will be monitored with a single account. However, Domain Controllers need to be monitored
with a separate dedicated account for security reasons.
• The “Application Monitoring” account would be used to monitor Exchange servers, SharePoint servers, and their associated
Windows Server OS’s.
• The “Domain Controller Monitoring” account would be used to monitor Active Directory Domain Controllers and the
associated Windows Server OS’s.

1.2.3 Scenario 3: Multiple Accounts

Account Title                   Account Name (domain\user) Example
Exchange Monitoring             edanava\amp.exch.mon
SharePoint Monitoring           edanava\amp.sp.mon
Domain Controller Monitoring    edanava\amp.ad.mon

In this scenario, application servers must be monitored with dedicated accounts for security reasons.
• The “Exchange Monitoring” account would be used to monitor Exchange servers and their associated Windows Server OS’s.
• The “SharePoint Monitoring” account would be used to monitor SharePoint servers and their associated Windows Server
OS’s.
• The “Domain Controller Monitoring” account would be used to monitor Active Directory Domain Controllers and their
associated Windows Server OS’s.

1.2.4 Scenario 4: Standalone / Local Accounts

Account Title                    Account Name Example
Exchange Edge Servers            exedgeserver\amp.monitoring
F5 Load Balancer SNMP Polling    ampsnmppoller

In this scenario, non-domain joined Exchange Edge application servers must be monitored with the local standalone account.
Additionally, there are F5 load balancers managing traffic to the Exchange servers which require SNMP polling from AMP
monitoring.
• The “Exchange Edge Servers” account would be used to monitor Exchange Edge servers and their associated Windows
Server OS’s. Optimally the account would have a similar account name and password configured on all Exchange Edge
servers.
• The “F5 Load Balancer SNMP Polling” account would be used to monitor F5 Load Balancers.
2 Windows OS and Application Monitoring

The Avanade Management Platform monitoring functionality supports the following offerings.

2.1 Microsoft Windows Server


This section covers requirements for AMP monitoring of the Microsoft Windows Server operating system.

The specific settings in this section are known to be applicable to Microsoft Windows Server 2012 R2 only. Some security groups
and settings may not be available or present in older or newer versions of Microsoft Windows Server. These settings do not
consider custom security settings, group policies, or other environmental configurations that may be in place. Specific
requirements for Microsoft Windows Server 2008 R2 are available in a separate document.

Local Administrator permissions are the recommended and fully supported method for all versions of Microsoft Windows Server.

If the Windows Server being monitored acts as a Microsoft Active Directory Domain Controller,
please review the Microsoft Active Directory Domain Controller section for alternative
monitoring permission requirements.

2.1.1 Supported Product Versions

AMP monitoring supports the following major product versions:

• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019

2.1.2 Monitoring Account Permissions


Account Type: Domain or Local

2.1.2.1 Group Membership


• Windows Server
o Distributed COM Users
o Remote Management Users
o Event Log Readers
o Performance Log Users
o Performance Monitor Users
o WinRMRemoteWMIUsers__
• Active Directory
o N/A
• Application Specific
o N/A
2.1.2.2 Special Permission Requirements
• Permissions granted on the ‘\Root\CIMV2’ WMI Namespace. See Appendix for instructions.
o Execute Methods
o Enable Account
o Remote Enable

2.1.3 Configuration Requirements


• Windows Management Framework 3.0 or greater
o https://docs.microsoft.com/en-us/powershell/wmf/readme
• Windows Remote Management (WinRM/WSMan) enabled
• PowerShell Remoting enabled
• The WMI Performance Adapter service configured to start automatically to reduce event log noise
• CredSSP authentication mechanism for WSMan is enabled

Code Block - Powershell

Enable-WSManCredSSP -Role Server -Force

• WinRM session quota configurations
o Maximum Concurrent Users set to 25
o Maximum Shells per User set to 30
o Maximum Memory per Shell (MB) set to 1024

Code Block - Powershell

winrm set winrm/config/winrs '@{MaxConcurrentUsers="25"}'
winrm set winrm/config/winrs '@{MaxShellsPerUser="30"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
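
One way to verify a target server against the group memberships in 2.1.2.1 and the configuration requirements in 2.1.3, as an added example that is not part of the original document or of AMP. It assumes an elevated Windows PowerShell 5.1 session on the target (for Get-LocalGroupMember) and uses the document's example account name as its default.

```powershell
# Added example (not AMP code): audit this server against sections 2.1.2.1 and 2.1.3.
# Assumptions: elevated Windows PowerShell 5.1 (for Get-LocalGroupMember), run locally;
# the default account name is the document's example.
param(
    [string]$Account = 'edanava\amp.monitoring'
)

# Local groups from section 2.1.2.1.
$requiredGroups = @(
    'Distributed COM Users', 'Remote Management Users', 'Event Log Readers',
    'Performance Log Users', 'Performance Monitor Users', 'WinRMRemoteWMIUsers__'
)
# WinRM shell quotas from section 2.1.3 (compared for an exact match).
$requiredQuotas = [ordered]@{ MaxConcurrentUsers = 25; MaxShellsPerUser = 30; MaxMemoryPerShellMB = 1024 }

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Expected, [string]$Actual, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass })
}

# 1. Direct local group membership. Membership inherited through a nested domain
#    group is not resolved here and is reported as "not a member".
foreach ($group in $requiredGroups) {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        Add-Result "Group: $group" 'member' 'group not present on this OS version' $false
        continue
    }
    try {
        $members  = Get-LocalGroupMember -Group $group -ErrorAction Stop
        $isMember = [bool]($members | Where-Object { $_.Name -ieq $Account })
        $actual   = if ($isMember) { 'member' } else { 'not a member' }
        Add-Result "Group: $group" 'member' $actual $isMember
    } catch {
        Add-Result "Group: $group" 'member' "error: $($_.Exception.Message)" $false
    }
}

# 2. WinRM service, CredSSP server role and shell quotas (the WSMan: drive needs WinRM running).
$winrm = Get-Service -Name WinRM
Add-Result 'WinRM service' 'Running' $winrm.Status ($winrm.Status -eq 'Running')
try {
    $credSsp = (Get-Item -Path 'WSMan:\localhost\Service\Auth\CredSSP' -ErrorAction Stop).Value
    Add-Result 'CredSSP (Server role)' 'true' $credSsp ($credSsp -eq 'true')
    foreach ($name in $requiredQuotas.Keys) {
        $value = (Get-Item -Path "WSMan:\localhost\Shell\$name" -ErrorAction Stop).Value
        Add-Result "WinRM quota: $name" $requiredQuotas[$name] $value ([int64]$value -eq $requiredQuotas[$name])
    }
} catch {
    Add-Result 'WSMan configuration' 'readable' "error: $($_.Exception.Message)" $false
}

# 3. WMI Performance Adapter (service name wmiApSrv) should start automatically.
$wmiAp = Get-CimInstance -ClassName Win32_Service -Filter "Name='wmiApSrv'"
Add-Result 'WMI Performance Adapter start mode' 'Auto' $wmiAp.StartMode ($wmiAp.StartMode -eq 'Auto')

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

An account that is a member of the local Administrators group, the recommended method above, will be reported as not a member of the individual groups.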

2.1.4 Network Ports and Protocols


This table includes the port and protocol requirements for monitoring communications.

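Source                  Use                                              Port                 Direction   Protocol   Destination
AMP Monitoring Agent    Remote Procedure Call port mapper                135 (rpc)            Outbound    TCP        Windows Server Target
AMP Monitoring Agent    Remote Procedure Call dynamic port allocation    RPC Dynamic Range    Outbound    TCP        Windows Server Target
AMP Monitoring Agent    Event Log subscription                           445                  Outbound    TCP        Windows Server Target
AMP Monitoring Agent    Powershell Remoting / WinRM / CIM                5985                 Outbound    TCP        Windows Server Target
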
2.1.4.1 Operating System Firewall Rules
The following is a list of host firewall rules which need to be enabled.
• All Inbound rules are in the direction of AMP Agent Host to Managed System
• All Outbound rules are in the direction of Managed System to AMP Agent Host

Name                                                   Direction   Protocol   Local Port   Remote Port
Remote Event Monitor (RPC)                             Inbound     TCP        RPC          Any
Remote Event Monitor (RPC-EPMAP)                       Inbound     TCP        RPCEPMap     Any
Windows Remote Management (HTTP-In)                    Inbound     TCP        5985         Any
File and Printer Sharing (Echo Request - ICMPv4-In)    Inbound     ICMPv4     RPC          Any
File and Printer Sharing (Echo Request - ICMPv6-In)    Inbound     ICMPv6     RPC          Any
Remote Desktop - User Mode (TCP-In)                    Inbound     TCP        3389         Any
Remote Desktop - User Mode (UDP-In)                    Inbound     UDP        3389         Any
Remote Desktop - Shadow (TCP-In)                       Inbound     TCP        Any          Any
Remote Event Log Management (RPC)                      Inbound     TCP        RPC          Any
Remote Event Log Management (NP-In)                    Inbound     TCP        445          Any
Remote Event Log Management (RPC-EPMAP)                Inbound     TCP        RPCEPMap     Any
Windows Management Instrumentation (WMI-In)            Inbound     TCP        Any          Any
Windows Management Instrumentation (WMI-Out)           Outbound    TCP        Any          Any
Windows Management Instrumentation (ASync-In)          Inbound     TCP        Any          Any

2.2 Microsoft Active Directory Domain Controller
This section covers requirements for AMP monitoring of a Microsoft Windows Server functioning as an Active Directory Domain
Controller.

These permissions cover two scenarios:


• Monitoring a domain controller where only the OS is under management
• Monitoring a domain controller where both OS and Domain Controller functionality are under
management

2.2.1 Supported Product Versions


Please refer to the section on Microsoft Windows Server Supported Product Versions.

2.2.2 Monitoring Account Permissions


Account Type: Domain or Local

2.2.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o BUILTIN\Distributed COM Users
o BUILTIN\Remote Management Users
o BUILTIN\Event Log Readers
o BUILTIN\Performance Log Users
o BUILTIN\Performance Monitor Users
• Application Specific
o N/A

2.2.2.2 Special Permission Requirements


• Permissions granted on the ‘\Root\CIMV2’ WMI Namespace. See Appendix for instructions.
o Execute Methods
o Enable Account
o Remote Enable

2.2.3 Configuration Requirements


Please refer to the section on Microsoft Windows Server Configuration Requirements.

2.2.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and Protocols
section are required.
2.3 Microsoft Exchange Server

2.3.1 Supported Product Versions


• Microsoft Exchange Server 2010
• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016

2.3.2 Monitoring Account Permissions


Account Type: Domain

2.3.2.1 Group Membership


• Windows Server
o Local Administrators
• Active Directory
o View-Only Organization Administrator
• Application Specific
o N/A

2.3.2.2 Special Permissions Requirements


Exchange servers running the Exchange Edge role are most commonly not joined to an Active Directory domain. In this case:

Account Type: Local

Group Membership
• Windows Server
o Local Administrator
• Active Directory
o N/A
• Application Specific
o N/A

2.3.3 Configuration Requirements


The AMP monitoring service account for Exchange requires a custom Exchange Throttling Policy to allow the monitoring account
to function unimpeded by Exchange throttling.
Example configuration:

Code Block - Powershell

# Where "AMPMonitoring" is the example name of the throttling policy and
# "AMPExchangeMon" is the example name of the monitoring service account

New-ThrottlingPolicy -Name AMPMonitoring -PowerShellMaxConcurrency Unlimited
Set-ThrottlingPolicy -Identity AMPMonitoring -PowerShellMaxConcurrency Unlimited
Set-ThrottlingPolicyAssociation -Identity AMPExchangeMon -ThrottlingPolicy AMPMonitoring

2.3.4 Network Ports and Protocols


This table includes the port and protocol requirements for monitoring communications.

All ports and protocols included in the Microsoft Windows Server Network Ports and Protocols
section are required.

Source                  Use                      Port           Direction   Protocol    Destination
AMP Monitoring Agent    Exchange Web Services    443 (https)    Outbound    TCP/HTTPS   Exchange Server Target

2.4 Microsoft SharePoint Server

2.4.1 Supported Product Versions


• Microsoft SharePoint Server 2013

2.4.2 Monitoring Account Permissions


Account Type: Domain

2.4.2.1 Group Membership


• Windows Server
o Local Administrators
• Active Directory
o N/A
• Application Specific
o SharePoint Farm Administrators
▪ In all managed SharePoint farms
▪ Configured via SharePoint Central Administration under the Security section

2.4.2.2 Special Permission Requirements


o The monitoring service account requires ‘Full Read’ permissions on each web application
▪ Configured via SharePoint Central Administration under Application Management
o The monitoring service account requires the ‘SPDataAccess’ role on the SharePoint Configuration Database
▪ Locate the SQL instance name and Database name in SharePoint Central Administration by accessing the Upgrade and Migration section and selecting Review Database Status
▪ Locate the item in the list where the Type field is equal to ‘Configuration Database’

2.4.3 Configuration Requirements


N/A

2.4.4 Network Ports and Protocols


This table includes the port and protocol requirements for monitoring communications.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.

Source                  Use                        Port           Direction   Protocol    Destination
AMP Monitoring Agent    SharePoint Website Test    443 (https)    Outbound    https/tcp   SharePoint Server
AMP Monitoring Agent    SharePoint Website Test    80 (http)      Outbound    http/tcp    SharePoint Server

Use of non-SSL secured HTTP over port 80 is optional and only used if the environment is configured without SSL. If all
SharePoint Web Application endpoints are secured by an SSL configuration, then AMP will use HTTPS.
2.5 Microsoft Skype for Business Server

2.5.1 Supported Product Versions


• Microsoft Skype for Business Server 2015
• Microsoft Lync Server 2013
• Microsoft Lync Server 2010

2.5.2 Monitoring Account Permissions


Account Type: Domain

2.5.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o CSHelpDesk
o RTCUniversalReadOnlyAdmins
• Application Specific
o N/A

2.5.2.2 Special Permission Requirements


Skype servers running the Skype Edge role are most commonly not joined to an Active Directory domain. In this case:

Account Type: Local

Group Membership
• Windows Server
o Local Administrator
• Active Directory
o N/A
• Application Specific
o N/A

2.5.3 Configuration Requirements


Skype Pool monitoring uses what are referred to as Synthetic Transactions. These tests are used to verify that users can
complete everyday tasks.

Within Skype environments, it is possible to configure test users for pools via available Powershell cmdlets in the Skype
Powershell module. These test users are a pair of Skype-enabled user accounts which have been preconfigured for use
with synthetic transactions. Typically, these are test or service accounts and not accounts that belong to actual users.

For AMP to successfully monitor a Skype Pool, a minimum of two test user accounts are required.

2.5.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.6 Microsoft Lync Server
Please see the Microsoft Skype for Business Server section for requirements about Microsoft Lync
Server.
2.7 Microsoft SQL Server

2.7.1 Supported Product Versions


• Microsoft SQL Server 2012
• Microsoft SQL Server 2014
• Microsoft SQL Server 2016

2.7.2 Monitoring Account Permissions


Account Type: Domain or Local

2.7.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o N/A
• Application Specific
o N/A

2.7.2.2 Special Permission Requirements


• Granted the ‘sysadmin’ fixed server-level role on all managed SQL instances

2.7.3 Configuration Requirements


N/A

2.7.4 Network Ports and Protocols


This table includes the port and protocol requirements for monitoring communications.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.

Source                  Use                Port                  Direction   Protocol   Destination
AMP Monitoring Agent    SQL Connections    1433, 1434, Custom    Outbound    TCP        SQL Server Instance
2.8 Microsoft Office Online Server (OOS/OWA)

2.8.1 Supported Product Versions


• Microsoft Office Web Apps Server 2013
• Microsoft Office Online Server

2.8.2 Monitoring Account Permissions


Account Type: Domain or Local

2.8.2.1 Group Membership


• Windows Server
o Local Administrators
• Active Directory
o N/A
• Application Specific
o N/A

2.8.3 Configuration Requirements


N/A

2.8.4 Network Ports and Protocols


This table includes the port and protocol requirements for monitoring communications.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.

Source                  Use                  Port           Direction   Protocol    Destination
AMP Monitoring Agent    OOS Farm URI Test    443 (https)    Outbound    https/tcp   OOS Server
AMP Monitoring Agent    OOS Farm URI Test    80 (http)      Outbound    http/tcp    OOS Server
2.9 Microsoft Hyper-V Server

2.9.1 Supported Product Versions


• Microsoft Windows Server Hyper-V 2008
• Microsoft Windows Server Hyper-V 2012
• Microsoft Windows Server Hyper-V 2016

2.9.2 Monitoring Account Permissions


Account Type: Domain or Local

2.9.2.1 Group Membership


• Windows Server
o Hyper-V Administrators
• Active Directory
o N/A
• Application Specific
o N/A

2.9.3 Configuration Requirements


N/A

2.9.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.10 Microsoft System Center Data Protection Manager

2.10.1 Supported Product Versions


• Microsoft System Center Data Protection Manager 2010
• Microsoft System Center Data Protection Manager 2012

2.10.2 Monitoring Account Permissions


Account Type: Domain or Local

2.10.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o N/A
• Application Specific
o N/A

2.10.3 Configuration Requirements


N/A

2.10.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.11 Blackberry Enterprise Server

2.11.1 Supported Product Versions


• Blackberry Enterprise Server 5
• Blackberry Enterprise Server 12

2.11.2 Monitoring Account Permissions


Account Type: Domain or Local

2.11.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o N/A
• Application Specific
o N/A

2.11.3 Configuration Requirements


N/A

2.11.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.

Full Blackberry Enterprise Server monitoring also includes SNMP trap monitoring. Please
see the SNMP monitoring section for Blackberry Enterprise Server for more information.
2.12 Veritas Enterprise Vault

2.12.1 Supported Product Versions


• Enterprise Vault 10
• Enterprise Vault 11
• Enterprise Vault 12

2.12.2 Monitoring Account Permissions


Account Type: Domain or Local

2.12.2.1 Group Membership


• Windows Server
o N/A
• Active Directory
o N/A
• Application Specific
o N/A

2.12.3 Configuration Requirements


N/A

2.12.4 Network Ports and Protocols


No role specific ports or protocols are required to monitor this application, service, or device.

All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
3 SNMP Device and Application Monitoring

AMP Monitoring supports SNMP Traps/Informs and SNMP GET activities. The following sections cover the
general SNMP requirements along with support and configuration information for available managed target
types.

3.1 General Requirements

3.1.1 Supported SNMP Versions

3.1.2 Community String


AMP does not rely on an SNMP community string.

3.1.3 Network Ports and Protocols


Source                       Use                   Port   Direction   Protocol   Destination
Managed System SNMP Agent    SNMP Trap (Inform)    162    Outbound    UDP        AMP Monitoring Agent
Managed System SNMP Agent    SNMP Polling (GET)    161    Inbound     UDP        AMP Monitoring Agent

3.2 F5 BIG-IP Devices & Appliances

3.2.1 Supported Product Versions


• TMOS 10.x or later

3.2.2 Configuration Steps


Configuration completed via the F5 Administration web interface.

3.3 HPE Nimble Storage

3.3.1 Supported Product Versions

3.3.2 Configuration Steps

3.4 Cisco Networking hardware

3.4.1 Supported Product Versions


• IOS 12.x or later
• NXOS - 4.x or later

3.4.2 Configuration Steps

Code Block - for Cisco IOS

snmp-server user <username> <groupname(AMPMON)> v3 auth sha <password> priv aes 128 <encryption>

Code Block - Cisco NX-OS

snmp-server user <SNMP Username> network-operator auth sha <password> priv aes-128 <password>

3.5 Dell EMC Storage

3.5.1 Supported Product Versions

3.5.2 Configuration Steps

3.6 Blackberry Enterprise Server

3.6.1 Supported Product Versions

3.6.2 Configuration Steps

3.7 AudioCodes Enterprise Voice Appliance

3.7.1 Supported Product Versions

3.7.2 Configuration Steps

3.8 VMware ESX Server

3.8.1 Supported Product Versions


VMware ESX 4.x
VMware ESX 5.x
3.8.2 Configuration Steps

3.9 Barracuda Load Balancer

3.9.1 Supported Product Versions

3.9.2 Configuration Steps

3.10 Cisco Email Security Appliance

Formerly Cisco IronPort


3.10.1 Supported Product Versions

3.10.2 Configuration Steps

Cisco Email Security Appliances have a hardcoded SNMPv3 username of 'v3get'.

Begin by starting an SSH session to the device management IP address. When authenticated and at a
prompt type 'snmpconfig'. Configure the following settings when prompted:

• Choose the operation you want to perform: "SETUP"
• Do you want to enable SNMP? Y
• Please choose an IP interface for SNMP requests: '1.' Management <MGMT IP Address of device>
• Which port shall the SNMP daemon listen on interface: 161
• Please select SNMPv3 authentication type: 2 SHA
• Please select SNMPv3 privacy protocol: 2 AES
• Enter the SNMP authentication passphrase: <SNMPv3 user password>
• Enter the SNMP privacy passphrase: <SNMPv3 user password>
• Service SNMP V1/V2c requests? No
• Enter the Trap target as a hostname, IP address, or list of IP addresses separated by commas: <IP addresses of
AMP agent host servers>
• Enter the Trap community string: <SNMP Trap string>
• The next view shows the list of traps that are enabled/disabled. Enable all but the FIPS-based traps.
• What threshold would you like to set for CPU utilization? 95
• What URL would you like to check for connectivity failures? default [http://downloads.ironport.com]
• What threshold would you like to set for Memory utilization? 95
• Enter the system location string: <Location of Device>
• Enter the system contact string: <CMS Support Email address>
• Type 'commit' and hit enter.

3.11 Hitachi Data Systems

3.11.1 Supported Product Versions

3.11.2 Configuration Steps


4 AMP Synthetic Transactions

This section is under development.

4.1 Microsoft Exchange Synthetic Transactions

This section is under development.

4.2 Microsoft Skype for Business Synthetic Transactions

This section is under development.


5 Appendices

5.1 Configuring Windows Server OS for WMI Least Permissions


To perform this task on the local computer, you must be logged on as a member of the local Administrators group.
1. Open the WMI Control console: Click Start, click Run, type wmimgmt.msc and then click OK.

2. In the console tree, right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Select the namespace for which you want to give a user or group access, and then click Security.
5. In the Security dialog box, click Add.
6. In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want
to add. Click Check Names to verify your entry and then click OK.
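7. Select the user added in the previous step.
8. In the Security dialog box, under Permissions, select the permissions listed for the monitoring account under
Special Permission Requirements (Execute Methods, Enable Account, Remote Enable) and then click OK.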
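
To confirm the result of the steps above, the following added example (not part of the original document or of AMP) reads the namespace security descriptor and reports which rights the account holds, flagging required rights that are missing and granted rights that go beyond the three listed. It assumes an elevated Windows PowerShell session on the target; the default account name is the document's example, and only ACEs that name the account directly are evaluated.

```powershell
# Added example (not AMP code): report the rights one principal holds on a WMI namespace.
# Assumptions: elevated Windows PowerShell on the target; only ACEs that name the
# principal directly are evaluated (rights inherited through groups are not resolved).
param(
    [string]$Account   = 'edanava\amp.monitoring',   # the document's example account
    [string]$Namespace = 'root\cimv2'
)

# WMI namespace access-mask bits, named as in the WMI Control security dialog.
$rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
# Rights the document asks for on \Root\CIMV2.
$required = 'Execute Methods', 'Enable Account', 'Remote Enable'

# __SystemSecurity is the singleton that exposes the namespace security descriptor.
$sd = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($sd.ReturnValue)" }

# Accumulate allow and deny masks from every ACE whose trustee is the account.
$allowMask = [int64]0
$denyMask  = [int64]0
foreach ($ace in $sd.Descriptor.DACL) {
    $trustee = $ace.Trustee.Name
    if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
    if ($trustee -ine $Account) { continue }
    if ($ace.AceType -eq 0)     { $allowMask = $allowMask -bor [int64]$ace.AccessMask }  # access allowed
    elseif ($ace.AceType -eq 1) { $denyMask  = $denyMask  -bor [int64]$ace.AccessMask }  # access denied
}
$effective = $allowMask -band (-bnot $denyMask)

$report = foreach ($name in $rights.Keys) {
    $granted  = [bool]($effective -band $rights[$name])
    $isNeeded = $required -contains $name
    $finding  = 'ok'
    if ($isNeeded -and -not $granted) { $finding = 'MISSING' }
    elseif ($granted -and -not $isNeeded) { $finding = 'EXTRA (beyond the listed permissions)' }
    [pscustomobject]@{ Right = $name; Granted = $granted; Required = $isNeeded; Finding = $finding }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Finding -ne 'ok' }) { exit 1 }
```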

5.2 What is the CredSSP Authentication Mechanism?


Credential Security Support Provider in Windows PowerShell Remote Management
A common issue that is faced when using PowerShell remoting is the “double hop” problem. The Avanade Management
Platform (AMP) uses PowerShell remoting to connect to managed server targets and may on occasion, depending on the
monitoring probe being executed, attempt to connect from Server A to Server B. Without having the CredSSP
authentication mechanism enabled that second session creation or “second hop” will fail.

[Figure: Without CredSSP. Client (AMP Site Servers, PowerShell session) connects as the Monitoring Account to Server A (Managed Server, PowerShell session), which connects as a Network Account to Server B (Managed Server, PowerShell session).]

By default, PowerShell remoting authenticates using a “Network Logon.” Network Logons work by proving to the remote
server that you have possession of the user's credential without sending the credential to that server (Kerberos and NTLM
authentication). Because the remote server does not have possession of your credential, when the second hop is
attempted from Server A to Server B it fails because Server A does not have a credential with which to authenticate to
Server B. The solution is to enable CredSSP (Credential Security Support Provider) authentication.

The Credential Security Support Provider protocol (CredSSP) is a Security Support Provider that is implemented by using
the Security Support Provider Interface (SSPI). CredSSP lets an application delegate credentials from a client to a target
server for remote authentication. CredSSP provides an encrypted Transport Layer Security Protocol channel. The client is
authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either
Microsoft Kerberos or Microsoft NTLM.

[Figure: With CredSSP. Client (AMP Site Servers, PowerShell session) connects as the Monitoring Account to Server A (Managed Server, PowerShell session), which connects as the Monitoring Account to Server B (Managed Server, PowerShell session).]

After the client and server are authenticated, the client passes the user's credentials to the server. The credentials are
doubly encrypted under the SPNEGO and TLS session keys.
Reference:
Security Support Provider Interface (SSPI)
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa380497(v=vs.85).aspx

CMDLET: Enable-WSManCredSSP
• https://technet.microsoft.com/en-us/library/hh849872.aspx
6 Change Notes

Date          Author          Change Comments
06-10-2020    Edwin Hubley    Adjusted for Windows version scope
