Windows Agent

The Windows Agent is a service provided by Cloudhouse Guardian (Guardian) for the Agent-based scanning of Windows nodes. The following topic describes how to download, install, and configure the Windows Agent. For more information about Agent nodes, see Guardian Agent.

Tip: Agents and Connection Managers are comprised of the same software; the difference between the two is defined by how that software is deployed on the node. As a result, some Agent-specific functionality may display references to Connection Managers.

System Requirements

To install the Windows Agent, the following system requirements must be met:

Requirement	Description
Microsoft Windows Virtual Machine	Recommended specifications: Windows 2012, 8GB, 4 Core.
Microsoft .NET Framework	Version 4.5.2 (or above).
Microsoft Visual C++ 2015 Redistributable Package	For Windows CM v4.19.0 (and above). Package download link provided on the Guardian Downloads page.
PowerShell (Windows Management Framework)	Version 3 (or above). Installed on both the Connection Manager and the target nodes.
WinRM	Enabled in your Guardian environment. For more information, see Enable WinRM via Group Policy.
WinRM Port 5985/5986	Connection Manager must be able to reach the Guardian instance over this port. Note: This is the default port. If you are using a different port, make sure that the Connection Manager can reach the port that the administrator is using to run their WinRM server.

Note: If you do not meet any of the requirements described above, please contact your Cloudhouse Representative for assistance.

Acceptance Criteria

To install the Windows Agent, the following acceptance criteria must be met:

Criteria	Description
Operating System	Windows. For more information, see Supported Devices.
Connection Protocol	WinRM or remote PowerShell configured on all target nodes.
Windows Service User	Service account set up to use WinRM. The account should be a local administrator on the target nodes, or a domain administrator.

Deployment

The following procedure describes how to deploy your Windows Agent. By default, the Agent is distributed as an .exe file. First, you are required to download the package from the Install Agent for Windows page, install the virtual machine via the Windows Installer, and then configure the Agent service to run as a service user.

Download

First, you need to download the Guardian Agent Installer for your operating system (OS) of choice.

In the Guardian web application, navigate to the Add Nodes tab (Inventory > Add Nodes). The Add Nodes page is displayed.
Type 'Windows' in the search bar. The supported Windows hosts are displayed.
Select the OS you plan to host the Guardian Agent on, then click to Use Agent. The Install Agent for Windows [Server] page is displayed.
Click to Download Agent.
Take note of the values displayed in the API key and Target URL fields, as they will be required to install and register the Windows Agent to your Guardian instance.

The 'Guardian-v5.exe' file is downloaded to your device. Open the file to begin the process of installing the Windows Agent, see below for more information.

Install and Register

Next, you need to install the Windows Agent and register it to your Guardian instance. Cloudhouse provide a Guardian Agent Installer to facilitate the installation and registry process.

To launch the Windows installer for your OS, open the 'Guardian-v5.exe' file. The User Account Control confirmation dialog is displayed.
Click Yes to save the Guardian Agent Installer to your computer’s hard drive. The Cloudhouse Guardian Connection Manager dialog is displayed.
Click Next to begin the installation process. The License Agreement screen is displayed.
After reading the Software License Agreement, select the ‘I accept the agreement’ radio button and click Next to proceed. The Installation Directory screen is displayed.
Enter the location you want the Agent to be installed in the Installation Directory field, then click Next. The Connection Manager Registration screen is displayed.
Enter the location you want the Agent's configuration files to be stored in the Configuration Directory field, then click Next. The second Connection Manager Registration screen is displayed.
Here, the following options are displayed:
- Target URL field – The URL of your Guardian appliance or hosted instance, see the next step for instructions on how to source this information.
- Ignore SSL Certificate Warnings checkbox – If selected, SSL certificate warnings are ignored. If your Guardian server instance is installed with a self-signed certificate, Cloudhouse recommend that you choose this setting.
Return to the Install Agent for Windows page in Guardian, and copy the Target URL displayed in the Run Installer section, then paste it in the field provided.
Once you have completed the options displayed in the second Connection Manager Registration screen, click Next to proceed. The third Connection Manager Registration screen is displayed.
Here, you need to enter the Group API Key for the Connection Manager group you want to add the Agent to.
Return to the Install Agent for Windows page in Guardian, and copy the API key displayed in the Run Installer section, then paste it in the field provided.
Once you have completed the options displayed in the third Connection Manager Registration screen, click Next to proceed. The Ready to Install screen is displayed.
Click Next to begin installing the Agent.

Note: If the Connection Manager Registration screen is displayed with an error message, see Registration Failed for more information on how to resolve the issue.
Once the installation is complete, click Next. The final Cloudhouse Guardian Connection Manager screen is displayed.
Click Finish to close the dialog.
If the correct values were set, the Agent is installed on the node and a scan is automatically triggered. Return to the Install Agent for Windows page in Guardian.
Once the scan is complete, the View Scan button is displayed and the Agent node is registered to your Guardian instance. Click to display the Agent node in Guardian.

The Agent node is displayed in the Monitored tab (Inventory > Monitored) of your Guardian instance. Here, you can access the results of the first node scan and begin to organize your node into node groups. For more information, see Node Groups.

If the node is not displayed in Guardian, you need to confirm whether the Agent is running under the correct user account. For more information, see Connect and Scan below.

Connect and Scan

To begin scanning remote systems, you are required to provide the credentials for the user account that is configured to use WinRM for scanning. You can choose to provide them each time you add a node, or you can configure the Guardian service to run as a Windows service user, meaning that you only need to set them once. The following section describes how to configure the service, assuming that you already have a Windows service user configured with the correct permissions. For more information, see Acceptance Criteria.

In the Windows Search box, type 'Services'. Then, click to Run as administrator. The Services dialog is displayed.
Locate the 'Guardian' service and check that the Status is set to 'Running'.

If the Status is set to 'Running', the Agent has been installed successfully. If the 'Guardian' service is not displayed, the Agent installation has failed, see Registration Failed for more information.
Right-click on the 'Guardian' service and select Properties. The Guardian Properties dialog is displayed.
In the General tab, make sure that the Startup type is set to 'Automatic'.
Then, in the Log On tab, select the This account radio button to display the following fields:
- This account – The name of the account holder.
- Password – Account password.
- Confirm password – Account password.
Enter the correct value in each of the fields and click Browse. The Select User dialog is displayed.
Click Check Names to search your device for the Windows service user account.

Note: If no results are displayed when you enter the account information, you may not have a Windows service user account set up. Cloudhouse recommend asking your Guardian Representative for more information. If you are unable to create a Windows service user account with the correct permissions, contact your Cloudhouse Representative for assistance.
Select the Windows service user account and click OK to return to the Log On tab.
In the Log On tab, make sure that the Password and Confirm password fields are populated correctly. Then, click to Apply and OK to close the Guardian Properties dialog.
Finally, you need to restart the Guardian service to apply your changes. In the Services dialog, right-click on the 'Guardian' service and select Restart.
Once complete, the Agent service is configured to run as a Windows service user. If the service user has the correct permissions, you can trigger the first scan of the node in the Monitored tab of your Guardian instance.

Registration Failed

After completing Step 1 - 8 of the Install procedure, if you received the following error message 'Installation was successful but there was a problem registering the Agent with the Target URL. Please review the install log for further details', remediation is required to proceed with registering the Agent to the Guardian appliance.

Install Log

First, Cloudhouse advise that you check the install log within the installation directory folder. By default, this is 'C:\Program Files\Cloudhouse Guardian'.

In the File Explorer, locate the installation directory for the Agent.

Here, the 'install' file is displayed.
Click to display the 'install' log and check what error messages are displayed. For more information on how to remediate these errors, see below.

Common Problems and Solutions

The following section describes the possible points of failure that may occur when attempting to register the Agent to the Guardian appliance.

Ignore SSL Certificate Warnings

The most common failure is caused by an untrusted certificate being detected on the Guardian appliance. To resolve the issue, re-run the Cloudhouse Guardian Connection Manager installer and select the Ignore SSL Certificate Warnings checkbox.

Network and DNS

The second most common failure is caused by the network and/or DNS being configured incorrectly. Check if your Guardian instance is accessible from your browser on your Agent host. If it is not accessible, check that the network and DNS is configured correctly and there are no firewall rules blocking the connection.

Group API Key

Another common failure is caused by the Group API Key being copied incorrectly from the Install Agent for Windows page. To resolve the issue, re-run the Cloudhouse Guardian Connection Manager installer and provide the correct Group API Key.

Post-Deployment

Once the Agent has been deployed, you can update or uninstall it by following the procedures described below.

Update

To update the Windows Agent, you can install a new version via the same process. The new version will be available to download from the Guardian Application Downloads page, labeled 'Windows Connection Manager'.

Note: Make sure that the correct service user account is signed in before restarting the 'Guardian' service.

Uninstall

To uninstall the Windows Agent, you can choose between two methods.

Control Panel

First, you can uninstall the Agent via the Control Panel.

In the Windows Search box, type 'Add or remove programs'. Then, click to Open. The Installed apps dialog is displayed.
Locate the 'Cloudhouse Guardian' application. Then, click the Ellipsis () to display the drop-down list. Here, you can click to Uninstall the application.

Guardian Uninstaller

Alternatively, you can uninstall the Agent via the Guardian Uninstaller that is stored within the installation directory. By default, this is 'C:\Program Files\Cloudhouse Guardian'.

In the File Explorer, locate the installation directory for the Agent.

Here, the 'uninstall.exe' application is displayed.
Click to launch the uninstaller. The User Account Control authentication dialog is displayed.
click Yes to proceed with uninstalling the Agent.