Configuring Windows Hosts for Monitoring

Before configuring the IPM Microsoft Windows Integration, you need to properly prepare the Windows environment for access by the integration.

Following are the tasks you need to complete on each Windows host server. The tasks can be performed in any order, but must be successfully completed prior to configuring the Windows Integration in IPM for discovery.

  • Create a Domain User Service Account

  • Add the Domain User Service Account to the Performance Monitor User Group

  • Windows Management Instrumentation (WMI) Configuration

  • Windows Remote Management (WinRM) Configuration

  • Windows Firewall Configuration

  • Optional:

    • Create the HTTPS (WinRM) Certificate

    • Download (Export) the HTTPS Certificate

About These Tasks

You must create a domain user that IPM can use to access Windows to gather monitoring data.

Prerequisites

  • You must be running a supported version of 64-bit Windows Server: 2012, 2012R2, 2016, or 2019.

    If you are running an earlier version of Windows, contact Virtana Support.

  • You must be logged in as a domain administrator to perform these tasks.

  • You need the IP address and subnet for IPM.

Notice

The instructions provided in this section are suggestions for how to proceed to configure a Windows Server for connectivity with IPM. If these instructions do not work for your particular Windows Server system, please reach out to Microsoft Support for assistance.

Create a Domain User Service Account in Active Directory

  1. Enter a password and do the following:

    Deselect: User must change password at next logon

    Select: User cannot change password

    Select: Password never expires

  2. Click Next and Finish.

Set Permissions for a User with Non-Administrator Privileges

Log in as a domain administrator on each server that will be monitored by IPM.

  1. Navigate to Administrative Tools and access Computer Management.

  2. Navigate to Local Users and Groups and select Groups.

  3. Double-click Performance Monitor Users and add the Domain User Service account created in the previous section.

  4. Click Apply and OK to close the properties page.

Windows Management Instrumentation (WMI) Configuration

A Domain User Service account that accesses the Windows host to gather monitoring data must be configured in WMI.

You must be logged in to the server as a domain administrator to perform this task.

  1. Open Windows PowerShell and enter the following command:

    wmimgmt.msc

    Alternatively, you can navigate in the UI to Control Panel > Administrative Tools > Computer Management > More Actions > WMI Control.

  2. Under Actions/WMI Control (right pane), click More Actions to open the WMI Control Properties wizard.

  3. Click the Security tab and select Root.

  4. Click the Security button and, in "Group or user names", select the domain user service account you previously created.

    If the domain user is not listed, click Add, enter the username in the text field, and click OK.

  5. Select the domain user service account and select the following permissions:

    Execute Methods
    Provider Write
    Remote Enable

  6. Click Advanced, select the domain user service account, and then click Edit.

  7. Choose the following:

    Applies to = This namespace and subnamespaces

  8. Ensure the permissions selected previously are also selected on this window:

    Execute Methods, Provider Write, Remote Enable

  9. Click Apply and OK to all open dialog boxes.

This completes configuration of the user in WMI.

Windows Remote Management (WinRM) Configuration

A Domain User Service account that accesses the Windows host to gather monitoring data must also be configured in WinRM. This is the same user that was configured in WMI.

  1. Access Windows PowerShell and enter the following command:

    Enable-PSRemoting

  2. Open PowerShell and enter the following command:

    winrm configSDDL default

    Alternatively, you can navigate in the UI to Control Panel > Administrative Tools > Computer Management > More Actions > WMI Control.

    A Permissions for Default property window is displayed.

  3. Select the domain user service account and select the following permissions for the user:

    Read (Get, Enumerate, and Subscribe)
    Execute (Invoke)

    If the domain user is not listed, click Add, enter the username in the text field, and click OK.

  4. Click Apply and OK to exit the window.

This completes configuration of the user in WinRM.

Configure the Windows Firewall

If a firewall is enabled, you might need to configure the firewall with an exception to permit communication between the IPM Appliance and the Windows server. 

  1. Open PowerShell and enter the following command:

    wf.msc

    A firewall properties page will be displayed.

  2. Click Inbound Rules (left pane) and click New Rule (right pane).

    The New Inbound Rules wizard opens to the Rule Type tab.

  3. Modify the configuration as follows:

    Note

    Virtana recommends that you do not limit Local and Remote ports or local IP addresses, but instead define firewall connection rules by remote IP address. The remote IP address defined should be that of the IPM Appliance.

    Clicking Next moves you through the wizard tabs, identified in the left pane.

    1. On the Rule Type tab: Select Custom and click Next.

    2. On the Program tab: Ensure All programs is selected and click Next.

    3. On the Protocol and Ports tab: Leave the defaults and click Next.

    4. On the Scope tab:

      • In the Which remote IP addresses does this rule apply to field, select These IP addresses and click Add.

      • In the This IP address or subnet field, type the IP address of the IPM Appliance and click Next.

    5. On the Action tab: Ensure Allow the connection is enabled and click Next.

    6. On the Profile tab: Ensure Domain is selected and deselect Private and Public (as required), and then click Next.

    7. On the Name tab: Enter a name and description for the firewall rule and click Finish.

  4. Restart services:

    1. Open Services using the PowerShell command:

      services.msc

    2. Select Windows Management Instrumentation service to restart.

      Note: This will also restart User Access Logging and IP Helper.

    3. Click Yes in the popup to restart the three services.

This completes configuration of the Windows firewall in WMI.
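The wizard steps above can also be scripted. The following is an added example, not part of the original page: it creates the same rule with the built-in NetSecurity cmdlets, then reads it back to confirm it is limited to the appliance address and the Domain profile. The rule name and the 192.0.2.10 address are placeholders.

```powershell
# Added example. Placeholders (not from the original page): the rule name and
# the appliance address. 192.0.2.10 is a documentation-range address.
$IpmAddress = '192.0.2.10'
$RuleName   = 'IPM Appliance inbound (example)'

# Create the rule once: custom inbound rule, all programs, default protocol
# and ports, scoped to the appliance address, Domain profile only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Inbound monitoring traffic from the IPM Appliance' `
        -Direction Inbound -Action Allow -Protocol Any `
        -RemoteAddress $IpmAddress -Profile Domain | Out-Null
}

# Read the rule back and check the settings that keep it narrow.
$rule     = Get-NetFirewallRule -DisplayName $RuleName
$remote   = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
$problems = @()
if ($remote -contains 'Any')          { $problems += 'remote address is Any' }
if ($remote -notcontains $IpmAddress) { $problems += "remote address list lacks $IpmAddress" }
if ("$($rule.Profile)" -ne 'Domain')  { $problems += "profile is $($rule.Profile), expected Domain only" }
if ("$($rule.Enabled)" -ne 'True')    { $problems += 'rule is disabled' }

if ($problems) {
    Write-Warning ("{0}: {1}" -f $RuleName, ($problems -join '; '))
} else {
    Write-Output ("{0}: allows {1} on profile {2}" -f $RuleName, ($remote -join ', '), $rule.Profile)
}
```

Run it from an elevated PowerShell session. Because the rule allows all ports, the remote address scope is the only thing limiting it, which is why the read-back check treats Any as a failure.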

Optional: Create the HTTPS (WinRM) Certificate

During configuration of the Windows Integration, you can select to use either HTTP or HTTPS for WinRM. If you use HTTPS, then you need to create and upload a certificate so that you can start the WinRM service on HTTPS port 5986.

  1. Access Windows PowerShell and enter the following command:

    New-SelfSignedCertificate -DnsName "SERVER_FQDN" -CertStoreLocation Cert:\LocalMachine\My

    Example:

    PS C:\Users\Administrator> New-SelfSignedCertificate -DnsName "win2019lab" -CertStoreLocation Cert:\LocalMachine\My

    The output displays ParentPath, Thumbprint, and Subject.

  2. Enter the following command, using the certificate Thumbprint entry from the previous output:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="YOUR_DNS_NAME"; CertificateThumbprint="THUMB_PRINT_FROM_PREVIOUS_COMMAND"}'

    Example:

    PS C:\Users\Administrator> winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="win2019lab"; CertificateThumbprint="071EE2A7E83985C86A82149308B1E763B3A8DCFC"}'

    Output displays ResourceCreated, ReferenceParameters, and SelectorSet.

This completes creation of a certificate. The certificate must now be downloaded from the browser.

Optional: Download (Export) the HTTPS Certificate

After creating the certificate, you must download the certificate to a location available to the IPM Appliance. You then upload the certificate file during configuration of the Windows Integration, if you are using HTTPS.

The steps for downloading (some browsers call it exporting) a certificate can vary depending on the browser and browser version used. If you need instructions about how to export a certificate for a specific browser, visit the browser's documentation site.

To export a certificate directly from a server, see the server’s documentation.

Following is an example of using the certmgr.msc command to download the certificate.

  1. In PowerShell, run the following command:

    certmgr.msc

  2. In the window, select Intermediate Certification Authority in the left-hand column, and then select Certificates.

  3. Right-click the certificate in the right-hand pane and select Open.

  4. In the Details tab, click on the Copy to File button and then click on Next.

  5. Select Base-64 encoded x.509 (.CER) and then click on Next.

  6. Name the file, being certain that the file location is accessible from IPM, and then click on Next and then Finish. Click OK.

This completes the preparation and download of the certificate file. If you select to use HTTPS during the configuration of the Windows Integration, this is the file you must upload to IPM.
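The export can also be done from PowerShell. The following is an added example, not part of the original page: it reads the thumbprint bound to the WinRM HTTPS listener, writes that certificate's public part as a Base-64 .CER file, and checks that the file matches the listener. The output path is a placeholder.

```powershell
# Added example. $OutFile is a placeholder path (not from the original page).
$OutFile = Join-Path $env:TEMP 'winrm-https.cer'

# Find the HTTPS listener and read the thumbprint it is bound to.
$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
if (-not $listener) { throw 'No WinRM HTTPS listener found.' }
$thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
    Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
$thumb = ($thumb -replace '\s', '').ToUpper()

# Look the certificate up in the store that New-SelfSignedCertificate wrote to.
$cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# Write only the public certificate (RawData never includes the private key)
# in Base-64 form, the format selected in the export wizard.
$b64 = [Convert]::ToBase64String($cert.RawData,
    [Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $OutFile -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Reload the file and confirm it is the listener's certificate.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($exported.Thumbprint -ne $thumb) { throw 'Exported file does not match the listener.' }
if ($exported.HasPrivateKey)         { throw 'Exported file unexpectedly carries a private key.' }

$daysLeft = [int]($exported.NotAfter - (Get-Date)).TotalDays
Write-Output ("Exported {0} ({1}), expires {2:yyyy-MM-dd}, {3} days left" -f `
    $OutFile, $exported.Subject, $exported.NotAfter, $daysLeft)
```

The expiry line is worth recording: when the self-signed certificate expires, the listener needs a new certificate and IPM needs the new file.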

Instructions Specific to Windows 2008 R2 Enterprise Edition

In some situations with Windows 2008 R2, TCP port 5985 does not connect properly. If you encounter this problem, perform the following steps.

  1. Access Windows PowerShell and enter the following command:

    Enable-PSRemoting

    WinRM Quick Configuration displays.

  2. Enter Y (yes) to continue.

    A message states that WinRM is already set up.

  3. Confirm configuration by typing Y (yes) again.

    This should fix the connection problem.