...
A. All data from the Agent to our cloudamize servers is encrypted using TLS 1.2 as a minimum (1.3 is preferred where available).
Q: What is the list of servers that must be reachable for the agents? am-de.cloudamize.commonly?
A. It depends on the region chosen for the assessment, but if you’re using our EU collector then only am-de.cloudamize.com is required, traffic is not sent to/from anywhere else. The list of servers that must be reachable for the Cloudamize agents to our servers at am.cloudamize.com for US infrastructure, am-de.cloudamize.com for EU infrastructure, am-ae.cloudamize.com for UAE infrastructure over the port 443, either directly or through a corporate proxy.
Q: When installing the Linux agent packages, does the install process use the os package installer and will there be additional dependencies (packages) installed?
A. The Install script requires wget to retrieve content and curl to test/verify access to our data collection servers at am.cloudamize.com for US infrastructure, am-de.cloudamize.com for EU infrastructure, or am-ae.cloudamize.com for UAE infrastructure over port 443, either directly or through a corporate proxy. wget and curl come packaged with the installer so it can still run if they aren’t installed. No additional packages are used beyond these.
Q: When deploying agentless approach “Servers (windows and linux) are located in same subnet. Can we add whole IP subnet / range containing every operating systems to "Add Windows Hosts" and exclude linux operating systems afterwards? when there are no separate IP ranges for Windows and Linux systems?
A. If the user adds a subnet using the “Add Windows Hosts” function, the ADC will attempt to connect to any servers it finds in that subnet with the provided credentials using WMI over RPC. Since Linux servers don’t use these protocols, they would not be added by this sweep of the subnet. Using “Add Linux Hosts” attempts the same thing but using SSH instead, so Linux hosts would be responsive to this. Assuming all servers on the subnet have a single login that has been enabled specifically for Cloudamize, another precaution that can be in this scenario is to use one login for Windows servers and another for Linux servers.
Q: The Linux install recommends installing via online shell script that dynamically downloads a compressed tarball. Are agent install binaries static/self-contained without external dependencies? Is a packaged installer available for all platforms without manually maintaining the installCloudamizeAgentV2.sh script and ccagent-v2.tgz tarball?
A. The linux agent does not use static linking for the C/C++ runtime, and that is one of the reasons we have minimum OS versions. We do use static link some other libraries though (they believe libpcap, and we also use static link openssl and zlib for the version of curl we ship). We do have a packaged installer available - cloudamize_agent.tgz..It is used by extracting and running the install.sh script it contains. It is platform independent, but still has our minimum OS requirements (rhel 7 or later).
Q: How are the credentials protected when ADC is used for the data collection(encryption\obfuscation\hash)?
A. Passwords are encrypted.
Q: For Agentless Data collector, where will the credentials be stored which are used for systems discovery?
A. Credentials will be stored on C:\Program Files (x86)\CloudamizeAgentlessDC\HostInfo.xml or HostInfoBackup.xml, and only on the data collector VM with the passwords being encrypted.
Q: Agentless - Are there any domain-join requirements for the discovery server, or can it be standalone? When we have multiple domains, will remote discovery work to domain-joined Windows servers if the discovery server is off domain or on a different domain to the targets, and domain accounts are used to connect?
A. The Agentless Data Collector can collect from multiple domains with proper setup, though we usually recommend using one ADC per domain, hosted on a server within the domain, to simplify the process. For Windows servers, the ADC uses remote WMI over RPC so going cross-domain may require remote DCOM privileges be configured separately depending on the current setup; this may not be an issue though, so it may be the simplest to install, test and only deploy multiple ADCs if there are issues adding hosts to the one.
Q: Is there a way for Cloudamize to use SSH keys vs. passing credentials? when we use Duo MFA?
A. The Cloudamize Agentless Data Collector is not designed to use public keys, and only supports the username/password method for now. If the servers cannot support username/password authentication at all then data can still be collected from them using the Cloudamize Agent instead of the Agentless Data Collector.
Q: Does Agent support use of an aggregator proxy like a syslog server in between the On Prem server and Cloudamize server?
A. The Agent requires direct communication to Cloudamize endpoint servers, or communication via an http proxy. No other setup is currently supported.
Q. Can the agents be uninstalled without leaving any residue?
A. Yes, normal uninstallation procedures will normally suffice, plus removing any remaining Cloudamize install directory.
Q: Are there functional differences in the implementation with agents or agentless?
A. Yes, due to the remote aspect of the agentless; Agentless requires additional firewall rules and additional permissions on both Windows and Linux (Eg:- on Windows a Domain Admin account is required and remote DCOM permissions may need to be enabled, on Linux an account that allows commands to be run remotely via SSH is required, usually set up via sudoers). However, results are almost entirely the same.