Installing MS agents
Installation requirements
To install an MS agent, the following requirements must be satisfied:
-
Supported Windows server platform (2012, 2016, 2019, 2022)
-
MS Active Directory (AD)
As of version 4.0
, the agent no longer automatically installs the required AD CS role. You must manually install the AD CS role on the target server before installing the agent.-
AD CS role configured as Root Enterprise CA on the target server
For information on AD CS, see Active Directory Certificate Services (AD CS) Introduction. -
Server joined to the AD domain
-
Enterprise Administrator permissions
-
-
Hardware:
-
CPU — 1.4GHz 64-bit (minimum)
-
RAM — 4 GB (minimum)
-
Storage — 60 GB (minimum)
-
-
Internet access:
-
Outbound network access to
https://dist.sectigo.com
on TCP port443
-
Outbound network access to the appropriate SCM instance on TCP port
443
:-
https://cert-manager.com
-
https://hard.cert-manager.com
-
https://eu.cert-manager.com
-
-
Inbound ports for certificate enrollment:
-
Kerberos UDP/TCP port
88
— Used for authentication between clients and the domain controller -
LDAP TCP port
389
— Used for directory services, including querying for certificate templates and other directory information -
LDAPS TCP port
636
— Enables secure LDAP communication between clients, the domain controller, and the certificate server with MS AD certificate templates -
RPC TCP port
135
— Essential for various Windows networking functions, including autoenrollment and communication between clients and the certificate server with MS AD certificate templates -
Dynamic RPC TCP port
>1023
and>49151
— Ephemeral ports used for RPC communication between clients, the domain controller, and CA servers on Windows OS’s later than Windows Vista/2008
-
-
Add an MS agent to SCM
-
Navigate to
and click the Add icon. -
In the Add MS Agent dialog, provide a name to help identify the agent.
-
Select the organization and department to use for default enrollment requests.
-
Click Next.
-
Copy the installation token for use during installation.
-
Initiate the agent download with the Windows installation package link.
-
Click Save.
The agent should now be listed on the MS Agents page with a status of Pending.
Install an MS agent
-
Run the bootstrap application.
The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com. -
Read the EULA, select I agree to the license terms and conditions, and click Install.
-
Click Next.
-
Read the EULA, select I accept the terms in the License Agreement, and click Next.
-
(Optional) Specify an install location.
-
(Optional) Select the Proxy MS Enrollment Protocols to SCM feature.
-
Click Next, and paste the agent installation token.
If needed, you can retrieve the installation token from the Edit MS Agent dialog for your agent. This token is no longer available once the agent connects to SCM for the first time. -
Click Next.
-
(Optional) Select Use Proxy and enter your proxy details based on the information provided in the following table.
Field Description Proxy Host
The hostname or IP address of your proxy server.
Proxy Port
The port number used by your proxy server.
Proxy User
The username for accessing the proxy server, if configured to use credentials.
Proxy Password
The password for accessing the proxy server, if configured to use credentials.
-
Click Next.
-
(Optional) Disable Enable Auto Update if you do not want the agent to automatically update to new versions.
-
Click Next, Install, Finish, and then Close.
The agent should now be listed on the MS Agents page with a status of Connected.
To be notified in the event that an agent is disconnected, add the MS Agent Disconnected notification. For more information, see Adding notifications. |
-
Open the Windows command prompt.
-
In the command line, navigate to the download location of the bootstrap application.
The bootstrap application will download the Windows Installer package files (MSI) from https://dist.sectigo.com as necessary. If you’re using an HTTP proxy, ensure that your OS proxy settings have been configured to allow access to https://dist.sectigo.com. -
Modify the installation command as needed.
.\Sectigo_MS_Agent.exe /i /q PROPERTY_AUTOUPDATE=1 PROPERTY_TOKEN= PROPERTY_CA_PROXY= PROPERTY_USE_PROXY= PROPERTY_PROXY_PAC_URL= PROPERTY_PROXY_HOST= PROPERTY_PROXY_PORT= PROPERTY_PROXY_USER= PROPERTY_PROXY_PASSWORD=
Options without an included value are ignored. The command options are outlined in the following table.
Option Description /i
Initiates installation of the agent through the bootstrap application.
/q
Runs the installation in silent mode so no interaction is required.
PROPERTY_AUTOUPDATE
Indicates whether the agent should automatically update.
The possible values are:
-
1
(Yes) -
Empty (No)
PROPERTY_TOKEN
The mandatory installation token.
PROPERTY_CA_PROXY
Indicates whether the agent should act as a CA proxy.
The possible values are:
-
1
(Yes) -
Empty (No)
PROPERTY_USE_PROXY
Indicates whether you are using a proxy server.
-
1
(Yes) -
Empty (No)
PROPERTY_PROXY_PAC_URL
The address of your proxy auto-config (PAC).
This file contains your proxy configuration details and can be used instead of specifying values for the
PROPERTY_PROXY_HOST
,PROPERTY_PROXY_PORT
,PROPERTY_PROXY_USER
, andPROPERTY_PROXY_PASSWORD
options.PROPERTY_PROXY_HOST
The hostname or IP address of your proxy server.
PROPERTY_PROXY_PORT
The port number used by your proxy server.
PROPERTY_PROXY_USER
The username for accessing the proxy server, if configured to use credentials.
PROPERTY_PROXY_PASSWORD
The password for accessing the proxy server, if configured to use credentials.
-
-
Run the modified installation command.
The agent should now be listed on the MS Agents page with a status of Connected.
To be notified in the event that an agent is disconnected, add the MS Agent Disconnected notification. For more information, see Adding notifications. |