Install Windows Server

Ensure prerequisites are in place before you begin the installation.

It is important to have a fresh Windows server for a new install of Application Control for Linux.

Installing the Server

Following are the steps for installing the backend Windows Server:

  1. Deploy the Master installer from your AC for Linux installation kit.

  2. The installer checks for the C++ redistributable and installs it automatically if it is not found.

  3. Mosquitto will be automatically installed.

    Please ensure that no previous installations of Mosquitto are present on your server. Any residual folder (C:\Program Files\mosquitto) also needs to be deleted prior to the Application Control for Linux installation.

  4. .NET 5 Windows Server Hosting will be automatically installed.

    The Microsoft .NET 5.0.13 Windows Server Hosting bundle is needed; please uninstall the Microsoft .NET 5.0.15 Windows Server Hosting bundle version if it is present on the server.

  5. At this step, please enter the SQL connection string per the following:

    1. If you opt for Windows Authentication, your DB admin needs to create a valid login for the backend machine that looks like this: Domain\server_name$. Below are the steps to create a valid login for the backend (the main Windows server).

      Please note that the admin installing Ivanti Application Control for Linux also must have a valid login with at least a public role on the database server and instance.

      1. On the database server, open a SQL manager with your sysadmin login; expand Security; expand Logins. Right click on Logins and choose New Login.

      2. Choose Windows Auth as the connection method and complete Login Name with your Domain\backend_name$

        Don't use Search as AD will not resolve the name.

      3. On Server Roles assign public and dbcreator roles.

      4. Once the setup on the database server is finished, the Validate step appears. Insert the following:

        Data Source=Instancename;;Trusted_Connection=True

    2. If you opt for SQL auth (with sa and password):

      An example for SA: Data Source=Instancename;;User Id=sa;;Password=myPassword;

    3. If you are running a local database, Ivanti Relay service will not start automatically. There is a post-install action that will set it to automatic so you don't have to make the change manually. This forces Active Directory usage in the form of Machinename$ as the user for WINAUTH on the database as well as the usage of Network Service for permissions.

      Post-install actions:

      1. Modify the Login Method on the Ivanti Relay service, from Network Service to admin user of the backend (the admin that installed Ivanti AC preferably).

      2. Next, modify the identity of the netcorepool component in IIS from network service to admin user of the backend (the admin that installed Ivanti AC preferably).

      3. Make sure that the admin who installed Ivanti Application Control for Linux on the backend also has a public role and creator role on the local database instance.

  6. Press the Validate button.

Once validation is successful, the Next button will become available. Application Control for Linux is now installing all the necessary bits, such as certificates, and the IIS site is configured for your convenience.

Once the installation is complete, you will be prompted to close the installer and to open the install log if you wish to do so. If not, once you press "Close" the installer will exit.

The following ports are set automatically during installation for active firewall configuration, allowing connections on some of the important, default-configured ports. They are mentioned here for the purpose of troubleshooting by admins, if needed:

8883 – MQTT over SSL communication (Mosquitto Broker).

3123 – AFS over SSL communication (Application Control Server, Application Framework (AF) Server and AC Agent).

5001 – Self-hosted user interface over SSL communication (Application Control for Linux Web Console).
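
For troubleshooting these three ports, the PowerShell below reports whether each one has a listener, which process owns it, and which enabled inbound allow rules cover it. It is an added example, not part of the Ivanti documentation; `Get-AcPortStatus` and `$AcPorts` are names made up for this sketch, and it assumes an elevated PowerShell session on the backend server.

```powershell
# Added example, not Ivanti code. Get-AcPortStatus and $AcPorts are names chosen for this sketch.
# Run in an elevated PowerShell session on the backend Windows server.
$AcPorts = @{
    8883 = 'MQTT over SSL (Mosquitto Broker)'
    3123 = 'AFS over SSL'
    5001 = 'Web Console over SSL'
}

function Get-AcPortStatus {
    param([hashtable]$Ports = $AcPorts)
    # Read the TCP port filters once; each one maps back to its firewall rule.
    $filters = Get-NetFirewallPortFilter -Protocol TCP

    foreach ($p in ($Ports.Keys | Sort-Object)) {
        # Listening sockets on this port and the processes that own them.
        $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
        $owners = $listeners | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } | Sort-Object -Unique

        # Enabled inbound allow rules that name this exact port (port ranges are not expanded).
        $rules = @(foreach ($f in $filters) {
            if ($f.LocalPort -contains "$p") {
                $f | Get-NetFirewallRule | Where-Object {
                    $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
                }
            }
        })

        # Remote addresses those rules accept; 'Any' means every network can reach the port.
        $remote = @(foreach ($r in $rules) { ($r | Get-NetFirewallAddressFilter).RemoteAddress }) | Sort-Object -Unique

        [pscustomobject]@{
            Port          = $p
            Purpose       = $Ports[$p]
            Listening     = $listeners.Count -gt 0
            OwningProcess = $owners -join ', '
            AllowRules    = ($rules | ForEach-Object { $_.DisplayName }) -join '; '
            RemoteAddress = $remote -join ', '
        }
    }
}

Get-AcPortStatus | Format-Table -AutoSize
```

A row with Listening set to False points at the service behind that port; an empty AllowRules column points at the firewall configuration.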

Interface Access and Database Auto Configuration

If you have opted for DB WIN AUTH with remote database server --or-- DB SA AUTH:

  1. Open up a browser and type in https://localhost:5001/home

    This should open up the UI WEB Console for Application Control for Linux.

  2. Once the Interface has popped up, the database, called AcDatabase, has also been generated and can be accessed and interrogated on your SQL server.

If you opted for DB WIN AUTH but with a local database instance, where the database instance is installed on the same WIN Server as your Backend, use the following steps:

  1. Open the IIS Manager

    Expand Application Pools

    Select NetcorePool

    Choose Advanced Settings from the right panel

    Modify Identity to Admin User because you are running a local DB instance.

    Modify the Login Method on the Ivanti Relay service, from Network Service to admin user of the backend (preferably, the admin that installed Ivanti Application Control)

  2. Open up a browser and type in https://localhost:5001/home

    This should open up the Ivanti Application Control for Linux Console.

  3. Once the console has appeared, the database, called AcDatabase, has also been generated and can be accessed and interrogated on your SQL server.

Testing the Install

Navigate to the location of this log and open it:

C:\ProgramData\Ivanti\ACServer\AC.ServerRelay.txt

Following is a log example of what should appear:

2022-04-05 08:55:09.049 +01:00 [WRN] AuthorizationCodeStore not configured - falling back to InMemory

2022-04-05 08:55:09.096 +01:00 [WRN] TokenHandleStore not configured - falling back to InMemory

2022-04-05 08:55:09.096 +01:00 [WRN] ConsentStore not configured - falling back to InMemory

2022-04-05 08:55:09.096 +01:00 [WRN] RefreshTokenStore not configured - falling back to InMemory

2022-04-05 08:55:09.534 +01:00 [INF] Message received at 4/5/2022 7:55:09 AM with value ==> Started OAuth Service.

2022-04-05 08:55:09.534 +01:00 [INF] Started apis at https://+:3123/st/console/privateapi

2022-04-05 08:55:09.768 +01:00 [INF] Detected a fresh install, reinstalling policy

2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Registration Service.

2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Agent State Service.

2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Results Service.

2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Custom Results Service.

In the Application Control for Linux Console, under Advanced Settings / Server logs, server actions should start being logged. This shows that the server is working properly.
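
The log check above can be scripted. The PowerShell below is an added example, not part of the Ivanti documentation: it looks for the five "Started ... Service" messages and the API line from the sample log and flags any entry whose level is not INF or WRN. `Test-RelayStartup` and `$ExpectedServices` are names made up for this sketch, and the sample lines are constructed from the log shown on this page.

```powershell
# Added example, not Ivanti code. Test-RelayStartup and $ExpectedServices are
# names chosen for this sketch; the service names come from the sample log above.
$ExpectedServices = 'OAuth Service', 'Registration Service', 'Agent State Service',
                    'Results Service', 'Custom Results Service'

function Test-RelayStartup {
    param([string[]]$Lines)

    $started = @(); $apiUrl = $null; $otherLevels = @()
    foreach ($line in $Lines) {
        if ($line -match '\[INF\] Message received at .* ==> Started (?<svc>.+?)\.\s*$') {
            $started += $Matches['svc']
        } elseif ($line -match '\[INF\] Started apis at (?<url>\S+)') {
            $apiUrl = $Matches['url']
        } elseif ($line -match '^\S+ \S+ \S+ \[(?<lvl>[A-Z]{3})\]' -and
                  $Matches['lvl'] -notin 'INF', 'WRN') {
            # Any level other than the INF/WRN seen in a clean start deserves a look.
            $otherLevels += $line
        }
    }
    $missing = @($ExpectedServices | Where-Object { $_ -notin $started })
    [pscustomobject]@{
        Started     = $started
        Missing     = $missing
        ApiUrl      = $apiUrl
        OtherLevels = $otherLevels
        Healthy     = ($missing.Count -eq 0) -and ($null -ne $apiUrl) -and ($otherLevels.Count -eq 0)
    }
}

# Constructed sample: lines from the page's log with "Custom Results Service" left out.
$sample = @(
    '2022-04-05 08:55:09.049 +01:00 [WRN] AuthorizationCodeStore not configured - falling back to InMemory'
    '2022-04-05 08:55:09.534 +01:00 [INF] Message received at 4/5/2022 7:55:09 AM with value ==> Started OAuth Service.'
    '2022-04-05 08:55:09.534 +01:00 [INF] Started apis at https://+:3123/st/console/privateapi'
    '2022-04-05 08:55:09.768 +01:00 [INF] Detected a fresh install, reinstalling policy'
    '2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Registration Service.'
    '2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Agent State Service.'
    '2022-04-05 08:55:13.018 +01:00 [INF] Message received at 4/5/2022 7:55:13 AM with value ==> Started Results Service.'
)

Test-RelayStartup -Lines $sample | Format-List
```

Against the real file, pass only the most recent entries so that an earlier start does not mask a failed one, for example `Test-RelayStartup -Lines (Get-Content 'C:\ProgramData\Ivanti\ACServer\AC.ServerRelay.txt' -Tail 200)`.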

Finishing

At this point, if the above steps have been followed:

  • Ivanti ACServer Relay Windows Service has been created and configured.

  • The Application Control for Linux Console has been started in your browser by accessing https://localhost:5001

  • The application database, called AcDatabase, has been created and configured and can be interrogated via an MSSQL management tool.

Warning: if the Advanced settings/server logs are not appearing in the console (they are not being pulled), do the following: stop Application Control for Linux in IIS, stop the IvantiACServerRelay Windows Service, start Application Control for Linux in IIS. Then open up Windows Services, look for and start IvantiACServerRelay Windows Service, refresh the page in the Application Control for Linux console.

Next Steps

Transfer the tar archives to your Linux endpoints, using scp or an scp-like transfer tool (for example, WinSCP).

.tar archives can be found on your backend under this path:

C:\Program Files\Ivanti\ACServer\ACServer\HostedFiles

Where C:\Program Files\Ivanti\ACServer is the default install path of Application Control for Linux.
