System Requirements

You must meet the following requirements when installing the Security Controls console and performing actions on client machines.

Restrictions

An NTFS file system is required on the console machine

If you install the console on a domain controller that uses LDAP certificate authentication, you may need to configure the server to avoid conflict issues between the SSL certificate and the Security Controls program certificate.

If you install the console on two or more machines that share a database, all of the console machines must have unique security identifiers (SIDs) in order to prevent user credential problems. Machines are likely to have the same SIDs if you make a copy of a virtual machine or if you ghost a machine.

The console machine should be as fully patched as possible prior to installing Security Controls.

Processor

Minimum: 2 processor cores 2GHz or faster

Recommended: 4 processor cores 2GHz or faster (for 500 - 2500 seat license)

High performance: 8 processor cores 2GHz or faster (for 10000+ seat license)

Agentless Patch assessment: 8+ processor cores 2GHz or faster

Memory

Minimum: 2GB of RAM

Recommended: 4GB of RAM (for 500 - 2500 seat license)

High performance: 16GB of RAM (for 10000+ seat license)

Video

Minimum 1024 x 768 screen resolution

Recommended 1280 x 1024 or higher

Disk Space

500 MB for application

10GB minimum, 100GB or more recommended for patch repository

Operating System (one of the following)

Windows Server 2019 family, excluding Server Core and Nano Server (64-bit)

Windows Server 2016 family, excluding Server Core and Nano Server (64-bit)

Windows Server 2012 family R2 Cumulative Update 1 or later, excluding Server Core (64-bit)

Windows Server 2012 family, excluding Server Core (64-bit)

Windows 10 Pro, Enterprise or Education Edition (64-bit)

Windows 8.1 Cumulative Update 1 or later, excluding Windows RT (64-bit)

Note: It is recommended to use the latest available version where possible.

Database

Use of a Microsoft SQL Server database [SQL Server 2008 or later]. SQL Server 2008 will not be supported in future releases.

If you do not have a SQL Server database, the option to install SQL Server Express Edition will be provided during the prerequisite software installation process.

Recommended: Microsoft SQL Server 2016 SP1 or higher.

Minimum Size: 30GB

Medium Size: (500 - 2500 seat license) 30-60GB

Enterprise Size: (10000+ seat license) 60-100GB

SQL High Availability

If set up in accordance with Microsoft best practices, SQL mirroring is supported by Security Controls.

A witness server is required for automatic failover. Without the witness a manual changeover is required.

SQL mirroring is supported on SQL Server 2012 and 2014 but not SQL Express edition.

Prerequisite Software

Use of Microsoft SQL Server 2008 or later

Microsoft .NET Framework 4.8 or later

Microsoft Visual C++ Redistributable for Visual Studio 2013 (required for scanning offline VMs)

Microsoft Visual C++ Redistributable for Visual Studio 2015-2019

Windows Management Framework 5.1

Windows Account Requirements

You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used by Security Controls to download patch content from third-party vendors.

For the complete list of URLs that you should add, see:

https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls

Operating Systems (32- and 64-bit versions of any of the following)

Windows XP Professional  (Note: Can deploy patches to Windows XP family SP3 or later)

Windows XP Embedded

Windows Server 2003, Enterprise Edition (Note: Can deploy patches to Windows Server 2003 family SP2 or later)

Windows Server 2003, Standard Edition

Windows Server 2003, Web Edition

Windows Server 2003 for Small Business Server

Windows Server 2003, Datacenter Edition

Windows Vista, Business Edition

Windows Vista, Enterprise Edition

Windows Vista, Ultimate Edition

Windows 7 Embedded

Windows 7, Professional Edition

Windows 7, Enterprise Edition

Windows 7, Ultimate Edition

Windows Server 2008, Standard

Windows Server 2008, Enterprise

Windows Server 2008, Datacenter

Windows Server 2008, Standard - Core

Windows Server 2008, Enterprise - Core

Windows Server 2008, Datacenter - Core

Windows Server 2008 R2, Standard

Windows Server 2008 R2, Enterprise

Windows Server 2008 R2, Datacenter

Windows Server 2008 R2, Standard - Core

Windows Server 2008 R2, Enterprise - Core

Windows Server 2008 R2, Datacenter - Core

Windows 8

Windows 8 Pro

Windows 8 Enterprise

Windows 8.1

Windows 8.1 Embedded

Windows 8.1 Enterprise

Windows Server 2012, Foundation Edition

Windows Server 2012, Essentials Edition

Windows Server 2012, Standard Edition

Windows Server 2012, Datacenter Edition

Windows Server 2012 R2, Essentials Edition

Windows Server 2012 R2, Standard Edition

Windows Server 2012 R2, Datacenter Edition

Windows 10 Pro

Windows 10 Enterprise

Windows 10 Education

Windows Server 2016, Essentials Edition

Windows Server 2016, Standard Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)

Windows Server 2016, Datacenter Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)

Windows Server 2019 family (excluding Nano Server; Server Core supported with 32-bit subsystem)

Configuration Requirements

Remote Registry service must be running

Server service must be running

NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible

Windows Update service must not be disabled; rather, it must be set to either Manual or Automatic in order to successfully deploy patches. In addition, the Windows Update setting on each target machine (Control Panel > System and Security > Windows Update > Change settings) should be set to Never check for updates.

Note: If using Windows 10 or Windows Server 2016, you can disable Automatic Updates by selecting Disable Configure Automatic Updates in the Group Policy Editor. Please refer to Microsoft Help for guidance on other methods to disable the service.

For additional requirements when performing patch scans of remote machines, see Patch Scanning Prerequisites.

Disk Space (for patch program)

Free space equal to five times the size of the patches being deployed

Supported Languages (for patch program)

See the Patch View download status indicator language list on the Display Options dialog.

An NTFS file system is required on agent machines.

Processor

500 MHz or faster CPU

Memory

Minimum: 256MB RAM

Recommended: 512MB RAM or higher

Disk Space

50 MB for Security Controls Agent client

Minimum: 2GB or more for patch repository

Recommended: 10GB

Operating Systems (any of the following except home editions)

Windows 7 SP1 or later

Windows 8 family, excluding Windows RT

Windows 10 family

Windows Server 2008 R2, SP1 or later with SHA-2 support

Windows Server 2012 family

Windows Server 2012 family R2

Windows Server 2016 family

Windows Server 2019 family

Configuration Requirements

Workstation service must be running

Compatible Tested platforms: https://forums.ivanti.com/s/article/Ivanti-Security-Controls-Supported-Platforms-Matrix

Operating Systems

All vendor-supported Server, Workstation, Client and Computer Node variants of the following systems (64-bit only).

CentOS 6 and Red Hat Enterprise Linux 6 (the libicu package and OpenSSL 1.0.1 or later are required)

Support for CentOS 6 Linux clients will end in a future release.

CentOS 7 and Red Hat Enterprise Linux 7 (the libicu package and OpenSSL 1.0.2 or later are required)

Red Hat Enterprise Linux 8 (the libicu package and OpenSSL 1.0.2 or later are required)

Port Requirements

Secure Shell (SSH) and Port 22 are used when push installing an agent to a Linux machine.

Configuration Requirements

In order to perform a push install of an agent from the Security Controls console to a Linux machine, you can connect to the machine using either the root account or passwordless sudo access. For security reasons, using sudo access is the recommended best practice. To implement sudo access, you must manually log on to each Linux machine as root, invoke visudo and then do the following:

Add the following command to the file.

<installUser> ALL=(ALL) NOPASSWD: /bin/sh /tmp/ivanti-[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]/install.sh *

This command uses sudo (super user do) to grant root privileges to the console so that it can do a push install of an agent to the Linux machine.

In the file, look for a line that reads Defaults requiretty and if it exists, change it to Defaults !requiretty.

This bypasses a known operating system bug by disabling the requiretty flag for every user on the machine, enabling sudo to run from means other than just a login session. If you prefer, you can disable the flag for just the install user by changing it to Defaults:><installuser> !requiretty.

This flag is not set in the most current versions of Red Hat and CentOS.

If you choose not to use either root or sudo access from the console to your Linux machines, you can manually install an agent on each machine.

If your Linux machines reside in a disconnected environment, you may want to perform the disconnected configuration steps at the same time that you configure each machine for sudo access.

These are the default port requirements. Several of the port numbers are configurable.

Protocol Port Source Destination Encrypted Description
UDP 9 Security Controls Console Agentless System(s) No For Wake-on-LAN (WoL) and error reporting
TCP 22 Security Controls Console Linux Agent System(s) Yes Allows the console to push install an agent to a Linux machine
TCP 80

Security Controls Console

Distribution Server: HTTP

No

Needed for distribution servers to sync patches with console only if using HTTP
Security Controls Console Distribution Server: HTTP No Needed for distribution servers to sync patches with console only if using HTTP
Agent System(s) Distribution Server: HTTP No Needed for distribution servers to sync patches with console only if using HTTP
Security Controls Console Patch Repositories / Patch Config No Patch downloads when HTTPS URLs are not available
TCP 135 Security Controls Console Agentless System(s) No Allows the WMI protocol, which is required for asset scans

UDP and

TCP

(Or substitute TCP 445 for all three ports)

137-138

139

Security Controls Console

Agentless System(s)

No

(Windows file sharing/directory services) required for agentless scan and deployment to work
Security Controls Console Distribution Server: UNC No (Windows file sharing/directory services) required for agentless scan and deployment to work
Agent System(s) Distribution Server: UNC No (Windows file sharing/directory services) required for agentless scan and deployment to work
Agentless System(s) Distribution Server: UNC No (Windows file sharing/directory services) required for agentless scan and deployment to work
TCP 443

Security Controls Console

Distribution Server: HTTPS

No

Needed for distribution servers to sync patches with console; only if using HTTPS (Cloud sync)
Agent System(s) Distribution Server: HTTPS No Needed for distribution servers to sync patches with console; only if using HTTPS (Cloud agents)
Security Controls Console Patch Repositories / Patch Config No Patch and content downloads
Security Controls Console VMware vCenter No Used when making a connection to the vCenter Server
Security Controls Console VMware ESXi Hypervisor No Used when making a connection to the ESXi hypervisor

TCP

(Or substitute with UDP 137-138 and TCP 139)

 445

Security Controls Console

Agentless System(s)

Yes (SMBv3)

(Windows file sharing/directory services) required for agentless scan and deployment to work
Security Controls Console Distribution Server: UNC Yes (SMBv3) (Windows file sharing/directory services) required for agentless scan and deployment to work
Agentless System(s) Distribution Server: UNC Yes (SMBv3)

(Windows file sharing/directory services) required for agentless scan and deployment to work
TCP 3000 Chrome browser extension Agent System(s)   Allows communication from browser extensions to an Application Control agent; configurable via the BrowserCommsPort setting
TCP 3001 Chrome browser Agent System(s)   Allows the Chrome browser control extension to be installed; configurable via the BrowserAppStorePort setting
TCP 3121

Agent System(s)

Security Controls Console

Yes

 

Required for Deployment Tracker status updates for patch deployment and agent communication back to console

Agentless System(s)

Security Controls Console

Yes

 

Required for Deployment Tracker status updates for patch deployment and agent communication back to console
TCP 4155 Security Controls Console Agent System(s) Yes Allows listening agents to receive commands from console
TCP 5120 Security Controls Console Agentless System(s) Yes Allows the scheduler to receive commands from console machine for agentless deployments
TCP 5985 Security Controls Console Agentless System(s) Yes Allows you to use the ITScripts feature

Configurable Ports

TCP 3000: Chrome browser extension communication with AC agent

TCP 3001: Chrome browser extension installation

TCP 3121: Data rollup functions

TCP 4155: Listening agents

TCP 5120: Scheduler

TCP 5985: ITScripts