System Requirements
You must meet the following requirements when installing the Security Controls console and performing actions on client machines.
CONSOLE
Restrictions
•An NTFS file system is required on the console machine
•If you install the console on a domain controller that uses LDAP certificate authentication, you may need to configure the server to avoid conflict issues between the SSL certificate and the Security Controls program certificate.
•If you install the console on two or more machines that share a database, all of the console machines must have unique security identifiers (SIDs) in order to prevent user credential problems. Machines are likely to have the same SIDs if you make a copy of a virtual machine or if you ghost a machine.
•The console machine should be as fully patched as possible prior to installing Security Controls.
Processor
•Minimum: 2 processor cores 2GHz or faster
•Recommended: 4 processor cores 2GHz or faster (for 500 - 2500 seat license)
•High performance: 8 processor cores 2GHz or faster (for 10000+ seat license)
•Agentless Patch assessment: 8+ processor cores 2GHz or faster
Memory
•Minimum: 2GB of RAM
•Recommended: 4GB of RAM (for 500 - 2500 seat license)
•High performance: 16GB of RAM (for 10000+ seat license)
Video
•Minimum 1024 x 768 screen resolution
•Recommended 1280 x 1024 or higher
Disk Space
•500 MB for application
•10GB minimum, 100GB or more recommended for patch repository
Operating System (one of the following)
•Windows Server 2022 family
•Windows Server 2019 family, excluding Server Core and Nano Server (64-bit)
•Windows Server 2016 family, excluding Server Core and Nano Server (64-bit)
•Windows Server 2012 family R2 Cumulative Update 1 or later, excluding Server Core (64-bit)
•Windows Server 2012 family, excluding Server Core (64-bit)
•Windows 11 family
•Windows 10 Pro, Enterprise or Education Edition (64-bit)
Note: It is recommended to use the latest available version where possible. Support for Windows Server 2012 R2 is scheduled to end in 2023.
Database
•Use of a Microsoft SQL Server database [SQL Server 2012 or later]
If you do not have a SQL Server database, the option to install SQL Server Express Edition will be provided during the prerequisite software installation process.
•Recommended: Microsoft SQL Server 2016 SP1 or higher
•Minimum Size: 30GB
•Medium Size: (500 - 2500 seat license) 30-60GB
•Enterprise Size: (10000+ seat license) 60-100GB
SQL High Availability
If set up in accordance with Microsoft best practices, SQL mirroring is supported by Security Controls.
A witness server is required for automatic failover. Without the witness a manual changeover is required.
SQL mirroring is supported on SQL Server 2012 and 2014 but not SQL Express edition.
Prerequisite Software
•Use of Microsoft SQL Server 2012 or later
•Microsoft .NET Framework 4.8 or later
•Microsoft Visual C++ Redistributable for Visual Studio 2013 (required for scanning offline VMs)
•Microsoft Visual C++ Redistributable for Visual Studio 2015-2022
•Windows
Management Framework 5.1
Windows Account Requirements
In order to access the full capabilities of Security Controls, you must run under an account with administrator privileges.
Configuration Requirements
•You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used by Security Controls to download patch content from third-party vendors.
For the complete list of URLs that you should add, see:
https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls
•When performing an asset scan of the console machine, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine. In Windows Firewall, on Windows XP/Windows 2003 machines the service is called Remote Administration, and on more recent Windows machines the service is called Windows Management Instrumentation (WMI)/Remote Administration.
Supported Languages
See the Languages list on the Display Options dialog.
WINDOWS CLIENTS (AGENTLESS)
Operating Systems (32- and 64-bit versions of any of the following)
•Windows 7 Embedded
•Windows 7, Professional Edition
•Windows 7, Enterprise Edition
•Windows 7, Ultimate Edition
•Windows Server 2008, Standard
•Windows Server 2008, Enterprise
•Windows Server 2008, Datacenter
•Windows Server 2008, Standard - Core
•Windows Server 2008, Enterprise - Core
•Windows Server 2008, Datacenter - Core
•Windows Server 2008 R2, Standard
•Windows Server 2008 R2, Enterprise
•Windows Server 2008 R2, Datacenter
•Windows Server 2008 R2, Standard - Core
•Windows Server 2008 R2, Enterprise - Core
•Windows Server 2008 R2, Datacenter - Core
•Windows 8.1
•Windows 8.1 Embedded
•Windows 8.1 Enterprise
•Windows Server 2012, Foundation Edition
•Windows Server 2012, Essentials Edition
•Windows Server 2012, Standard Edition
•Windows Server 2012, Datacenter Edition
•Windows Server 2012 R2, Essentials Edition
•Windows Server 2012 R2, Standard Edition
•Windows Server 2012 R2, Datacenter Edition
•Windows 10 Pro
•Windows 10 Enterprise
•Windows 10 Education
•Windows Server 2016, Essentials Edition
•Windows Server 2016, Standard Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)
•Windows Server 2016, Datacenter Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)
•Windows Server 2019 family (excluding Nano Server; Server Core supported with 32-bit subsystem)
•Windows 11 family
•Windows Server 2022 family
Virtual Machines (offline virtual images created by any of the following)
Only applicable for Patch Management
•VMware ESXi 6.0 or later (VMware Tools is required on the virtual machines)
•VMware vCenter (formally VMware VirtualCenter) 6.0 or later (VMware Tools is required on the virtual machines)
•VMware Workstation 9.0 or later
Configuration Requirements
•Remote Registry service must be running
•Server service must be running
•NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible
•Windows Update service must not be disabled; rather, it must be set to either Manual or Automatic in order to successfully deploy patches. In addition, the Windows Update setting on each target machine (Control Panel > System and Security > Windows Update > Change settings) should be set to Never check for updates.
Note: If using Windows 10 or Windows Server 2016, you can disable Automatic Updates by selecting Disable Configure Automatic Updates in the Group Policy Editor. Please refer to Microsoft Help for guidance on other methods to disable the service.
•
•For additional requirements when performing patch scans of remote machines, see Patch Scanning Prerequisites.
•
Products Supported (for patch program)
•See https://www.ivanti.com/en-US/support/supported-products for the current list
Disk Space (for patch program)
•Free space equal to five times the size of the patches being deployed
Supported Languages (for patch program)
See the Patch View download status indicator language list on the Display Options dialog.
WINDOWS CLIENTS RUNNING WITH AN AGENT
An NTFS file system is required on agent machines.
Processor
•500 MHz or faster CPU
Memory
•Minimum: 256MB RAM
•Recommended: 512MB RAM or higher
Disk Space
•50 MB for Security Controls Agent client
•Minimum: 2GB or more for patch repository
•Recommended: 10GB
Operating Systems (any of the following except home editions)
On Windows 7 SP1 machines, the agent client requires .NET 5.0. Any patches required to support .NET 5 are the responsibility of the user to install.
•Windows 7 SP1 or later
•Windows 8.1 family
•Windows 10 family
•Windows 11 family
•Windows Server 2008 R2, SP1 or later with SHA-2 support
•Windows Server 2012 family
•Windows Server 2012 family R2
•Windows Server 2016 family
•Windows Server 2019 family
•Windows Server 2022 family
Configuration Requirements
•Workstation service must be running
•Compatible Tested platforms: https://forums.ivanti.com/s/article/Ivanti-Security-Controls-Supported-Platforms-Matrix
LINUX CLIENTS RUNNING WITH AN AGENT
Operating Systems
All vendor-supported Server, Workstation, Client and Computer Node variants of the following systems (64-bit only).
•CentOS 7 and Red Hat Enterprise Linux 7 (the libicu package and OpenSSL 1.0.2 or later are required)
•Red Hat Enterprise Linux 8 (the libicu package and OpenSSL 1.0.2 or later are required)
Port Requirements
Secure Shell (SSH) and Port 22 are used when push installing an agent to a Linux machine.
Configuration Requirements
In order to perform a push install of an agent from the Security Controls console to a Linux machine, you can connect to the machine using either the root account or passwordless sudo access. For security reasons, using sudo access is the recommended best practice. To implement sudo access, you must manually log on to each Linux machine as root, invoke visudo and then do the following:
•Add the following command to the file.
<installUser> ALL=(ALL) NOPASSWD: /bin/sh /tmp/ivanti-[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]/install.sh *
This command uses sudo (super user do) to grant root privileges to the console so that it can do a push install of an agent to the Linux machine.
•In the file, look for a line that reads Defaults requiretty and if it exists, change it to Defaults !requiretty.
This bypasses a known operating system bug by disabling the requiretty flag for every user on the machine, enabling sudo to run from means other than just a login session. If you prefer, you can disable the flag for just the install user by changing it to Defaults:><installuser> !requiretty.
This flag is not set in the most current versions of Red Hat and CentOS.
If you choose not to use either root or sudo access from the console to your Linux machines, you can manually install an agent on each machine.
If your Linux machines reside in a disconnected environment, you may want to perform the disconnected configuration steps at the same time that you configure each machine for sudo access.
PORT REQUIREMENTS
These are the default port requirements. Several of the port numbers are configurable.
In some locked down environments, you may also need to specifically allow traffic over the default dynamic port range: 49152 - 65535.
| Protocol | Port | Source | Destination | Encrypted | Description |
|---|---|---|---|---|---|
| UDP | 9 | Security Controls Console | Agentless System(s) | No | For Wake-on-LAN (WoL) and error reporting |
| TCP | 22 | Security Controls Console | Linux Agent System(s) | Yes | Allows the console to push install an agent to a Linux machine |
| TCP | 80 |
Security Controls Console |
Distribution Server: HTTP |
No |
Needed for distribution servers to sync patches with console only if using HTTP |
| Security Controls Console | Distribution Server: HTTP | No | Needed for distribution servers to sync patches with console only if using HTTP | ||
| Agent System(s) | Distribution Server: HTTP | No | Needed for distribution servers to sync patches with console only if using HTTP | ||
| Security Controls Console | Patch Repositories / Patch Config | No | Patch downloads when HTTPS URLs are not available | ||
| TCP | 135 | Security Controls Console | Agentless System(s) | No | Allows the WMI protocol, which is required for asset scans |
|
UDP and TCP (Or substitute TCP 445 for all three ports) |
137-138 139 |
Security Controls Console |
Agentless System(s) |
No |
(Windows file sharing/directory services) required for agentless scan and deployment to work |
| Security Controls Console | Distribution Server: UNC | No | (Windows file sharing/directory services) required for agentless scan and deployment to work | ||
| Agent System(s) | Distribution Server: UNC | No | (Windows file sharing/directory services) required for agentless scan and deployment to work | ||
| Agentless System(s) | Distribution Server: UNC | No | (Windows file sharing/directory services) required for agentless scan and deployment to work | ||
| TCP | 443 |
Security Controls Console |
Distribution Server: HTTPS |
Yes |
Needed for distribution servers to sync patches with console; only if using HTTPS (Cloud sync) |
| Agent System(s) | Distribution Server: HTTPS | Yes | Needed for distribution servers to sync patches with console; only if using HTTPS (Cloud agents) | ||
| Security Controls Console | Patch Repositories / Patch Config | Yes | Patch and content downloads | ||
| Security Controls Console | VMware vCenter | Yes | Used when making a connection to the vCenter Server | ||
| Security Controls Console | VMware ESXi Hypervisor | Yes | Used when making a connection to the ESXi hypervisor | ||
|
TCP (Or substitute with UDP 137-138 and TCP 139) |
445 |
Security Controls Console |
Agentless System(s) |
Yes (SMBv3) |
(Windows file sharing/directory services) required for agentless scan and deployment to work |
| Security Controls Console | Distribution Server: UNC | Yes (SMBv3) | (Windows file sharing/directory services) required for agentless scan and deployment to work | ||
| Agentless System(s) | Distribution Server: UNC | Yes (SMBv3) |
(Windows file sharing/directory services) required for agentless scan and deployment to work |
||
| TCP | 902 | Security Controls Console | VMware vCenter / ESXi Hypervisor | Yes (TLS) | Used for disk mounting on offline virtual machines and templates |
| TCP | 3000 | Chrome browser extension | Agent System(s) | Allows communication from browser extensions to an Application Control agent; configurable via the BrowserCommsPort setting | |
| TCP | 3001 | Chrome browser | Agent System(s) | Allows the Chrome browser control extension to be installed; configurable via the BrowserAppStorePort setting | |
| TCP | 3121 |
Agent System(s) |
Security Controls Console |
Yes
|
Required for Deployment Tracker status updates for patch deployment and agent communication back to console |
|
Agentless System(s) |
Security Controls Console |
Yes
|
Required for Deployment Tracker status updates for patch deployment and agent communication back to console |
||
| TCP | 4155 | Security Controls Console | Agent System(s) | Yes | Allows listening agents to receive commands from console |
| TCP | 5120 | Security Controls Console | Agentless System(s) | Yes | Allows the scheduler to receive commands from console machine for agentless deployments |
| TCP | 5985 | Security Controls Console | Agentless System(s) | Yes | Allows you to use the ITScripts feature |
Configurable Ports
•TCP 3000: Chrome browser extension communication with AC agent
•TCP 3001: Chrome browser extension installation
•TCP 3121: Data rollup functions
•TCP 4155: Listening agents
•TCP 5120: Scheduler
•TCP 5985: ITScripts