From the Field, Episode II: The PoC Awakens

Welcome, gentle reader, to Day 3,720 (bonus points for knowing the significance of that number) of the same four walls, Zoom meetings, the same blank void, and the same sitting on your backside for entirely too long every day. 

There is light at the end of the tunnel, though. I need one more person in my household to get vaccinated and we’ll be good to go (thank you, Science). Not gonna lie: I’m soooo looking forward to traveling again and seeing my friends and peers. I actually miss going to conferences! 

Now that I’ve joined the team here at ControlUp, having the vendor role at industry conferences will be interesting. I helped staff the Citrix booth at AWS re:Invent for two years and greatly enjoyed the interaction with customers that might not have known what Citrix does. I’m betting those same sorts of conversations will happen at the ControlUp booth (in-person: YAY!) at events coming soon. 

Interestingly, the same conversation happens during demonstrations of ControlUp to new customers. The demo is just the first step though; the real magic happens during the Proof of Concept (PoC) phase. 

Since ControlUp is a non-intrusive monitoring tool, we deploy PoCs directly into the customer’s production environment. This way, the customer can immediately realize the value (almost all do!) of the information that ControlUp provides. What comes as a surprise to most people is exactly how easy the setup is. Also, once set up, the customer is mostly done, except for customization within their own environment. ControlUp is already set up and ready to go once they are fully licensed.

Anyone can download our software and run through all of these steps themselves. No credit card, no sales pressure; seeing is believing! We want you to try our software, and see exactly how easy it is to get started and find issues in your environment. Five minutes is all it takes to get you up and running. Heck! In as little as an hour, you can have data sources configured, alerts running and start learning things about your EUC environment that you never knew! Head over to https://www.controlup.com/trial/ and click the “Start Download” button.

Figure 1: Get up and running with ControlUp in as little as five minutes.

 

As Sales Engineers, we have the experience (even me, only six months in!) to give you that extra leg up to realize even MORE value from your PoC. Yes, I’m about to open the kitchen and tell you how the sausage is made. 

Let’s take an hour of your time, and turn that trial download into a proper Proof of Concept!

Preparation & Prerequisites

Luck is the intersection of opportunity and preparation. — Seneca

You have now downloaded ControlUp. Congratulations! Now, you have an opportunity. 

Here’s what you need to get started:

  • Prepare two domain-joined Windows server machines with two vCPUs and 16GB of RAM and .NET 4.5 installed: one will be used for running the ControlUp Real-Time Console, the other one will be used as the monitor and data collector.
    • Note: you can run everything on a single machine if needed, but it’s recommended to have two if possible. The rest of this write-up assumes you have two machines.
  • Both machines need to have internet connectivity to various ControlUp cloud-based resources (orange section in Figure 2), so make sure that both machines have access to the URLs listed here.
  • Open the relevant TCP ports for communication between the Console and Monitor machines (blue section in Figure 2), and between the Console/Monitor and both the monitored agentless resources and the monitored machines that will run the ControlUp Agent (green section in Figure 2).
  • Download the trial software by going to https://www.controlup.com and clicking on the “Download Free Trial” button. After the download completes, extract the console .exe file from the ZIP file and save it to the machine that you’ll use to run the Console.
  • Though you can use existing accounts to connect to monitored resources, we recommend the creation of dedicated ControlUp service accounts. A service account that can query LDAP and has local admin privileges on the machines you are planning to monitor is required. In addition to this account, you will need additional service accounts for accessing agentless resources, such as your hypervisor, your EUC environment, Citrix Gateway, and other resources you’re planning to monitor with ControlUp.
  • If you have an on-prem Citrix Virtual Apps & Desktops deployment you are planning to monitor, make sure you have the required Citrix PowerShell SDK components installed on both machines. Details and downloads are available from this article.

Figure 2: ControlUp architectural diagram highlighting prerequisites. Full details can be found here.
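
To confirm the prerequisites above before launching the installer, here is a preflight check you can run on both the Console and Monitor machines. It is an added example, not ControlUp tooling: the function name, the use of TCP 443 for the cloud check, and the host list are assumptions, and the peer ports are deliberately left empty for you to fill in from ControlUp's documentation.

```powershell
# Added example, not ControlUp's own tooling. Run on the Console and Monitor machines.
# Assumption: cloud resources are reached over HTTPS (TCP 443). The host list is a
# placeholder; replace it with the hosts from ControlUp's published URL list.
$CloudHosts = @('www.controlup.com')

function Test-PocPrerequisite {
    param(
        [int]$MinVCpu = 2,
        [int]$MinMemoryGB = 16,
        [string[]]$Hosts = $CloudHosts,
        [string]$Peer,              # the other machine (Console <-> Monitor), optional
        [int[]]$PeerPorts = @()     # fill in from ControlUp's port documentation
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # VMs report slightly less than the assigned RAM, so round to the nearest GB.
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    # .NET 4.5 or later shows a Release value of 378389 or higher under v4\Full.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }

    $checks = @(
        [pscustomobject]@{ Check = 'Domain joined'; Pass = [bool]$cs.PartOfDomain; Detail = $cs.Domain }
        [pscustomobject]@{ Check = "vCPUs >= $MinVCpu"; Pass = $cs.NumberOfLogicalProcessors -ge $MinVCpu; Detail = $cs.NumberOfLogicalProcessors }
        [pscustomobject]@{ Check = "RAM >= $MinMemoryGB GB"; Pass = $memGB -ge $MinMemoryGB; Detail = "$memGB GB" }
        [pscustomobject]@{ Check = '.NET 4.5 or later'; Pass = $release -ge 378389; Detail = "Release $release" }
    )
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $checks += [pscustomobject]@{ Check = 'Cloud reachability'; Pass = $ok; Detail = "${h}:443" }
    }
    foreach ($p in $PeerPorts) {
        $ok = Test-NetConnection -ComputerName $Peer -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        $checks += [pscustomobject]@{ Check = 'Peer port open'; Pass = $ok; Detail = "${Peer}:$p" }
    }
    $checks
}

$report = Test-PocPrerequisite
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met; fix them before installing.'
}
```

Running it under the account that will launch the Console also shows whether outbound filtering applies to that user context, which is where proxy and firewall surprises usually appear.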

Account & Organization Creation

On the Console machine, run the Console .exe file and select “Create a new account.” Fill out your details and click on the Sign Up button. Confirm that your email address is correct.

Figure 3: ControlUp Account Creation window after initial launch of Console .exe file.

Important: though you can continue to create a ControlUp Organization immediately after this, it’s important that you check your inbox for the confirmation email and activate your account. If you forget to do that, you won’t be able to access ControlUp Insights later on.

In the “Create a ControlUp Organization” window, pick an Organization Name (e.g. your company name) and click continue.

 

Figure 4: Create a ControlUp Organization.

Update Security Settings

As with many features in ControlUp, the default security settings work out of the box, giving you and other users of ControlUp Real-Time DX access to most of the key features and functionality without any modifications. But left unchanged, those defaults also grant elevated permissions to people who maybe shouldn’t have access to all of those capabilities. So, let’s take care of that.

Access the Security Policy tab in the bottom of the Real-Time Console and then select “Manage Roles” from the top ribbon.

Figure 5: Manage Roles in ControlUp Real-Time Console.

 


Figure 6: Set the permissions for the different roles.

 

By default, the Account Owner and the Roles Manager are set to the individual that created the ControlUp Organization. We recommend that you change both the account’s Owner and the Roles Manager to a group of users to remove the dependency on an individual (who could be unavailable when changes need to be made). You can create a new AD group (e.g. “ControlUp Admins”) or use an existing AD group (e.g. “Citrix Admins”, “VMware Admins” or “Domain Admins”) for this.

Next, we want to make sure that all relevant people are added to the built-in ControlUp Admins role by selecting the ControlUp Admins role in the bottom pane and clicking Edit. In the dialog box that appears, add those users and/or groups that should have full admin permissions in ControlUp (including yourself!). 

After this, close the Security Settings Pane by clicking OK, which will bring you back to the Security Policy tab. 

The only thing that remains is to remove the elevated permissions from the built-in Organization Members role. The Organization Members role is comparable to the “Domain Users” group in AD, and its default role permissions would be too elevated for a production-ready PoC deployment. We therefore recommend that you reduce the permission scope for that role to no permissions at all, and explicitly add users who require some level of access to specific roles such as the ControlUp Admins role or the Help Desk role.

To make this change, right-click on the Organization Members header and select “Not set.” After this, make sure that you hit the Apply button on the left in the top ribbon.

 

Set up monitor and shared credentials

The ControlUp Real-Time Console queries the agents and pulls in all the data from disparate sources into a single, aggregated pane of glass so administrators can easily determine the root causes of issues. But what if the console is not running? This is where the monitor or data collector comes in. Click on Settings on the top ribbon and click Monitors:

Figure 7: Select Monitors from the Settings Menu.

 

In the next window, select Add Monitors to Site. As an option, the site can be defined here as well. Note that ‘Site’ refers to a physical location. If an organization has multiple data centers or other locations with EUC resources, best practice is to have at least one monitor (two for redundancy) in each physical location. 

Figure 8: Add a new monitor.

 

Monitors are usually dedicated virtual machines that serve to aggregate and transmit historical data. ControlUp provides a handy calculator to make sure they are sized properly. Most installations require 4 vCPUs and 16GB of RAM.

Ensure the user that is running the console has administrator access to the target machine. Select your desired monitor server from the next dialog:

 

Figure 9: Choose which machine will host the monitor.

 

The monitor will install itself automatically and start sending data for historical reporting. Once installed, check the monitor status from the same window and make sure the data is being uploaded. This occurs every 30 minutes, so you may have to wait for the first upload.

Figure 10: Verify monitor operation.

 

You also need shared credentials for certain tasks. Service accounts, cloud accounts, Linux logins, NetScaler logins, and many other possibilities exist outside of normal AD credentials. By putting these accounts into the shared credential store, the monitor can get the information it needs to maintain historical reporting. It’s just a matter of setting them up in the Credentials Store under Settings:

Figure 11: Add a credential set to the credential store.

 

ControlUp recommends that only role accounts be stored in shared credentials, and those accounts must be maintained within the organization’s security policies. Storing individual credentials isn’t recommended due to security and auditing concerns.

 

Create folder structure

Folders are extremely important in ControlUp. Folders are used in MANY configuration settings, including security, notifications and thresholds. Simply right-click in the navigation pane and select Add ➡️ Folder.

Figure 12: Add a folder to the navigation menu.

 

Set up the folder hierarchy as it makes sense for the organization. It could be split in terms of network locations, EUC Delivery Groups, corporate departments or just about anything. Every folder structure is unique!

 

Set up data collector

If your environment will have agentless resources, such as EUC connection servers, Hypervisors, cloud connectors or Linux machines, you will need to set up a data collector. In the case of a cloud connection, a data collector is required. This is usually just your monitor machine, as described above, but designated as a data collector for certain services. More information on data collectors can be found in this handy blog on the subject.

 

Add hypervisor

The core of most EUC environments is the hypervisor. ControlUp supports all of the usual suspects, such as VMware, Citrix, and Nutanix. Adding the hypervisor is as simple as interfacing with the vendor API and ensuring the proper permissions are applied. Simply click the button in the top left:

Figure 13: Add a hypervisor from the home menu.

 

Then fill out the connection information for your hypervisor. 

Figure 14: Enter the connection information for the hypervisor.

 

Note the use of shared credentials and role accounts as described above. Once added, the hypervisor and its hierarchy will appear in the navigation menu:

Figure 15: Verify the hypervisor is displayed in the navigation pane.

 

Add EUC

Similar to the hypervisor setup is the EUC environment setup. Again, just click the button at the top left:

Figure 16: Add an EUC environment in the home menu.

Select the appropriate EUC vendor and enter the connection information:

Figure 17: Enter the EUC connection information.

 

NOTE: you can add a data collector here, as described above. Once again, the EUC environment will appear in the navigation pane:

Figure 18: Verify the EUC environment is displayed in the navigation pane.

 

Verify that ControlUp Insights works

If the Monitor was set up correctly above and data is being uploaded, then it will start appearing in the ControlUp Insights console. Click the button on the top right to be directed via browser to Insights.

Figure 19: Click the ControlUp Insights button on the home menu.

 

A new browser window will open and your top insights will be displayed. 

Figure 20: Verify trending data appears in the ControlUp Insights console.

 

Insights collects the metadata from the Real-Time Console and displays trends of the data for historical analysis and reporting. As you might guess, there is a fair bit of information presented here. We’re just interested in making sure the data is being collected. Digging into that data… well, that’s another blog.

 

Next time on “From the Field”

This blog ended up being much longer than anticipated. That’s fine, though; we want to make sure that a customer can set up a PoC and get themselves up and running quickly. Remember, we’re always here for assistance, but setting up ControlUp is easier than shooting womp rats in Beggar’s Canyon. With luck, these instructions are helpful, and we hope to see you getting great value from your data!

Next time, I’ll have a look at ControlUp RemoteDX and how we solve the issue of that last mile. You think Citrix is slow? Maybe you want to check your home network…