Assets prerequisites for agentless connections

Flows matrix

This matrix summarizes the network flows that may be required to monitor assets over agentless connections, depending on the equipment type.

| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Cyberwatch scanner | monitored asset | TCP | 22 | SSH (Linux) |
| Cyberwatch scanner | monitored asset | TCP | 5985 | WinRM (Windows) |
| Cyberwatch scanner | monitored asset | UDP | 161 | SNMP (network devices) |
| Cyberwatch scanner | monitored asset | TCP | 443 | HTTPS VMware API |
| monitored asset | Cyberwatch scanner | TCP | 443 | HTTPS Microsoft cab file transfer |

Software prerequisites

  • An operating system covered by the list of supported operating systems
  • SSH service enabled on Linux / UNIX
  • WinRM service enabled for Windows (PowerShell command: Enable-PSRemoting -Force)
  • SNMPv3 enabled for network devices

Specific requirements for Linux assets

  • Valid SSH account with login/password or public/private key authentication
  • Sudoers rights WITHOUT TTY if you want to deploy security fixes with Cyberwatch (optional)

Specific requirements for Windows assets

  • Valid local or domain WinRM Administrator account, with “NEGOTIATE” authentication mode
  • The account provided MUST have administrator rights
  • The Windows Update service (wuauserv) must be activated
  • PowerShell v2 or higher must be installed; it can be downloaded from the official Microsoft Update Catalog website
  • Windows Update Agent v6.1.0022.4 or higher must be installed

Windows Server 2008 assets must also support SHA-2 hash algorithms, as described in the official Microsoft documentation. In summary, three updates are required:

  • SHA-2 Code Signing Support, by installing KB4474419
  • January 2020 (monthly rollup) update by installing KB4534310 on Windows Server 2008 R2 SP1
  • SHA-2 Related Servicing Stack Updates
    • by installing KB4490628 on Windows Server 2008 R2 SP1
    • by installing KB4493730 on Windows Server 2008 SP2

If these KBs are not installed, the following exception appears in the Cyberwatch scan result:

# Error: Exception calling "AddScanPackageService" with "3" argument(s): "A certificate chain processed but terminated in a root certificate which is not trusted provider (HRESULT : 0x800B0109)"
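The Windows requirements above can be checked on the asset before the first scan. The script below is an added example, not part of Cyberwatch or its documentation. It assumes that the Windows Update Agent version can be read from the file version of wuaueng.dll, that "activated" means the wuauserv service is not disabled, that OS versions 6.0 and 6.1 identify Windows Server 2008 SP2 and 2008 R2 SP1, and that KB4474419 applies to both.

```powershell
# Added example: run locally on the Windows asset in an elevated session (PowerShell v2 compatible).
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# PowerShell v2 or higher
$psv = $PSVersionTable.PSVersion
Add-Check 'PowerShell >= 2' ($psv.Major -ge 2) "found $psv"

# WinRM service enabled (what Enable-PSRemoting -Force sets up)
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
Add-Check 'WinRM service running' ($winrm -and $winrm.Status -eq 'Running') "status: $($winrm.Status)"

# Windows Update service; assumption: "activated" means the service is not disabled
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
Add-Check 'wuauserv not disabled' ($wu -and $wu.StartMode -ne 'Disabled') "start mode: $($wu.StartMode)"

# Windows Update Agent v6.1.0022.4 or higher; assumption: version taken from wuaueng.dll
$vi = (Get-Item "$env:SystemRoot\System32\wuaueng.dll").VersionInfo
$wua = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
Add-Check 'Windows Update Agent >= 6.1.0022.4' ($wua -ge [version]'6.1.0022.4') "wuaueng.dll $wua"

# SHA-2 updates, only relevant on Windows Server 2008 (6.0 = 2008 SP2, 6.1 = 2008 R2 SP1)
$os = Get-WmiObject Win32_OperatingSystem
$required = @()
if ($os.Version -like '6.0.*') { $required = 'KB4474419', 'KB4493730' }
if ($os.Version -like '6.1.*') { $required = 'KB4474419', 'KB4534310', 'KB4490628' }
foreach ($kb in $required) {
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    # Get-HotFix does not list every update, and a later monthly rollup can replace KB4534310,
    # so a miss here means "verify in the update history", not a definite failure.
    $detail = if ($hit) { 'installed' } else { 'not listed by Get-HotFix, verify in update history' }
    Add-Check "Hotfix $kb" ([bool]$hit) $detail
}

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize -Wrap
```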

Requirements for Windows Server 2012 and Windows Server 2012 R2 to enable WUA scans

To guarantee that Windows Update Agent is fully operational, Windows Server 2012 and 2012 R2 need a cumulative monthly rollup update that is equal to or more recent than: