What are the deployment requirements for the Hybrid Agent? (4375827)

What are the deployment requirements for the Hybrid Agent?

Getting the following error messages whenever the installation of the Hybrid agent is attempted:

System and network requirements are missing or the agent is unable to find a Domain Controller. If the DNS is unable to fulfill the lookups requested by the setup process to find a DC it will fall back to NetBIOS over TCP to try and locate a DC. If there is a fallback to SMB that would explain the error as it is a typical error, you see in an SMB session.

Ensure you have carefully reviewed and followed all the prerequisites and instructions in the User Guide topic below:

https://support.quest.com/technical-documents/on-demand-global-settings/current/user-guide/11#1039241

Additional permissions for specific SC vulnerabilities:

https://support.quest.com/technical-documents/security-guardian/current/user-guide/6#TOPIC-2152204

After the agent is configured, review the following:

https://support.quest.com/technical-documents/security-guardian/current/user-guide/2#TOPIC-2155136

The agent setup binary process (setup.exe) requires LDAP connectivity (TCP 389) to the domain/DCs. The authentication mechanism is GSS-SPNEGO (which in turn negotiates Kerberos/NTLM with the DC):

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e7d814a5-4cb5-4b0d-b408-09d79988b550

The following network protocols may be used by the agent (either directly or indirectly by the local system) to attempt to work with the domain either during the setup process or during regular operation:

Within the domain:
TCP 389 (LDAP), UDP 53 (DNS), TCP 445 (SMB), UDP 137 (name resolution)

On-Demand connection 443 (HTTPS) depending on your region:
US:
odjrs-usprod-us-iothub.azure-devices.net
https://odjrsusprodusgrssto.blob.core.windows.net/

Canada:
odjrs-caprod-ca-iothub.azure-devices.net
https://odjrscaprodcagrssto.blob.core.windows.net/

Australia:
odjrs-auprod-au-iothub.azure-devices.net
https://odjrsauprodaugrssto.blob.core.windows.net/

Europe:
odjrs-euprod-eu-iothub.azure-devices.net
https://odjrseuprodeugrssto.blob.core.windows.net/

UK:
odjrs-ukprod-uk-iothub.azure-devices.net
https://odjrsukprodukgrssto.blob.core.windows.net/

Note: Make sure these URLs are reachable and whitelisted, and also that there is no DNS service blackholing in your Azure tenant to something like the blob.core.windows.net site.

Also, the setup will handle domain\username or username@domain.com  formats when specifying the identity. Either works.


 

Removing your AD Domain from the Tenants section of the On Demand UI and then re-adding it back could also help to resolve issues with the Hybrid agent deployment.