OPAS Prerequisites

This document contains the prerequisites and requirements for setting up OPAS.

Prepared By: Luke Swords, Principal Consultant
24/06/2015
Version 1.0

Contact Information
Infront Consulting Group Ltd.
56 Aberfoyle Crescent, Suite 830
Toronto, Ontario M8X 2W4
416-503-8350 x25
info@infrontconsulting.com
www.infrontconsulting.com

Contents
1 Software Requirements
2 Hardware Requirements
3 Security Requirements
3.1 Users and Groups
3.2 Additional Security Considerations

1 Software Requirements

As of version 4, OPAS requires the following components in order to be deployed into a customer environment:

| Component | Requirement | Description |
|---|---|---|
| OPAS Web UI | Windows Server 2012 R2; ASP.NET 4.5; .NET Framework 4.5; IIS 8 (default install) | The OPAS web components have been validated on Windows Server 2012 R2. |
| OPAS Web Service | Windows Server 2012 R2; ASP.NET 4.5; .NET Framework 4.5; IIS 8 (default install) | The OPAS web services have been validated on Windows Server 2012 R2. |
| OPAS Database | Microsoft SQL Server 2008 R2 and later | The OPAS database is a single point of failure, so some customers may wish to use SQL HA options available in higher Editions of SQL. |
| Runbook Server | System Center 2012 R2 | Only standard integration pack activities are used. Only RTM is required, but customers should be running at least SP1 or R2 for the significant security/bug fixes. |
| | Windows Failover clustering management PowerShell cmdlets | Required for the remote management of Windows failover clusters. |
| OPAS | System Center Configuration Manager 2012 client and later | Update inventory, media transport and installation. |
| | PowerShell 2.0 and higher | If DSC validation tasks are required, then PowerShell 4.0 and PowerShell remoting are necessary. |
| | System Center Operations Manager 2012 agent | OPAS can be used to place components into maintenance mode. |

2 Hardware Requirements

It is possible to run the OPAS components on separate servers or on a single server. In addition, it is also possible to run OPAS on the same server as the management server.

Note: When running all components on a single server, high availability and single points of failure must be taken into consideration.

| Role | Hardware | Notes |
|---|---|---|
| OPAS Web UI, OPAS Web API | 2 vCPU; 4 GB RAM; 10 GB hard disk | Roles can be installed on separate servers, but the recommended hardware requirements should be the same. |
| OPAS Database Server | 2 vCPU; 4 GB RAM; 10 GB hard disk | Estimated database size is less than 1 GB. SQL Server does not need to be a dedicated instance, but can run on a shared SQL server. |

3 Security Requirements

The security prerequisites for OPAS may be provided with just a single Active Directory user account and a group.

3.1 Users and Groups

| Account / Group | Description | Privilege |
|---|---|---|
| Runbook Service Account | Service account used to run the Runbook Service | This should be a domain account that has local administrative privileges on all target servers. Required to remotely invoke WMI, the SCCM client and perform maintenance actions, including reboots and execution of scripts. |
| OPAS Admins group | An Active Directory group that provides access to the OPAS console. | This group provides access to OPAS via a .NET Authorization rule. |

3.2 Additional Security Considerations

The security access required for OPAS components is described in the table below:

| Component | Description | Reason |
|---|---|---|
| server to OPAS clients | Kerberos authentication between SCO runbook account and all OPAS patched systems. | Required to command and control machines that need to be patched. |
| | SCO Runbook account has Administrator rights on all OPAS patched systems. | Required to remotely invoke WMI, the SCCM client and perform maintenance actions. |
| Runbook Server to SCOM Management Server | PowerShell remoting must be enabled on the SCOM management server. | Used to perform maintenance actions. |

3.3 Ports Required by OPAS

The following ports are required between the OPAS clients, OPAS components and.

| Component | Direction | Ports | Description |
|---|---|---|---|
| server to OPAS clients | OPAS | TCP Port 135; TCP Ports 1024-5000 (Windows Server 2003 R2); TCP Ports 49152-65535 (Windows Server 2008 and higher) | RPC Endpoint Mapper and dynamic range |
| OPAS UI Users | OPAS UI | TCP Port 80 | This assumes the default port used by the site has not changed. |
| OPAS UI | OPAS UI server OPAS API server | TCP Port 1433 | This assumes default SQL port has not changed. OPAS UI and OPAS API component can reside on the same server. |
| DSC Validation Task | OPAS | TCP Port 5985 (HTTP); TCP Port 5986 (HTTPS) | These are default ports used by WinRM and PowerShell remoting. These ports are configurable. HTTPS may not be configured. |
| Run SQL Query Validation Task | OPAS | TCP Port 1433 | This assumes default SQL port has not changed. |
| Check SQL Backup Validation Task | OPAS | TCP Port 1433 | This assumes default SQL port has not changed. |
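
A pre-flight reachability check for the fixed ports listed in section 3.3, given as an added example that is not part of the original document or of OPAS itself. The host names are placeholders and the helper name Test-TcpPort is hypothetical; run the script on the machine that originates each connection, and note that the dynamic RPC range cannot be probed this way because those ports only listen once allocated.

```powershell
# Added example: TCP reachability check for the fixed ports in section 3.3.
# All host names are placeholders (assumptions); replace them with real targets.
$checks = @(
    @{ Purpose = 'RPC Endpoint Mapper';        Target = 'opas-client01.example.test'; Port = 135  },
    @{ Purpose = 'OPAS UI (default site)';     Target = 'opas-web01.example.test';    Port = 80   },
    @{ Purpose = 'SQL Server (default port)';  Target = 'opas-sql01.example.test';    Port = 1433 },
    @{ Purpose = 'WinRM / PS remoting, HTTP';  Target = 'opas-client01.example.test'; Port = 5985 },
    @{ Purpose = 'WinRM / PS remoting, HTTPS'; Target = 'opas-client01.example.test'; Port = 5986 }
)

# Hypothetical helper: returns $true if a TCP connection completes within the timeout.
# Uses BeginConnect so it also works on PowerShell 2.0, the minimum the document lists.
function Test-TcpPort {
    param(
        [string]$Target,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # filtered or dropped: no answer in time
        }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    }
    catch {
        return $false                  # refused, unreachable, or name not resolved
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Purpose   = $c.Purpose
        Target    = $c.Target
        Port      = $c.Port
        Reachable = Test-TcpPort -Target $c.Target -Port $c.Port
    }
}

# 5986 is expected to fail where HTTPS has not been configured for WinRM.
$results | Select-Object Purpose, Target, Port, Reachable | Format-Table -AutoSize
```

A successful connection only shows that the port is open along that path; it does not confirm Kerberos authentication or the service account's rights on the target.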