SolarWinds Platform Agent requirements
This topic applies only to the following SolarWinds Platform products:
SolarWinds Observability Self-Hosted
DPAIM — LA — NAM — NPM — SAM — SCM — SRM — VMAN*
Agent software is free. Licensing occurs through your product and is usually based on the number of monitored elements.
- Windows agents run as a service.
- Linux/Unix agents run as a service daemon.
Before you deploy agents to a target computer, review the following system requirements.
System requirements
Type | Windows | Linux/Unix |
---|---|---|
Operating System |
Only Pro, Enterprise, and Ultimate workstation |
Linux distributions not listed above, such as Debian or Fedora, are not supported. |
In a TLS 1.2 only environment, the target agent operating system must support TLS 1.2. | ||
Hard drive space | Approximately 100 MB of hard drive space on the target computer. | |
Other software |
The following software packages are installed by the agent installer if necessary:
.NET Framework support
|
For Linux, you may need to install the following manually:
For AIX:
|
Security |
The DigiCert Root Certificate Authority (CA) must be current. This is required because the agent software is signed using a DigiCert certificate. To install a certificate, see Certificates and the agent in the SolarWinds Platform. After the agent is installed, it runs as a Local System account and does not require administrative permissions to function. |
After the agent is installed, it runs under dedicated swiagent account. Some actions require root access. |
Account privileges
If you want to deploy agents from the SolarWinds Platform server, the following requirements must be met.
Windows
- The account used for remote deployment must have access to the administrative share on the target computer:
\\<hostname_or_ip>\admin$\temp
. - User Account Control (UAC) must either be disabled on the target computer, or the built-in Administrator account must be used.
- You may need to disable UAC remote restrictions.
- Other remote or mass deployment methods do not have the same requirements.
Linux/Unix
- An account that can connect remotely through SSH.
- An account that can install software and create a user and group.
See Credentials and privileges used on Linux/Unix-based computers for more information.
To deploy a Linux/Unix agent via pull deployment, make sure that the following conditions are met:
- SolarWinds Platform Web Console must be accessible from the target Linux computer.
- Pull deployment uses wget, curl, or perl to download the installation files from the chosen polling engine.
Agent port requirements
The following ports need to be open both to deploy and to update SolarWinds Platform Agents:
- Target computer where the agent is deployed
- Server hosting the SolarWinds Platform polling engine
- Local agent ports
Target computer
Port | Protocol | Service/ Process |
Direction | Description | Communication method |
OS |
---|---|---|---|---|---|---|
22 | TCP |
sshd Agent installer |
Inbound |
Used to install the agent on Linux/Unix computers through SSH and SFTP or SCP. |
Either | Linux/Unix |
135 |
TCP |
Agent installer |
Inbound |
(DCE/RPC Locator service) Microsoft EPMAP. This port must be open on the target computer for remote deployment. WMI is only needed for deploying the agent to a Windows server with the Add Node or Add Agent wizard. If you do not want to open WMI ports required for software deployment, you can use another deployment method for the Agent. WMI also uses any random TCP port greater than 1024. See WMI portocalypse on THWACK. |
Either | Windows |
445 |
TCP | Agent installer |
Inbound |
Microsoft-DS SMB file sharing. This port must be open on the target computer (inbound) for remote deployment. |
Either | Windows |
17778 |
TCP |
SolarWinds Agent |
Outbound |
Used continuously by the agent to communicate back to theSolarWinds Platform server. Also used to deploy the agent. | Agent-initiated |
All |
17790 |
TCP |
SolarWinds Agent |
Inbound |
Used to communicate with the SolarWinds Platform server. | Server-initiated | All |
Dynamic | UDP | SolarWinds.ServiceHost.Process.exe | Outbound | SolarWinds Cortex utilizes two dynamic UDP listening ports from dynamic range (assigned by OS) for SNMP polling. One port is for IPv4 and the second one is for IPv6 (if enabled). | Either | Windows |
SolarWinds Platform server
Port | Protocol | Service/ Process |
Direction | Description | Communication method |
OS |
---|---|---|---|---|---|---|
22 | TCP | n/a |
Outbound |
Used to install the agent on Linux/Unix computers through SSH and SFTP or SCP. |
Either | Linux/Unix |
17778 |
TCP |
Orion Module Engine SolarWinds Agent |
Inbound |
Used continuously by the agent to communicate back to the SolarWinds Platform server. Also used to deploy the agent. | Agent-initiated |
All |
17790 |
TCP |
Orion Module Engine SolarWinds Agent |
Outbound |
Used to communicate with the SolarWinds Platform server. | Server-initiated | All |
Local Agent ports
The following ports are required for local communication inside the server or agent. Do not open them in the firewall; they are used only by local services.
Windows
Port | Protocol | Direction | Description |
---|---|---|---|
17775 | TCP | Inbound (on agents) | RestAPI forwarder for Cortex |
17798 | TCP | Inbound (on servers) | Cortex Diagnostics API |
Dynamic | TCP | Inbound (on agents) | Port used for communication between the JobEngine and its workers. |
Linux/AIX
Port | Protocol | Direction | Description |
---|---|---|---|
Dynamic | UDP | Inbound (on agents) |
Python scripts in the Agent installation directory use a port from the dynamic range for SNMP-based polling. |
SolarWinds Platform Agent resource consumption
Agent resource consumption is variable and depends on what information is collected and how often the information is collected. This is the same as when the data is polled agentlessly, because in most cases, Agents use the same methods for collecting data as agentless polling.
Some Linux distributions, such as CentOS, log all cron
jobs, including jobs that ensure the agent service is still up and responding. The log file can become large quickly. If your distribution logs all cron jobs, ensure that you use a tool such as logrotate
to keep your log files to a manageable size.
Resource | Consumption |
---|---|
CPU | Under normal operating conditions, SolarWinds Platform Agent monitoring consumes less than 1% more resources than what would be consumed by monitoring the same node agentlessly. |
Memory | 10 - 100 MB, depending on the number and types of jobs. |
Bandwidth |
Roughly 20% (on average) of the bandwidth consumed by the WMI protocol for transmission of the same information. For example, agents use approximately 1.3 kB/s versus WMI at 5.3 kB/s. |
SolarWinds Platform Agent scalability
SolarWinds Platform Agents Scalability Engine Guidelines |
|
---|---|
Scalability options |
The achievable SolarWinds Platform Agent scalability varies with actual usage and configuration. Up to 1000 Agents with minimal load have been tested. However, SolarWinds recommends not exceeding 500 agents per polling engine.
|
FIPS support
Starting with Orion Platform 2020.2, SolarWinds Platform Agents support FIPS.
To run FIPS-compliant SolarWinds Platform Agents, enable FIPS on the target computer. FIPS is configured both on the main polling engine and on the polled agent computer so all communication between them is FIPS-compliant.
Remote deployment in FIPS mode is disabled. To run SolarWinds Platform Agents in FIPS-compliant mode, deploy agents manually (Windows or Linux/Unix).
FAQs about agent requirements
- What authentication method is used by the Agent?
- What are the minimum required cipher suites for TLS 1.2 agent communications?
- How do we ensure that only the SolarWinds Platform server can initiate communication to the Agent?
What authentication method is used by the SolarWinds Platform Agent?
The agent retains the SolarWinds Platform server’s public certificate and uses it for validation. The agent is provisioned with its own certificate for regular operation. The server maintains each agent’s certificate and uses it to verify agent identities.
What are the minimum required cipher suites for TLS 1.2 agent communications?
The SolarWinds Platform Agents for Windows use RSA for server authentication. As a result, a TLS 1.2 cipher suite with RSA authentication must be enabled on the Windows agent machine to meet this requirement.
Agents use the OpenSSL cypher string TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA
How do we ensure that only the SolarWinds Platform server can initiate communication to the SolarWinds Platform Agent?
The agent retains a copy of the public Orion certificate obtained during provisioning. Passive mode uses this to authenticate the server.