ARM architecture and scalability

General architecture

ARM consists of or requires the following components:

• ARM server
• Web components
• ARM applications
• ARM Configuration Wizard
• RabbitMQ
• Microsoft SQL database
• optional: additional collectors

 

An ARM server is a Windows server that runs the ARM service. This service also functions as a (first) collector. In small environments the components ARM server, SQL database, web components, RabbitMQ can be run on a single Windows server. In larger environments the components can be run on dedicated Windows servers. For scaling recommendations, see section Distributed installation.

 

The ARM components communicate via network interfaces. The following schematic diagrams show which ports are used in detail. For an overview of the ports used, see the port requirements section in the System Requirements.

 

Note that ARM is not an Orion platform product. We recommend installing ARM and the Orion platform on different servers.

 

Applications

With ARM you get these applications:

• ARM main application (Windows application)
• ARM configuration application (Windows application)
• ARM configuration wizard (Windows application)
• ARM web application

 

 

Please note that older versions of ARM (before 2020.2.2) use dynamic ports (random high ports) for communication between the Windows applications and the ARM server. If existing firewalls require it, you can set a range for the use of dynamic ports in the ARM configuration files.

 

How to make the applications available to users can be found in the chapter Provide access to the ARM applications (GUI).

 

Distributed installation

Web components

Web components are the ARM web site installed on a Windows web server (IIS) for the ARM web application and the WebAPI. We recommend that you run the Web components on the ARM server itself. If you expect a very high usage of the web application, it is possible to run the web components on a dedicated server.

How to install the Web Components on a dedicated web server is described in chapter Install web components.

Please note the system requirements, section web components.

 

SQL database

ARM requires a connection to a Microsoft SQL database instance. For small environments or for evaluation purposes, you can run the SQL Express Edition included in the ARM setup on the ARM server.

For larger environments or if you want to use the monitoring functions productively, we strongly recommend using a dedicated database server with a Microsoft SQL Server Standard Edition or higher.

For information on sizing the database server and supported versions, see the SQL Server section in the system requirements.

When using SQL Express, please refer to the notes in the chapter ARM and SQL Express.

 

RabbitMQ

ARM uses RabbitMQ as a queuing service for messages. We recommend running the version of RabbitMQ that is included in the ARM setup on the ARM server itself. However, it is also possible to use an "external" RabbitMQ service.

For information on ARM supported versions of RabbitMQ/Erlang, see the ARM server requirements section in the system requirements.

 

Collectors

In large or distributed environments, it makes sense to install additional collectors to distribute the load, connect remote sites and improve system performance. For information on how to set up additional collectors (install and integrate them into ARM), see the Collectors chapter of the administrator guide.

Notes on scaling, that is, when additional collectors are recommended, can be found in the following sections for the respective resource types.

 

 

Active Directory

The main features of ARM for Active Directory are:

• View and manage accounts
• Log activities (AD Logga)

 

Scan AD, manage accounts

ARM uses LDAP for these activities.

Whether LDAP (port 389) or LDAPS (port 636) is used depends on the system configuration and cannot be configured within ARM.

An additional collector is optional. The ARM server itself can be used as a collector. We recommend using an additional collector in the following cases:

• Domain controllers at remote locations
• The ARM server itself or all existing collectors already have a high load

To set up AD scans, refer to the Active Directory scans chapter in the administrator's guide.

 

Retrieve log events (AD Logga)

ARM uses RPC for retrieving the events.

If you have enabled the Windows Firewall on domain controllers, please refer to the instructions in chapter Configure the Windows Firewall for AD Logga in the Administrator Guide.

An additional collector is optional. The ARM server itself can be used as a collector.

You can configure only one collector for AD Logga, which processes events from all domain controllers.

 

Scalability and scanning performance

You can configure multiple collectors for an Active Directory scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel requests of the scan. In principle, the more parallel requests, the higher the scan performance and the higher the CPU and RAM load on the collector. In most cases, however, doubling the number of parallel requests does not double the scan performance. Where the optimal or justifiable value for the number of parallel requests lies depends significantly on the hardware configuration and existing load, and cannot be predicted here.

Possible values

• Minimum: 1
• Maximum: 128
• Default: 4

 

You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the Configuring AD Scans chapter of the Administrator's Guide.

 

 

Azure Active Directory

The main functions of ARM for Azure Active Directory are:

• View and manage accounts
• Log activities (AAD Logga)

Scan AAD, manage accounts

ARM uses web interfaces (APIs) provided by Azure for all activities.

An additional collector is optional. The ARM server itself can be used as a collector. We recommend using an additional collector in the following cases:

• The ARM server itself or all existing collectors already have a high load
• The ARM server has no internet access

Setting up AAD scans is described in the Azure AD Scans chapter of the administrator's guide.

 

Retrieve log events (AAD Logga)

ARM uses web interfaces (APIs) provided by Azure to retrieve the events.

An additional collector is optional. The ARM server itself can be used as a collector.

Setting up the AAD Logga is described in the Configuring the Azure Active Directory (AAD) Logga chapter of the administrator guide.

 

Scalability and scanning performance

You can configure multiple collectors for an Azure Active Directory scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel requests of the scan. In principle, the more parallel requests, the higher the scan performance and the higher the CPU and RAM load on the collector. In most cases, however, doubling the number of parallel requests does not double the scan performance. Where the optimal or justifiable value for the number of parallel requests lies depends significantly on the hardware configuration and existing load, and cannot be predicted here.

Possible values

• Minimum: 1
• Maximum: 128
• Default: 4

 

Windows file server

The main features of ARM for Windows file servers are:

• View and manage directory permissions
• Log file server activities (FS Logga)

The required installation effort depends on the desired feature set.

 

Scan, manage

ARM uses the CIFS protocol for all activities.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

• File servers at remote locations
• The ARM server itself or all existing collectors already have a high load

 

Retrieve file server events (FS Logga)

To use the monitoring features on a Windows file server, an installation of the following ARM components is required on each file server to be monitored:

• ARM Filter driver
• ARM Collector

The Windows file server itself operates as a collector.

The setup is described in the chapter Preparing Windows File Server for FS Logga of the administrator's guide.

 

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel requests of the scan. In principle, the more parallel requests, the higher the scan performance and the higher the CPU and RAM load on the collector. In most cases, however, doubling the number of parallel requests does not double the scan performance. Where the optimal or justifiable value for the number of parallel requests lies depends significantly on the hardware configuration and existing load, and cannot be predicted here.

Possible values

• Minimum: 1
• Maximum: 128
• Default: 4

For optimal scanning performance it is also important to set the appropriate file server type in the scan configuration. In "Auto" mode, performance may be degraded due to compatibility requirements.

Please also note that for most use cases of ARM, it is not necessary or useful to scan all shares of a file server. This is especially relevant for administrative shares ($ shares) and system drives. For a fast scan, limit the scope to the productive shares.

You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the Configure file server scans chapter of the administrator's guide.

 

 

NetApp file server

The main features of ARM for NetApp file servers are:

• View and manage directory permissions
• Log file server activities (FS Logga)

The required installation effort depends on the desired feature set.

 

Scan, manage

ARM uses the CIFS protocol for all activities. ARM does not support NFS shares.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

• File servers at remote locations
• The ARM server itself or all existing collectors already have a high load

 

Retrieve file server events (FS Logga)

ARM uses the NetApp FPolicy feature for monitoring functions. An additional collector that processes the events of the NetApp file server is mandatory. The ARM server cannot be used as a collector.

On NetApp 7-Mode ARM uses RPC (TCP 135) and SMB (TCP 139) to retrieve the events. In NetApp clustered mode, the port is configurable, with the preset value being TCP 2002.

The setup is described in the chapters Prepare NetApp 7-Mode file servers or Prepare NetApp clustered data ONTAP file servers of the administrator's guide.

 

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel requests of the scan. In principle, the more parallel requests, the higher the scan performance and the higher the CPU and RAM load on the collector. In most cases, however, doubling the number of parallel requests does not double the scan performance. Where the optimal or justifiable value for the number of parallel requests lies depends significantly on the hardware configuration and existing load, and cannot be predicted here.

Possible values

• Minimum: 1
• Maximum: 128
• Default: 4

For a fast scan, limit the scope to the productive shares. Set the file server type to NetApp. You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the Configure file server scans chapter of the administrator's guide.

 

 

EMC-Fileserver

The main features of ARM for EMC file servers are:

• View and manage directory permissions
• Log file server activities (FS Logga)

The required installation effort depends on the desired feature set.

 

Scan, manage

ARM uses the CIFS protocol for all activities. ARM does not support NFS shares.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

• File servers at remote locations
• The ARM server itself or all existing collectors already have a high load

 

Retrieve file server events (FS Logga)

The EMC Common Event Enabler (CEE) is required for the monitoring functions. An additional collector that processes the events of the EMC file server is required. The CEE and the collector service must run on the same Windows server. This server should be located in the same network segment as the EMC file server to be monitored. The ARM server cannot be used as collector.

The setup is described in the chapter Prepare EMC file servers of the administrator's guide.

 

Scalability and scanning performance

You can configure multiple collectors for a file server scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

For optimal scanning performance, you can adjust the number of parallel requests of the scan. In principle, the more parallel requests, the higher the scan performance and the higher the CPU and RAM load on the collector. In most cases, however, doubling the number of parallel requests does not double the scan performance. Where the optimal or justifiable value for the number of parallel requests lies depends significantly on the hardware configuration and existing load, and cannot be predicted here.

Possible values

• Minimum: 1
• Maximum: 128
• Default: 4

For a fast scan, limit the scope to the productive shares. Set the file server type to EMC. You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the Configure file server scans chapter of the administrator's guide.

 

 

Exchange

The main features of ARM for Exchange Online and Exchange on-premise are:

• View and manage mailbox permissions
• Log mailbox activities (Exchange-Logga)

 

ARM uses PowerShell to access Exchange.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

• For Exchange Online if your ARM server has no internet access
• The ARM server itself or all existing collectors already have a high load
• Exchange (on-premise) servers on remote locations

 

Scalability and scanning performance

You can configure multiple collectors for an Exchange scan. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

 

You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the following chapters of the administrator's guide:

• Configure Exchange scans
• Configure Exchange Logga

 

 

SharePoint on-premise, SharePoint Online, OneDrive

The main features of ARM for SharePoint on-premise, SharePoint Online and OneDrive are:

• View and manage permissions
• Log activities (SharePoint Online Logga, OneDrive Logga)

 

ARM uses SharePoint CSOM (client side object model) to access SharePoint. ARM uses web interfaces (APIs) provided by Microsoft Azure to access OneDrive and to retrieve SharePoint Online events.

Additional collectors are optional. The ARM server itself can be used as a collector. We recommend using additional collectors in the following cases:

• For SharePoint Online if the ARM server has no internet access
• The ARM server itself or all existing collectors already have a high load
• SharePoint (on-premise) servers on remote locations

 

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

You configure the settings in the ARM configuration application under the menu item "Scans". For more information, refer to the following chapters of the administrator's guide:

• Configure OneDrive scans
• Configure OneDrive Logga
• Configure SharePoint Scans
• Configure SharePoint Online Logga

 

 

Teams

The main features of ARM for Teams are:

• View and manage teams permissions, memberships, channels

 

ARM uses web interfaces (APIs) provided by Microsoft Azure to access Teams.

An additional collector is optional. The ARM server itself can be used as a collector. We recommend using an additional collector in the following cases:

• The ARM server has no internet access
• The ARM server itself or all existing collectors already have a high load

 

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

Setting up Teams scans is described in the following chapter of the administrator's guide:

• Configure Teams scans

 

SAP

The main features of ARM for SAP are:

• View SAP permissions

 

ARM uses the SAP .NET connector to read SAP permissions.

An additional collector is optional. The ARM server itself can be used as a collector. We recommend using an additional collector in the following cases:

• The ARM server itself or all existing collectors already have a high load

 

Scalability and scanning performance

You can configure multiple collectors for scanning. The scan is always executed using only one collector. If you have configured multiple collectors, the ARM Server automatically decides which collector to use for the scan based on the CPU and RAM usage, not the location.

Setting up SAP scans is described in the following chapter of the administrator's guide:

• Configure SAP scans