Access Rights Manager 2023.2.2 System Requirements
Release date: December 21, 2023
SolarWinds strongly recommends that you install Access Rights Manager on a server that is neither public nor internet-facing. To learn about best practices for configuring your Access Rights Manager installation securely, see Best practices to secure SolarWinds Products.
These system requirements define the minimum requirements for Access Rights Manager 2023.2.2. For additional information about requirements, see the Access Rights Manager release notes.
Access Rights Manager Server requirements
Hardware requirements for the Access Rights Manager Server vary depending on several factors:
- the number of users in Active Directory (AD)
- the number of resources monitored by Access Rights Manager (Logga)
- the Access Rights Manager Server's data storage settings
SolarWinds strongly recommends that you use a fixed (not dynamic) RAM configuration when setting up a virtual machine. Dynamic RAM allocation can result in significant performance degradation in combination with an SQL server running locally on the ARM server.
ARM and SolarWinds Platform products must be installed on separate servers. Note that ARM is not a SolarWinds Platform product.
Hardware/Software | Requirements |
---|---|
Operating System | Please also note PowerShell requirements. |
CPU (number of processor cores) | Intel Itanium platforms are not supported. |
Hard drive space | |
Memory | |
.NET Framework | .NET 4.8 (or higher) |
RabbitMQ | The ARM setup includes RabbitMQ version 3.7.1. If you want to use another instance of RabbitMQ, you must ensure full compatibility with the versions of RabbitMQ and Erlang/OTP included with ARM. |
Erlang/OTP | The ARM setup contains Erlang/OTP version 21.1. If you want to use a different version of Erlang/OTP, you must ensure full compatibility with the RabbitMQ and Erlang/OTP versions included with ARM. |
Access rights | The service account requires local administrator rights on the Access Rights Manager server. |
Other | The Access Rights Manager server must be a member of an Active Directory domain. Clusters are not supported. Server Core is not supported. |
Access Rights Manager Collector requirements
Hardware/Software | Requirements |
---|---|
Operating System | Please also note PowerShell requirements. The Access Rights Manager collector service can only be installed on Server Core versions on which the graphical interactive Access Rights Manager setup can be executed. |
CPU (number of processor cores) | 8. Intel Itanium platforms are not supported. |
Hard drive space | 10 GB |
Memory | 16 GB |
.NET Framework | .NET 4.8 (or higher). The automatic collector update only works if the collector already has the .NET 4.8 framework installed. The automatic collector update does NOT push the .NET 4.8 framework installation to collectors. SolarWinds recommends that you update all collector servers with .NET Framework 4.8 before upgrading ARM to version 2019.4 or later. |
Other | Access Rights Manager collectors can be installed on a member server (node) of a cluster. Access Rights Manager collectors cannot be used as a cluster resource in Windows Server Failover Clustering manager. |
Access Rights Manager GUI application requirements
These requirements are for both the main Access Rights Manager application and the Access Rights Manager Configuration application.
Hardware/Software | Requirements |
---|---|
Operating System | |
CPU (number of processor cores) | 2 |
Hard drive space | 500 MB |
Memory | 4 GB |
.NET Framework | .NET 4.8 (or higher) |
Graphics | Optional: graphics card supporting DirectX 10 |
Screen resolution | Recommended: 1920x1080 (1080p) or higher |
SQL Server requirements
Hardware/Software | Requirements |
---|---|
Microsoft SQL Server (32-bit and 64-bit) | |
CPU (number of processor cores) | 8. Intel Itanium platforms are not supported. |
Hard drive space (Database storage) | |
Memory | 8 GB |
.NET Framework | .NET 4.8 (or higher) |
Login permissions | |
Collation | Recommended collation setting for the ARM database is: |
Other | We do not recommend using SQL Server Express Edition for production environments. SQL Server Express Edition has the following limitations: |
File server requirements (scan and manage permissions)
Hardware/Software | Requirements |
---|---|
Windows file server | Operating System. Windows Server Failover Clustering (WSFC) is supported. DFS (Domain integrated and standalone Computer) is supported. Intel Itanium platforms are not supported. |
NetApp file server | Access Rights Manager supports CIFS-based shares. |
EMC file server | Access Rights Manager supports CIFS-based shares. |
FS Logga requirements (monitor file server)
Hardware/Software | Requirements |
---|---|
Windows file server | Operating System. Only Windows Server Core versions that support running an interactive graphical setup are supported. Failover clusters are supported. NTFS junction points or reparse points are not supported in the cluster environment. FS Logga requires a filter driver installation on the Windows server as well as a dedicated collector. Windows file servers that have been virtualized through XenServer are supported from version 6.5 onwards. A XenServer Tools/Windows Management agent must be installed. DFS is not supported. Intel Itanium platforms are not supported. |
NetApp file server | Supported versions. The NetApp integrated monitoring policy (FPolicy) is used to operate FS Logga. A dedicated collector is required. |
EMC file server | Supported versions. The FS Logga utilizes components and services provided by EMC. This requires a dedicated collector. The collector must run on the same server as the Common Event Enabler (CEE). |
Web components and web interface requirements
Hardware/Software | Requirements |
---|---|
Operating System | |
.NET Framework | .NET 4.8 (or higher) |
Internet Information Services (IIS) | Version 10 or higher |
Supported browsers | It is recommended to use the latest browser versions. As of ARM version 2019.4, Internet Explorer is no longer supported. Cookies and JavaScript must be enabled. |
Port requirements
Beginning in version 2020.2.2, Random High Ports are no longer used. You can find the network requirements for versions 2019.4 and earlier here.
Port# | Protocol | Service/Process | Direction | Description |
---|---|---|---|---|
- | ICMP | - | The connection is initiated by the ARM server or by a collector. | Connectivity check. |
88 | TCP | Kerberos | The connection is always initiated by the ARM server. | Authentication. |
135 | TCP | RPC | The connection is always initiated by the ARM server. | Scan local accounts, retrieve events from domain controllers. |
139 | TCP | NetBIOS | The connection is always initiated by the ARM server. | |
389 | TCP | LDAP | The connection is always initiated by the ARM server. | Scan and manage Active Directory. The port must be reachable on every domain controller. |
445 | TCP | Microsoft DS (CIFS) | The connection is always initiated by the ARM server. | Scan and manage file server shares. |
541* | UDP | Syslog | The connection is always initiated by the ARM server. | Send events to a Syslog server. |
636 | TCP | LDAPS | The connection is always initiated by the ARM server. | Scan and manage Active Directory. The port must be reachable on every domain controller. If your system uses LDAPS, port 389 may still need to be reachable on the DCs. |
1433 | TCP | MS SQL Server | The connection is always initiated by the ARM server. | Access Rights Manager uses this port for all communication between the Access Rights Manager server and the SQL server. Collectors communicate only with the Access Rights Manager server and do not communicate with the SQL server. |
2002* | TCP | FS Logga | The connection is initiated by the configured collector. | ARM uses the connection for retrieving events from a NetApp file server. |
5671* | TCP | RabbitMQ | The connection is initiated by the ARM server or by a collector. | ARM utilizes RabbitMQ message queuing for alerting (FS Logga and AD Logga). |
15671* | TCP | RabbitMQ | The connection is initiated by the ARM server or by a collector. | RabbitMQ management port. Used by the ARM server health check. Only between the ARM server and RabbitMQ; collectors are not affected. |
5985 | TCP | WinRM | The connection is initiated by the ARM server (collector update) or by a collector (Exchange, SharePoint). | Via PowerShell: collector update, access Exchange, retrieve available SharePoint site collections (only for SharePoint on-premise). |
5986 | TCP | WinRM (SSL) | The connection is initiated by the ARM server (collector update) or by a collector (Exchange, SharePoint). | Via PowerShell: collector update, access Exchange, retrieve available SharePoint site collections (only for SharePoint on-premise). |
55555* | TCP | Access Rights Manager components default port | The connection is initiated by the ARM server or by a collector. | Access Rights Manager components default port. Access Rights Manager uses this port for all communication between the Access Rights Manager server and client (GUI applications), Web Client, WebAPI, Collectors. |
55580 | TCP | ARM Configuration Wizard | The connection is always initiated by the Configuration Wizard. | With the Configuration Wizard, you can perform the basic configuration and integrate resources into ARM. |
*The specifications apply to the standard configuration. You can configure different ports.
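The following is an added example, not SolarWinds code: a check run on the ARM server that probes the default TCP ports the table lists as initiated by the ARM server, so firewall rules can be scoped to exactly these destinations and ports. The host names are placeholders, and the mapping of each port to a target role is this example's reading of the Description column. Port 139 (no description given), UDP 541, and ICMP are not covered.

```powershell
# Added example, not SolarWinds code. Run on the ARM server in Windows PowerShell 5.1.
# Host names are placeholders; replace them with the systems in your environment.
$targets = @{
    DomainController = 'dc01.example.test'
    FileServer       = 'fs01.example.test'
    SqlServer        = 'sql01.example.test'
    Collector        = 'collector01.example.test'
}

# Default TCP ports from the table that the ARM server initiates.
# The Role assignment is this example's reading of each row's description.
$required = @(
    @{ Role = 'DomainController'; Port = 88;    Service = 'Kerberos' }
    @{ Role = 'DomainController'; Port = 135;   Service = 'RPC' }
    @{ Role = 'DomainController'; Port = 389;   Service = 'LDAP' }
    @{ Role = 'DomainController'; Port = 636;   Service = 'LDAPS' }
    @{ Role = 'FileServer';       Port = 445;   Service = 'Microsoft DS (CIFS)' }
    @{ Role = 'SqlServer';        Port = 1433;  Service = 'MS SQL Server' }
    @{ Role = 'Collector';        Port = 5985;  Service = 'WinRM' }
    @{ Role = 'Collector';        Port = 5986;  Service = 'WinRM (SSL)' }
    @{ Role = 'Collector';        Port = 55555; Service = 'ARM components' }
)

function Test-ArmOutboundPort {
    param(
        [Parameter(Mandatory)] [hashtable] $Targets,
        [Parameter(Mandatory)] [object[]]  $Required
    )
    foreach ($entry in $Required) {
        $target = $Targets[$entry.Role]
        # Test-NetConnection performs a TCP connect; it cannot test UDP or ICMP-only rows.
        $probe = Test-NetConnection -ComputerName $target -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $entry.Role
            Target    = $target
            Port      = $entry.Port
            Service   = $entry.Service
            Reachable = $probe.TcpTestSucceeded
        }
    }
}

# Unreachable rows sort first. A WinRM listener is often configured on only one of 5985/5986.
Test-ArmOutboundPort -Targets $targets -Required $required |
    Sort-Object Reachable, Role, Port |
    Format-Table -AutoSize
```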
To access online resources, the following URLs must be reachable:
Exchange Online
- https://outlook.office365.com/powershell-liveid/
Further Azure/Microsoft 365 resources
- https://graph.microsoft.com
- https://login.microsoftonline.com
- https://manage.office.com/api/v1.0/
For additional information, see ARM architecture and scalability.
Exchange requirements
Hardware/Software | Requirements |
---|---|
Exchange version | Exchange 2016 Cumulative Update 2 is needed to modify out of office notices. |
Exchange Logga requirements
Hardware/Software | Requirements |
---|---|
Exchange version | For the on-premise variants, the servers holding the mailbox databases must primarily use the en-US language. Installing language packs may require a reboot. For more information, visit Microsoft. |
SharePoint requirements
Hardware/Software | Requirements |
---|---|
SharePoint version | |
AD Logga requirements
Hardware/Software | Requirements |
---|---|
Operating system | The AD Logga supports domain controllers (DCs) that run on the following server versions: The Logga does not require a dedicated collector. Even the Access Rights Manager server itself can be used as a collector. Access Rights Manager does not require any software installation on domain controllers. Access Rights Manager does not perform any schema extension on Active Directory. |
PowerShell requirements
ARM requires PowerShell version 5.1.
PowerShell 7 lacks features that are required by ARM. PowerShell 5.1 is mandatory for ARM and can be installed and run in parallel with PowerShell 7.
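The following is an added example, not SolarWinds code: a pre-install check for a prospective ARM server that tests four requirements stated on this page (Windows PowerShell 5.1 present, .NET Framework 4.8 or higher, Active Directory domain membership, not Server Core). The function name is hypothetical. It reads the Windows PowerShell engine version from the registry, so the result is the same when it is started from PowerShell 7.

```powershell
# Added example, not SolarWinds code. The function name is hypothetical.
function Test-ArmServerPrerequisite {
    # Windows PowerShell engine version, independent of the shell running this script.
    $engine = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine' -ErrorAction SilentlyContinue
    $psVersion = if ($engine) { [version]$engine.PowerShellVersion } else { $null }

    # .NET Framework 4.x release number; 528040 is the lowest value Microsoft documents for 4.8.
    $net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($net) { [int]$net.Release } else { 0 }

    # Domain membership and installation type (Server Core reports 'Server Core').
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    $checks = [ordered]@{
        'Windows PowerShell 5.1' = @{ Actual = "$psVersion"; Pass = ($psVersion -and $psVersion.Major -eq 5 -and $psVersion.Minor -eq 1) }
        '.NET 4.8 or higher'     = @{ Actual = "Release $release"; Pass = ($release -ge 528040) }
        'AD domain member'       = @{ Actual = $computer.Domain; Pass = [bool]$computer.PartOfDomain }
        'Not Server Core'        = @{ Actual = $installType; Pass = ($installType -ne 'Server Core') }
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Requirement = $name
            Actual      = $checks[$name].Actual
            Pass        = [bool]$checks[$name].Pass
        }
    }
}

Test-ArmServerPrerequisite | Format-Table -AutoSize
```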
Access Rights Manager service account permissions
SolarWinds recommends using service accounts (dedicated user accounts) for Access Rights Manager. This ensures that:
- The access rights of the service accounts are used only by Access Rights Manager.
- It is easy to identify whether an action was performed by an Access Rights Manager service account or by a domain admin.
- If the domain admin's password changes, the Access Rights Manager configuration is unaffected.
- Restrictions through activity limits are avoided (for example, Exchange Online allows only three parallel requests).
Feature | Required access rights |
---|---|
Access Rights Manager server | A service account requires local administrator rights on the Access Rights Manager server. If the service account is a member of the Domain Admin group, then this requirement is automatically fulfilled. If a server computer becomes a member of the domain (domain join), the Domain Admins group becomes a member of the local administrator group. |
SQL Server | |
Active Directory (AD)-Scan | Each user account already has read permissions to run an Active Directory scan. If you are using delegation in your organization, you must add the service account to the group that can read the required OUs. |
AD Modify | If you work with delegation in your company, you must assign service accounts to a group that is allowed to change the relevant OUs. Without delegation: Add the service account to the Domain Admin group. |
File server (FS)-Scan | The service account needs permissions to read NTFS permissions and traverse folders to access all desired folders. Service accounts can be made members of the Domain Admin group. If the domain admin account does not have access to all folders (for example, user folders), then add the service accounts to the Backup Operators group on the file server. |
AD Logga | The service account must be a member of the group Event Log Reader. Members of the Domain Admin group also have the required access rights to read event logs. |
FS Logga | No service account is required for the FS-Logga functionality. The "NT Authority system" must have access to the monitored directories. You can find more information regarding required settings in the Administrator Guide in the FS Logga section. |
Exchange | The service account requires administrator privileges on the collector server. To read Exchange access rights, add the service account to the group View-Only Organization Management. To be able to change access rights on the Exchange server, add the service account to the group Organization Management (read rights are included). Further access settings (impersonation, own mailbox) may be required and are described in the section Exchange Scans. |
SharePoint | The required permissions are described in the Administrator Guide in the chapter Add a SharePoint scan. |
Exchange Logga | The service account must be a member of the Organization Management and Records Management roles on the selected Exchange Server. |