Prerequisites - Adaptive Applications - BlueCat Gateway - 20.8.1

BlueCat Overlay for Microsoft


Before you begin, ensure that the following prerequisites are met.

BlueCat Address Manager

  • You must be running Address Manager v9.1.0 or greater.
  • You must have a Configuration where the Microsoft data will be imported.
    You can use an existing configuration or create a new configuration.
    Note: If you are using an existing configuration, the imported data might modify existing Address Manager data, resulting in potential data issues. BlueCat recommends importing the data to a new configuration.
  • You must have the necessary configurations for BlueCat Gateway to interact with Address Manager. For more information, refer to the BlueCat Gateway Installation Guide.
  • You must have a dedicated API user for executing processes to import DNS and DHCP data into Address Manager. You can use the same API user that interacts with BlueCat Gateway.

BlueCat Gateway

  • The Address Manager API user must be able to log in to Gateway and execute the workflow used for the import process.
  • You must have at least 2 CPUs and 8GB of RAM allocated to the BlueCat Gateway instance that is performing the import process.

Microsoft Windows Servers

  • You must be running Microsoft Windows Server 2012 or greater.
  • You must have PowerShell execution policy set to RemoteSigned:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  • You must have a dedicated service account or a user account with permissions to run PowerShell commands.
  • BlueCat recommends configuring SSL/TLS certificates to encrypt data flow.
    • Verify whether WINRM is listening on HTTPS using the following command:
      winrm e winrm/config/listener
    • You can also execute the following commands in the PowerShell prompt to automate the HTTPS configuration:
      • Retrieve the FQDN of the Windows Server:
        $fqdn = (Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
      • Create a new Self-Signed Certificate. You can also use a certificate signed by an external CA. You must save it under Trusted Root CA for WINRM:
        $cert = (New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
      • Create a command to enable the HTTPS Listener using the FQDN and certificate thumbprint from the previous commands:
        $winrmcmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$fqdn`"; CertificateThumbprint=`"$cert`"}'"
      • Create the HTTPS Listener using WINRM:
        Invoke-Expression $winrmcmd
      • Validate that the HTTPS Listener is configured and running. The output of winrm e winrm/config/listener should resemble the following:
        Listener
            Address = *
            Transport = HTTPS
            Port = 5986
            Hostname = dc1.contoso.com
            Enabled = true
            URLPrefix = wsman
            CertificateThumbprint = a0599c5b28519c90f185ccecdb418cb71ad72f8e
            ListeningOn = 10.244.133.31, 127.0.0.1, 192.168.103.10, ::1, fd79:c344:4793:6fc9:9105:1c3f:a785:f25d, fe80::5efe:10.244.133.31%16, fe80::5efe:192.168.103.10%15, fe80::3492:b293:a8e3:96%14, fe80::9105:1c3f:a785:f25d%12

Network requirements

BlueCat Gateway must be able to communicate with BlueCat Address Manager and Microsoft Windows servers using HTTP (TCP port 5985) or HTTPS (TCP port 5986) for remote connections to the Windows WINRM service.

You can execute the following PowerShell command to add a new firewall rule for port 5986:
New-NetFirewallRule -DisplayName BC-MSO-HTTPS -Enabled True -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain,Private
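
The listener, certificate and firewall steps on this page can be verified in one pass. The following PowerShell is an added example, not BlueCat's own code; the function name Test-WinrmHttpsListener and the 30-day expiry window are assumptions, and it inspects the certificate stores of the Windows server it runs on (Windows PowerShell 5.1, elevated prompt).

```powershell
# Added example (not BlueCat code): audit the WinRM HTTPS listener set up above.
# Assumes Windows PowerShell 5.1, run elevated on the Windows server itself.
function Test-WinrmHttpsListener {
    param(
        [Parameter(Mandatory)] [string]$Fqdn,
        [int]$MinDaysValid = 30,              # hypothetical expiry warning window
        [string]$RuleName = 'BC-MSO-HTTPS'    # firewall rule name used on this page
    )
    $findings = @()
    $https = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' })
    if ($https.Count -eq 0) { $findings += 'No HTTPS listener is configured' }

    foreach ($l in $https) {
        if ($l.Enabled -ne 'true') { $findings += "Listener on port $($l.Port) is disabled" }
        # The stored thumbprint may contain spaces or lower-case hex; normalise it.
        $thumb = ($l.CertificateThumbprint -replace '\s', '').ToUpper()
        if (-not $thumb) { $findings += 'Listener has no certificate thumbprint'; continue }
        $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if (-not $cert) { $findings += "Certificate $thumb is not in LocalMachine\My"; continue }
        if (-not $cert.HasPrivateKey) { $findings += "Certificate $thumb has no private key" }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
            $findings += "Certificate $thumb expires on $($cert.NotAfter.ToString('u'))"
        }
        if ($cert.DnsNameList.Unicode -notcontains $Fqdn) {
            $findings += "Certificate $thumb does not list $Fqdn as a DNS name"
        }
        # Self-signed certificates must also be present under Trusted Root CA.
        if ($cert.Subject -eq $cert.Issuer -and -not (Test-Path "Cert:\LocalMachine\Root\$thumb")) {
            $findings += "Self-signed certificate $thumb is not in Trusted Root CA"
        }
    }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) { $findings += "Firewall rule $RuleName was not found" }
    elseif ("$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Allow') {
        $findings += "Firewall rule $RuleName is not an enabled Allow rule"
    }

    # End-to-end check: fails when the certificate is untrusted or the name mismatches.
    try { Test-WSMan -ComputerName $Fqdn -UseSSL -ErrorAction Stop | Out-Null }
    catch { $findings += "Test-WSMan over HTTPS failed: $($_.Exception.Message)" }
    return $findings
}

$fqdn = (Get-WmiObject win32_computersystem).DNSHostName + "." + (Get-WmiObject win32_computersystem).Domain
$result = Test-WinrmHttpsListener -Fqdn $fqdn
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'WinRM HTTPS listener checks passed' }
```

The DNS name check is an exact match, so a wildcard certificate is reported as a finding even when it would validate.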