Infrastructure requirements
The following requirements apply to the key infrastructure components that support CoreView's on-premises functionality.
All the prerequisites must be completed and validated before a deployment meeting can be conducted.
| Architecture Component | Minimum Requirement | |
|---|---|---|
| Hybrid Agent Server | Hardware1 | Virtual or Physical Wintel Server |
| CPU | 2 Core | |
| RAM | 8 Gb | |
| Storage | 200 Gb | |
| OS | Windows Server 2019 | |
| Domain Member | Optional | |
| Active Directory | Topology | All |
| Functional Level | Windows 2003 | |
| Azure AD Connect | Synchronization | Version 2.x |
| Exchange Services | CAS Server2 | Exchange Server 2013 |
| Docker | Version | Docker Community Edition (CE) runtime environment - most updated available version |
1 The Hybrid Connector should be installed on a standalone virtual or physical server and not coexist with other business services.
2 Under Exchange 2013 and higher, each Exchange Server is also a CAS server. The CoreView Hybrid Connector must be configured to point to a specific Exchange server, and not a Virtual IP (VIP).
Network / Firewall requirements
The following requirements apply to network traffic that supports CoreView’s on-premises functionality. Please note that these network requirements pertain only to traffic between the on-premises connector and CoreView or the Microsoft Azure Service Bus infrastructure.
The CoreView On-premises Connector will also need to communicate with the customer’s Active Directory and, optionally, a select Exchange Server.
Please note that some hostnames listed below could include more subdomain names. For example, “*.usgovcloudapi.net" could include something like “cvgov.blob.core.usgovcloudapi.net". Please configure your firewall to allow traffic for all subdomain names reported in the list below.
Customer registered in CoreView commercial data centers
| Network components | Target | Hostname | Port Requirement |
|---|---|---|---|
| Windows Services | CoreView API Service | *.4ward365.com | 443 (TCP) |
| Windows Services | CoreView API Service | *.loginportal.online | 443 (TCP) |
| Windows Services | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
| Windows Services | Azure Container Registry | *.azurecr.io | 443 (TCP) |
| Hybrid Agent | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
| Hybrid Agent | Azure Blob Storage |
*.windows.net *.usgovcloudapi.net |
443 (TCP) |
| Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
| Hybrid Agent | Visual Studio Services | *.visualstudio.com | 443 (TCP) |
| Hybrid Agent | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
| Hybrid Agent | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
| Hybrid Agent | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 52.138.125.123 52.155.24.120 52.227.224.106 |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
| Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
| Diagnostic Tool | Azure Blob Storage |
*.windows.net *.usgovcloudapi.net |
443 (TCP) |
| Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
| Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
| Diagnostic Tool | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
| Diagnostic Tool | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 52.138.125.123 52.155.24.120 52.227.224.106 |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Customers registered in CoreView Gov data centers:
| Network components | Target | Hostname | Port Requirement |
|---|---|---|---|
| Windows Services | CoreView API Service | *.4ward365.com | 443 (TCP) |
| Windows Services | CoreView API Service | *.coreview.com | 443 (TCP) |
| Windows Services | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
| Windows Services | Azure Container Registry | *.azurecr.us | 443 (TCP) |
| Hybrid Agent | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
| Hybrid Agent | Azure Blob Storage | *.usgovcloudapi.net |
443 (TCP) |
| Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
| Hybrid Agent | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
| Hybrid Agent | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 52.138.125.123 52.155.24.120 52.227.224.106 |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
| Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
| Diagnostic Tool | Azure Blob Storage |
*.windows.net *.usgovcloudapi.net |
443 (TCP) |
| Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP) |
| Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
| Diagnostic Tool | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
| Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
| Diagnostic Tool | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net 52.138.125.123 52.155.24.120 52.227.224.106 |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
For additional information on the requirements for accessing the Azure Service Bus, please refer to the Microsoft documentation.
Important note about Multi-Factor authentication
If you implemented Multi-Factor Authentication (MFA) for accessing your Microsoft 365 cloud services, please mind creating a conditional access policy that excludes your on-premises Hybrid Connector IP address for asking any second-factor authentication for the CoreView service account CoreView named:
4ward365.admin@yourdomain.onmicrosoft.comWithout that exception policy, your CoreView tenant won’t be able to open any management session.
Please also mind your Hybrid Connector IP address could be behind a NAT applied by your network gateway for connecting to public networks such as the Internet. We recommend checking with your network specialist to identify your public IP address used by your on-premises for connecting to the public networks.
For more information about conditional access exception policy, please refer to the Microsoft documentation.
Security requirements
The following security requirements apply to CoreView’s on-premises functionality:
| Type | Minimum Permissions |
|---|---|
| CoreView Configuration | Tenant Admin |
| Hybrid Agent Deployment | Local or Domain Administrator |
| Active Directory Service Account | Domain Administrator (**) |
| Exchange Service Account | Organization Administrator Role |
| Exchange PowerShell Virtual Directory | Set to Basic or Integrated Authentication (*) |
(*) Important note about Exchange Virtual Directory configuration:
There are two methods for configuring authentication when setting up the PowerShell virtual directory for remote access. If Basic authentication is enabled, SSL must also be enabled and configured with a valid public certificate.
(**) If your company has security policies that don't allow setting service accounts with domain admin permission, please refer to the chapter “Hardening CoreView Hybrid Connector service accounts’ permissions” below.
If SSL is not enabled, then Windows Authentication should be set. In this scenario, you must configure gMSA for the Hybrid Connector hosting server and configure your CoreView Hybrid Connector to support the gMSA settings.
For more information about the settings of Exchange Powershell virtual directory refer to the Microsoft documentation.
Software requirements
The following software requirements apply to CoreView’s on-premises functionality:
| Software or Services | Minimum Requirements | |
|---|---|---|
| CoreView SaaS Solution | SKUs | CoreSuite, ONPREM SKU, OS2019 SKU |
| CoreView Hybrid Agent | Version | > 1.0.6 |
| Docker | Version | See chapter below |
Docker engine installation
Please refer to the Microsoft documentation for the instructions to deploy docker service in your hosting server.
Please note that proceeding with this operation will trigger an automatic server reboot.