The article outlines the prerequisites for setting up CoreView's on-premises services, including hardware specifications for servers, firewall settings, and software versions. It also covers security guidelines and the impact of Multi-Factor Authentication on the system.
Infrastructure requirements
The following requirements apply to the key infrastructure components that support CoreView's on-premises functionality.
All the prerequisites must be completed and validated before a deployment meeting can be conducted.
Architecture Component | Minimum Requirement | |
---|---|---|
Hybrid Agent Server | Hardware1 | Virtual or Physical Wintel Server |
CPU | 2 Core | |
RAM | 8 Gb | |
Storage | 200 Gb2 | |
OS | Windows Server 2019, 20223 | |
Domain Member | Optional | |
Browser | Microsoft Edge, Google Chrome4 | |
Active Directory | Topology | All |
Functional Level | Windows 2003 | |
Azure AD Connect | Synchronization | Version 2.x |
Exchange Services | CAS Server2 | Exchange Server 2013 |
Docker | Version | Docker Community Edition (CE) runtime environment - most updated available version |
1 The Hybrid Connector should be installed on a standalone virtual or physical server and not coexist with other business services.
With Exchange 2013 and later versions, every Exchange Server doubles as a Client Access Server (CAS). You must configure the CoreView Hybrid Connector to target a specific Exchange server rather than a Virtual IP (VIP) address.
2 The 200GB of storage should all be located within the C-drive. Avoid splitting the storage across drives.
3The following versions of VMs on Azure with Windows 2022 are not supported, therefore do not use these versions: https://learn.microsoft.com/en-us/windows-server/get-started/hotpatch
4 Please note that Internet Explorer is not supported.
Multiforest Service Accounts
The structure of the multi-forest version of the CoreView Hybrid Connector echoes that of Microsoft AD Connect. While there will be a single on-premises server hosting the agent, this server needs to be able to reach the chosen domain controller for each forest you aim to integrate.
The connection technology consistently relies on Remoting Powershell (you can find more information in this Microsoft article). Therefore, it's necessary to equip each forest's domain controller with a dedicated service account. This means there's no need for Active Directory Trust or Enterprise Admins.
If a forest has more than one Exchange server, we suggest assigning an additional service account to each extra Exchange organization.
Just like with the single-forest version, we recommend using a domain controller from each forest that has the Global Catalog role assigned. This is because of the requirement to import group members spanning multiple domains and forests. Without a connection to a Global Catalog, these couldn't be imported.
For forests arranged in parent-child relationships, you only need a domain controller from the parent domain. CoreView's data import process can discover each child domain and import the related data.
A separate account is a requirement for each forest, a single account cannot be used for more than one forest.
Network / Firewall requirements
The following requirements apply to network traffic that supports CoreView’s on-premises functionality. Please note that these network requirements pertain only to traffic between the on-premises connector and CoreView or the Microsoft Azure Service Bus infrastructure.
The CoreView On-premises Connector will also need to communicate with the customer’s Active Directory and, optionally, a select Exchange Server.
Be aware that certain hostnames provided below may have additional subdomains. For instance, "*.usgovcloudapi.net
" might extend to "cvgov.blob.core.usgovcloudapi.net
". Ensure your firewall settings permit traffic for all subdomain names mentioned in the following list.
Customer registered in CoreView commercial data centers
Network components | Target | Hostname | Port Requirement |
---|---|---|---|
Windows Services | CoreView API Service | *.4ward365.com *.coreview.com |
443 (TCP) |
Windows Services | CoreView API Service | *.loginportal.online | 443 (TCP) |
Windows Services | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Windows Services | Azure Container Registry | *.azurecr.io | 443 (TCP) |
Hybrid Agent | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Hybrid Agent | CoreView API Service | *.coreview.com | 443 (TCP) |
Hybrid Agent | Azure Blob Storage | *.windows.net |
443 (TCP) |
Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Visual Studio Services | *.visualstudio.com | 443 (TCP) |
Hybrid Agent | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Hybrid Agent | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Hybrid Agent | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Diagnostic Tool | Azure Blob Storage | *.windows.net |
443 (TCP) |
Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Diagnostic Tool | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Diagnostic Tool | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | CoreView API Service | *.coreview.com | 443 (TCP) |
Customers registered in CoreView Gov data centers:
Network components | Target | Hostname | Port Requirement |
---|---|---|---|
Windows Services | CoreView API Service | *.4ward365.com | 443 (TCP) |
Windows Services | CoreView API Service | *.coreview.com | 443 (TCP) |
Windows Services | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
Windows Services | Azure Container Registry | *.azurecr.us | 443 (TCP) |
Hybrid Agent | CoreView API Service | *.coreview.com | 443 (TCP) |
Hybrid Agent | Azure Service Bus | *.usgovcloudapi.net | 443, 5671, 9354 (TCP, AMQP) |
Hybrid Agent | Azure Blob Storage | *.usgovcloudapi.net |
443 (TCP) |
Hybrid Agent | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Hybrid Agent | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Hybrid Agent | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Azure Blob Storage | cvhybridtool.azurecr.io | 80, 443 (TCP) |
Diagnostic Tool | Azure Service Bus | *.windows.net | 443, 5671, 9354 (TCP, AMQP) |
Diagnostic Tool | Azure Blob Storage |
*.windows.net *.usgovcloudapi.net |
443 (TCP) |
Diagnostic Tool | AD Domain Controller | TBD by Customer | 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange PowerShell Host | TBD by Customer | 80, 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Microsoft O365 workloads | *.microsoft.com | 80, 443 (TCP) |
Diagnostic Tool | Azure AD |
*.windows.net *.microsoftonline.com *.microsoft.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | MSOL |
*.microsoftonline.com *.windows.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Exchange Online |
*.office365.com *.outlook.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | SharePoint Online | *.sharepoint.com | 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | Teams |
*.lync.com *.digicert.com |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | GoDaddy Certification Authority | *.godaddy.com | 80 (TCP), 443 (TCP) |
Diagnostic Tool | CoreView All Services |
*.4ward365.com *.loginportal.online *.windows.net *.azurecr.io *.windows.net *.usgovcloudapi.net |
80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP) |
Diagnostic Tool | CoreView API Service | *.coreview.com | 443 (TCP) |
For additional information on the requirements for accessing the Azure Service Bus, please refer to the Microsoft documentation.
Important note about Multi-Factor authentication
If you've enabled Multi-Factor Authentication (MFA) for your Microsoft 365 cloud services, remember to set up a conditional access policy. This policy should exclude your on-premises Hybrid Connector's IP address from requiring a second authentication factor for the CoreView service account named:
4ward365.admin@yourdomain.onmicrosoft.com
Without that exception policy, your CoreView tenant won’t be able to initiate any management sessions.
Keep in mind that your Hybrid Connector's IP address may be subject to Network Address Translation (NAT) by your network gateway when connecting to public networks, like the Internet. We advise consulting with your network specialist to determine the public IP address your on-premises systems use for these connections.
For more information on the conditional access exception policy, please refer to the Microsoft documentation.
Security requirements
The following security requirements apply to CoreView’s on-premises functionality:
Type | Minimum Permissions |
---|---|
CoreView Configuration | Tenant Admin |
Hybrid Agent Deployment | Local or Domain Administrator |
Active Directory Service Account | Delegated Permissions on Organizational Units (**) |
Exchange Service Account | Organization Management |
Exchange PowerShell Virtual Directory | Set to Basic or Integrated Authentication (*) |
(*) Important note about Exchange Virtual Directory configuration:
There are two methods for configuring authentication when setting up the PowerShell Virtual Directory for remote access. If Basic authentication is enabled, SSL must also be enabled and configured with a valid public certificate.
(**) For more details, check out our guide on Hardening CoreView Hybrid Connector service accounts’ permissions.
If SSL is not enabled, you should enable Windows Authentication instead. In this case, configure a gMSA for the server hosting the Hybrid Connector and adjust your CoreView Hybrid Connector to support the gMSA configuration.
For more information regarding the configuration of the Exchange Powershell virtual directory, please refer to the Microsoft documentation.
Software requirements
The following software requirements apply to CoreView’s on-premises functionality:
Software or Services | Minimum Requirements | |
---|---|---|
CoreView SaaS Solution | SKUs | CoreSuite, ONPREM SKU, OS2019 SKU |
CoreView Hybrid Agent | Version | > 1.0.6 |
Docker | Version | See chapter below |
Docker engine installation
For instructions on deploying the Docker service on your hosting server, please consult the Microsoft documentation.
Be aware that continuing with this operation will cause the server to reboot automatically.