Hybrid Connector: requirements

  • Last update on November 20th, 2024

The article outlines the prerequisites for setting up CoreView's on-premises services, including hardware specifications for servers, firewall settings, and software versions. It also covers security guidelines and the impact of Multi-Factor Authentication on the system.


Infrastructure requirements

The following requirements apply to the key infrastructure components that support CoreView's on-premises functionality. 

All the prerequisites must be completed and validated before a deployment meeting can be conducted.

 
Architecture Component Minimum Requirement
Hybrid Agent Server Hardware1 Virtual or Physical Wintel Server
  CPU 2 Core
  RAM 8 Gb
  Storage 200 Gb
  OS Windows Server 2019, 20223 
  Domain Member Optional
  Browser Microsoft Edge, Google Chrome4
Active Directory Topology All
  Functional Level Windows 2003
Azure AD Connect Synchronization Version 2.x
Exchange Services CAS Server2 Exchange Server 2013
Docker Version Docker Community Edition (CE) runtime environment - most updated available version

1 The Hybrid Connector should be installed on a standalone virtual or physical server and not coexist with other business services.

2 With Exchange 2013 and later versions, every Exchange Server doubles as a Client Access Server (CAS). You must configure the CoreView Hybrid Connector to target a specific Exchange server rather than a Virtual IP (VIP) address.

3The following versions of VMs on Azure with Windows 2022 are not supported, therefore do not use these versions: https://learn.microsoft.com/en-us/windows-server/get-started/hotpatch 

4 Please note that Internet Explorer is not supported.


Multiforest Service Accounts

The structure of the multi-forest version of the CoreView Hybrid Connector echoes that of Microsoft AD Connect. While there will be a single on-premises server hosting the agent, this server needs to be able to reach the chosen domain controller for each forest you aim to integrate.

The connection technology consistently relies on Remoting Powershell (you can find more information in this Microsoft article). Therefore, it's necessary to equip each forest's domain controller with a dedicated service account. This means there's no need for Active Directory Trust or Enterprise Admins.

If a forest has more than one Exchange server, we suggest assigning an additional service account to each extra Exchange organization.

Just like with the single-forest version, we recommend using a domain controller from each forest that has the Global Catalog role assigned. This is because of the requirement to import group members spanning multiple domains and forests. Without a connection to a Global Catalog, these couldn't be imported.

For forests arranged in parent-child relationships, you only need a domain controller from the parent domain. CoreView's data import process can discover each child domain and import the related data.

A separate account is a requirement for each forest, a single account cannot be used for more than one forest.

 

Network / Firewall requirements

The following requirements apply to network traffic that supports CoreView’s on-premises functionality. Please note that these network requirements pertain only to traffic between the on-premises connector and CoreView or the Microsoft Azure Service Bus infrastructure. 

The CoreView On-premises Connector will also need to communicate with the customer’s Active Directory and, optionally, a select Exchange Server. 

Be aware that certain hostnames provided below may have additional subdomains. For instance, "*.usgovcloudapi.net" might extend to "cvgov.blob.core.usgovcloudapi.net". Ensure your firewall settings permit traffic for all subdomain names mentioned in the following list.

 

Customer registered in CoreView commercial data centers 

Network components Target Hostname Port Requirement
Windows Services CoreView API Service *.4ward365.com 
*.coreview.com
443 (TCP)
Windows Services CoreView API Service *.loginportal.online 443 (TCP)
Windows Services Azure Service Bus *.windows.net 443, 5671, 9354 (TCP, AMQP)
Windows Services Azure Container Registry *.azurecr.io 443 (TCP)
Hybrid Agent Azure Service Bus *.windows.net 443, 5671, 9354 (TCP, AMQP)
Hybrid Agent CoreView API Service *.coreview.com 443 (TCP)
Hybrid Agent Azure Blob Storage

*.windows.net  

443 (TCP)
Hybrid Agent AD Domain Controller TBD by Customer 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Exchange PowerShell Host TBD by Customer 80, 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Visual Studio Services *.visualstudio.com 443 (TCP)
Hybrid Agent Microsoft O365 workloads *.microsoft.com 80, 443 (TCP)
Hybrid Agent Azure AD

*.windows.net 

*.microsoftonline.com 

*.microsoft.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent MSOL

*.microsoftonline.com 

*.windows.net

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Exchange Online

*.office365.com 

*.outlook.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent SharePoint Online *.sharepoint.com 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Teams

*.lync.com 

*.digicert.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent GoDaddy Certification Authority *.godaddy.com 80 (TCP), 443 (TCP)
Hybrid Agent CoreView All Services

*.4ward365.com  

*.loginportal.online 

*.windows.net  

*.azurecr.io  

*.windows.net   

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Azure Blob Storage cvhybridtool.azurecr.io 80, 443 (TCP)
Diagnostic Tool Azure Service Bus *.windows.net 443, 5671, 9354 (TCP, AMQP)
Diagnostic Tool Azure Blob Storage

*.windows.net  

443 (TCP)
Diagnostic Tool AD Domain Controller TBD by Customer 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Exchange PowerShell Host TBD by Customer 80, 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Microsoft O365 workloads *.microsoft.com 80, 443 (TCP)
Diagnostic Tool Azure AD

*.windows.net 

*.microsoftonline.com 

*.microsoft.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool MSOL

*.microsoftonline.com 

*.windows.net

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Exchange Online

*.office365.com 

*.outlook.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool SharePoint Online *.sharepoint.com 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Teams

*.lync.com 

*.digicert.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool GoDaddy Certification Authority *.godaddy.com 80 (TCP), 443 (TCP)
Diagnostic Tool CoreView All Services

*.4ward365.com  

*.loginportal.online 

*.windows.net  

*.azurecr.io  

*.windows.net  

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool CoreView API Service *.coreview.com 443 (TCP)
 
 

Customers registered in CoreView Gov data centers:

Network components Target Hostname Port Requirement
Windows Services CoreView API Service *.4ward365.com 443 (TCP)
Windows Services CoreView API Service *.coreview.com  443 (TCP)
Windows Services Azure Service Bus *.usgovcloudapi.net  443, 5671, 9354 (TCP, AMQP)
Windows Services Azure Container Registry *.azurecr.us 443 (TCP)
Hybrid Agent CoreView API Service *.coreview.com 443 (TCP)
Hybrid Agent Azure Service Bus *.usgovcloudapi.net  443, 5671, 9354 (TCP, AMQP)
Hybrid Agent Azure Blob Storage

*.usgovcloudapi.net 

443 (TCP)
Hybrid Agent AD Domain Controller TBD by Customer 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Exchange PowerShell Host TBD by Customer 80, 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Azure AD

*.windows.net 

*.microsoftonline.com 

*.microsoft.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent MSOL

*.microsoftonline.com 

*.windows.net

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Exchange Online

*.office365.com 

*.outlook.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent SharePoint Online *.sharepoint.com 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent Teams

*.lync.com 

*.digicert.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Hybrid Agent GoDaddy Certification Authority *.godaddy.com 80 (TCP), 443 (TCP)
Hybrid Agent CoreView All Services

*.4ward365.com  

*.loginportal.online 

*.windows.net  

*.azurecr.io  

*.windows.net  

*.usgovcloudapi.net  

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Azure Blob Storage cvhybridtool.azurecr.io 80, 443 (TCP)
Diagnostic Tool Azure Service Bus *.windows.net 443, 5671, 9354 (TCP, AMQP)
Diagnostic Tool Azure Blob Storage

*.windows.net  

*.usgovcloudapi.net 

443 (TCP)
Diagnostic Tool AD Domain Controller TBD by Customer 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Exchange PowerShell Host TBD by Customer 80, 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Microsoft O365 workloads *.microsoft.com 80, 443 (TCP)
Diagnostic Tool Azure AD

*.windows.net 

*.microsoftonline.com 

*.microsoft.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool MSOL

*.microsoftonline.com 

*.windows.net

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Exchange Online

*.office365.com 

*.outlook.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool SharePoint Online *.sharepoint.com 80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool Teams

*.lync.com 

*.digicert.com

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool GoDaddy Certification Authority *.godaddy.com 80 (TCP), 443 (TCP)
Diagnostic Tool CoreView All Services

*.4ward365.com  

*.loginportal.online 

*.windows.net  

*.azurecr.io  

*.windows.net  

*.usgovcloudapi.net  

80 (TCP), 443 (TCP), 5985 (TCP), 5986 (TCP)
Diagnostic Tool CoreView API Service *.coreview.com 443 (TCP)
 
 

For additional information on the requirements for accessing the Azure Service Bus, please refer to the Microsoft documentation.


Important note about Multi-Factor authentication

If you've enabled Multi-Factor Authentication (MFA) for your Microsoft 365 cloud services, remember to set up a conditional access policy. This policy should exclude your on-premises Hybrid Connector's IP address from requiring a second authentication factor for the CoreView service account named:

4ward365.admin@yourdomain.onmicrosoft.com

Without that exception policy, your CoreView tenant won’t be able to initiate any management sessions.

Keep in mind that your Hybrid Connector's IP address may be subject to Network Address Translation (NAT) by your network gateway when connecting to public networks, like the Internet. We advise consulting with your network specialist to determine the public IP address your on-premises systems use for these connections.

For more information on the conditional access exception policy, please refer to the Microsoft documentation.


Security requirements

The following security requirements apply to CoreView’s on-premises functionality:

Type Minimum Permissions
CoreView Configuration Tenant Admin
Hybrid Agent Deployment Local or Domain Administrator
Active Directory Service Account Domain Administrator (**)
Exchange Service Account Organization Management
Exchange PowerShell Virtual Directory  Set to Basic or Integrated Authentication (*)

(*) Important note about Exchange Virtual Directory configuration:

There are two methods for configuring authentication when setting up the PowerShell Virtual Directory for remote access. If Basic authentication is enabled, SSL must also be enabled and configured with a valid public certificate.  

(**) If your company's security policies restrict granting domain admin permissions to service accounts, please see the section titled Hardening CoreView Hybrid Connector service accounts’ permissions for guidance.

If SSL is not enabled, you should enable Windows Authentication instead. In this case, configure a gMSA for the server hosting the Hybrid Connector and adjust your CoreView Hybrid Connector to support the gMSA configuration.

For more information regarding the configuration of the Exchange Powershell virtual directory, please refer to the Microsoft documentation.


Software requirements

The following software requirements apply to CoreView’s on-premises functionality:

Software or Services Minimum Requirements
CoreView SaaS Solution SKUs CoreSuite, ONPREM SKU, OS2019 SKU
CoreView Hybrid Agent Version > 1.0.6
Docker Version See chapter below

Docker engine installation

For instructions on deploying the Docker service on your hosting server, please consult the Microsoft documentation.

Be aware that continuing with this operation will cause the server to reboot automatically.