Agent Connector Configuration
Both Secure File Sharing and the exposure of internal services are facilitated by an Agent Connector installed on the host(s) that hold the files you wish to access, or that have network access to the services you wish to expose. Creating one is very simple: the only configuration option is a name.
The Agent makes an outbound-only connection, through your existing firewall (with no configuration changes).
Once the Connector is installed, you can later add new directories to share, new services to expose, entirely from the administrative web interface.
The Connector will automatically keep itself up to date and pick up new configuration. Set it and forget it.
The links are given automatically in the administrative portal on install. If you wish, you may download the binaries from these links.
- Linux X86_64
- Linux ARM
- Linux MIPS Big Endian
- Linux MIPS Little Endian
- Microsoft Windows
- MacOS Darwin (X86-64)
Install as per the instructions below:
agilicus-agent client --install --agent-id UUID --oidc-issuer https://auth.YOURDOMAIN
Once installed, the software will automatically keep itself up to date using The Update Framework (TUF).
NOTE: If the agent is used solely on the client side (e.g. as an ssh ProxyCommand), no install is needed; the binary just needs to be on the PATH.
You will be given a download link and instructions as shown in the image below. A default command line is generated (you can copy and paste it). When you run it, it will open a browser and ask you to authenticate. From there it will generate a special user called a “service account” and connect to the API for instructions. If you are installing on a headless system (e.g. a server reached over ssh), you may add the “
” flag. If you do, it will output a URL which you can paste into your browser. You will then be given a one-time code to paste back in.
chmod a=x agilicus-agent && sudo ./agilicus-agent client --install --agent-id XXXXXXXX --oidc-issuer https://auth.dbt.agilicus.cloud
The Agent Connector is installed as a systemd service. You may observe its logs via the journalctl command.
sudo journalctl -fu agilicus-agent
-- Logs begin at Wed 2021-01-27 13:58:49 EST. --
Jan 28 16:29:06 server.agilicus.ca agilicus-agent-wrapper.sh: Starting agilicus-agent…
Jan 28 16:29:06 server.agilicus.ca agilicus-agent-wrapper.sh: time="2021/01/28 16:29:06" level=info msg="Starting client - version v0.29.5"
Jan 28 16:29:07 server.agilicus.ca agilicus-agent-wrapper.sh: 2021/01/28 16:29:07 Successfully downloaded update. Exiting to apply update
Jan 28 16:29:07 server.agilicus.ca systemd: agilicus-agent.service: Succeeded.
Jan 28 16:29:08 server.agilicus.ca systemd: agilicus-agent.service: Scheduled restart job, restart counter is at 268391.
Jan 28 16:29:08 server.agilicus.ca systemd: Stopped Agilicus Agent.
Jan 28 16:29:08 server.agilicus.ca systemd: Started Agilicus Agent.
Jan 28 16:29:08 server.agilicus.ca agilicus-agent-wrapper.sh: Starting agilicus-agent…
Jan 28 16:29:08 server.agilicus.ca agilicus-agent-wrapper.sh: time="2021/01/28 16:29:08" level=info msg="Starting client - version v0.29.5"
Jan 28 16:29:08 server.agilicus.ca agilicus-agent-wrapper.sh: time="2021/01/28 16:29:08" level=info msg="Logging in…"
The Agilicus Agent runs as an unprivileged system user (agilicus). This means that, by default, it will not have permission to read files in a shared directory you create. To give it access, create a group whose purpose is to collect the users who may read and write shared files on the machine. Add the agilicus user to that group, then give the group permission to access the shared folder. Because a process only picks up group membership when it starts, restart the agent service after adding the agilicus user to the group.
# Set up the shares group and add the agilicus user to it
sudo addgroup shares
sudo usermod -a -G shares agilicus
# Configure the share and all files within it to allow access to the shares group
sudo chgrp -R shares my-shared-directory
sudo chmod -R g+srw my-shared-directory
# Ensure files created by the agent and other users have the proper permissions
sudo setfacl -d -m g::rwx my-shared-directory
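The following is an added example, not part of the Agilicus agent or its documentation. It wraps the permission steps above in a function, then verifies the result (group ownership, group read/write, setgid on every directory) and optionally confirms access as the agent user. Function names and the paths in the usage comment are our own; run it without sudo against a scratch directory, or as root against the real share.

```shell
#!/bin/sh
# Added example: apply and verify the share-group permissions for the
# unprivileged agent user. Not Agilicus code; function names are ours.

# setup_share_perms DIR GROUP
# Same steps as the page: group-own the tree, grant group rw, set setgid so new
# entries inherit GROUP, and (where the filesystem supports it) add a default
# ACL so files created by other users get group rwx regardless of their umask.
setup_share_perms() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir" || return 1
    chmod -R g+srw "$dir" || return 1
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "g::rwx" "$dir" \
            || echo "warning: default ACL not applied on $dir (no ACL support?)" >&2
    fi
    return 0
}

# verify_share_perms DIR GROUP
# Returns 0 when every entry under DIR is group-owned by GROUP with group rw,
# and every directory carries the setgid bit. Prints the first offender otherwise.
verify_share_perms() {
    dir=$1
    grp=$2
    bad=$(find "$dir" ! -group "$grp" -print | head -n 1)
    if [ -n "$bad" ]; then echo "wrong group: $bad" >&2; return 1; fi
    bad=$(find "$dir" ! -perm -g+rw -print | head -n 1)
    if [ -n "$bad" ]; then echo "no group rw: $bad" >&2; return 1; fi
    bad=$(find "$dir" -type d ! -perm -g+s -print | head -n 1)
    if [ -n "$bad" ]; then echo "directory without setgid: $bad" >&2; return 1; fi
    return 0
}

# check_as_user USER DIR
# The real test: can USER (e.g. agilicus) read, write and traverse DIR?
# Needs sudo; exercised manually, not in the automated checks.
check_as_user() {
    user=$1
    dir=$2
    sudo -n -u "$user" sh -c 'test -r "$1" && test -w "$1" && test -x "$1"' sh "$dir"
}

# Usage (hypothetical paths), as root on the file server:
#   setup_share_perms /srv/my-shared-directory shares
#   verify_share_perms /srv/my-shared-directory shares
#   check_as_user agilicus /srv/my-shared-directory
```

The verify step catches the two common mistakes: files copied in later by another user without group write, and a subdirectory created before the setgid bit was set (so its children are owned by the creator's primary group instead of the shares group).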
The Agilicus Agent runs from systemd. You can stop it with
sudo systemctl stop agilicus-agent
You can permanently uninstall it with
sudo /usr/bin/agilicus-agent client --uninstall
The Agent Connector runs as a Windows Service. You will be given instructions to download it, and will then run it to install. A command line will be generated you can copy, which will look similar to below.
%UserProfile%\Downloads\agilicus-agent.exe client --install --agent-id XXXXXXXXX --oidc-issuer https://auth.dbt.agilicus.cloud
Once the Agilicus Agent is installed, it will automatically configure itself and keep itself up to date.
NOTE: WebClient Service
You may need to manually enable the Windows WebClient service if you will use the connector to mount a remote WebDav Share to this machine. Normally this is set to run on demand, but in some environments it may be disabled.
In a similar fashion to the Linux install above, download the binary. In the command line, change '--install' to '--kubernetes-install'. This will run and then give you a kubectl command line to run. You may inspect/modify the generated YAML before applying it.
bin/agilicus-agent client --kubernetes-install --agent-id XXXXXXX --oidc-issuer https://auth.dbt.agilicus.cloud --no-upgrades
INFO[2021-06-24T19:32:40.695380725-04:00] Starting client - version v0.59.0-5-g3c7a28f-dirty
INFO[2021-06-24T19:32:41.073253518-04:00] Download public key file
INFO[2021-06-24T19:32:41.073370301-04:00] Will install into directory /tmp/agilicus-agent-3835986779
INFO[2021-06-24T19:32:41.261896657-04:00] Fetch agent configuration
INFO[2021-06-24T19:32:41.261933338-04:00] Write agent configuration file in temp directory
INFO[2021-06-24T19:32:42.473685368-04:00] Output Kubernetes YAML
INFO[2021-06-24T19:32:42.517497179-04:00] Now run: kubectl apply -f /tmp/agilicus-agent-3835986779/agilicus-agent.yaml
INFO[2021-06-24T19:32:42.51752864-04:00] Installation Complete
The YAML that is applied to your system will:
- Create a namespace
- Create a service-account in that namespace
- Create a PersistentVolumeClaim of 100Mi
- Create a Deployment with no privilege
- Create a Secret with initial credentials
The Deployment will need outbound (and only outbound) connectivity to the Internet. Specifically, it will need to be able to reach
. No inbound connectivity will be created, no Ingress, no LoadBalancer.