Theory of Operation
Installation will create a Service Account (for the Agent Connector to run as). See “Agent Connector Sign-In” for more information.
The Agent makes an outbound-only connection, through your existing firewall (often with no configuration changes).
Once the Connector is installed, you can later add new directories to share, new services to expose, entirely from the administrative web interface.
The Connector will automatically keep itself up to date and pick up new configuration. Set it and forget it.
Uninstall / Delete
When you no longer need an Agent Connector, you should first uninstall it from the host it is on. Then you may delete it from the Admin portal
Manual Download / Install
Instructions per platform are given, personalised, in the administrative portal. They are also shown below for reference.
If you wish, you may download the binaries from these links.
- Linux X86_64 (e.g. Ubuntu, Debian server)
- Linux ARM (e.g. Synology NAS, OpenWRT)
- FreeBSD ARM (e.g. pfSense SG-1100)
- Linux MIPS Big Endian (e.g. OpenWRT etc. router)
- Linux MIPS Little Endian (e.g. OpenWRT, Ubiquity etc router)
- Linux PPC Big Endian (e.g. OpenWRT etc. router)
- Linux PPC Little Endian (e.g. OpenWRT, Ubiquity etc router)
- Microsoft Windows
- MacOS Darwin (X86-64)
Install as per the instructions below (agilicus-agent client --install --agent-id UUID --oidc-issuer https://auth.YOURDOMAIN). Once installed, the software will automatically keep itself up to date using The Update Framework.
NOTE: If the agent is used solely on the client side (e.g. ssh ProxyCommand, Launcher) no install is needed, it just needs to be on the path.
Linux Specific
Permissions
The Agilicus Agent runs as an unprivileged system user. This means that, by default, it will not have permission to read files in a shared directory created by you. To give it access, create a group whose purpose is to group users who have permission to read and write shared files on the machine. Add the agilicus user to the group, then give that group permission to access the shared folder.
# Set up the shares group and add the agilicus user to it
sudo addgroup shares
sudo usermod -a -G shares agilicus
# Configure the share and all files within it to allow access to the shares group
sudo chgrp -R shares my-shared-directory
sudo chmod -R g+srw my-shared-directory
# Ensure files created by the agent and other users have the proper permissions
sudo setfacl -d -m g::rwx my-shared-directoryUninstall
The Agilicus Agent runs from systemd. You can stop it with
sudo systemctl stop agilicus-agentYou can permanently uninstall it with
sudo /usr/bin/agilicus-agent client --uninstall --cfg-file /etc/agilicus/agent/agent.conf.enc.yamlWindows Specific
Install
The Agent Connector runs as a Windows Service. You will be given instructions to download it, and will then run it as an Administrative user to install. A command line will be generated you can copy, which will look similar to below.
%UserProfile%\Downloads\agilicus-agent.exe client --install --agent-id XXXXXXXXX --oidc-issuer https://auth.dbt.agilicus.cloudOnce the Agilicus Agent is installed, it will automatically configure itself and keep itself up to date.
Uninstall
"%ProgramFiles%\Agilicus\Agent\agilicus-agent.exe client --uninstall --cfg-file "%ProgramFiles%\Agilicus\Agent\agent.conf.enc.yaml"Windows Notes
NOTE: WebClient Service
You may need to manually enable the Windows WebClient service if you will use the connector to mount a remote WebDav Share to this machine. Normally this is set to run on demand, but in some environments it may be disabled.
NOTE: Windows Failover Clustering High Availability
To configure the Agilicus Agent for 1+1 ACTIVE/PASSIVE on Windows Cluster Server, use a Generic Service. For more information, see Agilicus Agent Windows Cluster Server
NOTE: Windows Defender False Positive
Some installations have observed, using the PowerShell installation instructions, a false-positive detection for Trojan:Script/Sabsik.TE.B!ml. This has been submitted to Microsoft for re-evaluation, but they have been unable to reproduce. If this occurs, you can override this detection for this specific binary.
NOTE: 2012 PowerShell: Could not create SSL/TLS secure channel
Older versions of Windows may be missing the R3 root certificates (see Microsoft note). This can prevent usage of modern cryptographic https sites. Let’s Encrypt has more information, including a diagram of the full chain of trust.
You may find you need to run Windows Update, or, manually remove the old R3 intermediate and add the new one from Let’s Encrypt.Related Configuration
Return to Product Configuration
- Locked-Down Networks Certificate Revocation
- Signup: Firewall Configuration
- Sign-In Errors
- Geo-Location-Based Access Control
- Time Synchronisation
- Agent Connector Sign-In
- Resources – Overview, Concepts
- Connect to VTScada – Adding a Web Application
- Web Application Security
- Administrative Users
- Define Application: Proxy
- Authorisation rules
- Agent Connector Install: Raspberry Pi
- Real VNC & Raspberry Pi
- Kubernetes Agent Connector Install
- Linux, FreeBSD, Embedded Agent Connector Install
- Agent Connector Install: Ubiquity EdgeRouter X
- Audit Destinations
- Agent Connector Install: Netgate SG-1100 pfSense
- Identity Group Mapping
- Billing
- Auto-Create Users From Specific Domain With Google Workplace
- Organisation
- Authentication Audit
- Authentication Issuer – Custom Identity
- Signup
- Microsoft ClickOnce
- Groups
- Agilicus Agent Windows Cluster
- Launchers
- Forwarding
- Usage Metrics
- Service Accounts
- Connectors
- Identity & Authentication Methods
- Content Security Policy
- Users
- Sign-In Theming
- Sign in With Apple
- Azure Active Directory
- Sign in With Microsoft
- Agilicus Agent (Desktop)
- Agent-Connector
- Zero-Trust SSH Access
- Theory of Operation: CNAME + DOMAIN
- Zero-Trust Desktop Access
- Command Line API Access
- Applications
- Permissions
- Profile
- Multi-Factor Authentication
- Authentication Rules
- Application Request Access
- OpenWRT Agent Connector Install
- Synology Agent Connector Install
- Authentication Clients
- Authentication Rules
- Shares
- Services
- Resource Permissions
- Resource Groups
- Legacy Active Directory