Versions Compared

Version Old Version 4 New Version 5
Changes made by

Yoav Crombie

Yoav Crombie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

Overview of SphereShield Agent

relevant for agent 1.

...

5.

...

New config settings

CheckServiceAliveInLog - true/false, enable log file monitoring for alive message. Checks in the logs of the service if it conatains the text “[IS ALIVE]” in the last time set in the next setting. If this is not detected, the agent will attept to restart the service
CheckServiceAliveInLogMinutes - how often check the alive message in the service log
For now this feature is supported only with AdSync version 1.2.0.2

Updated to agent 1.5.1

SphereShield Agent is a Windows Service to monitor other AGAT service and restart it if needed.
Monitored service can be:

  • Sip Filter (AgatSipFilter)

  • Bastion (for LAC, Teams Protector, Webex Protector filters)

  • Authentication Extender

  • Casb Adapter (AgatSphereShieldCasbAdapter)

  • Content Manager (AgatContentManagerService)

Monitoring operation consists of three main parts:

  • checking if monitored service is running and start it if not

  • checking in DB if monitored service is alive using Service Management mechanism - relevant for all services except Authentication Extender

  • sending a health check request to the Bastion and its filters. If the Bastion and filters are not healthy, the agent will try to restart the Bastion service.

Service name: AgatSphereShieldServiceAgent[CustomerName]
Service display name: AGAT SphereShield Service Agent [Customer Name]

The agent is installed and configured by the installer.

To install the service manually (run as administrator):

Code Block
> AgatSphereShieldServiceAgent.exe install

To uninstall the service (run as administrator):

Code Block
> AgatSphereShieldServiceAgent.exe remove

...

1 and above

SphereShield Agent is a Windows Service to monitor other AGAT service and restart it if needed.
Monitored service can be:

  • Sip Filter (AgatSipFilter)

  • Bastion (for LAC, Teams Protector, Webex Protector filters)

  • Authentication Extender

  • Casb Adapter (AgatSphereShieldCasbAdapter)

  • Content Manager (AgatContentManagerService)

Monitoring operation consists of three main parts:

  • checking if monitored service is running and start it if not

  • checking in DB if monitored service is alive using Service Management mechanism - relevant for all services except Authentication Extender

  • sending a health check request to the Bastion and its filters. If the Bastion and filters are not healthy, the agent will try to restart the Bastion service.

Service name: AgatSphereShieldServiceAgent[CustomerName]
Service display name: AGAT SphereShield Service Agent [Customer Name]

The agent is installed and configured by the installer.

To install the service manually (run as administrator):

Code Block
> AgatSphereShieldServiceAgent.exe install

To uninstall the service (run as administrator):

Code Block
> AgatSphereShieldServiceAgent.exe remove

Configuration

Confifuration added in Version 1.6.2

New config settings

CheckServiceAliveInLog - true/false, enable log file monitoring for alive message. Checks in the logs of the service if it conatains the text “[IS ALIVE]” in the last time set in the next setting. If this is not detected, the agent will attept to restart the service
CheckServiceAliveInLogMinutes - how often check the alive message in the service log
For now this feature is supported only with AdSync version 1.2.0.2

There is an AgatSphereShieldServiceAgent.config file with configuration for the agent. The agent writes to a log file (default at C:\Agat\Logs\ServiceAgent\[CustomerName]) and to Event Log with source "AGAT SphereShield Service Agent".

...

  • [DB mode] write agent alive time in service management table for monitored service row

  • check if monitored service is running and start it if not

  • [DB mode] check if monitored service is alive in service management table

  • [Bastion] check if Bastion and filters are OK:

    • Bastion healthcheck procedure:

      • for forward proxy:
        request https://[BastionHealthcheckHost]/healthcheck with proxy BastionIP
        for example https://test.skypeshield.com/teams_protection/healthcheck with proxy 127.0.0.1

      • for reverse proxy:
        request https://[BastionIp]/skypeshieldhealth with host header BastionHealthcheckHost
        for example https://127.0.0.1/skypeshieldhealth with host header test.skypeshield.com

      • if received HTTP 200 status code (during response time of BastionMaxHealthcheckLatencyMilliseconds if set not to 0) - Bastion and filters are OK (no restart is done)

      • if received other HTTP status or error/exception - except statuses 404 (Not Found), 403 (Forbidden) and 401 (Unauthorized) - will try to restart Bastion service after 3 consecutive failures every 10 seconds - only if already in production mode.

    • if healthcheck result not OK and the agent is in production mode (received 5 sequence OK results) - consider healthcheck as not passed

    • otherwise if healthcheck result is OK or the agent not in production mode (not received 5 sequence OK results) - consider healthcheck as passed

    • the agent will go into production mode (restart on error) only after receiving good result for 5 times indicating the correct operation to avoid misconfiguration in install.

  • If alive check or bastion healthcheck not passed - restart the monitored service

  • If failed to start the service X (X = ServiceMonitorNumberOfAttemptsBeforeRestart) times - kill the monitored service

...