bMS-Interface
The system offers a dedicated interface function for connecting to a baramundi Management Suite (bMS) installed on-premises.
In this administration area, both the setup and the import functions can be executed (import of the bMS endpoints into the asset DB, import of the bMS jobs for later execution on the endpoints or assets, and import of person data directly from bMS).
If the "Email for failed bMS jobs" option is activated, all users with the "Administration - Full" authorization automatically receive an email if a planned bMS import job could not be carried out successfully.
General information
The ticketing system uses a standard hybrid connection service from MS Azure for the secure connection between the cloud application and the local bMS.
The advantage of this solution is that bMS does not have to be accessible from the Internet.
Further information on the technology used is available, for example, at: https://docs.microsoft.com/de-de/azure/app-service/app-service-hybrid-connections
Requirements for the interface
• bMS installation with an available bConnect interface (https call possible)
• Installation of the Microsoft standard tool "Azure Hybrid Connection Manager" (HCM) for local secure connection management. Download link for HCM: <DOWNLOAD-LINK>
Security aspects of the interface
• Azure Hybrid Connection Manager (HCM) provides secure access to on-premises systems and services.
• The feature does not require an endpoint on the customer network that is accessible via the Internet.
• The connection is not initiated from the Internet; instead, the local tool connects outbound to Azure.
• Each hybrid connection corresponds to a single host/port combination.
  o Only https calls against the specified hostname are possible (port 443).
• HCM performs https calls against Azure only.
  o A WebSocket connection encrypted with TLS 1.2 is established.
• In addition, an individual security key is generated on the ticketing system side for each customer instance, which is used for the connection with Azure.
• As an option, the server certificate of the bConnect interface can be specified as well. For each call against the bConnect interface, the ticketing system then checks whether the certificates match.
Interface setup and update
Preliminary notes
• It makes sense to first create / import the persons (end users who are to be assigned to assets), so that the "primary users" from bMS can be directly assigned to the asset during the endpoint import (identified by the matching e-mail address OR login name of a person). Otherwise, manual assignments would have to be made afterwards. The primary user is entered in a separate field on the asset form and is also automatically added to the list of people assigned to the asset.
• The imports block the server of the ticketing system. During this time, no user can work; users see an "hourglass"/freeze and, depending on the import runtime, a time-out.
  o The import can take a long time, especially with many endpoints (reference system with 750 endpoints: approx. 20 minutes).
  o The admin should never perform imports, especially for assets, without notice during normal working hours. If possible, schedule imports outside of regular working hours.
Setup Guide
(1) In the administration area "bMS interface":
• Enter the FQDN (Fully Qualified Domain Name) of the bMS or specifically of the bConnect interface (as accessible from the intranet) in the "Hostname" field.
• Enter interface user and password (not yet required for the actual interface setup, only later for imports/job execution).
• Optionally upload a server certificate if a web server certificate is available for the bConnect interface.
  o If a certificate is specified, only this server is trusted; without one, all servers are trusted.
  o All public certificate formats (i.e. the public key) that the Windows certificate manager supports are supported.
• Close the form dialog with "OK" to save the data.
For all changes to the FQDN or certificate, the users in the "Administrator - Full" group receive a notification in the system as soon as the interface is set up and the connection string is generated/updated (this can currently take up to one working day). The data that was saved last is always used for the connection.
The notification is displayed in the so-called "notification window", which opens as a separate table list as soon as new messages are available or there are still unread messages. The notification list is updated approx. every 15 minutes. The notification window can be opened and updated manually via the general settings menu.
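The effect of the optional server certificate from step (1) and from the security aspects above, as an added illustration that is not part of the product's code. It assumes that "match" means an identical SHA-256 fingerprint of the whole certificate; the function names and the fail-closed handling of an unreadable upload are hypothetical.

```python
import hashlib
import hmac
import ssl
from typing import Optional


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pin_decision(presented_der: bytes, uploaded_pem: Optional[str]) -> str:
    """Decide whether a call against the bConnect server may proceed.
    No uploaded certificate -> "trust-all" (any server is accepted).
    Uploaded certificate    -> "match" only for exactly that certificate.
    An unreadable upload fails closed (assumption) instead of trusting all."""
    if uploaded_pem is None:
        return "trust-all"
    try:
        pinned_der = ssl.PEM_cert_to_DER_cert(uploaded_pem)
    except ValueError:  # bad PEM framing or bad base64
        return "reject-invalid-pin"
    same = hmac.compare_digest(fingerprint(presented_der), fingerprint(pinned_der))
    return "match" if same else "mismatch"


def fetch_presented_der(host: str, port: int = 443) -> bytes:
    """Certificate the server presents right now (needs network; not called here)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed placeholder bytes standing in for real DER certificates.
BCONNECT_DER = b"constructed bConnect server certificate"
IMPOSTOR_DER = b"constructed certificate of another server"
UPLOADED_PEM = ssl.DER_cert_to_PEM_cert(BCONNECT_DER)


def demo() -> dict:
    return {
        "pinned, right server": pin_decision(BCONNECT_DER, UPLOADED_PEM),
        "pinned, other server": pin_decision(IMPOSTOR_DER, UPLOADED_PEM),
        "no pin, other server": pin_decision(IMPOSTOR_DER, None),
        "corrupt upload": pin_decision(BCONNECT_DER, "not a certificate"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running `fetch_presented_der` from the HCM host against the bConnect FQDN and comparing its fingerprint with the file to be uploaded confirms, before saving, that the uploaded certificate is the one the server actually presents.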
(2) Azure Hybrid Connection Manager setup (version 02/2021)
• Install Azure Hybrid Connection Manager (HCM) on a local server that has access to the bConnect interface. This server must have internet access, but does not have to be accessible from the internet.
• Click on "Enter Manually" and copy the complete connection string into the corresponding field, confirm with "Add".
• The connection is established. The overview list must show "Connected".
• In case of problems with the connection setup, please also refer to the chapter "Troubleshooting".
(3) In the administration area "bMS Interface":
• Test connection: the "Test connection" button calls the baramundi server and returns the bMS version number if successful. If this is successful, the system can be reached via the interface, regardless of whether the bConnect user/password is correct.
• Provided that the bConnect user has the correct permissions from baramundi, the interface is now ready for use and jobs and endpoints defined in bMS can be imported via the prepared import jobs.
• The respective job state is displayed in the list below it.
• Recommendation: The import of jobs should be executed first, as it is completed in 1-2 minutes depending on the number of jobs and currently also serves as an additional test.
• Note: During the import, the ticketing system is locked. The asset import in particular can take longer depending on the number of endpoints and the internet connection (approx. 20 min. for 750 endpoints). Therefore, it is advisable to plan/start this outside working hours.
Furthermore, it is possible to define automatic import intervals for the import of endpoints/assets or jobs (daily, weekly).
The number of imports that can be performed is currently limited to three per import type.
Import of personal data from bMS
With the use of bMS bConnect version 2.0 it is also possible to perform an automatic person import.
This makes it possible to automatically synchronize person data, which bMS syncs with a local AD, with the bTS.
Important notes:
• In order for all data required for bTS to be available in the bMS bConnect interface, variables must be created in bMS. Please contact your baramundi consultant, sales or support for details.
• To avoid conflicts, it is not recommended to import data for the same persons via CSV and bMS in parallel.
• The prerequisite on the bMS side is at least the bConnect 2.0 interface.
In the baramundi Knowledge Base you will find instructions for preparing the data imports on the bMS side (requires a baramundi support account):
https://feedback.baramundi.de/knowledge-base/article/KB17190-EN
Additional notes:
The performed imports are displayed in the list below. Please note:
If the "Successful" state is displayed, all records have been imported completely and all references have been set.
If the state "Failed" is displayed, error details are included in the error description. The import can also be opened by double-clicking. All errors that occurred are then displayed there.
Even if errors occurred, all other records may have been imported successfully.
Example:
The person was imported successfully, but no reference to the matching location could be created because it did not exist in the system. In this case, to resolve the error, the location with the corresponding title could be created in the system and the import repeated.