Access Broker Agent Setup - indiana-university/kumo GitHub Wiki

The Kumo Access Broker Agent is a Windows service that provides integrated, domain-level authentication of Clients connecting to the Kumo service. It runs as the 'Network Service' user and communicates with the Kumo Portal and installed Clients over HTTPS. Like the client, the Kumo Access Broker Agent is pre-configured to work with @member. It is your responsibility to provision and secure a Windows Server to host the Access Broker Agent.

Requirements

Recommended System Configuration

We recommend that you provision at least two Access Brokers, each with 2+ virtual cores and 4+ GB memory. Multiple Access Brokers will allow for simple load balancing and redundancy.

Installation Process

  1. Start the Access Broker installation by double-clicking the downloaded MSI installer package.
  2. You'll be asked to specify the SSL certificate and port with which to secure the service. The following system changes will then be applied:
     • The 'Network Service' account will be granted read access for the selected SSL certificate.
     • The 'Network Service' account will be granted listening rights on the selected port.
     • The selected port will be bound to the selected SSL certificate.
  3. The Access Broker will attempt to start as the final installation step. If it starts, the installation will finish successfully.
  4. Once the Access Broker has started and the installation has completed, browse to the Admin > Access Brokers tab in the Kumo Portal. You should see an entry for the machine name of the server on which you just installed the Access Broker.
  5. Verify that the host name and port are correct, check the Enabled box, and Save your changes.
  6. Restart the Access Broker service. It will now be able to authenticate Client requests.

Installation errors will be logged to the Windows Application log under the source 'Kumo Access Broker Agent'. If you experience problems during installation, please refer to our Troubleshooting document.

You can disable the Access Broker at any time by unchecking the Enabled box.

Ports

The Access Broker will open a single TCP port (9091 by default) to receive HTTPS traffic from clients. You must ensure that this port is open to receive inbound traffic on all firewalls that sit between your deployed Clients and Access Brokers. Additionally, you will need to make sure the Access Broker agent can send requests to your Kumo portal.

Updating Certificates

When the SSL certificate associated with your Access Broker expires, do the following:

  1. Install a new certificate.
  2. Uninstall the Access Broker.
  3. Re-run the Access Broker installer.
  4. Select the new certificate during installation.
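
A check for the system changes listed under Installation Process and for upcoming certificate expiry, as an added PowerShell example that is not part of the Kumo project: it reads the certificate bound to the port, reports the days left before it expires, and shows the URL reservation and recent errors from the 'Kumo Access Broker Agent' event source. It assumes the default port 9091, English-locale netsh output, and that the installer's "listening rights" are an http.sys URL reservation; `$WarnDays` is a hypothetical threshold.

```powershell
# Added example, not part of the Kumo project. Run on the Access Broker host.
# Assumes English-locale netsh output; $WarnDays is a hypothetical renewal threshold.
param([int]$Port = 9091, [int]$WarnDays = 30)

# 1. Which certificate hash does http.sys have bound to this port?
$sslText = (netsh http show sslcert) -join "`n"
$pattern = '(?ms):\s*\S+:' + $Port + '\s*$.*?Certificate Hash\s*:\s*([0-9a-fA-F]+)'
$match   = [regex]::Match($sslText, $pattern)
if (-not $match.Success) {
    Write-Warning "No SSL certificate binding found for port $Port."
    return
}
$thumb = $match.Groups[1].Value.ToUpper()

# 2. Find that certificate in the machine stores and compute days until expiry.
$cert = Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $thumb -and $_.HasPrivateKey } |
    Select-Object -First 1
$daysLeft = if ($cert) { [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays) } else { $null }

# 3. URL reservations for the port (assumption: the "listening rights" the
#    installer grants are an http.sys URL ACL; the User line should name Network Service).
$acl = netsh http show urlacl | Select-String -Pattern ":$Port/" -Context 0, 1

# 4. Recent errors from the event source named on this page.
$errors = Get-WinEvent -MaxEvents 5 -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Kumo Access Broker Agent'; Level = 2
}

[pscustomobject]@{
    Port            = $Port
    BoundThumbprint = $thumb
    CertFound       = [bool]$cert
    Subject         = $cert.Subject
    NotAfter        = $cert.NotAfter
    DaysLeft        = $daysLeft
    RenewSoon       = ($null -eq $daysLeft) -or ($daysLeft -lt $WarnDays)
    UrlAcl          = ($acl | Out-String).Trim()
    RecentErrors    = @($errors).Count
}
```

`RenewSoon` is also true when the bound thumbprint has no matching certificate with a private key in the machine stores, which is the state to look for after a certificate has been replaced without re-running the installer.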