The Cloud Automation Platform​

Considering moving into the Cloud?

OpsAI is your IT-infrastructure scanner - giving you knowledge and help:

  • OpsAI documents all parts of your current infrastructure. Servers, Assets and Apps
  • Sets up Governance and manages Risk incl. technical debt
  • It generates a road map to what you can move into the Cloud and how much you could save

OpsAI gives you automated view of your IT assets and helps you move them into the Cloud.

— How it works

OpsAI takes the complexity out of IT, giving businesses an overview with valuable visual insights

Be ready for the cloud
Free up valuable IT resources and focus on what is important – implementing strategic initiatives to help your business grow by investing in a service that gets you ready for the cloud.

Technology
OpsAI gives you a clear overview of what your IT-infrastructure looks like today. With a view of your applications, workflows and infrastructure, you can determine the cost and benefits of future cloud transformation strategies.

Servers, devices and containers.
What is in your environment?

Find out:

  • How & at what capacity your environment is being used
  • When & where spikes in usage occur
  • What is driving consumption

Discover

Asset Context Graph
OpsAI has built-in graph technology that let’s you analyze your real time CMDB/ITAM data in multiple dimensions.

Data Export
OpsAI gives you the option to export your data and use it with your preferred analysis application.

  • Easy sign-up
  • Seamless installation
  • Non-intrusive, agentless scanning
  • Always-up-to-date CMDB
  • Instant graph insights
  • Result-driven

Optimize

Data Enrichment
OpsAI helps you optimize your valuable IT infrastructure using:

  • Filtering out "noise" applications
  • Automatically generated Asset Graph
  • Automatically built Business Application Groups
  • Categorize your assets by lifecycle, environments, status and more…

Transform

Cost
Estimate your future Cloud costs by rightsizing your IT estate.
Map business application groups with the right license metrics.

Get insight into your IT infrastructure based on critical business application communication.

OpsAI prepares you for Cloud transformation and builds your business case on facts – today.

  • Determine business application groups
  • Prioritize your Cloud tranformation the right way
  • Get complete application overview​

Security

OpsAI enhances the effectiveness of your security setup by giving you insights into which items that need attention, leaving you less vulnerable to internal and external threats.

Get an overview of:

  • IT security
  • Microsoft Windows / Microsoft SQL Server patch status
  • Patch level analysis & status
  • Software version level
  • Detect severe and critical software

Compliant

OpsAI gives you real time insights of your assets across your infrastructure. This enables protection for state and active monitoring. Turning insights into action to meet today’s industry compliance demands.

Technical debt overview
Get an overview of your applications by Hardware, Hypervisor, and Cloud in combination with Window Server Version

Risk assessment
OpsAI visualizes risk to show the importance of a common understanding between Business and IT. The Risk assessment uses TOGAF to determine a complete Risk Overview.

  • Risk overview per server
  • Report per server and average risk of patch and technical debt

Partners

Realize the power of the cloud with Cloudeon as your Partner
Stop imagining and realize the potential of cloud economics.​

Cloudeon brings the future to your present, and take the technical complexity and financial uncertainty out of cloud adoption

Why Partner With OpsAI?

The OpsAI Partner Program enables you to deliver better value to your customers.

Give your customers access to the best, most simple and scanning tool available.

Contact us

Current customer or prospect, partner or interested in becoming one, we want to hear from you. Reach out and we will respond as soon as possible.

If you have suggestions for new features or would like changes to existing features, please enter your suggestion here

mail

FAQ

To install the OpsAI Scanner, you need access to the enterprise dedicated Windows server.

Prerequisites
Windows server 2012 R2 / Windows 10 (x64) or newer, with .NET Framework 4.6.1 or later, FIPS must be disabled

  1. Minimum 4 vCPU and 16Gb RAM
  2. Domain-joined
  3. Administrative credentials to the servers that will be scanned:
    1. For Windows servers, a user with access to read and execute WinRM and WMI. This is needed for each individual Windows domain which will be inventoried.
    2. For Linux servers, a user with rights to logon and execute ssh commands is needed. (See below for two commands that require sudo access)
  4. The user account running the OpsAI Scanner must be local administrator

Windows servers must fulfill the TCP port requirements (see FAQ for Port Requirements)

Once the OpsAI Scanner is downloaded, installed and configured, it may take up to 8 hours to discover and scan your IT infrastructure.

The OpsAI Scanner is agentless and only scans your organisation IT infrastructure. The results are processed automatically and without manual interaction, giving you 100% control of your data.

For example, if you scanned a server with SQL Server installed, then OpsAI will report that SQL Server is installed. If you then uninstalled SQL Server and re-scanned that device, the SQL Server installation will no longer appear on your OpsAI asset list.

If you are concerned about downloading the OpsAI Scanner, you can scan it with your antivirus software before you run it.

The OpsAI Scanner runs, collects and transmits the collected data to your organization portal. The Scanner can only be downloaded from and activated via your organization portal on OpsAI.com by authenticated users, and this activity is tracked and logged.

Uninstalling the OpsAI Scanner from a server is a 4 step process:

  1. Launch the OpsAI Configuration tool on the server where the OpsAI Scanner has been installed. Navigate to the “Operate” tab. For each domain select it, and click “Stop”. This will stop the OpsAI Scanner service(s)
  2. Once all scanner services has been stopped, you uninstall the OpsAI Scanner service by selecting each domain and clicking “Uninstall”.
  3. Use the Control Panel to uninstall the OpsAI Configuration tool
  4. Delete the OpsAI Scanner database. It is located in the “C:\Program Files (x86)\OpsAI“ folder. The uninstaller is conservative by design, and refrains from destroying user data.

You have the option to Partner up and let us help you build a strong business case for the future. This offer includes quality gate meetings, Cloud adoption workshops and experts taking you through all aspects that constitutes the true cost of on-premise IT and Cloud economics. The final business case becomes the key in realizing Cloud benefits, savings and opportunities, providing real-time overviews including operational considerations, Technical Debt, compliance, financial overviews and strategic and operational roadmaps.

When scanning, the OpsAI Scanner collects information about the number of processors and cores, CPU, OS, IP addresses, installed applications and services, disks, and performance metrics, all of which constitutes the scanned infrastructure.

The data collected by OpsAI during the scan is sent to the Cloud to form the basis for the analytics exposed in the dashboards and reports.

Data in transit

When the data is moved between the scanner and the Cloud where it is stored, it is encrypted using secure https - TLS version 1.2.

Data at rest

Data is stored in the Cloud where it is used as the basis for dashboards and reports. Only persons granted permission by you will have access to the collected data. Data is encrypted at rest using 256-bit AES encryption where the credentials are stored in Azure Key Vault.

Data deletion

Once you decide not to use OpsAI anymore, you can perform a complete deletion of the data collected and stored by using the feature that allows you as the customer to shut down your entire organization in OpsAI. By doing so the data will be erased from the Cloud solution as well as the Cloud backup simultaneously.

However, we have introduced a grace periode of 30 days to ensure that you do not accidentally erase all your data.

The CMDB import file is a comma separated text file with UTF8 encoding.
The first row is considered the header and is always ignored.
All columns except DomainName and HostName are optional.
For Linux/Unix machines, use “Unix” as domain name.
Values can optionally be in quotes (“).
The expected columns are the following:

  • HostName
  • DomainName
  • ApplicationGroup
  • Environment
  • SystemOwnerName
  • SystemOwnerPhone
  • SystemOwnerEmail
  • SystemOwnerDepartment

All columns have a max size of 256 characters.

Example CSV

Hostname,DomainName,ApplicationGroup,Environment,SystemOwnerName,SystemOwnerPhone,SystemOwnerEmail,SystemOwnerDepartment
Merkur,testdom.local,"Application Group",Production,Donald Duck,+45123456,dd@duckburg.com,Customer Service
Venus,Unix,application group,Test,Mickey Mouse,+45999888,mm@duckburg.com,Transportation

Documentation

Type Name Support
Windows Windows Server 2000 Limited
Windows Windows Server 2003 Limited
Windows Windows Server 2008 Full
Windows Windows Server 2008 R2 Full
Windows Windows Server 2012 Full
Windows Windows Server 2012 R2 Full
Windows Windows Server 2016 Full
Windows Windows Server 2019 Full

Support for Unix scans on the following verified platforms:

Type Name
Unix Debian GNU/Linux 8 (jessie)
Unix Debian GNU/Linux 9 (stretch)
Unix Oracle Linux Server release 6.9
Unix Oracle Linux Server 7.5
Unix Red Hat Enterprise Linux Server release 6.7 (Santiago)
Unix Red Hat Enterprise Linux Server 7.5 (Maipo)
Unix Ubuntu 14.04.5 LTS, Trusty Tahr
Unix Ubuntu 16.04.5 LTS (Xenial Xerus)
Unix Ubuntu 18.04.1 LTS (Bionic Beaver)
Unix SUSE Linux Enterprise Server 12 SP3
Unix SUSE Linux Enterprise Server 15
Unix FreeBSD 10.4-RELEASE-p11 (GENERIC) (limited data)
Unix FreeBSD 11.1-RELEASE-p6 (GENERIC) (limited data)

OpsAI supports the newest version of major browsers including Chrome and Firefox on Windows, and Chrome, Firefox and Safari on MacOS. Minimum required screen size is 1280 x 960 pixels.

However, Microsoft Edge is not a supported browser as Microsoft has publicly stated here here that they are switching to the Chromium Engine.

Pre requisites for installing and configuring OpsAI Scanner

Have you determined and implemented the delegation model?

The OpsAI scanner runs under a Service or User account. This account must have the following permissions granted in order to scan servers:

  1. Local administrator on the server on which the scanner is installed
  2. Execute remote WMI calls
  3. Execute remote PowerShell

Scanner security recommendations

Always run OpsAI scanner with an account that has limited AD privileges - make sure the OpsAI scanner is not being executed as Domain Administrator or any other high privileged AD user.

Turn on the “Account is sensitive and cannot be delegated” attribute to prevent delegation attacks using the OpsAI Service or User Account.

Disable Unconstrained Kerberos delegation for machines/accounts when possible.

Monitor all machines with Unconstrained Kerberos delegation enabled for security incidents and treat them as a part of the high risk infrastructure.

Monitor actions performed by the account configured in the OpsAI Scanner, e.g., create alerts for suspicious activity (RDP connections, AD User/Group manipulation).

Only allow WinRM connections coming from trusted hosts - can be implemented either via firewall rule or adding hosts to TrustedHostsList.

How these permissions are granted vary from company to company. It is recommended that customers use a delegation model to grant the least amount of privileges to OpsAI Scanner.

The delegation model chosen should consider that new servers are added over time, and as a consequence should grant the least amount of privileges to those new servers. If not, new servers will appear as “Access Denied” on the OpsAI scanner status page.

If no delegation model exist, a way to grant permissions would be to create an “OpsAI Service Accounts” security group, add the OpsAI Service or User Account to the group and use a GPO to add the group to “Local Administrators” group on all servers. This approach violates the least amount of privileges principle.

Servers running OpsAI scanners must be considered as “Secure Administrative Hosts” and should be configured accordingly. Please refer to Microsoft “Implementing Secure Administrative Hosts” article.

Administrative credentials to the servers that will be scanned:

  1. For Windows servers, a service or user account with access to read and execute WinRM and WMI. This is needed for each individual Windows domain which will be inventoried.
  2. For Linux servers, a user with rights to logon and execute ssh commands is needed. (See below for two commands that require sudo access)
  3. User account running the Scanner Service must be local administrator.

You can check the group memberships of the scanner account like this:

  1. Start a new Powershell console as the user running the scanner.
  2. Run this command: “runas /user:domain\name Powershell”
  3. Replace “domain” with the netbios domain name and “name” with the account name.
  4. You will be prompted for password
  5. In the new Powershell console type: “whoami /groups /fo csv | convertfrom-csv”

Have you configured the OpsAI Scanner Windows Server?

  1. Windows server 2012 R2 / Windows 10 (x64) or newer, with .NET Framework 4.6.1 or later, FIPS must be disabled if scanning Unix machines
  2. Minimum 4 vCPU and 16Gb RAM.
  3. Domain joined

Have you configured external network ports?
HTTPS TCP Port 443 over SSL from OpsAI scanner Windows server to https://scan.opsai.com

Have you configured internal network ports?
OpsAI is an agentless scanner that uses WMI and WinRM to gather data. Both services are widely used in server environments and they can be adjusted to only allow granular access to certain objects and commands. If these services are not used and it is necessary to open for these services in the network, access should only be granted between the scanner server and the servers to be scanned, by implementing specific firewall rules explicitly stating the rules described below.

WMI:

  1. TCP Port 135 from OpsAI scanner Windows server to all Windows servers
  2. To test WMI connectivity use the “Get-WmiObject” PowerShell command
    Get-WmiObject -Class Win32_Service -ComputerName 10.0.0.1https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
  3. To test Remote Registry connectivity use this PowerShell command
    [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(-2147483646, 10.35.11.207)

RPC inspect:

  1. on firewalls with RPC inspect, dynamic high ports should be allowed. On firewalls without this feature, the dynamic high port range should be opened from the servers to be scanned to the scanning server.
 

WinRM (Remote PowerShell):

  1. TCP Port 5985 and 5986 between OpsAI scanner Windows server and endpoints/both ways
  2. To enable WinRM, use the Enable-PSRemoting PowerShell command on the target servers.
    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-5.1
  3. To test Remote Powershell use the “Test-WSMan” Powershell command
    Example:
    "Test-WSMan 10.0.0.1"https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/test-wsman?view=powershell-6

SSH::

  1. TCP Port 22 between Scanner server and endpoints/both ways

Have you downloaded the latest version of the OpsAI scanner?
Sign in to the organization portal at OpsAI.com, and navigate to the Scanner page. Click the download scanner button.

Have you enabled Remote PowerShell?
Enable PSRemoting remotely

  1. Download PsTools: https://download.sysinternals.com/files/PSTools.zip
  2. Extract PsExec to a folder, for example “C:\Temp\psexec.exe”
  3. Open Powershell and run: “Unblock-File C:\Temp\psexec.exe”
  4. Paste all names of the servers that should have WinRM enabled to an empty txt file with 1 server-name per line and save the file, for example “C:\Temp\Servers.txt”. The file content should look like this:Server1
    Server2
    Server3
  5. Start a new Powershell console as the user running the OpsAI scanner service. You can run this command to achieve this: runas /user:domain\name Powershell
  6. Replace “domain” with the netbios domain name and “name” with the account name. You will be prompted for password
  7. Create a variable holding the server names like this: “$Servers = Get-Content C:\Temp\servers.txt”
  8. Then run this command:"foreach ($Server in $Servers) {
    Write-host "Updating WinRM on $Server" -fore green;
    $exp = "C:\Temp\PsExec.exe -nobanner -d \\$($Server.Trim()) -s powershell Enable-PSRemoting -Force";
    Invoke-Expression $exp
    }"

OpsAI scanner install

  1. Copy the downloaded scanner install exe file to the server where it must be installed, launch it and follow the installation wizard.
  2. The OpsAI Configuration wizard will automatically start once installation has been completed.
  3. If you need to re-configure the scanner later, use the OpsAI icon placed on the Desktop.

OpsAI scanner configuration
Activation Code

Config Wizard

  1. Log on to your OpsAI organization, and navigate to the scanner page. Click “Generate new Activation Code”. Then click the Copy icon, and paste it into the “Activation Code” textbox in the OpsAI Scanner configuration wizard.
  2. Note: The Activation Code is only active for one hour. A new code can be retrieved by signing in to the organization portal at OpsAI.com

Active Directory Domains

Config Wizard
Press the “Add button” and select the Active Directory domains that should be scanned from the list. Once all desired domains have been configured, click “Next”

Linux/Unix credentials

Config Wizard

On the Unix tab, select “Enable Unix Scanner” if you want to scan Linux or Unix servers.

Please note that Linux or Unix scanning requires that the NMap (https://nmap.org/) tool is installed on same server as the OpsAI Scanner.

You must add Unix Credentials on the Unix tab: You can add general (global) User and SSH credentials or credentials per machine (IP address)

Please add these entries to /etc/sudoers, so OpsAI scanner may execute dmidecode and service commands as a privileged user (replace “linuxuser” with the actual Unix user name used by the scanner):

Cmnd_Alias DMIDECODE = sudo dmidecode -t system|grep -E '(Manufacturer|Product Name|UUID)'
Cmnd_Alias SERVICE = sudo service –status-all 2>/dev/null
linuxuser ALL=(root) NOPASSPWD: DMIDECODE
linuxuser ALL=(root) NOPASSPWD: SERVICE

The private key file used with SSH credentials supports RSA and DSA private key in both OpenSSH and ssh.com format. If the file has a Subject: header, you must remove it.

Sample of a valid file:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,DD06FC017B349484 lGoF/TTnsMoRpxDiFInQQIB/LcdKElaEkf6g14c6MiLj2s18eNmbEFvkb0tt/69PaVRxULQJjp9yjhn1Utcq8LnEHZ6P6LpzV9f6TWA+8qiBFjfbKulXdfTHLxqGNdq5
…more lines
jihdzRM/vTqMLszqjgJ7y5uAnQ6U/vcD/gfud1MTd2jJKtlrel+xNQ==
-----END RSA PRIVATE KEY-----

Federal Information Processing Standards must be disabled on the OpsAI Scanner Windows server for Unix scanning to succeed.

See https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

Start / Stop Scanner service

  1. On the Operate tab select the Domain(s) which scanner service you wish to install.
  2. Click “Install” and enter the full username and password for the service or user account that will run the service.
  3. Press “OK” to install and start the Windows Service instance. When the scanner service has been started, a full scanning of your IT infrastructure may take up to several hours.

Optionally, you can exclude individual servers from scanning. Create a txt file with either a computer name or IP address per line, and add it to the scanner via the "Exclusions" button. Notice that Windows servers that have been discovered and then removed from Active Directory will be automatically excluded from scanning.

Advanced scanner configuration
Usually, it is not necessary to change any settings in opsai.exe.config, but some of the settings may need changes based on special customer needs. The settings file (opsai.exe.config) is located in the “C:\program Files\OpsAI\Scanner” folder. To change any setting, open the file in Notepad and modify as required.

The following settings could be changed due to customer requirements:
MaxDop indicates the number of concurrently scanned machines. You can change the MaxDop default value of 4 to a higher value if you have a powerful machine (for example to 8 or 12 concurrent threads).
The RunnerTimeoutInSeconds value can be altered if you have a network with high latency and a number of servers remain in WMI status Unclassified.
The WmiTimeoutInSeconds value can be altered if you have a network with high latency and a number of servers remain in WMI status "Partial Data" and you see WMI timeout errors in the Troubleshoot tab for the server.

The purpose of this feature is to scan SQL Server instances and user databases to evaluate if they can be migrated to Azure SQL DB Managed Instance.

In order to use this feature perform the following steps:

  • Disable UAC on the scanner, follow these instruction.
  • Download and install the latest version of Microsoft Data Migration Assistant on the scanner machine. Version 4.5 or higher is required.
  • Enable SQL Server assessments in the OpsAI configuration tool on the scanner machine.
  • Optionally, configure credentails for your SQL Server instances using the OpsAI configuration tool. If no credentials are configured, the credentials of the scanner service will be used.
  • The scans will then be performed and the results can be viewed in the portal, by clicking the instance name on the SQL Server instance list.

The Windows account used for running the assesments must be granted the following rights:

GRANT CONNECT SQL TO [MyDomain\dma_user]
GO
GRANT CONNECT ANY DATABASE TO [MyDomain\dma_user]
GO
GRANT VIEW SERVER STATE TO [MyDomain\dma_user]
GO
GRANT VIEW ANY DEFINITION TO [MyDomain\dma_user]
GO
                                

Notice that these rights does not enable the account to access any data in the user databases on the SQL Server instance.

You can use the filtering features of the server list to only display servers that are "obsolete", for example servers that have been shut down and decommissioned.

In order to use this feature perform the following steps:

  • Add the WMI State column to the server list, and filter by "Not responding".
  • Add the "Last Logon" column, and order to this to see "old" servers.
  • Optionally, export the csv list of the result for further processing.

Go to the server list, and add the WMI Status column.

The WMI status can have one of the following values:

  • Unclassified: OpsAI knows of the server (from Active Directory for example), but has never attempted to scan it.
  • Success: OpsAI has successfully performed a full scan of the server.
  • Partial data: OpsAI has successfully performed a full scan of the server, but some parts of the scan has failed.
  • Not responding: OpsAI is unable to connect to the server – most likely due to missing network connectivity or because the server has been shut down.
  • Unauthorized: OpsAI can connect to the server, but the server actively refuses access.

Provided the scanner is still running, you can remove it by removing the machine account from Active Directory.

When you create an account and install the OpsAI scanner onto a designated Windows machine, you will be able to see the data collected from the scan on the OpsAI platform. 

Dashboard
The Platform’s dashboard gives you an overview of your IT environment. You will be able to view the data collected about your Geo Map, IT Infrastructure, Compliance Ratio, Business Applications, Risk Assessment, Technical Debt, Rightsizing potential and Support.

*Please note: in the demo version of OpsAI only Risk Assessment and Technical Debt data will be available.

Scanner Status
The OpsAI Platform lets you view the status of the scanner and the total amount of assets found and their states. Here you can download the latest version of the OpsAI scanner and generate a new keycode.

Assets
OpsAI gathers data from all your assets and lists in one place for you or you can view them by type. You can multi-select and edit servers, group them into the necessary application groups, filter and view server or application group details.  

  • How do I edit?
    To edit a server, select one or multiple servers in the server list, then click More Options. menu. Here you can move to an application group, create a new application group or change the server lifecycle.  
  • How do I group? 
    As mentioned above, to create an application group select multiple servers from the server list, click More Options menu Ad to an existing application group or Create a new group.
  • How do I see the details of an application group or server?
    To view the details of a server or application group simply click on the name of the asset in their given list.   

Cost
In the cost section of OpsAI, you have an overview of the potential cost of your assets when moved to the cloud either mapped 1:1 or Right Sized and based on Cloud provider, region, commitment and licensing. 

Settings
As an owner of the OpsAI organization account you can invite, delete or move ADMIN rights to another user and create another organization account if needed. You are also able to download an Excel file of the scanned data. 

  • How do give Admin rights to another in the organization?
    If you wish to invite another to manage your account, you must give them ADMIN rights. ADMIN rights give that person full access and the ability to edit the account itself.  
  • How do I Invite a new user to the organization?
    Yes, you can give others access to your organization account under Organization settings.  When you invite someone to your account, they will have access to view your data that has been collected  
  • How do I delete an unwanted organization account?
    If you feel that you no longer want to use OpsAI or created an unwanted organization, you can simply delete the organization account in the Organization settings under the profile “Edit”.
    Be aware that when you delete an organization, you will no longer be able to access that account and any data collected will be deleted.

Of course! We appreciate any feedback you may have about OpsAI. This can easily be done from the "Contact Us" section here, or by clicking “Feedback” in the OpsAI platform. 

If you have any problems with OpsAI, you can let u know by sending us an email through our website. We will try our best to fix any problem you may have. 

Take control of your infrastructure today

©2018 Cloudeon All rights reserved — CVR/VAT 37 19 61 69