Movere deployment requirements

This article summarizes deployment requirements for the Movere Console.

Installing the console

Review the installation requirements summarized in the table.

| Requirements | Details | Verify |
| --- | --- | --- |
| Installation permissions | To install the Console, in Movere you need a Customer Tenant user account with Write permission. In addition, on the Console machine, you need Local Admin access to install and run the Console. Enable service logon for the user account running the console. This helps Movere service to persist. | Verify your Movere account settings. We recommend that you create a dedicated account for Movere, with Local Admin permissions. This account can then be used to access the machine on which you install the Console, and can also be used for scanning Windows devices. Create a dedicated service account for Movere. |
| Operating System | The Console machine should be a 64-bit Windows Server machine running Windows Server 2012, or later. You can run the Console on a Windows Server 2008 R2 machine, but we don't recommend this since Microsoft support has ended. You can run the Console on a Windows 10 machine, but we strongly recommend a Windows Server machine. | To check the operating system, from the command line run: `wmic OS get Caption, OSArchitecture, TotalVisibleMemorySize` |
| Install location | By default the Console is installed in C:\Movere. | Review the folder contents after installation. |
| .NET | The Console machine must run .NET framework 4.7.2 or later. | Check the .NET version. |
| Transport Layer Security (TLS) | The operating system must support TLS 1.2. The Console machine must also support any legacy versions of TLS that target devices might use during scanning communications with the Console. | Check the TLS version. |
| Memory | The Console machine needs at least 8 GB of RAM. If you want to use the option to upload data to Movere from the Console, instead of uploading directly from scanned devices, we recommend using SSD storage on the Console machine. | Verify the machine memory size. |
| Storage | The machine should have a minimum of 1 GB of free storage. | Verify from the command line: `wmic OS get Caption, OSArchitecture, TotalVisibleMemorySize` |
| Internet | The Console machine needs persistent internet access. Make sure a compatible browser (such as Microsoft Edge) is installed on the Console machine. | Verify connectivity from the command line: `ping bing.com` |
| Active Directory | The Console machine can be in a domain or workgroup, or located in a perimeter network. If you run the Console in a workgroup or in a machine in a perimeter network, you must start scans from the command line. | Check DNS resolution for domain machines. |
| Scan Microsoft 365 | If you scan Microsoft 365, these components must be installed on the Console: Microsoft Online Services Sign-In Assistant; Windows Azure Active Directory Module for Windows PowerShell. | Verify the components are installed. |
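The requirements above can be checked in one pass before installation. The following PowerShell script is an added example, not part of the Movere documentation or tooling; it assumes the default `C:` install drive and reads the standard .NET and SCHANNEL registry locations.

```powershell
# Added example: pre-install check for the Console requirements in the table above.
# Thresholds come from the table; C: is assumed from the default C:\Movere location.
$os   = Get-CimInstance Win32_OperatingSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"

# Installed RAM, summed over the memory modules (bytes).
$ramBytes = (Get-CimInstance Win32_PhysicalMemory |
    Measure-Object -Property Capacity -Sum).Sum

# .NET Framework 4.x publishes its version as a Release DWORD;
# 461808 is the lowest value that corresponds to 4.7.2.
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release

# SCHANNEL: TLS 1.2 is on by default on Windows Server 2012 and later, so only an
# explicit override (Enabled = 0 or DisabledByDefault = 1) is treated as a failure.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls    = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
$tlsOff = $tls -and (($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1))

# ProductType 1 is a workstation edition; Windows Server 2012 is version 6.2.
$isServer2012 = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'6.2')

$checks = [ordered]@{
    '64-bit operating system'                    = [Environment]::Is64BitOperatingSystem
    'Windows Server 2012 or later (recommended)' = $isServer2012
    '.NET Framework 4.7.2 or later'              = $release -ge 461808
    'At least 8 GB of RAM'                       = ($ramBytes / 1GB) -ge 8
    'At least 1 GB free on C:'                   = ($disk.FreeSpace / 1GB) -ge 1
    'TLS 1.2 not disabled in SCHANNEL'           = -not $tlsOff
}

foreach ($name in $checks.Keys) {
    $result = if ($checks[$name]) { 'OK' } else { 'FAIL' }
    '{0,-44} {1}' -f $name, $result
}
```

A `FAIL` on the operating system line is expected on Windows 10 or Windows Server 2008 R2, which the table allows but does not recommend.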

Console URL access

The Movere Console machine needs access to Movere URLs. Allow URLs that correspond to the region in which the Movere customer tenant is located.

Note

The Log in and UI, User Authentication, and Stats tab API URLs are not tied to a specific Movere region. Movere routes login and authentication requests to the Movere geographical region that is closest to the user's physical location. The region to which these requests are routed may differ from the region where the customer tenant and data are hosted.

Console port access

The ports needed for Console deployment and scanning are summarized in the graphic.

Figure: Ports required for deployment

On the Console machine, open these ports. These ports can't be customized. Some additional ports need to be open on target machines for scanning Windows machines and Linux machines.

| Console machine port | Direction | Details |
| --- | --- | --- |
| TCP 443 | Outbound external | Used to upload payloads via the Console to the cloud. |
| TCP 443 | Outbound internal | Used to download the token.txt file. Query VMware ESXi and XenServer. |
| TCP 445 (Windows File Sharing) | Outbound internal | Used to deliver the Movere bots (Inventory and ARC), Framework verifier, and token file to the target Windows devices. Used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| TCP 139 | Outbound internal | Used to deliver the Movere bots (Inventory and ARC), Framework verifier, and token file to the target Windows devices running Windows Server 2000. Used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. For Windows Server 2003 and above TCP 445 is required. |
| TCP 389 | Outbound internal | Used to query Active Directory (LDAP). |
| TCP 3268 | Outbound internal | Used to query the Global Catalog. |
| TCP 135 (NetBios) | Outbound internal | Used for scanning Remote WMI. |
| TCP/UDP 53, TCP/UDP 88 | Outbound internal | Used to locate the domain controllers and authenticate prior to object enumeration. |
| TCP 636 | Outbound internal | Used to communicate with the domain controller in the customer’s environment if secure LDAP is enabled. |
| TCP 22 | Outbound internal | Used to query VMware vCenter Server Appliance. Used to connect to Linux devices during scanning. |
| TCP 443 | Inbound internal | Used for all internal traffic between the targeted endpoints and the Console. Used for all requests from the Movere bots for secondary credentials and token refresh, and for routing payloads back to the Console for uploading. |
| UDP 137-139 | Inbound internal | Used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| Ephemeral port 49152 - 65535 | Inbound internal | Used to receive return traffic at the console. |
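To confirm that firewalls between the Console and your own systems permit the outbound internal TCP ports in the table, run a check like the following from the Console machine. This PowerShell script is an added example, not part of the Movere documentation; the host names are placeholders you must replace, and the UDP side of ports 53 and 88 is not tested.

```powershell
# Added example: outbound TCP reachability from the Console machine.
# Host names are placeholders (assumptions); replace them with your own systems.
$targets = @(
    # Domain controller: DNS, Kerberos, LDAP, Global Catalog.
    # Add 636 to this list only if secure LDAP is enabled.
    @{ Name = 'dc01.corp.example';         Ports = 53, 88, 389, 3268 }
    # Windows scan target: Remote WMI and file sharing.
    @{ Name = 'win-target.corp.example';   Ports = 135, 445 }
    # Linux scan target: SSH.
    @{ Name = 'linux-target.corp.example'; Ports = 22 }
)

function Test-TcpPort {
    param(
        [string]$HostName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection is refused.
        return $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    foreach ($p in $t.Ports) {
        [pscustomobject]@{
            Target    = $t.Name
            Port      = "TCP $p"
            Reachable = Test-TcpPort -HostName $t.Name -Port $p
        }
    }
}
$results | Format-Table -AutoSize
```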

Allow Console binaries

To ensure successful Movere scans, we strongly recommend adding all Movere binaries to anti-virus and security software allow lists in your environment. On the Movere console machine, allow these files (located in the Movere Console installation folder).

| App/file | Details |
| --- | --- |
| Movere.Console.WPF.exe | The service to install the Movere Console. |
| Movere.Service.exe | The Movere service to orchestrate scanning. |
| Movere.Uninstall.exe | The service to uninstall Movere. |
| Movere.UpdateService.exe | The service to automatically update to the latest version of the Movere Console (optional). |
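Before adding these files to an allow list, record what you are trusting. The following PowerShell script is an added example, not part of the Movere documentation; it assumes the default `C:\Movere` install location and reports each file's Authenticode status, signer, and SHA-256 hash so that entries can be made per file rather than for the whole folder.

```powershell
# Added example: inspect the Console binaries before allow-listing them.
# C:\Movere is the default install location from this page; adjust if you changed it.
$installDir = 'C:\Movere'
$binaries   = 'Movere.Console.WPF.exe', 'Movere.Service.exe',
              'Movere.Uninstall.exe', 'Movere.UpdateService.exe'

$report = foreach ($name in $binaries) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # UpdateService is optional, so a missing file is reported, not treated as an error.
        [pscustomobject]@{ File = $name; Status = 'Missing'; Signer = $null; SHA256 = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        File   = $name
        Status = $sig.Status                      # 'Valid' means the signature verified
        Signer = $sig.SignerCertificate.Subject   # review the signer before trusting the file
        SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Full paths of the files whose signature verified: candidates for per-file entries.
$report | Where-Object { $_.Status -eq 'Valid' } |
    ForEach-Object { Join-Path $installDir $_.File }
```

Re-run the script after each Console update, because new binaries have new hashes.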
