Add Windows Remote Server, Not on Domain

To add a remote Windows server that is not and will not be part of your Active Directory domain, follow the steps below:

Set Up Host in Management UI

Follow the steps from the Add Test Connection documentation until you get to the Tunnel page of the Add Endpoint Wizard. On this page, do the following:

  1. Adjust the IP address ranges listed in the Except for field on the left side of the page to include the networks or hosts at the remote server’s site that the server needs to access. For example, for a server running an application that needs to connect to a database at the same remote site, make sure the IP address of the database is included in the networks listed in the Except for field. Also make sure that if the server needs to use DNS resolvers from the remote site, the IP addresses of those resolvers are included.

    If you will need to access the server over RDP (or another remote-access system) to install the agent, also include the IP address of your administrative workstation as seen from the server (for example, if the public IP address of the Internet access point used by your admin workstation is 198.51.100.123, add 198.51.100.123/32 to the Except for field).

  2. Adjust the IP addresses listed in the WireGuard Address fields on the right side of the page if you have selected a specific set of addresses for the server, or if you have already assigned the suggested addresses to some other computer.

  3. Click the Next button. This will take you to the Extras page of the Add Endpoint Wizard.

  4. Select Private for the Firewall Zone dropdown.

  5. If the server needs to use DNS resolvers from the remote site, select the No changes to DNS settings when tunnel is up option; otherwise select the Use custom DNS settings when tunnel is up option, and make sure the DNS Server list includes DNS resolvers to which the remote server will be able to connect through the ACSC network – and which will be able to answer all of the remote server’s DNS queries (including for hosts at the remote site).

  6. Click the Next button. This will take you to the Review page of the Add Endpoint Wizard.

  7. Click the Apply button. This will add the server to the ACSC network.

  8. Click the Set Up Agent icon on the Point panel on the right side of the page. This will take you to the Set Up page for the server.

  9. Click the acsc.conf and acsc-setup.conf links. This will download the unique acsc.conf and acsc-setup.conf files for the server.

Install Agent on Host

To install the ACSC agent on the server, perform the following steps on the server as an Administrator user:

  1. Create a new C:\Program Files\Anti-Cloud\Secure Connect\agent\cnf\ directory on the server.

  2. Copy the server’s unique acsc.conf and acsc-setup.conf files you downloaded above into this directory on the server.

  3. Copy the agent’s MSI (Microsoft Installer) package to the server, and execute it.

  4. If the PowerShell execution policy on the server is Restricted, change its policy to RemoteSigned (or AllSigned):

     PS> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
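The four installation steps above, carried out from one elevated PowerShell session, as an added example (this is not a script shipped with the ACSC agent). It assumes the two downloaded .conf files are in the administrator’s Downloads folder, that the agent MSI was copied to C:\Temp\acsc-agent.msi (both paths are placeholders), and that the MSI accepts the standard msiexec unattended-install switches.

```powershell
# Added example (not part of the ACSC documentation or product): performs the
# install steps from an elevated PowerShell session.
# Assumed locations (placeholders; adjust to where you put the files):
$ConfigSource = "$env:USERPROFILE\Downloads"      # where acsc.conf / acsc-setup.conf were saved
$AgentMsi     = 'C:\Temp\acsc-agent.msi'          # where the agent MSI was copied to
$ConfDir      = 'C:\Program Files\Anti-Cloud\Secure Connect\agent\cnf'

# Both the Program Files directory and the MSI need administrator rights, so
# stop early with a clear message rather than failing halfway through.
$IsAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) { throw 'Run this script from an elevated (Administrator) PowerShell session.' }

# Step 1: create the configuration directory (no-op if it already exists).
New-Item -ItemType Directory -Path $ConfDir -Force | Out-Null

# Step 2: copy the server's unique configuration files, failing if either is missing.
foreach ($Name in 'acsc.conf', 'acsc-setup.conf') {
    $Src = Join-Path $ConfigSource $Name
    if (-not (Test-Path -LiteralPath $Src)) {
        throw "Missing $Src - download it from the server's Set Up page first."
    }
    Copy-Item -LiteralPath $Src -Destination (Join-Path $ConfDir $Name) -Force
}

# Step 3: run the MSI unattended and keep a verbose log; a non-zero exit code
# from msiexec means the install did not complete.
$LogFile = "$env:TEMP\acsc-agent-install.log"
$Proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$AgentMsi`" /qn /l*v `"$LogFile`"" `
    -Wait -PassThru
if ($Proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($Proc.ExitCode); see $LogFile"
}

# Step 4: only loosen the execution policy if it is actually Restricted, and only
# as far as RemoteSigned, so local scripts run but downloaded ones must be signed.
if ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'Restricted') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}
```

The install log is worth keeping: if the agent service does not appear after the MSI finishes, the log shows which custom action failed without having to rerun the installer interactively.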

Allow Network Services on Host

Once the agent has been installed and starts up, the server will have full outbound access to the organization’s ACSC network. Additionally, other devices on the organization’s ACSC network will have inbound access to the server according to the Windows firewall rules configured on the server for the Private firewall profile.

To enable inbound access to other network services on the server exclusively through the ACSC network, configure Windows Defender Firewall rules on the server that allow access only through its acsc0 network interface.

For example, you could run the following PowerShell command on the server to allow access from the ACSC network to a web server running on TCP port 80 of the server:

PS> New-NetFirewallRule `
    -Name custom1 `
    -DisplayName "Web Server HTTP-In ACSC" `
    -Group "Custom" `
    -Enabled True `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 80 `
    -InterfaceAlias acsc0
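The checks a practitioner would want before relying on a rule like the one above, as an added example that is not part of the ACSC documentation: confirm that acsc0 actually landed in the Private profile (the profile whose rules govern the server’s inbound exposure), list which interface each Custom-group inbound rule is bound to so an unscoped rule stands out, and then add a second rule in the same pattern for RDP so that remote desktop is reachable only over the tunnel. It assumes the interface alias acsc0 and the rule group "Custom" from the command above; the rule name custom2 is a placeholder.

```powershell
# Added example (not part of the ACSC documentation or product).
$Iface = 'acsc0'   # interface alias used by the page's example rule

# 1. The agent's inbound exposure is governed by the Private profile, so a tunnel
#    interface that ended up in Public or DomainAuthenticated would not behave as
#    this section describes. Fail loudly rather than scope rules to the wrong profile.
$Profile = Get-NetConnectionProfile -InterfaceAlias $Iface -ErrorAction Stop
if ($Profile.NetworkCategory -ne 'Private') {
    throw "$Iface is in the $($Profile.NetworkCategory) profile; expected Private."
}

# 2. For every inbound Allow rule in the Custom group, show protocol, port and the
#    interface(s) it is bound to. An interface filter of 'Any' (or none) means the
#    rule applies on every interface, i.e. it is not restricted to the tunnel.
Get-NetFirewallRule -Group 'Custom' -Direction Inbound -Action Allow |
    ForEach-Object {
        $Rule   = $_
        $Ifs    = ($Rule | Get-NetFirewallInterfaceFilter).InterfaceAlias
        $Port   = $Rule | Get-NetFirewallPortFilter
        $Scoped = @($Ifs | Where-Object { $_ -and $_ -ne 'Any' })
        [pscustomobject]@{
            Name      = $Rule.Name
            Protocol  = $Port.Protocol
            LocalPort = $Port.LocalPort
            Interface = if ($Scoped) { $Scoped -join ',' } else { '(ALL interfaces - not scoped!)' }
        }
    } | Format-Table -AutoSize

# 3. Same pattern as the page's port-80 rule, applied to RDP (TCP 3389). Adding
#    -Profile Private makes the scoping explicit even if the interface were later
#    re-categorised; without it the rule would apply in whatever profile acsc0 is in.
New-NetFirewallRule `
    -Name custom2 `
    -DisplayName "Remote Desktop TCP-In ACSC" `
    -Group "Custom" `
    -Enabled True `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 3389 `
    -InterfaceAlias $Iface `
    -Profile Private | Out-Null
```

Run the listing step again after any change to the Custom group; a rule whose Interface column reads "(ALL interfaces ...)" is open on the server’s non-tunnel interfaces as well and should be corrected with Set-NetFirewallRule -InterfaceAlias.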

Add DNS Entry for Host

Other devices on the organization’s ACSC network will be able to access the server using its ACSC addresses. These are the addresses set in the WireGuard Address field of the Add Endpoint Wizard described above. For example, if the server’s IPv4 ACSC address is 10.234.123.56, and the server is running a web server on TCP port 80 (and the server’s firewall allows access to the server as described above), other devices using IPv4 on the ACSC network will be able to access the web server via a URL of http://10.234.123.56.

If you want to provide convenient DNS entries for servers on the ACSC network, create a private zone for them on your DNS servers (or use an existing private zone). Add an A (IPv4) and/or AAAA (IPv6) record for each server you want to provide with a DNS entry. For example, if you created a zone on your DNS servers named acsc.corp for servers in your ACSC network, you might add an A record like the following for the above example web server:

webserver 3600 IN A 10.234.123.56

If you did that, devices on the ACSC network using that DNS server would be able to access the web server via a URL of http://webserver.acsc.corp.
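The zone and record above created with the Windows DNS Server cmdlets, plus a resolution check, as an added example that is not part of the ACSC documentation. It assumes the DNS server is a Windows server with the DNS Server role and the DnsServer PowerShell module installed and that the zone is acsc.corp as in the text; the IPv6 address 2001:db8::56 is a placeholder, since the text gives only the server’s IPv4 ACSC address.

```powershell
# Added example (not part of the ACSC documentation or product).
Import-Module DnsServer

$Zone    = 'acsc.corp'
$Servers = @(
    # IPv4 from the page's example; the IPv6 value is a placeholder.
    @{ Name = 'webserver'; IPv4 = '10.234.123.56'; IPv6 = '2001:db8::56' }
)

# Create the zone once. A file-backed primary zone with dynamic updates disabled
# keeps it out of the AD namespace (these servers are deliberately not domain
# members) and means records change only through explicit administrator action.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
}

$Ttl = New-TimeSpan -Seconds 3600   # matches the 3600 in the zone-file line above
foreach ($S in $Servers) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $S.Name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $S.Name -IPv4Address $S.IPv4 -TimeToLive $Ttl
    }
    if ($S.IPv6 -and -not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $S.Name -RRType AAAA -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordAAAA -ZoneName $Zone -Name $S.Name -IPv6Address $S.IPv6 -TimeToLive $Ttl
    }
}

# Verify on the DNS server itself that the name resolves to the ACSC address and
# nothing else. A stale record pointing at the server's pre-tunnel address would
# quietly send clients around the tunnel instead of through it.
$Answer = Resolve-DnsName -Name "webserver.$Zone" -Type A -Server 127.0.0.1 -ErrorAction Stop
if (@($Answer.IPAddress) -ne '10.234.123.56') {
    throw "webserver.$Zone resolves to $($Answer.IPAddress -join ','); expected 10.234.123.56"
}
```

Clients on the ACSC network must be using this DNS server (or one that forwards the acsc.corp zone to it) for the name to resolve; the Use custom DNS settings option on the Extras page is where that is set for endpoints added through the wizard.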