Installing The Windows Cerulean Agent

A step-by-step guide to installing and managing the Cerulean Agent on your Windows servers and workstations.

Overview

The Cerulean Agent provides automated data collection and configuration services for your end points and lays the framework for AgileBlue's autonomous response capabilities. The Cerulean Agent includes several enhancements and remote support capabilities not included in previous AgileBlue Management Agent versions.

Additionally, the Cerulean Agent no longer includes Sysmon64, minimizing its footprint on your Windows machines while enhancing AgileBlue's monitoring capabilities.

Relevant Agent Versions

This guide covers the installation process for the Cerulean Agent, starting with version 2304.3.2.

For questions regarding installation of previous AgileBlue Agent versions, click here.

Supported Operating Systems

The agent supports the following Windows operating systems:

Windows 8.1 and newer
Windows Server 2012/R2 and newer

Minimum System Requirements

The agent is specially designed to use minimal system resources; the requirements for the agent are simply that of the operating system installed. Special consideration should be made on virtual machine infrastructure such that the actual allocation of resources meets the operating system / user load requirements. Specifically, shared computing environments such as VDI desktops or Terminal Server / Services should have adequate resources to handle the user load. (E.g. enough physical resources that each user has sufficient resources allocated to their session.) AgileBlue cannot guarantee the complete functionality of the agent if resources do not meet recommended levels.

Networking Requirements

The Cerulean Agent, and its associated data collection services, securely sends data over the internet to the AgileBlue Cloud. To allow this, the following ports should be configured for outbound traffic on all devices and environment firewalls, routers, etc.

TCP Outbound Port 443
TCP Outbound Port 9243

Additionally, the Cerulean Agent will install the Elastic Agent, which requires the following TCP ports to be available:

6791/HTTP
- This port is leveraged for performance monitoring of the Elastic Agent
6789/GCRP
- Used for management of the Elastic Agent

Anti-Virus Configuration

The Cerulean Agent performs administrative actions on your devices that some anti-virus systems may identify as malicious. To prevent anti-virus systems from quarantining or otherwise impeding the agent from performing its responsibilities, please be sure to whitelist the related files and services.

C:\Program Files\Cerulean\*
C:\Program Files\Elastic\Agent*
C:\programdata\cerulean\*
C:\Program Files\Elastic\Agent\elastic-agent.yml
C:\Program Files\Elastic\Agent\fleet.enc
C:\Program Files\Elastic\Agent\data\elastic-agent-*\logs\elastic-agent-json.log
C:\Program Files\Elastic\Agent\data\elastic-agent-*\logs\default\*-json.log*
C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe

Download the Installer

When downloading the Cerulean Agent installer, you will receive a ZIP file containing two files: windows_installer3.exe and config.json. Both items will important for the installation process.

Open a web browser and navigate to the AgileBlue Portal
Select Agent from the management section of the navigation menu
Click on the Windows Agent Installer tile
Take note of the API Key provided on the corresponding pop-up

Install the Agent

The Cerulean Agent can be installed locally on your Windows machine or deployed via your RMM. This section covers local installations.

Unzip the file collected in the previous section
Right click on windows_installer3.exe and select Run as administrator

Optionally, the install can also be completed from a command prompt. This is especially useful if the config.json file is not located in the same directory as the installer.

Open an administrative Command prompt
Navigate to the directory containing the installer executable
Run the following command, being sure to replace "YOURAPIKEY" with the API Key provided when you first downloaded the installer. That value can also be found on the Alert Playbook page in the portal:

windows_installer3.exe install -a YOURAPIKEY -u https://agentapi.agileblue.com

Confirm Installation Success

There are a couple of different methods to confirm the installation of the agent. Most importantly, you will want to verify that the following services are present on the machine on the machine with the status and startup type reflected below:

Cerulean Agent
- Status: Running
- Startup Type: Automatic
Cerulean Updater
- Status: N/A
- Startup Type: Manual
Elastic Agent
- Status: Running
- Startup Type: Automatic

Elastic Endpoint
- Status: Running
- Startup Type: Automatic

Optionally, you can confirm installing by checking for the agent file located at:

C:\Program Files\Cerulean\cerulean-agent.exe

Manage Your Installation

In addition to the installation commands above, the Cerulean Agent has several helpful built-in options available to you as well. When operating from an elevated command prompt, you can utilize the following commands and flags to achieve the listed actions. Additionally, you can add the command help to see these commands during the installation, uninstallation, or troubleshooting processes:

windows_installer3.exe help

Available General Commands:

help
- Help about any command
install
- Installs the Cerulean Agent onto the system
repair
- Repair a Cerulean Agent installation
uninstall
- Uninstalls the Cerulean Agent

Available General Flags:
*Note: All flags must be added after one of the commands listed above.

-h
- help for windows_installer3.exe
-v
- Verbose output
-i
- Places agent into image mode, ment for Golden Image usage
-s
- Places agent into syslog mode

Agent Deployment

If you are leveraging an RMM for deployment of the Cerulean Agent, utilize the following command:

windows_installer3.exe install -a YOURAPIKEYHERE -u https://agentapi.agileblue.com

Questions? Contact AgileBlue Support.

Email: support@agileblue.com
Phone: (216) 606-9400🚨