Cloud Agent Preparation for Cloning / Gold Image

Steps to Install Cloud Agent on Golden Image

If GoldenImage=true is passed as a parameter during installation, the agent is installed in a non-running state and does not generate a HostID. The agent starts working after the agent host restarts, or when you manually start the Cloud Agent services. The HostID is generated once the Cloud Agent starts working on the agent host.

Run the following command, or use a systems management tool, to install the Cloud Agent into the Golden Image according to your organization's standard software installation process.

> QualysCloudAgent.exe CustomerId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} ActivationId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} WebServiceUri=<platform_url>/CloudAgent/ GoldenImage=true

Deployment in Cloned or Gold Images

The Qualys Cloud Agent supports configuration and deployment into cloned images in physical, virtual, and cloud environments (including Amazon AWS and Microsoft Azure). The Cloud Agent is created with a universally unique identifier (UUID) as its Agent ID as part of the provisioning process between the agent and the Qualys Platform or Private Cloud Platform. Each Cloud Agent must have a unique Agent ID to avoid issues with the management and reporting of the Cloud Agent.

Use the following deployment guidelines to generate unique UUIDs across deployments in cloned or gold images.

This method is for all supported versions of Windows.

  • Install the operating system, applications, and patches. Refer to Steps to Install Cloud Agent on Golden Image for more about Cloud Agent installation.

    QualysCloudAgent.exe CustomerId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} ActivationId={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} WebServiceUri=<platform_url>/CloudAgent/ Proxy="/u <proxy url> /n <proxy username> /p <proxy password> a/<PAC file url>"
  • Create a snapshot of the Gold Image before proceeding.
  • Verify that the Gold Image instance has no network connectivity to the Qualys Cloud Platform or deployed Private Cloud Platform(s) during the Cloud Agent installation. Ways to do this include, but are not limited to:
      ◦ Turn off networking to the Gold Image from the virtualization manager.
      ◦ Manage the Gold Image in a network that does not have network connectivity.
      ◦ Create a bogus entry in the local hosts file (located at C:\Windows\System32\drivers\etc\hosts) that points the DNS name of the public POD or PCP that the agent connects to at an address such as 127.0.0.1 (make sure to remove this entry before the Gold Image is cloned).
      ◦ Create a temporary Windows firewall rule to block the Cloud Agent process from communicating over the network (make sure to remove this rule before the Gold Image is cloned).
  • Install the Qualys Cloud Agent and configure it using your assigned Activation ID and Customer ID.
  • The Cloud Agent will attempt to connect to the Qualys Platform to provision. Without connectivity, the agent will remain in an unprovisioned state pending its next successful connection to the Qualys Platform.
  • If this is not the last application or service to be installed in the Gold Image, shut down the Cloud Agent service and set its auto-start to "Disabled" so that the agent doesn't start and provision itself during the remainder of the Gold Image configuration; make sure to set the Cloud Agent service to "Automatic" start before cloning the Gold Image.
  • Shut down the Gold Image and make it available for cloning.
  • Upon start-up of a cloned image, the Cloud Agent will start, connect to the Qualys Platform, get provisioned, and generate its UUID for that running cloned instance.
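
The steps above leave three things that must be undone before the Gold Image is cloned: the hosts-file entry, the temporary firewall rule, and the "Disabled" service start type. The following PowerShell script is an added example, not part of the Qualys documentation, that checks all three; the service name, the platform host name and the firewall rule name are assumptions you supply for your environment.

```powershell
# Added example: checks to run on the Gold Image right before shutting it down for cloning.
param(
    [Parameter(Mandatory)][string]$ServiceName,   # assumption: the agent's Windows service name; confirm with Get-Service
    [Parameter(Mandatory)][string]$PlatformHost,  # host part of <platform_url> used in WebServiceUri
    [string]$BlockRuleName = 'TEMP-Block-CloudAgent',  # hypothetical display name of the temporary firewall rule
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
)

# Returns $true when any non-comment hosts line maps $Name to an address.
function Test-HostsOverride {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $entry = ($line -split '#', 2)[0].Trim()       # strip trailing comment
        if (-not $entry) { continue }
        $fields = @($entry -split '\s+')               # address, then one or more names
        if ($fields.Count -gt 1 -and $fields[1..($fields.Count - 1)] -contains $Name) {
            return $true
        }
    }
    return $false
}

$problems = @()

# 1. The service must auto-start so each clone provisions itself on first boot.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "Service '$ServiceName' not found."
} elseif ($svc.StartType -ne 'Automatic') {
    $problems += "Service '$ServiceName' start type is $($svc.StartType); set it to Automatic."
}

# 2. The hosts-file block for the platform name must be gone.
if (Test-HostsOverride -Lines (Get-Content -Path $HostsPath) -Name $PlatformHost) {
    $problems += "Hosts file still overrides '$PlatformHost'; remove the entry."
}

# 3. The temporary firewall block rule must be gone.
if (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue) {
    $problems += "Firewall rule '$BlockRuleName' still exists; remove it."
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Gold Image pre-clone checks passed.'
```

Run it from an elevated prompt on the Gold Image as the last step before shutdown; a non-zero exit code means a clone built from this image would either fail to reach the platform or never start the agent.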

Alternative approach: You can install the Cloud Agent into instances in domain join script(s) as part of the final installation/provision for hosts. This approach simplifies the gold image installation but requires additional processing during the domain join.

Not following these procedures (or deploying or upgrading agents with incorrectly configured software distribution tools) can create duplicate host records in the Qualys Cloud Platform. When duplicate host records exist, the new Agent UUID has all the vulnerability, compliance, and asset inventory information after the re-provisioning date of the Cloud Agent.

If you have duplicate host records, you can remove them by uninstalling the hosts associated with the old UUIDs from the Cloud Agent user interface or the API. This does not affect the functionality of the Cloud Agent using the new UUID.

If there are too many duplicate records and you cannot remove them yourself, contact Qualys Customer Support.