On-Premise Agent
The OrbisID On-Premise Agent is an optional component that runs in network segments where target systems are not directly reachable from the OrbisID server. It polls the OrbisID API for scan jobs, executes them locally, and submits results back.
When to Use a On-Premise Agent
Deploy a On-Premise Agent when:
- Target systems are in segmented networks not accessible from the OrbisID server
- You have Windows systems to scan — Windows scanning always requires an agent (see Windows Scanning below); this is the one case where an agent isn't optional
- You are using Custom Script system types (Enterprise edition)
- You are using PAM Vault Script credentials that need to run locally
- Security policy requires scans to originate from within the target network
- The OrbisID server itself has restricted outbound internet access — cloud/SaaS connectors (AWS, Okta, Google Cloud Platform, etc.) can be routed through an agent that does have the required egress, rather than requiring direct internet access from the OrbisID server
Architecture
The agent communicates only with the OrbisID server (outbound HTTPS). It does not need to accept inbound connections.
Installation
Prerequisites
- Network access to target systems (LDAP/SSH/JDBC/WinRM ports/etc)
- HTTPS access to the OrbisID server
- One of:
- Docker 24+ (for containerised deployment)
- Java 17+ (for JAR deployment)
- Windows Server 2019+ (for the Windows Installer — required if you need to scan Windows systems)
Only the Windows Installer (below) bundles the Windows scan helper needed to scan WINDOWS-type systems. The Docker image and manual JAR deployments (Linux or Windows) can scan Active Directory, Linux, SQL Server, and other non-Windows types, but not Windows targets. See Windows Scanning for details.
Option A: Docker (Recommended)
- In OrbisID, navigate to Administration > On-Premise Agents
- Click Add Agent and note the agent key
- Click Download Docker Image to get the agent image tar file
- On the agent host:
# Load the Docker image
docker load -i orbisid-scan-agent.tar
# Create a config directory
mkdir -p /opt/orbisid-agent
# Create the configuration file (see Configuration below)
nano /opt/orbisid-agent/config.yml
# Run the agent
docker run -d \
--name orbisid-agent \
--restart unless-stopped \
-v /opt/orbisid-agent/config.yml:/app/config.yml:ro \
orbisid/scan-agent:latest
Option B: Windows Installer (Recommended for Windows scanning)
The Windows Installer is the only deployment option that bundles the Windows scan helper — use this if you need to scan WINDOWS-type systems.
- In OrbisID, navigate to Administration > On-Premise Agents
- Click Add Agent and note the agent key
- Click Download Windows Installer to get
OrbisID-Agent-Setup.exe - Run the installer on the agent host (Windows Server 2019+, admin privileges required)
- On the Java Runtime page, either use the bundled JRE (default) or point to an existing Java 17+ install
- On the Agent Configuration page, enter the OrbisID backend URL and the agent key from step 2
- Finish the wizard — the installer registers and starts OrbisID On-Premise Agent as a Windows service (via WinSW), including the bundled
orbisid-windows-scanner.exehelper used for WinRM/PowerShell Remoting
The service can be managed like any other Windows service (services.msc, or sc query OrbisIDAgent).
Option C: JAR (Windows, manual)
Use this only for non-Windows scanning (Active Directory, Linux, SQL Server, etc.) from a Windows host — it does not include the Windows scan helper, so WINDOWS-type systems assigned to an agent deployed this way will fail with an actionable error. Use Option B if you need Windows scanning.
- In OrbisID, navigate to Administration > On-Premise Agents
- Click Add Agent and note the agent key
- Click Download JAR to get the agent JAR file
- On the agent host, ensure Java 17+ is installed (
java -version) - Create a directory and copy the JAR:
mkdir C:\OrbisID\agent
copy orbisid-agent.jar C:\OrbisID\agent\
- Create the configuration file:
server:
url: https://your-orbisid-host
agent-key: <your-agent-key>
poll:
interval: 30
agent:
name: agent-corp-01
logging:
level: INFO
scan:
timeout: 3600
- Run the agent:
java -jar C:\OrbisID\agent\orbisid-agent.jar --config C:\OrbisID\agent\config.yml
For production, install it as a Windows Service using NSSM (Non-Sucking Service Manager):
nssm install OrbisIDAgent "C:\Program Files\Eclipse Adoptium\jdk-17...\bin\java.exe"
nssm set OrbisIDAgent AppParameters "-jar C:\OrbisID\agent\orbisid-agent.jar --config C:\OrbisID\agent\config.yml"
nssm set OrbisIDAgent AppDirectory "C:\OrbisID\agent"
nssm set OrbisIDAgent Start SERVICE_AUTO_START
nssm start OrbisIDAgent
Download NSSM from nssm.cc. After installation, the agent starts automatically on boot and restarts on failure.
Option D: JAR (Linux)
- In OrbisID, navigate to Administration > On-Premise Agents
- Click Add Agent and note the agent key
- Click Download JAR to get the agent JAR file
- On the agent host:
# Create a directory for the agent
mkdir -p /opt/orbisid-agent
cp orbisid-agent.jar /opt/orbisid-agent/
# Create the configuration file
nano /opt/orbisid-agent/config.yml
# Run the agent
java -jar /opt/orbisid-agent/orbisid-agent.jar \
--config /opt/orbisid-agent/config.yml
For production, create a systemd service:
[Unit]
Description=OrbisID On-Premise Agent
After=network.target
[Service]
Type=simple
User=orbisid
WorkingDirectory=/opt/orbisid-agent
ExecStart=/usr/bin/java -jar orbisid-agent.jar --config config.yml
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Configuration
The agent is configured via a config.yml file:
# OrbisID server connection
server:
url: https://your-orbisid-host
agent-key: <your-agent-key>
# Polling behaviour
poll:
interval: 30 # Seconds between job polls
# Agent identification
agent:
name: agent-dmz-01 # Descriptive name for this agent
# Logging
logging:
level: INFO # DEBUG, INFO, WARN, ERROR
# Scan execution
scan:
timeout: 3600 # Maximum scan duration in seconds (default: 1 hour)
Configuration Reference
| Setting | Default | Description |
|---|---|---|
server.url | required | Full URL of the OrbisID server (e.g., https://orbisid.example.com) |
server.agent-key | required | Agent authentication key (generated in OrbisID admin) |
poll.interval | 30 | How often (in seconds) the agent checks for new jobs |
agent.name | hostname | Descriptive name displayed in the OrbisID admin UI |
logging.level | INFO | Log verbosity. Use DEBUG for troubleshooting. |
scan.timeout | 3600 | Maximum time (in seconds) a single scan can run before being killed |
Agent Groups
Agent groups let you organise agents by network segment and assign systems to groups. When a scan job is created for a system, it is dispatched to an agent in the system's assigned group.
- In OrbisID, navigate to Administration > On-Premise Agents
- Create a group (e.g., "DMZ Agents")
- Add agents to the group
- Assign systems to the group
Systems not assigned to any group are scanned by the OrbisID server directly (if reachable) or by any available agent — except WINDOWS-type systems, which must be assigned to a group with at least one Windows-installed agent. Windows scanning cannot fall back to direct scanning by the OrbisID server.
Connector Support via Agent
Assigning an Agent Group to a system routes both its scans and its Test Connection checks through that agent instead of the OrbisID server. This works for almost every connector type — directory/network connectors (Active Directory, Linux, Windows, LDAP, SQL Server, Oracle, MySQL/MariaDB, PostgreSQL, network devices, etc.) as well as cloud/REST connectors (AWS, Azure-adjacent SaaS platforms, Okta, HashiCorp Vault, PAM platforms, and the rest of the OSType catalogue).
Agent-routed Active Directory scans and connection tests fully honour the system's Port, Use LDAPS (SSL), Use StartTLS, Trust All TLS Certificates, and referral-handling settings — the agent uses the same connection logic as a direct scan from the OrbisID server, not a simplified fallback.
Three exceptions are not agent-routable:
- Microsoft Entra ID (formerly Azure AD) — scans directly from the OrbisID server only
- CSV — the Manual Upload source mode reads a file already stored on the OrbisID server, so it cannot run on a remote agent (the Network Share source mode is unaffected if the agent can reach that share)
- CSV PAM — always reads from the OrbisID server's local filesystem
Assigning an Agent Group to any of these three will fail with an "Unsupported OS type" error; leave them unassigned so they scan directly from the OrbisID server.
Windows Scanning
Windows scanning connects via WinRM (PowerShell Remoting) using a bundled helper (orbisid-windows-scanner.exe) rather than a Java client, so it can keep pace with changes to Windows' own remoting stack. Because it uses Windows' real, native WinRM client (the same one Invoke-Command/New-PSSession use), it's also subject to that client's normal trust policies — unlike the previous Java implementation, which bypassed them. This makes Windows scanning agent-only, with four requirements beyond a normal agent deployment:
- The agent must be installed on Windows via the Windows Installer. Docker and manual JAR deployments (Linux or Windows) do not include the helper.
- Target hosts must have PowerShell Remoting enabled, not just a bare WinRM listener. From an elevated PowerShell prompt on each target:
Enable-PSRemoting -Force
winrm quickconfig alone is not sufficient — Enable-PSRemoting also registers the PowerShell remoting endpoint the helper connects to.
- Non-domain (workgroup) targets must be trusted by the agent host if connecting over plain HTTP (port 5985). Windows only allows Negotiate/NTLM authentication to a non-domain-joined computer when that computer is listed in the WinRM client's
TrustedHosts, or when Kerberos applies (both machines domain-joined). This commonly affects cloud VMs with auto-generated hostnames (e.g. AWS EC2'sEC2AMAZ-...default names). From an elevated PowerShell prompt on the agent host (not the target):
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "EC2AMAZ-XXXXXXX" -Concatenate -Force
Restart-Service WinRM
Use -Value "*" instead of a specific hostname to trust all targets from this agent (simpler, but trusts any host it connects to). Alternatively, configure a WinRM HTTPS listener on the target and use port 5986 — non-domain credentials over HTTPS use Basic authentication in this tool, which doesn't go through the native NTLM/TrustedHosts path at all, and is the more secure option regardless.
A failed connection due to this will surface Windows' own WinRM error text (mentioning TrustedHosts and error code 0x8009030d) in the scan/test failure message.
- Non-built-in local admin accounts need UAC remote-restriction disabled on the target if connecting over plain HTTP with a local (non-domain) account that isn't the literal built-in
Administratoraccount (SID ending-500). Windows filters that account's token for network logons by default (UAC remote restrictions), which produces the same0x8009030d/"A specified logon session does not exist" error as a missingTrustedHostsentry — even with correct credentials andTrustedHostsalready configured. From an elevated PowerShell prompt on the target (not the agent host):
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
-Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
Not needed if the credential is the actual built-in Administrator account, which is already exempt from this restriction.
Once all of the above are in place, assign the Windows system to an Agent Group containing the Windows-installed agent and scan as normal.
Custom Scripts
Requires Enterprise edition.
Custom scripts allow you to scan any system type by providing your own script that OrbisID executes via the On-Premise Agent.
Script Interface
The script receives a JSON payload on stdin with connection details:
{
"hostname": "target-host.example.com",
"port": 443,
"username": "service-account",
"password": "decrypted-password",
"parameters": {
"custom_param_1": "value1",
"custom_param_2": "value2"
}
}
The script must output a JSON result on stdout:
{
"success": true,
"accounts": [
{
"username": "admin",
"displayName": "Administrator",
"accountType": "HUMAN",
"enabled": true,
"groups": ["Administrators", "Remote Desktop Users"],
"lastLogon": "2025-01-10T14:30:00Z",
"attributes": {
"department": "IT",
"custom_field": "value"
}
}
],
"errorMessage": null
}
Account Fields
| Field | Required | Type | Description |
|---|---|---|---|
username | Yes | String | Account username |
displayName | No | String | Friendly display name |
accountType | No | String | HUMAN or NON_HUMAN |
enabled | No | Boolean | Whether the account is active |
groups | No | String[] | Group memberships |
lastLogon | No | ISO 8601 | Last login timestamp |
attributes | No | Object | Additional key-value metadata |
Script Modes
| Mode | Description |
|---|---|
| Path | The script already exists on the agent host at a specified path |
| Upload | The script is uploaded to OrbisID and delivered to the agent at scan time |
Connection Testing
When Test Connection is run for a Custom Script system, the agent executes the script with a --test flag appended to the command. The script should perform a lightweight connectivity check and exit with code 0 for success or non-zero for failure.