Restrict access to Logon page from the internet.
Learn how to secure your logon page by restricting access from the internet to enhance the security of your online accounts.
How does PowerSyncPro Migration Agent communicate with the PowerSyncPro server?
For the vast majority of our customers and partners, their own hosted PowerSyncPro server is presented to the internet over HTTPS for Migration Agent. This is so that the PowerSyncPro Migration Agent installed on your workstations can perform the following actions uninterrupted from any internet connection, at work or at home:
- Create a secure connection and register the workstation in your instance of PowerSyncPro
- Check hourly whether the machine is part of a batch, and therefore a runbook, for a migration
- Report progress and logging back to the PowerSyncPro server
PowerSyncPro recommends you make your server internet accessible with your own Public SSL (https) certificate. That way, when the device state changes (for example from AD joined to WORKGROUP to Entra Joined), your workstation keeps its access to the PowerSyncPro server for the items above, even if configuration items or settings that affect connectivity are removed or added during the state change.
What website address does PowerSyncPro server typically use?
For typical implementations when RDP'ing onto the server, you will be using the following address to access the PowerSyncPro server configuration:
http://localhost:5000
For Migration Agent, you will have an internet accessible endpoint. This is one of the parameters you specify in the Migration Agent MSI install:
https://pspma.mycompanydomain.com/agent
The other parameter is your server PreSharedKey (PSK).
What is undesirable?
Having this address accessible on the internet also makes it possible to log into the configuration GUI for PowerSyncPro.
It might be undesirable for the configuration console to be accessible externally.
For example, anyone who has the credentials can go to any configuration page over the internet:
https://pspma.mycompanydomain.com/sync/syncProfiles
How can this be circumvented?
PowerSyncPro Migration Agent only needs access to the following path of the URL to perform all the actions described at the beginning of this article.
/agent
So in our pretend example this would be:
https://pspma.mycompanydomain.com/agent
Using re-write rules in IIS, we can restrict access to only the /agent URL, so that other parts of the configuration are blocked by IIS.
Firstly, the prerequisite for using re-write rules is to have the following three features installed on the server (these are detailed in the prerequisites on the downloads page, PowerSyncPro - Downloads and Documentation):
- IIS
- Microsoft URL Rewrite
- Microsoft Application Request Routing 3.0 (x64)
Download this script onto the PowerSyncPro server from our GitHub page, and open an administrative PowerShell session.
The script requires two parameters:
- Domain: Your PSP external endpoint domain (e.g. psp.contoso.com). It must not include slashes or 'http'.
- LocalEndPoint: PSP local endpoint. Defaults to 'localhost:5000'. It must not include slashes or 'http'.
For our fictitious example it would be:
.\PSP-Replace-WebConfig.ps1 -Domain pspma.mycompanydomain.com -LocalEndpoint localhost:5000
When you run this, it will back up and standardise your web.config for PSP only. It expects the file to be in the standard location of:
C:\inetpub\wwwroot\web.config
Here is an example

Now test that, from the internet, you cannot get to this site or the logon page of the PowerSyncPro configuration:
https://pspma.mycompanydomain.com/sync/syncProfiles
You will now have to manage PowerSyncPro configuration when RDP'ing onto the server using:
http://localhost:5000
To manually configure re-write rules, please review the documentation on PowerSyncPro - Downloads and Documentation.
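To show what an "only /agent" rule set looks like in IIS URL Rewrite, here is an added illustrative web.config; it is not the file that PSP-Replace-WebConfig.ps1 writes and not PowerSyncPro's own configuration. The rule names and the 403 response are assumptions made for this example, and it assumes the ARR proxy is enabled at server level and that the article's fictitious domain and default local endpoint are in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative example only; rule names are hypothetical. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!--
          Weak form, shown for contrast only: it forwards every path to the
          local PowerSyncPro endpoint, so /sync/syncProfiles and the logon
          page stay reachable from the internet.

          <rule name="ProxyEverything" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:5000/{R:1}" />
          </rule>
        -->

        <!-- Rule 1: forward only /agent and anything beneath it.
             The pattern is tested against the path without its leading
             slash; "agents" or "agentx" do not match because the optional
             group must start with "/". -->
        <rule name="AllowAgentOnly" stopProcessing="true">
          <match url="^agent(/.*)?$" />
          <conditions>
            <!-- Only answer for the published host name. -->
            <add input="{HTTP_HOST}" pattern="^pspma\.mycompanydomain\.com(:443)?$" />
          </conditions>
          <!-- {R:0} is the whole matched path; the query string is appended by default. -->
          <action type="Rewrite" url="http://localhost:5000/{R:0}" />
        </rule>

        <!-- Rule 2: anything that did not match rule 1 is refused by IIS
             and never reaches the PowerSyncPro application. -->
        <rule name="BlockEverythingElse" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Only /agent is published externally." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rule order matters: the allow rule must come first, because each rule stops processing once it matches. Requests made on the server to http://localhost:5000 do not pass through IIS, so the configuration console stays available locally.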