Windows Server Prerequisites
Make sure your system fits the descriptions below before starting the installation.
Backup Operator Privileges
The user configured in the Permissions prerequisites section must be a member of the local Backup Operators group on the file server. This membership eliminates the need to grant the Data Access Security user explicit permissions on every folder on the file server. By using the Backup Operator privilege, Data Access Security can crawl, collect permissions, and classify data even if the user does not have explicit permissions to the folder.
Permissions
Data Access Security requires different permissions based on the tasks that require those permissions. The user configured in the Application Configuration wizard must have the following permissions on the file server:
- Share Read permissions to all shares on the file server
- Member of the local Backup Operators group on the file server
- Member of the local Administrators group on the file server
The following describes required permissions by each Data Access Security task:
- Crawling - The user must have Share Read permissions to all the shares on the file server and be a member of the local Backup Operators group on the file server.
- Permission Collection - The user must have Share Read permissions to all the shares on the server and be a member of the local Backup Operators group on the server. The user must also be a member of the local Administrators group to read the Share Permissions and the local Users and Groups of the server.
- Data Classification - The user must have Share Read permissions for all the shares on the server and be a member of the local Backup Operators group on the server.
Best Practice
Verify that the Identity Collector associated with this application has completed an aggregation initiated from Data Access Security by navigating to Admin > Identity Collector > locate IC > Actions > Run Aggregation. This ensures all permissions will be mapped properly to Identity Security Cloud identities.
Activity Monitor Installer
An Activity Monitor Installer is required for Windows File Server–type applications only. The Activity Monitor Installer can be downloaded here.
The installer is a command-line application that receives parameters and installs the Activity Monitor service inside the Windows File Server.
Important
The installer must be executed from within the Windows File Server.
Activity Monitor Installer Prerequisites
ASP.NET Core 10.0 Runtime v10.0.7 - Windows Hosting Bundle Installer must be installed on the virtual machine. If it is missing, the installer will not start and will notify the user.
Supported Windows Versions
The installer can be installed on:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Activity Monitor Installer Installation Phases
- Configure the application using Data Access Security.
- Retrieve one IP address in the virtual appliance cluster (Activity Monitor).
- Install the Activity Monitor on the virtual machine.
Activity Monitor Installer Installation
The installer command-line application accepts the following parameters:
| Parameter | Description |
|---|---|
| -f, --folder | (Required) Installation folder path |
| -c, --cert | Certificate thumbprint |
| -h, --host | (Required) VA address |
| -p, --port | VA port. Default: 11000 |
| -v, --verbose | Enables verbose log level |
| -l, --log | Log file path |
| -r, --rollback | Enables rollback support |
| -?, -h, --help | Shows help and usage information |
Here is an example with actual values:
"Data Access Security Installer v1.2.0.0.exe" install -f C:\InstallerPath -h "172.16.4.101"
Note
If there are multiple virtual appliances in the cluster, add one IP for the virtual appliance cluster. Once the service is installed, it will pick up all the other IPs of the virtual appliance cluster and configure them automatically.
After the installation is completed, the DAS_WFS service will be installed and running on the File Server.
Mutual Authentication (mTLS)
With mutual TLS enabled, the Windows agent connects to the Data Access Security on-prem activity listener over HTTPS and both sides present certificates. Traffic uses TCP port 11000 by default.
Note
All activity applications on the same virtual appliance must use the same Activity Monitoring SSL setting - all Mutual Auth, or all non–Mutual Auth.
When configuring the Activity Monitoring SSL settings within the Connection Details of the application configuration:
- Select Mutual Auth.
- The Virtual Appliance Certificate File should be in the PKCS#12 form (.pfx / .p12 with private key). This is what secures HTTPS on the virtual appliance.
- Set Virtual Appliance Certificate File Password to the password of the uploaded PKCS#12 file.
- The Windows Activities Service Certificate File is delivered in PEM or CER form (public certificate text; must be readable as PEM, starts with -----BEGIN CERTIFICATE-----).
  Upload the public client certificate that matches the Windows thumbprint, or the issuing CA (or intermediate) certificate that signed it.
  This PEM is uploaded in the application configuration only. You must still install the matching client certificate with a private key on each Windows server and set CertificateThumbprint; see the following instructions.
Each Windows server running DAS_WFS needs the following:
- A client authentication certificate with private key, installed in Local Computer > Personal (My).
- In %ProgramData%\DAS_WFS\config.json, under WinActivitiesCollector, set CertificateThumbprint to the certificate’s thumbprint and set the virtual appliance addresses and port to the Data Access Security listener.
- Ensure the Windows machine trusts the listener certificate (issuer in Trusted Root / Intermediate Certification Authorities as appropriate for your PKI).
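The following check of the client-certificate requirements above is an added example, not part of the product or its documentation. It assumes config.json is plain JSON with the WinActivitiesCollector and CertificateThumbprint keys named on this page; the function name Test-DasClientCertificate is hypothetical.

```powershell
# Added example (not vendor code). Run elevated on the file server that hosts DAS_WFS.
function Test-DasClientCertificate {
    param([string]$ConfigPath = (Join-Path $env:ProgramData 'DAS_WFS\config.json'))

    # Assumption: config.json parses as plain JSON with the keys named on the page.
    $config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
    $raw    = [string]$config.WinActivitiesCollector.CertificateThumbprint
    # Thumbprints pasted from the certificate MMC can carry spaces or invisible characters.
    $thumb  = $raw -replace '[^0-9A-Fa-f]', ''
    if (-not $thumb) { throw "CertificateThumbprint is empty in $ConfigPath" }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) {
        $inUser = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumb
        $hint = if ($inUser) { 'is under Current User; it must be in Local Computer > Personal (My)' }
                else { 'was not found in Local Computer > Personal (My)' }
        throw "Certificate $thumb $hint"
    }

    # An absent EKU extension means the certificate is valid for all purposes.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids    = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $clientAuth = (-not $eku) -or ($ekuOids -contains '1.3.6.1.5.5.7.3.2')

    # Build the chain against the machine trust stores; revocation is skipped so it runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        ConfigValueClean = ($raw -eq $thumb)      # False: config value has stray characters
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey
        InValidityPeriod = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ClientAuthEku    = $clientAuth
        ChainBuilds      = $chainOk
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-DasClientCertificate
```

Any False value in the output corresponds to one of the causes listed under Mutual Authentication Troubleshooting (wrong store, missing private key, expired certificate, or broken chain).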
SAN and Names
Avoid a mismatch between SAN and names.
- The agent opens TLS to the IPs you put in virtual appliance addresses (defined in the config file, e.g. “172.31.64.106”).
- The certificate should include the IP in Subject Alternative Name (SAN) as an IP address. If you use multiple virtual appliances, include all IPs in SAN or use one shared listener certificate that lists every cluster node IP you use.
- The virtual appliance accepts the Windows client certificate using the PEM you configure in the application (custom trust). This is separate from the listener SAN.
- The file server hostname is used for application identification; it does not replace the virtual appliance IP on the listener certificate.
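To see what the listener actually presents and whether Windows reports a name mismatch for the configured IP, the handshake can be performed by hand. This is an added example, not vendor tooling; the function name and parameters are hypothetical, and TLS 1.2 is requested explicitly as an assumption.

```powershell
# Added example (not vendor code): inspect the listener certificate from the file server.
# Usage: Test-DasListenerCertificate -VaAddress <va-ip> -Thumbprint <client-cert-thumbprint>
function Test-DasListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$VaAddress,   # IP exactly as written in config.json
        [int]$Port = 11000,
        [string]$Thumbprint                         # client certificate in LocalMachine\My
    )
    $state = @{ Errors = $null }
    # Record the platform verdict but let the handshake finish so the certificate can be read.
    # No application data is sent over the connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($s, $c, $ch, $errs)
        $state.Errors = $errs
        $true
    }.GetNewClosure())

    $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($Thumbprint) {
        [void]$clientCerts.Add((Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint"))
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($VaAddress, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Throws "Cannot determine the frame size" style errors if the port is not speaking TLS.
        $ssl.AuthenticateAsClient($VaAddress, $clientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san    = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Listener       = "${VaAddress}:$Port"
            Protocol       = $ssl.SslProtocol
            Subject        = $server.Subject
            NotAfter       = $server.NotAfter
            SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
            PolicyErrors   = $state.Errors    # None = chain trusted and name matched
            MutualAuth     = $ssl.IsMutuallyAuthenticated
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
```

A PolicyErrors value of RemoteCertificateNameMismatch means the IP is missing from the listener certificate's SAN; RemoteCertificateChainErrors means the issuer is not in the machine's Trusted Root / Intermediate stores.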
TLS Version
The product does not have a minimum TLS version in the agent. It follows .NET and Windows defaults, typically TLS 1.2 and above in supported environments.
Mutual Authentication Troubleshooting
| Symptom | What to Check |
|---|---|
| SSL connection could not be established / Cannot determine the frame size | Listener on that host:port is not speaking TLS (still HTTP), wrong service on 11000, or a proxy returning non TLS bytes. Confirm mutual TLS is enabled and the listener is up with HTTPS. |
| Certificate / name mismatch (after TLS connects) | Virtual appliance IP in config vs IP SAN on the listener certificate. |
| Client certificate rejected / TLS works but requests fail | PEM trust in Data Access Security must match the chain for the Windows client certificate; thumbprint in config.json must match the certificate in Local Machine\My with private key. |
| Certificate not found in store (when the agent first connects to the virtual appliance) | Wrong thumbprint, cert under Current User instead of Local Machine, or cert not valid (expired / broken chain). |
| Mixed SSL settings on the same virtual appliance | One application configured as Mutual Auth, another not; listener mode fixed at first start. Align all apps on that virtual appliance and restart das-am. |
Console Output
During installation, the console displays progress information.
Note
Only the following two parameters are mandatory:
- -f (installation folder)
- -h (VA host)
If other parameters are omitted, the installer uses default values:
- Default installation path: C:\ProgramData\DAS_WFS
- Default log path: C:\ProgramData\DAS_WFS\Logs
Post-Installation Behavior
Once installation is complete, the installer will:
- Create and configure the Activity Monitor service on the virtual machine.
- Create the logs folder in the pre-defined location.
Uninstallation
To uninstall, run "Data Access Security Installer v1.2.0.0.exe" uninstall.
The console will display the uninstallation progress and status.
Communication Requirements
| Requirement | Source | Destination | Port |
|---|---|---|---|
| Permissions / Resource Collector and Data Classification Analysis | Permissions and Resource Collector Virtual Appliance / Data Classification Server Virtual Appliance | Monitored Server | SMB (139, 445) |