Enroll a server

To manage access to a server with Advanced Server Access, the server must be running the Advanced Server Access server agent, and you must enroll the server into a project. Enrollment is the process where the Advanced Server Access agent configures a server to be managed by a specific project.

If you're using the default configurations, the Advanced Server Access server agent will manage user accounts on your server and enable client certificate authentication for SSH or RDP.

Enrollment methods

You can enroll servers with Advanced Server Access automatically, or use an enrollment token to manually enroll a server.

Automatic enrollment requires information that's gathered using some automated method, such as cloud metadata (for example, signed instance metadata from AWS). Automatic enrollment is enabled by default. You can disable automatic enrollment of a server by editing the agent's sftd.yaml configuration file and setting AutoEnroll: false.

Alternatively, you can enroll servers using an enrollment token. This requires a token file to be present on the server being enrolled. Automatic enrollment, if possible in an environment, takes precedence over enrollment tokens. Set AutoEnroll: false in the server agent's sftd.yaml configuration file to disable automatic enrollment and permit enrollment by token.

You can disable the server agent's autostart mechanism by creating a disable-autostart file before installing the server agent package to prevent a server from being inadvertently enrolled in Advanced Server Access. See Disable autostart.

Automatically enroll servers in Advanced Server Access

Advanced Server Access supports automatically enrolling cloud servers to Advanced Server Access projects.

The Advanced Server Access server agent uses cloud metadata to identify itself when automatically enrolling a server.

Automatic enrollment is the best option to use in the following situations:

  • All of your Amazon Web Services (AWS) servers from a specific AWS account will only belong to one Advanced Server Access project
  • All of your Google Cloud Platform (GCP) servers from a specific GCP project will only belong to one Advanced Server Access project

Use per-project enrollment tokens to enroll bare metal and on-premises servers, and when automatic enrollment using cloud metadata is not available.

After you've configured automatic enrollment for a set of cloud servers, when the agent starts on a server that has not been previously enrolled in Advanced Server Access, the agent uses cloud metadata as proof of its identity and enrolls the server in your Advanced Server Access project.

Enroll servers using an enrollment token

An enrollment token is a base64-encoded object with metadata that the Advanced Server Access server agent can configure itself from.

To create an enrollment token for a project:

  1. Open the project from the Advanced Server Access dashboard.
  2. Switch to the Enrollment tab, then click Create Enrollment Token.
  3. Enter a description for the token. Click Submit to create the token.
  4. Copy the token to the enrollment token path on the server, either by using your configuration management system (for example, Puppet, Chef, Ansible, and so on), or by writing it to a file.
    • On Linux, the enrollment token path is /var/lib/sftd/enrollment.token
    • On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Next steps

See also