Recast Proxy

A Recast Proxy is a service that runs under a service account. A Proxy can serve many purposes, such as running Recast actions, elevating permissions, or reading from Active Directory or Configuration Manager to populate scopes. 

To view the required permissions for each Recast Software product and proxy use, see Proxy Permissions.

NOTE: In deployments with multiple Recast Proxies, only one Proxy can be installed per server, and each Proxy can only support one service account.

Proxy Types

User Proxies are automatically installed with your standard Right Click Tools installation. The user proxy ensures that actions run in Right Click Tools will run as the logged in user with the logged in user's permissions. User proxies do not appear on the Recast Proxies page in the Recast Management Server interface.

Service Account Proxies are useful when you want to run actions as a service account. These can also be used to run actions against untrusted domains. Install these proxies using the Recast Proxy MSI available in the Recast Portal. Service account proxies are listed on the Recast Proxies page in RMS.

Service account proxies installed in another domain than the Recast Management Server must be manually authorized on the Recast Proxies page before they can be used to run actions. You can also edit RMS settings to automatically approve all proxies.




Proxy Permissions

The permission set required for a proxy service account differs depending on how you're using a Recast Proxy.

If you haven't set up the required proxy permissions prior to installing Recast Management Server or Recast Proxy, you can skip the installer's Configuration Manager Configuration page by removing any information from the text fields, selecting Test ConfigMgr Connection and the Skip ConfigMgr Verification checkbox, and clicking Next.

Right Click Tools

To access web dashboards and trends

This permission set also allows scheduling for Builder actions and kiosk profile application.

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory
  • db_datareader in the Configuration Manager SQL server database
  • Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: Some actions won't work, such as adding to or removing from collection

To run actions as a service account

  • Local admin on any device that actions will be run against
  • Read/Write permissions in Active Directory (Write is only required to delete devices from AD)
  • Appropriate ConfigMgr Security Role for intended actions in the Configuration Manager console (Full Administrator for all actions)
  • Permission to MBAM, if applicable

To elevate permissions

  • Local administrator access on all devices managed by Right Click Tools

NOTE: Some actions won't work, such as adding to or removing from collection

To add or remove from collections

  • Permission to modify a collection in Configuration Manager: configmgr collection > modify permission

For Fast Channel support

  • Permission to run scripts in Configuration Manager 
  • If using Read-only Analyst in ConfigMgr as your base security role, also grant the following privileges:
    • Collection > Run Script = Yes 
    • SMS Scripts > Read = True

Endpoint Insights

To collect warranty information 

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory
  • db_datareader in Configuration Manager SQL server database
  • Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: These first four permissions are the same as those required to access web dashboards and trends in Right Click Tools.

  • If your Recast Management Server is installed on a server other than your Configuration Manager SQL database, the proxy account will need to be added to the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> local group on that server. This will allow it to read/write to your inboxes\auth\ddm.box, which is required to gather warranty data.

Privilege Manager

Privilege Manager doesn't require a Configuration Manager service connection, and your service account needs only to have the following permissions:

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory

Application Manager

MECM Integration 

  • Grant any of the following built-in roles/role combinations to the proxy account:
    • Full Administrator
    • Operations Administrator
    • Application Administrator and Compliance Settings Manager
    • Application Administrator and Read-only Analyst
  • Modify permissions to the SMB share (UNC path) that will be used to store downloaded applications




Install a Proxy

A service account proxy can be installed on the same server as the Recast Management Server, either during or after Recast Management Server installation. 

If the proxy is being installed in a different domain than the Recast Management Server, the Recast Proxy must be deployed separately after Recast Management Server installation. See Install Recast Proxy Separately.




Authorize a Proxy

By default, the Recast Management Server automatically authorizes any proxy installed in the same domain as the Recast Management Server. Proxies installed in other domains must be approved manually, unless you've edited the default setting to approve all proxies automatically.

Approve a Proxy Manually

If a proxy is installed separately in another domain, you must approve it manually.

To approve a proxy manually:

1. In your Recast Management Server, select Proxies in the navigation panel. 

On the Recast Proxies page, your newly installed proxy should be visible but not Authorized.

2. Click the Edit icon to the right of the proxy.

3. In the Edit Recast Proxy window, enable the Authorized checkbox and click Save.

Un-approve a Proxy

You can manually remove authorization from any Recast Proxy.

To remove proxy authorization:

1. On the Recast Proxies page, click the Edit icon to the right of the proxy.

2. In the Edit Recast Proxy window, disable the Authorized checkbox and click Save.

Approve All Proxies Automatically

You can choose to have your Recast Management Server automatically authorize all proxies regardless of the domain where they're installed.

To approve all proxies automatically:

1. In your Recast Management Server, navigate to Administration > Settings.

2. Under Recast Management Server, click the Edit icon to the right of Recast Proxy Approval.

3. In the Change Setting window, choose Automatically Approve All Agents from the Value drop-down menu.




Create a Proxy Route

A route determines the proxy to which your Recast actions are sent. In order for the Recast Management Server to run actions through the service account proxy, create a proxy route that uses the service account.

To create a Recast Proxy route:

1. In your Recast Management Server, navigate to Administration > Routes.

2. In the main window, click Create.

3. Set route Type to Recast Proxy.

4. Select your service account.

5. Set the Role to Administrators.

6. Click Create.

7. On the Routes page, click Save.




Run Actions as a Service Account with Recast Proxy

Once you've created a proxy route, you can direct Recast actions to it.

By default, new routes appear at the bottom of the table on the Routes page. To make actions run using a Recast Proxy route that is lower in the list, you must move that route above the Console Extension route in the table, as the first route to be successfully matched will be used.

To reorder routes, drag and drop them into the desired order. When you're done reordering the proxy route list, click Save to finalize the changes.




Configure a Recast Proxy for Management Tasks

A Recast Proxy can be used to manage a number of tasks, such as allowing access to Right Click Tools web dashboards, scheduling Recast Builder actions and Kiosk Manager actions, and collecting warranty information with Endpoint Insights.

To set up a proxy to manage tasks:

  1. Authorize the proxy in the Recast Management Server (if necessary).
  2. Create a Recast Proxy route.
  3. Reorder the routes to match your priorities (if desired).
    By default, new routes appear at the bottom of the table on the Routes page. If you only need your proxy to populate scopes, and you don't want to run any actions using that proxy, you can leave your proxy route at the bottom of the table. If you do reorder the proxy route list, click Save to finalize the changes.





Copyright © 2024 Recast Software Inc. All rights reserved.