SQL Sentry Portal Configuration

Note:  SentryOne Portal requires SentryOne software version 20.0 or above. The installation and configuration options are a standard part of the setup and EPI commands in versions 2020.8.7 or later. We strongly recommend upgrading to the latest release to install SentryOne Portal and get the complete set of features. See the Release Notes for more information.

What is SentryOne Portal?

SentryOne Portal is a browser-based option for accessing your SentryOne environment data that uses your existing SentryOne database. It replaces the previous mobile applications and Cloud Sync options.

Additional Information: See the SentryOne Portal article.


Before installing SentryOne Portal on-premises, ensure your credentials and machine(s) meet the System Requirements as well as the security and additional requirements listed below:


SentryOne Portal Service Authentication Methods

The following authentication methods are available for connecting the SentryOne Portal service to your SentryOne database:

  • Integrated Windows Authentication is available in versions 2020.8.31 or later. It is not available in version 2020.8.
  • SQL Server Authentication is available in all versions.
    • The SQL Server account must have read, write, and execute access to the SentryOne database.

SentryOne Portal User Access Requirements

Note:  The access requirements in this section are for users logging into SentryOne Portal. SQL Server Authentication is not supported for users logging in to use the portal through a browser.

Accounts logging into the SentryOne Portal through a browser must have access to the Windows Server hosting SentryOne Portal. For a user to access SentryOne Portal, at least one of the following sets of requirements must be met:


  • The Windows user identity has login access to the SQL Server instance that hosts the SentryOne database or it is in an Active Directory group that has login access to the SQL Server instance that hosts the SentryOne database.
    • Note:  Read/write access to SentryOne database is not validated.

Rights Based Security

Starting with version 2021.1, SentryOne Portal supports Rights Based Security. See the Rights Based Security article for more information.

Additional Requirements

  • Chrome and Microsoft Edge (the Edge version based on Chromium) are the recommended browsers for using SentryOne Portal.
    • Only Windows devices are officially supported.
  • SentryOne database that's accessible by the web server hosting SentryOne Portal.
  • The preferred IP address and port that SentryOne Portal should use to listen for HTTP traffic.


  • If you plan to change the binding address or port, ensure that there isn't already something listening to that address and port on the machine.
  • The default IP address is SentryOne Portal listens to all IP addresses on the machine that are not listening to the selected port.
    • If you are running SentryOne Portal on a virtual machine, it's recommended to keep the default IP address of Setting it to may make it so that it can be accessed from the local host, but not other locations in the domain.
  • The default port is 9991.
  • It's recommended to set the IP address to if you're planning to route requests through IIS or other reverse proxy on the same machine as the service. This will prevent external requests from directly reaching the service.

Installing SentryOne Portal

SentryOne Portal may be installed via the classic SentryOne Setup Wizard or through the EPI commands, as long as the method you choose matches your existing SentryOne installation.

Where can SentryOne Portal be Installed?

SentryOne Portal can be installed on-premises with a self-hosted configuration as a service. It can be installed on a machine along with the SentryOne monitoring service and SentryOne client, or it can be installed on a machine by itself without any other SentryOne components 

Note:  When using the EPI version, the SentryOne controller must exist on the machine where you install SentryOne Portal. 

If you have more than one SentryOne database, you can view them with a single SentryOne Portal service. See the distributed databases article for more information.

Note:  SentryOne Portal cannot run as an Internet Information Services (IIS) site. IIS may only be used as a reverse proxy to the SentryOne Portal service for HTTPS and request filtering. See the IIS Reverse Proxy Configuration section below for details.

Installation Example

SentryOne SQL Sentry Installed Software Components and ArchitectureExample of SentryOne components installed across multiple machines (with EPI components when applicable)

Install SentryOne Portal using Setup Wizard

Follow the instructions in the SentryOne Installation article.

Install SentryOne Portal using EPI

Follow the Installation, Upgrade, and Uninstall instructions in the SentryOne Enhanced Platform Installer article.

SentryOne Portal Configuration Utility

Changes to your SentryOne Portal configuration must be made through the Portal Configuration Utility (PCU).

Note:  For the EPI version of SentryOne, the Portal Configuration Utility is only available in versions 2020.8.31 or later. Earlier EPI releases must uninstall/reinstall via command line to make changes.

Accessing the PCU


  1. Navigate to the MonitorPortal directory in your SentryOne installation. The default path is C:\Program Files\SentryOne\<Version>\MonitorPortal\PCU. In this example, it is C:\Program Files\SentryOne\2020.0\MonitorPortal.
  2. Locate the SentryOne.Monitor.WebClient.ConfigurationUtility file and use the Run as administrator option to open it.

    SentryOne Monitor Portal Configuration Utility Run as administrator

SentryOne EPI Version

  1. Use the so configmp command to launch the Portal Configuration Utility from Command Prompt.

    Note:  You must run this command on the machine where SentryOne Portal is installed.

  2. You must use the EPI commands so stopmp and so startmp after making changes to the configuration. The PCU does not restart the portal service in an EPI environment.

Using the PCU

The PCU allows you to change database, network, security, and web server binding-related properties for SentryOne Portal. Select the Verify & Save button to apply any changes.

The PCU also provides an option to stop/start the SentryOne Portal service (SentryOneMonitorPortal in Windows Services).

Note:  SentryOne Portal supports distributed SentryOne databases. The drop-down menu at the top allows you switch between the settings for each SentryOne database. 

Additional Information: If you have multiple SentryOne databases and would like to view all of them in the same SentryOne Portal, see the distributed databases article for setup and security details.

SentryOne Portal Configuration UtilitySentryOne Portal Configuration Utility

Additional Information: For more information about the settings in the Advanced Properties:


To use TLS for SentryOne Portal: 

  1. Select the box next to Use SSL. Once selected, you'll see the SSL Certificate section.
  2. Enter the name of the certificate in Subject.
  3. Select Verify & Save.
  4. The Messages section displays the progress. Note that the SentryOne Portal service will be restarted during this process.
SentryOne Portal SSL Certificate
Use HTTPS example
SentryOne Portal Restarting the Service message example
Messages example

Success: You have enabled TLS for SentryOne Portal. Use HTTPS:// at the beginning of the URL to open it in your browser.


  • For a signed certificate from a trusted authority, you must register it on the machine so it goes into the LocalMachine/My store.
  • When updating a certificate, you need to add it to the machine. SentryOne Portal will use the latest valid certificate (by expiration date) without requiring a restart of the machine or service. Older, invalid, and expired certificates will be ignored.
  • If you do not have IIS installed and are not using port 443 on this machine as part of any other web server, you can update the Port in the Binding section to 443. When SentryOne Portal uses port 443, you do not need to specify the port in the URL. For example, you can use https://localhost instead of https://localhost:443.

IIS Reverse Proxy Configuration (Optional)

Unsupported: The following steps cover the process required to set up IIS as a reverse proxy to the SentryOne Portal service for HTTPS and request filtering. For information about IIS administration, see IIS.net

This information is provided as an example to get you started with IIS Reverse Proxy Configuration. Please refer to the official IIS administration documentation for support with this process and up-to-date documentation.

See the Use TLS option in the Portal Configuration Utility section for the preferred method of enabling HTTPS/TLS in SentryOne Portal.

IIS Reverse Proxy Prerequisites

The following modules must be installed before configuring your reverse proxy:

Note:  These required modules are not installed by default.

IIS Reverse Proxy Instructions

Configure a reverse proxy in IIS to host SentryOne Portal by completing the following steps:

1. Create a website with your desired outward bindings. If you want to use HTTPS, this is where you will register your certificate. Point the site to the default IIS directory.

Note:  The default IIS directory is often C:\inetpub\wwwroot. The Application Pool settings wont have an effect on the behavior of this site because it will not be executing code. You can set the .NET CLR version to No Managed Code, but this is not required. 

2. Open the Home window for the new site, and select the URL Rewrite feature.

SentryOne Portal Configuration IIS select URL Rewrite

3. Select the Add Rule action from the right window pane, and then select Reverse Proxy rule from the Inbound and Outbound Rules category.

SentryOne Portal Configuration URL Rewrite Add Rule(s)
SentryOne Portal Configuration Add Rule(s) select Reverse Proxy

4. Enter the IP address and port of the service in the Inbound Rules server name input. Ensure that Enable SSL Offloading is selected. Select OK to save the rule. SentryOne Portal Configuration Add Reverse Proxy Rules enter Inbound Rule


  • Localhost:9991 is the default IP address. When you are setting this up, you may need to use your server's DNS name (e.g. ServerDNS:9991).
  • If your server has no IIS conflicts with port 443, you can bind SentryOne Portal to port 443, and use https://ServerDNS as the URL (no port required).

Success: IIS now routes all requests to the website to the SentryOne Portal service.

DEPRECATED: Installing SentryOne Portal On Premises Manually


  • SentryOne Portal must be installed outside of the user's directory.
  • These steps are included only for users who do not have the current release of SentryOne with the installation built in. It was added to the installer in version 2020.8. If you have version 2020.8 or later, you must use the EPI or Setup Wizard instructions to install it.
    • You need the original SentryOne.Monitor.WebClient.Web artifact or version of the Enterprise Platform Installer that was used for your SentryOne installation to follow these deprecated instructions.

After you have ensured that your machine meets the prerequisite requirements, you can begin installing SentryOne Portal. Install SentryOne Portal on your machine manually by completing the following steps:

1. Unzip the SentryOne.Monitor.WebClient.Web artifact at the desired location on the machine hosting SentryOne Portal.

SentryOne Portal Configuration Extract Zip folder
Extract Folder

SentryOne Portal Configuration Select a Destination and Extract Files
Select Destination and Extract Files

2. Update the appSettings.json file in the root of the project with the correct connection string for the client’s database.

SentryOne Portal Configuration open app.Settings.json
Open appSettings.json

SentryOne Portal Configuration Change Connection String
Update the Connection String

3. Run the service install script OnPremServiceInstall.ps1 as administrator. Enter the IP address and port that you want to bind the service to in the appropriate prompt.

SentryOne Portal Configuration Windows Powershell Run as administrator
Run Powershell as administrator

SentryOne Portal Configuration Execute OnPremServiceInstall.ps1
Execute the PowerShell Command, enter the IP, and enter the Port

Note:  To use integrated authentication for the database connection, you need to change the account that the SentryOne portal service is running under in the Windows Services Control panel after installation. The default account is LocalSystem.

Note:  You can re-run the service install script OnPremServiceInstall.ps1 at any time to change the IP address or port and update the service. The SentryOne Portal service will be turned off during the script's execution.