Enrolling a Server

To manage access to a server with ScaleFT, you’ll need to install the ScaleFT Server Agent on the server, and enroll your server into a project.

If you are using the default configurations, the agent will begin managing user accounts on your server, and enable client certificate authentication for SSH or RDP.



Enrollment is the process where the ScaleFT agent configures a server to be managed by a specific project.

With an Enrollment Token

An enrollment token is a base64-encoded object containing metadata from which the ScaleFT Agent configures itself.

To create an enrollment token in the ScaleFT Dashboard, browse to the desired project, then select “Server Enrollment Tokens”. Either use an existing token, or generate a new Enrollment Token with a description of what the token is used for, such as “First Production Buildout”, or “Testing ScaleFT”.

Once you have a token, ensure it exists on the server in question either via your configuration management system, or by just writing the token to a file yourself.

On Linux, the enrollment token path is /var/lib/sftd/enrollment.token.

On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\ScaleFT\enrollment.token.

To validate that the server is enrolled, run sft list-servers on a client machine. You should see the enrolled server listed.
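The token-placement step above on Linux, as an added example that is not ScaleFT's own code: it checks that the value looks like base64 and writes it to the token path atomically. The function names, the 0600 file mode, and the acceptance of both standard and URL-safe base64 characters are assumptions; the page does not state required permissions.

```shell
#!/bin/sh
# Added example, not ScaleFT code. Function names are hypothetical.
# Default destination is the Linux token path given on this page.
TOKEN_PATH_DEFAULT=/var/lib/sftd/enrollment.token

# install_enrollment_token TOKEN [DEST]
# Writes TOKEN to DEST with mode 0600 (assumed), atomically.
install_enrollment_token() {
    token=$1
    dest=${2:-$TOKEN_PATH_DEFAULT}

    # The page describes the token as base64-encoded, so reject empty input
    # and any character outside the standard or URL-safe base64 alphabets
    # (catches pastes that picked up spaces, quotes or newlines).
    [ -n "$token" ] || { echo "empty token" >&2; return 1; }
    case $token in
        *[!A-Za-z0-9+/=_-]*) echo "token is not base64" >&2; return 1 ;;
    esac

    dir=$(dirname "$dest")
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }

    # mktemp creates the file 0600, so the token is never world-readable,
    # and mv within one directory replaces DEST in a single rename.
    tmp=$(umask 077 && mktemp "$dir/.enrollment.token.XXXXXX") || return 1
    printf '%s' "$token" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# token_file_is_private [DEST]
# Succeeds only if DEST exists and grants nothing to group or other.
token_file_is_private() {
    dest=${1:-$TOKEN_PATH_DEFAULT}
    [ -f "$dest" ] || return 1
    mode=$(ls -ld "$dest" | cut -c5-10)
    [ "$mode" = "------" ]
}
```

Run install_enrollment_token as root with the token copied from the dashboard; token_file_is_private can be used afterwards, or from configuration management, to flag a token file that has been left group- or world-accessible.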

Associating an AWS Account with a ScaleFT Project

ScaleFT supports optionally associating an AWS account with a ScaleFT project.

The ScaleFT Server Agent uses AWS’s signed instance metadata to identify itself, and can automatically enroll into a project in your team.

This method is best when all your AWS servers from a specific AWS account will belong to only one project. You can use this method to enroll servers into that project instead of using an Enrollment Token. For bare metal or on-premises servers, or when cloud metadata-based enrollment is not available, enroll servers using per-project Enrollment Tokens.

To associate an AWS account with a ScaleFT project:

  1. Locate your AWS account number by logging into the AWS web console, opening the “Support” dropdown in the top right corner, then selecting “Support Center”.
  2. In the ScaleFT Dashboard, browse to the desired project, click “Add AWS Account”, then enter the account number you located in step #1 under Associated AWS accounts.

From this point forward, when the agent starts on a server that belongs to this AWS account, if that server has not been previously enrolled in ScaleFT, the agent will submit the server’s signed AWS metadata as proof of its identity, and enroll it in your ScaleFT project.

Reassigning a Server to a New Project

Note: This is an EA feature; contact support to request that it be enabled on your account.

Instead of going through the process of creating a new enrollment token for the target project, re-enrolling the target server to the target project, and waiting for the server to expire from its original project, a team administrator can reassign a server to a new project from the dashboard. Navigate to the target server, click the reassign action, and choose a new project for the server. Users of the previous project will be unable to connect to the server following a reassignment.

Warning: When a server is reassigned, established SSH connections are not terminated.