Client Requirements Checklist
What the client's IT team needs to provide for a PMS Sync deployment — a single, hand-over-ready list. The guiding principle is least exposure: the on-premise agent is read-only, the connection is outbound-only, and no inbound firewall ports are opened. Items tagged Client IT are the client's to provide; Alterspective items we lead, and Joint items we do together.
On-premise host for the agent
Client IT: A small, always-on Windows host inside the client network, next to the Aderant SQL Server, runs the read-only agent.
- Windows Server 2019+ (or Windows 10/11) host. Physical or VM. ~2 vCPU / 4 GB RAM / 5 GB free disk is ample — the agent is lightweight and bundles its own runtime.
- Always-on / auto-start. The agent installs as a supervised Windows service set to automatic start, so it survives reboots without anyone logging in.
- Local admin for the one-time install. Needed only to run the MSI and register the service. Day-to-day operation needs no interactive login.
- Line-of-sight to the Aderant SQL Server. The host must be able to reach the SQL Server over the LAN (typically TCP 1433).
Database access (read-only)
Client IT: The agent reads Aderant data only. No write access to the Aderant database is required or requested for the import path.
- A dedicated read-only SQL login. db_datareader on the Aderant Expert database. The agent never writes to Aderant in the standard import flow.
- SQL TCP/IP enabled on a known port. SQL Server Express ships with TCP/IP disabled — enable it and set a static port (1433) in SQL Server Configuration Manager, then restart the instance.
- Connection details. Server / instance name, database name, and the read-only login credentials. During the current MSI install these are provided through the local service environment file; a deployment pipeline may source them from Key Vault, but at runtime the agent reads them from environment variables.
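Before the read-only login's credentials go into the service environment file, it is worth proving that the login is in fact read-only and that the instance accepts TCP connections on the configured port. The following is an added pre-flight check, not part of the PMS Sync installer or agent: run from the agent host, a successful connection shows SQL TCP/IP is enabled on the chosen port, and the query reports the login's effective permissions as SQL Server sees them (role membership plus any direct grants). The server, database and login values are placeholders supplied by the caller; it assumes Windows PowerShell 5.1 with System.Data.SqlClient available.

```powershell
# Added pre-flight check for the read-only SQL login (example, not part of the PMS Sync
# installer or agent). Placeholders: server/instance, database and login come from the caller.
function Test-ReadOnlySqlLogin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SqlServer,          # e.g. 'SQLHOST\ADERANT,1433' (placeholder)
        [Parameter(Mandatory)][string]$Database,           # the Aderant Expert database name
        [Parameter(Mandatory)][pscredential]$Credential,   # the dedicated read-only SQL login
        [switch]$TrustServerCertificate                    # only for instances with a self-signed certificate
    )

    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']            = $SqlServer
    $csb['Initial Catalog']        = $Database
    $csb['User ID']                = $Credential.UserName
    $csb['Password']               = $Credential.GetNetworkCredential().Password
    $csb['Encrypt']                = $true
    $csb['TrustServerCertificate'] = [bool]$TrustServerCertificate
    $csb['Connect Timeout']        = 10

    # Effective permissions as seen by the login itself. db_datareader alone should yield
    # reader=1, can_select=1 and zeros everywhere else.
    $query = @"
SELECT
    ISNULL(IS_ROLEMEMBER('db_datareader'), 0) AS reader,
    ISNULL(IS_ROLEMEMBER('db_datawriter'), 0) AS writer,
    ISNULL(IS_ROLEMEMBER('db_owner'), 0)      AS owner,
    ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)   AS sysadmin,
    ISNULL(HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT'), 0) AS can_select,
    ISNULL(HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT'), 0) AS can_insert,
    ISNULL(HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'UPDATE'), 0) AS can_update,
    ISNULL(HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'DELETE'), 0) AS can_delete
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()   # fails here if TCP/IP is disabled, the port is wrong, or the login is invalid
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        $perms = [ordered]@{}
        for ($i = 0; $i -lt $rdr.FieldCount; $i++) { $perms[$rdr.GetName($i)] = [int]$rdr.GetValue($i) }
        $rdr.Close()
    }
    finally { $conn.Dispose() }

    $violations = @()
    if ($perms.reader -ne 1)     { $violations += 'not a member of db_datareader' }
    if ($perms.can_select -ne 1) { $violations += 'cannot SELECT from the database' }
    foreach ($k in 'writer', 'owner', 'sysadmin', 'can_insert', 'can_update', 'can_delete') {
        if ($perms[$k] -eq 1) { $violations += "has write or elevated access ($k)" }
    }

    [pscustomobject]@{
        Login      = $Credential.UserName
        Database   = $Database
        ReadOnly   = ($violations.Count -eq 0)
        Violations = $violations
        Detail     = $perms
    }
}

# Usage from the agent host; Get-Credential prompts for the read-only login's password.
# Test-ReadOnlySqlLogin -SqlServer 'SQLHOST\ADERANT,1433' -Database 'AderantExpert' -Credential (Get-Credential pms_sync_ro)
```

A `ReadOnly = False` result with `Violations` listing `writer` or `owner` means the login was granted more than db_datareader and should be corrected by the client DBA before hand-over; a connection failure before the query runs points at the TCP/IP or static-port item above rather than at permissions.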
Network & firewall
Client IT: The connection is outbound-only. The client opens no inbound ports and exposes no database to the internet.
- Outbound HTTPS (TCP 443) from the agent host. To the Azure Relay / tunnel endpoint. This is the only egress the agent needs.
- No inbound firewall rules. Nothing listens for inbound internet traffic — the agent dials out and the relay rendezvous handles the rest.
- Allow-list the tunnel endpoint (if egress is restricted). For Azure Relay: *.servicebus.windows.net (TCP 443). For an ngrok pilot: connect.ngrok-agent.com, regional connect endpoints, and update.ngrok-agent.com; use ngrok diagnose to confirm the exact endpoints for the tenant network.
- Keystone egress — only if the SQL API MCP service is enabled. If the agent’s /mcp service is used, the host also needs outbound HTTPS to the Keystone identity service to validate OAuth tokens. Not required for the standard import path.
Tunnel authorization
Joint: Alterspective provisions the Azure Relay; the client authorizes that the tunnel may operate from their network.
- Approval to run an outbound tunnel. Azure Relay (Microsoft-operated rendezvous, outbound-only) is the recommended default; ngrok is acceptable for short pilots if the client approves.
- Choice of tunnel technology. A client network/security policy decision — Azure Relay (no third-party tunnel vendor) vs ngrok. Alterspective creates the relay namespace and least-privilege Listen/Send keys.
Clio Operate / Sharedo tenant access
Joint: The proxy writes imported matters into the client tenant, and the embed widget, import page, and required linked services are deployed there.
- API / OAuth client credentials for the tenant. Identity URL, API URL, client ID and secret, instance, and scope — so the proxy can create work items and ODS parties as configured.
- Permission to deploy widgets to the Sharedo IDE. The PMS Sync embed widget is deployed to /_ideFiles/Alterspective/PmsSync/Embed; diagnostics are deployed under /_ideFiles/Alterspective/Insight as separate widgets.
- Required linked services configured. aderant-import-proxy and aderant-sql-api point at the hosted proxy and the on-prem agent (Alterspective configures these). aderant-rest-api is optional until Phase 2 write-back is enabled.
- Approved test identity for verification. Used to validate the embed renders and the import works end to end in the live tenant. Prefer an approved, non-personal test account where permitted; otherwise use a client-approved account under normal MFA/conditional-access controls or an approved time-boxed exception.
Identity & users
Joint: Standalone portal/admin sign-in is via Keystone (OIDC). Sharedo-embedded imports use the Sharedo page and signed embed handoff instead.
- Organisation provisioned in Keystone for standalone/admin access. Maps the client to its environment and isolates its config from other tenants. Required for standalone portal users, administrators, and backend MCP access.
- Embedded import users granted Sharedo access. Staff importing from inside Sharedo need access to the PMS Import page and its linked-service path. They do not need separate Keystone importer accounts unless they also use the standalone portal.
Firewall summary
| Source | Destination | Port | Direction |
|---|---|---|---|
| Agent host | Azure Relay (*.servicebus.windows.net) | TCP 443 | Outbound |
| Agent host | Aderant SQL Server (LAN) | TCP 1433 | Internal (LAN) |
| Agent host | Keystone identity (only if SQL API MCP is used) | TCP 443 | Outbound |
| Agent host | — (no inbound rules) — | — | Inbound: none |
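The firewall summary can be verified from the agent host itself before the agent is installed. The following is an added pre-flight script, not part of the PMS Sync installer or agent: it checks LAN reachability of the SQL Server port, outbound TCP 443 to the relay namespace, optionally outbound TCP 443 to Keystone when the SQL API MCP service will be used, and lists any network-facing listeners on the host so the "no inbound" row can be confirmed rather than assumed. The relay namespace and Keystone host names are placeholders, since the page does not give them.

```powershell
# Added network pre-flight (example; not part of the PMS Sync installer or agent).
# Placeholders: '<namespace>.servicebus.windows.net' and the Keystone host are not given on this page.
function Test-PmsSyncNetwork {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SqlServerHost,   # Aderant SQL Server host name (LAN)
        [int]$SqlPort = 1433,
        [Parameter(Mandatory)][string]$RelayHost,       # '<namespace>.servicebus.windows.net' (placeholder)
        [string]$KeystoneHost,                          # only needed when the /mcp service is enabled
        [switch]$UsesMcp
    )

    $targets = @(
        [pscustomobject]@{ Check = 'Aderant SQL Server (LAN)'; Host = $SqlServerHost; Port = $SqlPort; Direction = 'Internal' }
        [pscustomobject]@{ Check = 'Azure Relay';              Host = $RelayHost;     Port = 443;      Direction = 'Outbound' }
    )
    if ($UsesMcp) {
        if (-not $KeystoneHost) { throw '-KeystoneHost is required when -UsesMcp is set' }
        $targets += [pscustomobject]@{ Check = 'Keystone identity'; Host = $KeystoneHost; Port = 443; Direction = 'Outbound' }
    }

    # Egress: each target must accept a TCP connection on its port. A relay name that resolves but
    # is not reachable usually means a proxy or egress allow-list is blocking *.servicebus.windows.net.
    $egress = foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check     = $t.Check
            Target    = "$($t.Host):$($t.Port)"
            Direction = $t.Direction
            Resolved  = [bool]$r.RemoteAddress
            Reachable = [bool]$r.TcpTestSucceeded
        }
    }

    # Ingress: the agent dials out, so nothing of its own should listen on a non-loopback address.
    # Review this list with the client; any listener belonging to the agent service needs justification.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort; Process = $p.ProcessName }
        } | Sort-Object Port -Unique

    [pscustomobject]@{
        AllEgressReachable = -not ($egress | Where-Object { -not $_.Reachable })
        Egress             = $egress
        NetworkListeners   = $listeners
    }
}

# Usage on the agent host; add -UsesMcp -KeystoneHost '<keystone-host>' only if the SQL API MCP service is enabled.
# Test-PmsSyncNetwork -SqlServerHost 'SQLHOST' -RelayHost '<namespace>.servicebus.windows.net' | Format-List
```

`AllEgressReachable = True` with an empty or explainable `NetworkListeners` list corresponds to the table above: the two (or three) outbound rows pass and there is nothing on the host for an inbound rule to point at. Because the relay is addressed by a wildcard in the allow-list item, the check needs the concrete namespace Alterspective provisions; a `Resolved = False` row is a DNS or allow-list problem, not a firewall one.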
For how these pieces fit together, see the Deployment Topology. For the engineer-facing setup steps (Azure Relay, agent install, verification), see the Deployment Guide.