SCOM Agents (push question)

Question
Good morning,
Hopefully this can be validated pretty quickly, as I have not found an article that provides clarification.
Configuration: I have an MS server (domain joined), a GW server in the DMZ (WORKGROUP), and domain-joined systems in the DMZ (same domain as the MS server).
Question: Can the GW server (WORKGROUP) push SCOM agents to domain-joined systems in the DMZ? I do not have the ability to test this, but I would think that as long as the GW server has all of the push-agent ports open, it would act as an MS server (selectable in the discovery options/MS list) and push the client without issue.
Is that correct?
Thanks,
Blind
- Edited by Blindf8th Thursday, February 16, 2017 5:02 PM
Thursday, February 16, 2017 5:00 PM
All replies
Hello,
In my opinion, if the gateway server is in a workgroup, then certificates are needed for communication between the gateway server and the management server, and communication between the gateway server and the agents also needs certificates.
Why not add a management server in the DMZ instead of a gateway server?
Regards,
Yan Li
- Proposed as answer by Stoyan Chalakov (MVP) Friday, February 17, 2017 9:35 AM
- Marked as answer by Blindf8th Saturday, February 18, 2017 1:03 AM
Friday, February 17, 2017 2:35 AM
Hi Blind,
Yan Li has a point here. What I mean by this is that you need some form of authentication so that you can push the agents from the GW (workgroup) to the clients (domain joined). As your GW is not Kerberos-aware (workgroup member), the only way for this to work is to have certificate authentication between the GW and all the clients. This in turn would be nonsense, because you have to deploy certificates on each client, and also because you can solve the whole "riddle" just by making the GW a member of the same domain or, if this GW has some other purpose, by installing a new GW and making it part of the domain.
Hope this helps. Regards,
Stoyan
- Edited by Stoyan Chalakov (MVP) Friday, February 17, 2017 9:35 AM
- Proposed as answer by Stoyan Chalakov (MVP) Friday, February 17, 2017 9:35 AM
- Marked as answer by Blindf8th Saturday, February 18, 2017 1:02 AM
Friday, February 17, 2017 9:34 AM
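A preflight check for the certificate-based authentication Stoyan describes, added here as an example rather than code from the thread. It walks the local machine's personal certificate store and reports which certificates meet the requirements SCOM places on a gateway or agent authentication certificate when Kerberos is unavailable: a private key, both the Server Authentication and Client Authentication EKUs, Digital Signature and Key Encipherment key usage, a subject CN equal to the host's FQDN, validity dates in range, and a chain that builds to a root the peer must also trust. The function name and the `ExpectedFqdn` parameter are this example's own, not SCOM tooling.

```powershell
# Added example (not from the thread): report which LocalMachine\My certificates
# satisfy the SCOM gateway/agent certificate requirements. Run elevated on the
# workgroup gateway or on an agent candidate before running MOMCertImport.exe.
function Test-ScomAuthCertificate {
    [CmdletBinding()]
    param(
        # FQDN the peer will expect in the subject CN. On a workgroup host this only
        # resolves to a full name if the primary DNS suffix has been set.
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now = Get-Date
    $results = @()

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Enhanced Key Usage OIDs present on the certificate
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        # Key Usage bits: SCOM needs Digital Signature and Key Encipherment
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { $kuFlags::None }
        $hasSig = ($ku -band $kuFlags::DigitalSignature) -ne 0
        $hasEnc = ($ku -band $kuFlags::KeyEncipherment) -ne 0

        # Subject CN, compared case-insensitively against the expected FQDN
        $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
               Select-Object -First 1) -replace '^CN=', ''

        # Chain build without revocation checking: this is an offline preflight,
        # CRL reachability from the DMZ is a separate firewall question.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        $checks = [ordered]@{
            HasPrivateKey      = $cert.HasPrivateKey
            ServerAuthEku      = $ekus -contains $serverAuthOid
            ClientAuthEku      = $ekus -contains $clientAuthOid
            DigitalSignature   = $hasSig
            KeyEncipherment    = $hasEnc
            SubjectMatchesFqdn = $cn -ieq $ExpectedFqdn
            DatesValid         = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            ChainBuilds        = $chainOk
        }
        $failed = $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }

        $results += [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            RootCA       = $root
            Usable       = ($checks.Values -notcontains $false)
            FailedChecks = ($failed -join ',')
        }
    }
    return $results
}

# Usage: list every candidate and the reasons it would be rejected
Test-ScomAuthCertificate | Format-Table -AutoSize
```

The same root CA has to be in the Trusted Root store on the gateway and on every agent it talks to, so the `RootCA` column is worth comparing across hosts; a certificate that passes every check here but chains to a root the peer does not trust still fails mutual authentication.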
Thank you both for your reply and information (it really helped).
In a use case where both system types are in a DMZ (WORKGROUP and domain joined), it seems there are multiple options. Having domain-joined systems in a DMZ is not preferred in general, from my experience, and in a case where both types need to be managed, I think I lean towards just leveraging certificates for both WORKGROUP and domain-joined systems altogether. The benefits would be not adding more domain-joined systems to a DMZ (GW server) and also not having to add the ACLs required for Kerberos authentication. The downside, of course, would be using certificates for those systems that are domain joined, where a push installation could be leveraged.
I can see both schools of thought, so thank you both again for your input.
Blind
Saturday, February 18, 2017 1:15 AM
In your case, the GW will not be able to push agents to the DMZ domain machines, since the .pfx and root CA are missing for authentication.
- Marked as answer by Blindf8th Tuesday, February 21, 2017 2:56 PM
Monday, February 20, 2017 1:50 AM
Thanks for pointing that one out. In this particular case, using the manual installation with the certificates will have to do the trick for both WORKGROUP and domain-joined systems, unfortunately. I prefer the push method for the obvious reasons, but as pointed out above, when you have both types of clients that need to be managed, I prefer to limit the ACL requirements and keep the AD footprint as small as possible in any DMZ, if that makes sense.
Thanks all,
Blind
Tuesday, February 21, 2017 2:56 PM
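The manual, certificate-based install that Blind settles on for both the WORKGROUP and the domain-joined DMZ hosts, as an added example script that is not part of the thread. It checks that TCP 5723 to the gateway is open, installs the agent unattended with AD integration disabled so no domain lookup is attempted, imports the host's .pfx into the machine store, registers it with the agent through MOMCertImport.exe, restarts the Health Service and then looks for the connector's certificate-loaded event. The management group name, gateway FQDN, file paths and the `agent-auth.pfx` file name are placeholders assumed for the example; MOMAgent.msi and MOMCertImport.exe are the ones shipped on the SCOM media.

```powershell
# Added example (not from the thread): unattended agent install pointed at a
# gateway, with certificate registration instead of push/Kerberos. Works the
# same on workgroup and domain-joined hosts. Run elevated on the target host.
param(
    [string]$ManagementGroup = 'CONTOSO-MG',            # assumed management group name
    [string]$GatewayFqdn     = 'scomgw01.dmz.example',  # assumed gateway FQDN
    [string]$AgentMsi        = 'C:\Install\MOMAgent.msi',        # from media agent\AMD64
    [string]$CertImportExe   = 'C:\Install\MOMCertImport.exe',   # from media SupportTools\AMD64
    [string]$PfxPath         = 'C:\Install\agent-auth.pfx',      # this host's auth certificate
    [string]$LogPath         = 'C:\Install\MOMAgent-install.log'
)

$ErrorActionPreference = 'Stop'
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Agent-to-gateway traffic is TCP 5723 only; none of the push-install ports
#    (RPC 135, SMB 445, dynamic RPC) are needed for a manual install.
if (-not (Test-NetConnection -ComputerName $GatewayFqdn -Port 5723 -InformationLevel Quiet)) {
    throw "TCP 5723 to $GatewayFqdn is blocked; the agent could not register."
}

# 2. Unattended install. USE_SETTINGS_FROM_AD=0 turns off AD integration, so the
#    gateway is given explicitly and no domain query is made during setup.
$msiArgs = @(
    '/i', "`"$AgentMsi`"", '/qn', '/l*v', "`"$LogPath`"",
    'USE_SETTINGS_FROM_AD=0',
    "MANAGEMENT_GROUP=$ManagementGroup",
    "MANAGEMENT_SERVER_DNS=$GatewayFqdn",
    "MANAGEMENT_SERVER_AD_NAME=$GatewayFqdn",
    'SECURE_PORT=5723',
    'ACTIONS_USE_COMPUTER_ACCOUNT=1',
    'AcceptEndUserLicenseAgreement=1'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# 3. Import the .pfx into LocalMachine\My, then point the agent at it by subject
#    name. MOMCertImport records the certificate's serial number under
#    HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for $PfxPath"
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $pfxPassword -Exportable
Write-Host "Imported $($imported.Subject) ($($imported.Thumbprint))"
& $CertImportExe /SubjectName $hostFqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe exited with $LASTEXITCODE" }

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serial = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $serial) { throw 'ChannelCertificateSerialNumber was not written; the agent has no certificate registered.' }

# 4. Restart the Health Service so the connector picks up the certificate, then
#    look for event 20053 (OpsMgr Connector loaded the authentication certificate).
Restart-Service -Name HealthService
Start-Sleep -Seconds 30
$loaded = Get-WinEvent -FilterHashtable @{
    LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector'; Id = 20053
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($loaded) {
    Write-Host "Certificate loaded at $($loaded.TimeCreated); approve the agent on the gateway's management group if manual approval is enabled."
} else {
    Write-Warning 'No certificate-loaded event yet; check the Operations Manager log for OpsMgr Connector errors.'
}
```

The gateway itself needs the same treatment once: its own certificate imported and registered with MOMCertImport.exe, and the issuing root CA in its Trusted Root store, or the agents' certificates will be rejected even though each agent passes its local checks. The .pfx password is read at the prompt rather than placed in the script so the file is not left on the DMZ host with the key material's password in it.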