Monitor Servers from Non-trusted Domains and Workgroup

  • Question

  • Hello All,

    I have a domain ABC.COM and RMS is installed in the ABC.COM domain. I have XYZ.COM domain servers and some workgroup servers in the DMZ, and I have to monitor those servers using the RMS in the ABC.COM domain. There is no trust relationship between the domains.

    As per my understanding, I am planning to install a Gateway Server in the XYZ.COM domain and, using this Gateway Server, I will monitor the servers which are in XYZ.COM.

    For servers which are part of a workgroup and are in the DMZ, I am planning to install certificates manually on those servers and monitor them using the RMS Server which is in ABC.COM.

    Below are the Queries:

    1. Are these two approaches correct to monitor servers from XYZ.COM and the workgroup?

    2. Can I monitor workgroup servers using the Gateway Server in XYZ.COM? I am doubtful about the authentication and certificate requirements if I make use of the Gateway Server to monitor servers.

    3. What can be the best approach to monitor those servers (XYZ.COM and workgroup)?


    Thanks & Regards, Kedar
    Thursday, October 13, 2011 6:29 AM

Answers

  • Hi Kedar,

    1) Yes, you are right. You could of course also use the same method as for agents in a workgroup for the other domain (have them all get certificates), but you might like a gateway solution more.

    2) Yes, you can. Do the same: certificates for the gateway (which you have already) and all agents in the DMZ (which you were planning already). The agents just see the gateway as a management server.

    3) Depends on the number of machines in the other domain and in the workgroup. Also the routing and firewall stuff... is the gateway or the management server "closer" to those agents? Pick the easiest way, I would think. So if you have more than a handful of agents in xyz.com you can use a gateway there, and if the DMZ happens to be close (easy to reach with routing and firewall rules and perhaps name resolving even) to the gateway server, then tell the DMZ machines to talk to the management server called gateway :-) Make sure they have certificates and that they are trusted certificates (otherwise import the CA root chain into the trusted root store of those machines).


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Thursday, October 13, 2011 6:52 AM
    Moderator
  • Yes, an internal CA is OK. But make sure the machines where you install these certificates do trust this CA, so import its CA root chain certificate into the trusted root certificate store of the local machine on those machines. From that point on you can issue the certs from that CA and they will be trusted on both sides.
    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Thursday, October 13, 2011 9:30 AM
    Moderator
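
An added example, not from this thread, of the import-and-verify step Bob describes, written as a PowerShell script to run on the DMZ or XYZ.COM machine; the certificate file paths and the 30-day expiry threshold are assumptions, and the subject and EKU checks follow SCOM's documented certificate requirements rather than anything stated in the thread.

```powershell
# Added example (not from the thread): trust the issuing CA's root certificate on this machine
# and verify that the agent/gateway certificate actually chains to it before MOMCertImport.
# The paths, PFX password prompt and 30-day threshold are assumptions; replace them as needed.
$RootCaCerPath = 'C:\Certs\ABC-RootCA.cer'        # root CA certificate exported from ABC.COM
$AgentPfxPath  = 'C:\Certs\server1.xyz.com.pfx'   # certificate issued to this agent or gateway
$AgentPfxPass  = Read-Host -AsSecureString 'PFX password'

# 1. Trust the CA: add its root certificate to LocalMachine\Root (run from an elevated prompt).
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaCerPath)
$store  = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($rootCa)) { $store.Add($rootCa) }
$store.Close()

# 2. Load the agent certificate with its private key and build its chain against the machine stores.
$agent = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $AgentPfxPath, $AgentPfxPass, 'MachineKeySet,PersistKeySet')
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # DMZ hosts often cannot reach the CRL; test that separately
$chainOk = $chain.Build($agent)

# 3. Properties the SCOM certificate import expects: subject = FQDN, Server + Client Authentication
#    EKUs, an exportable-to-machine private key, and enough validity left to renew in time.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ekus = @($agent.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

$results = [ordered]@{
    'Chain builds to a trusted root' = $chainOk
    'Subject CN equals the FQDN'     = ($agent.GetNameInfo('SimpleName', $false) -ieq $fqdn)
    'Server Authentication EKU'      = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    'Client Authentication EKU'      = ($ekus -contains '1.3.6.1.5.5.7.3.2')
    'Private key present'            = $agent.HasPrivateKey
    'Valid for more than 30 days'    = ($agent.NotAfter -gt (Get-Date).AddDays(30))
}
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
if (-not $chainOk) {
    # Each ChainStatus entry names the failing link, e.g. UntrustedRoot when step 1 was skipped.
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

Any False row means the agent will not be able to authenticate to the gateway or management server; UntrustedRoot in the chain output is exactly the symptom of the missing root import.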

All replies

  • Hi Bob

    So that means we can use the CA placed in the ABC.com domain to issue certificates to the Gateway and SCOM Agents in the xyz.com domain in the DMZ. Please correct me if I'm wrong - I understand that as long as the certificates issued to agents and servers are from trusted CAs, the domain membership does not matter.

    Regards

    zamn
    Thursday, October 13, 2011 9:24 AM
  • Hi,

    You can find a lot of helpful info at this link:

    http://systemcentercentral.com/BlogDetails/tabid/143/IndexID/90669/Default.aspx

    .. at the end of the blog, there are lines under "To be more clear:" which can clear up doubts about certs.

    Also a useful blog regarding the expiration date of the SCOM certificate:

    http://systemcentercentral.com/BlogDetails/tabid/143/IndexID/90670/Default.aspx

    Saturday, December 17, 2011 5:23 PM