SCOM - Multi-tenancy

  • Question

  • Hi guys,

    My company is looking to use SCOM for multi-tenancy for various customers. My question is, has anyone done this in the past, and were there any problems that they ran into?

    My number one question is around gateways: is it possible/best to set up a gateway over the internet, or do you HAVE to have a gateway on each customer site connected by a site-to-site VPN?

    Monday, April 24, 2017 10:04 AM

All replies

  • Bump :)
    Tuesday, April 25, 2017 9:40 AM
  • From a security point of view, it is better to set up a gateway on each customer site, connected by a site-to-site VPN.
    Roger
    Wednesday, April 26, 2017 2:18 AM
  • Hello,

    You will need to install a gateway server for external networks that are in a different forest/security boundary. 

    Security is controlled by SSL Certificates and the port 5723 has to be open between the Gateway Server and your Management Server.

    Here is a discussion about this, please go through it:

    https://social.technet.microsoft.com/Forums/systemcenter/en-US/45e842d6-eafe-4184-aa3d-6f980badbd2e/functionality-for-multi-tenant-environment-assuming-scom-2102?forum=operationsmanagergeneral


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 26, 2017 5:43 AM
    Moderator
  • From an operations point of view I would use certificates with a long lifetime, like more than 5 years. It is a hassle having to renew the certificates on the agent if you need to monitor many servers. Also, SCOM does not have the most user-friendly way of setting up the agent with certificates, so if you need to do onboarding often, you probably need to create some script logic to do this for you as part of the tenant server rollout.
    Wednesday, April 26, 2017 6:29 AM
  • Hi SCOM_Newbie12.

    I have used one central SCOM server for monitoring several customers since 2007 (I have used all versions from SCOM 2007 Beta to SCOM 2016 Update Rollup 2).

    The solution I adopted is to use PKI and NOT gateway servers, but it is up to you. I can swear to you that I never had any issue using PKI and NOT GTW.

    Issues start if you want to have Multi-Homed and PKI. In this case you need GTW.

    The complexity of creating a PKI does not vary whether you use a GTW Srv or not.

    Feel free to ask for further questions / information.

    Bye!

    Wednesday, April 26, 2017 9:01 AM
  • Hi Elizabeth,

    Thanks for this. When you say you use PKI, I assume by this you have an internet-facing CA and a GW in a DMZ which then forwards to your central SCOM Server(s)?

    Could you explain your setup a little bit more, as my company is looking to use this for approx. 10 customers? I'm wondering how you get around using gateway servers...

    Thanks in advance

    Wednesday, April 26, 2017 10:18 AM
  • You do not need to use a gateway server if you expose your mgmt servers to the tenant servers you want to monitor. You will then need to have the certificate you normally use on the gateway on the mgmt servers instead.

    The SCOM agent on the tenant will then communicate directly with the SCOM mgmt server. In my mind, using a GW would be easier from an operations point of view when it comes to opening up FW and such.

    No matter what you choose from above you will still need to supply all parties with certificates from a trusted PKI. You can use your own internal one, though there are two challenges:

    1) All tenant monitored servers will need to have the root certificate of the PKI in use in the trusted cert store on each server

    2) You will need a mechanism of distributing certificates to onboarded servers, and a way to renew certificates on them. 

    One way of doing 2 is to use a MS PKI with the CEP and CES roles. These can be configured to auto-renew certificates even on servers that are not part of the same domain (in workgroups or in other domains). As CEP and CES use HTTPS, you only need to expose these to your tenants (available in their network to query). The challenge remaining is to get the certificate on the box during the onboarding process and import it into the SCOM agent.

    • Proposed as answer by Tadgata Wednesday, April 26, 2017 7:03 PM
    Wednesday, April 26, 2017 12:49 PM
  • Hi SCOM_Newbie12!

    Agents must be able to reach (telnet to) the SCOM MS on TCP port 5723.

    SCOM MS must have enabled "Review new manual agent..." under Administration --> Setting --> Security.

    You must create a Stand Alone Root Certification Authority with Certificate Enrollment Web Service.

    Then on the SCOM MS and on each Agent you install (in the snap-in Certificates on local computer) the trusted Root Certificate Chain.

    Then for the SCOM MS and for each Agent you must create a certificate based on its FQDN, issued by the Certification Authority created above.

    Then you must execute momcertimport.exe on each agent passing the certificate based on its FQDN.

    Then you must accept it on the SCOM MS in Administration --> Device Management --> Pending Management.

    These are the main steps... of course the actual steps are many and complex...

    Bye!

    Elizabeth

    Wednesday, April 26, 2017 12:53 PM
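The two replies above (Tadgata's on trusted roots and certificate distribution, Elizabeth's on the per-agent steps) describe a procedure that is easy to get subtly wrong on a workgroup box in a tenant network. The following PowerShell is an added example, not code from this thread, from Microsoft or from any product mentioned here: it runs the pre-flight checks on the agent (TCP 5723 reachable, root CA in the machine Trusted Root store, a certificate for this FQDN with a private key, Server and Client Authentication EKUs and a chain that builds to that root) and only then calls MOMCertImport.exe. The management server name, root CA subject and MOMCertImport path are placeholders; the `/SubjectName` switch and the `Machine Settings` registry values read after the import are the ones I understand the tool to use and should be verified against your SCOM version's documentation.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks for onboarding a SCOM agent with a PKI
# certificate (agent talks straight to the MS, no gateway), then importing the
# certificate with MOMCertImport.exe. All three parameters are assumed values.
param(
    [string]$ManagementServer = 'scom-ms01.provider.example',                  # assumed
    [string]$RootCaSubject    = 'CN=Provider-Root-CA',                          # assumed
    [string]$MomCertImport    = 'C:\SCOM\SupportTools\AMD64\MOMCertImport.exe'  # assumed path
)
$ErrorActionPreference = 'Stop'

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Agent FQDN: $fqdn"

# 1) TCP 5723 must be open from the agent to the management server.
$tcp = Test-NetConnection -ComputerName $ManagementServer -Port 5723
if (-not $tcp.TcpTestSucceeded) { throw "TCP 5723 to $ManagementServer is blocked" }

# 2) The issuing PKI's root must be in the machine's Trusted Root store
#    (Tadgata's challenge 1), otherwise the chain can never validate.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject } | Select-Object -First 1
if (-not $root) { throw "Root CA '$RootCaSubject' not found in Cert:\LocalMachine\Root" }

# 3) Pick a certificate for this FQDN that SCOM can actually use: private key
#    present, both EKUs, and at least 30 days of validity left (renewal margin).
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Subject -eq "CN=$fqdn" -or $_.Subject -like "CN=$fqdn,*") -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date).AddDays(30) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuth)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate with subject CN=$fqdn in Cert:\LocalMachine\My" }

# The chain must build to *our* root; this catches a missing intermediate or a
# certificate accidentally issued by another CA with the same FQDN.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline pre-flight; SCOM validates at runtime
if (-not $chain.Build($cert)) { throw "Chain for $($cert.Thumbprint) does not build" }
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Certificate $($cert.Thumbprint) chains to $($chainRoot.Subject), not to $RootCaSubject"
}
Write-Host "Using certificate $($cert.Thumbprint), expires $($cert.NotAfter)"

# 4) Import into the agent (Elizabeth's momcertimport step) and restart the
#    Health Service so it picks up the new channel certificate.
& $MomCertImport /SubjectName $cert.Subject
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe returned $LASTEXITCODE" }

# Post-check: the tool records the chosen certificate under Machine Settings
# (value names assumed from my reading of the tool; verify for your version).
$key  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$hash = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateHash
if ($hash -and ($hash -ne $cert.Thumbprint)) { throw "Registry points at $hash, expected $($cert.Thumbprint)" }

Restart-Service HealthService
Write-Host "Done; approve $fqdn under Administration -> Device Management -> Pending Management on the MS."
```

Wiring this into the tenant rollout script (the "script logic" the earlier reply mentions) means an agent that fails any check never reaches Pending Management with a bad certificate, which is the usual cause of the HealthService 20057/21001-style "certificate cannot be used" churn that otherwise has to be debugged per tenant.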
  • Not sure if this is still relevant, but a while back we created a Multi-Tenant version of SCOM. We have just launched selling this as a solution to the public. This will allow you to have as many clients as you want, in as many different companies and locations. All clients, no matter how big or small, can view their own end-points (Routers/Linux/Windows) from a portal. We have also included a ticketing and change management solution within the portal.

    Each client can create rules and monitors or disable them; there is granular security to suit most enterprises. The solution will allow for multiple installations of SCOM, and the portal will see each install of SCOM from within the portal.

    Finally, we included a Maps and Perf monitor module so you can display virtual maps of your infra layout as well as view any perf monitors from within the portal. We also created an automatic agent delivery system, which will also automate cert generation for non-trusted clients.

    www.cequorum.com  


    Simon Skinner [MVP] using Nubi DB = new GB.Close


    Friday, October 18, 2019 6:45 AM
    Moderator
  • Hi Simon,

    this sounds pretty interesting, thanks for sharing! Will look into it, hope you guys have also demo versions. :)

    I am curious, how did you approach the challenge with the distribution of the management pack to the agents? It can be pretty hard at some point to ensure that customer A doesn't get the MP of customer B in its Health Service Cache..?

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov


    Wednesday, October 23, 2019 8:19 AM
    Moderator
  • How did you approach alerting in the scenario?  Previously in a single tenant scenario I've used the severity and priority as a way to filter out what I want and don't want to receive alerts on since I care about all the devices in that instance of SCOM.  When introducing devices I don't care to get alerting this can cause the need for lots of one off overrides.  Is it just a matter of using groups for each client to define what they want alerts on or is there a better/other way?

    Thanks,

    Jon

        
    Thursday, October 24, 2019 2:00 PM