When to use a gateway

  • Question

  • I was always under the impression that if you have machines that are in an untrusted domain or in workgroup mode, a gateway would be utilized. 

    Can you have a management server communicate directly with workgroup mode computers using certificates and skip the gateway?

    Wednesday, November 13, 2019 8:44 PM

Answers

  • Hi,

    A Gateway server is not required; you can have workgroup/DMZ agents communicate directly with a SCOM management server. You will use certificates to enable communication from the agents directly to your management servers.

    The whole process is described pretty well over here:
    Monitoring Servers in Untrusted Domains Without a Gateway Server

    If you have just a few agents, this may be the better solution; if you have, let's say, more than 10 agents in a workgroup/DMZ environment, then a Gateway server might be a better option.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Wednesday, November 13, 2019 9:12 PM
  • Note that you always need one certificate per server when they are in a workgroup, even with a gateway.

    However, the gateway will allow you to open only one network port in that case (from the gateway to the SCOM server instead of from each agent to the SCOM server).


    Wednesday, November 13, 2019 11:45 PM
  • Hi,
     
    I agree with Leon and CyrAz. A Gateway is suggested when a lot of agents in an untrusted boundary want to connect to the Management server for monitoring. This can reduce certificate management and reduce the communication paths allowed on the firewall. If the number of machines is not too large, you can use a certificate to authenticate with the Management Server instead of adding a Gateway.
     
    Hope it can help.
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 14, 2019 1:46 AM

  • >>Can you have a management server communicate directly with workgroup mode computers using certificates and skip the gateway?
    The answer to the question is yes. A management server can communicate with untrusted/workgroup agents using certificates.
    Gateway servers are used when a firewall separates the agents from the management servers or when the agents are in a separate, un-trusted domain. The gateway server acts as a proxy between the agents and the management server. Without the gateway server, the agents could still perform certificate authentication with a management server, but an X.509 certificate would need to be issued and installed on each agent using the MOMCertImport.exe tool, and each would require access to the management server through the firewall. If the agents are in the same domain as the gateway server or if they are in a trusted domain, they may use Kerberos authentication. In this case, only the gateway server and the connected management servers will require certificates.

    Roger
    Thursday, November 14, 2019 2:37 AM
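The direct (no-gateway) path described in the answers above hinges on three things being right on every workgroup/DMZ agent: a certificate that meets the SCOM agent requirements, that certificate being registered with MOMCertImport.exe, and a firewall path from the agent to the management server on the agent port (TCP 5723). The script below is an added example, not code from the thread or from Microsoft; it is run on the agent in an elevated PowerShell session. It assumes (none of this is stated in the thread) that the certificate has already been issued by an internal CA whose root is trusted on both the agent and the management server, that `ms01.contoso.com` and the MOMCertImport.exe path are placeholders to replace, and that the subject CN must equal the agent's FQDN.

```powershell
# Added example (not from the thread or from Microsoft): validate the certificate on a
# workgroup/DMZ SCOM agent, register it with MOMCertImport.exe, and confirm the
# firewall path to the management server. Assumptions: the CA root is already in
# LocalMachine\Root on both sides; $ManagementServer and $MomCertImport are placeholders.
param(
    [string]$ManagementServer = 'ms01.contoso.com',                              # placeholder
    [string]$MomCertImport    = 'C:\Media\SupportTools\AMD64\MOMCertImport.exe', # placeholder
    [int]   $AgentPort        = 5723                                             # SCOM agent/gateway port
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$KuFlags       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

# SCOM matches the certificate subject CN against the agent's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ScomAgentCertificate {
    # Returns a list of problems; an empty list means the certificate is usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if ($Cert.Subject -notmatch "CN=$([regex]::Escape($fqdn))(,|$)") {
        $problems += "subject '$($Cert.Subject)' does not match FQDN '$fqdn'"
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Both EKUs are required for the agent to act as TLS client and server.
    $eku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    foreach ($required in @($ServerAuthOid, $ClientAuthOid)) {
        if ($oids -notcontains $required) { $problems += "missing EKU $required" }
    }

    # Key usage must allow Digital Signature and Key Encipherment.
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        if (-not ($ku.KeyUsages -band $KuFlags::DigitalSignature)) { $problems += 'key usage lacks DigitalSignature' }
        if (-not ($ku.KeyUsages -band $KuFlags::KeyEncipherment))  { $problems += 'key usage lacks KeyEncipherment' }
    }

    # The chain must build to a root this machine trusts; the management server needs the same root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; use Online in production
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon ($($Cert.NotAfter))" }
    return ,$problems
}

# Pick the first certificate in LocalMachine\My that passes every check.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$fqdn*" }
if (-not $candidates) { throw "No certificate with CN=$fqdn in Cert:\LocalMachine\My" }
$usable = $null
foreach ($c in $candidates) {
    $p = Test-ScomAgentCertificate -Cert $c
    if ($p.Count -eq 0) { $usable = $c; break }
    Write-Warning ("Skipping {0}: {1}" -f $c.Thumbprint, ($p -join '; '))
}
if (-not $usable) { throw 'No certificate meets the SCOM agent requirements' }

# Register the certificate with the agent. MOMCertImport writes the serial number
# (reversed byte order) to ChannelCertificateSerialNumber under Machine Settings.
& $MomCertImport /SubjectName $fqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe failed with exit code $LASTEXITCODE" }

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$stored   = (Get-ItemProperty -Path $regPath).ChannelCertificateSerialNumber
$expected = $usable.GetSerialNumber()   # .NET returns the serial in little-endian order
$toHex    = { param($b) ($b | ForEach-Object { $_.ToString('X2') }) -join '' }
if ((& $toHex $stored) -ne (& $toHex $expected)) {
    Write-Warning 'Registry serial does not match the selected certificate; check which cert MOMCertImport picked'
}

# Without a gateway, every agent needs its own firewall path to the management server.
$net = Test-NetConnection -ComputerName $ManagementServer -Port $AgentPort
if (-not $net.TcpTestSucceeded) {
    Write-Warning "TCP $AgentPort to $ManagementServer is blocked; open it (or use a gateway as the single egress point)"
}

# Restart the agent so it picks up the certificate, then look for Event ID 20070/20071 (rejected) or 21024 (config OK).
Restart-Service -Name HealthService
Get-WinEvent -LogName 'Operations Manager' -MaxEvents 20 |
    Where-Object { $_.Id -in 20070, 20071, 21001, 21024 } |
    Select-Object TimeCreated, Id, Message
```

The warnings are deliberately loud rather than fatal on the registry and firewall checks, because a wrong certificate or a closed port does not show up until the agent tries to connect; the event IDs listed at the end are where that failure surfaces in the Operations Manager log. Multiply this by the agent count and the point made in the thread becomes concrete: with a gateway you keep the per-agent certificate work but replace N firewall rules with one.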

All replies

  • Hi,

    How's everything going? Would like to confirm with you if there's anything else we can help? If yes, feel free to let us know.

    Thanks and have a nice day!

    Best regards.
    Crystal



    Monday, November 18, 2019 1:23 AM