Gateway Server (use clarification please)

  • Question

  • A very simple question.

    If we have a trusted domain where the Management Servers reside and we would like to monitor Workgroup clients in a DMZ, can we leverage a Gateway Server EVEN THOUGH these DMZ Workgroup clients (including the Workgroup GW server) do not have a domain affiliation?

    --------------------------------------------------------------------------------

    I fully understand the benefits of Gateway servers and why they are used, but now that I have begun the installation it appears as though the only time that Gateway servers are leveraged is when the GW and clients reside in a trusted domain with one another.  In other words, can a Workgroup client get configured to report to a Workgroup GW server (via certificates) that communicates with an internal domain Management Server (via certificates)?

    --------------------------------------------------------------------------------

    It hit me when I kept only seeing references of GW servers being used when another untrusted domain was leveraged.  Any clarification around this would be greatly appreciated.

    If I am correct, then that will mean we need to poke holes in the FW to allow for DMZ systems to report in directly to the MS servers via certificates the exact same way SCCM leverages DMZ communication.

    Thanks,

    Blind

    • Edited by Blindf8th Wednesday, January 18, 2017 3:12 AM
    Wednesday, January 18, 2017 3:08 AM

Answers

  • Hi Blind,

    You are right that when both your workgroup clients (to be monitored) and the GW server are in a workgroup this will not ease the authentication. You will still need certificates on each of the monitored clients.

    Still, you can use a Gateway server in order to group clients and compress the network traffic over the WAN back to a real Management server. Another advantage is the ability to have better control over the network port openings when you go for a Gateway - you don't need to open ports from each client to the Mgmt server, but only from the GW to the Mgmt server.

    The answer to your question:

    "In other words, can a Workgroup client get configured to report to a Workgroup GW server (via certificates) that communicate with an internal domain Management Server (via certificates)?"

    Yes, this is possible; you need certificates on your clients and on your GW server as well.

    As a matter of fact, I have already answered a similar question and was able to find my post.

    From:

    Building an environment

    "250 Workgroup servers which are not in any domain (StandAlone Servers)" - The only way to monitor those 250 servers is to create certificates and use them to authenticate to your SCOM management servers. Here is a good article about this:

    Monitoring non-domain members with OM 2012

    and here

    SCOM Monitoring of Windows Workgroup Servers

    Depending on the network segments the workgroup servers are located in, you might also need to install a Gateway server, but it will only be used to compress the traffic and minimize port openings, not to ease the authentication. Why? Here is the answer:

    Can an Operations Manager gateway server help monitor a large number of machines in workgroups?

    If you go for the Gateway for your workgroup servers, then it will also need a certificate to communicate with the real management server."

    So Gateway(s) might be usable if you have your workgroup clients in the same (or just a couple of) network segments. Then the data will flow from the clients to the GW, get compressed and be sent back to the SCOM management server. You can also control port openings this way.

    Hope this helps further. Best Regards,


    Stoyan


    Wednesday, January 18, 2017 8:04 AM
    Moderator
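As an added example (not part of the thread above, and not Microsoft's own tooling), here is a PowerShell pre-flight check that reflects the answer's two points: every workgroup box, the GW included, needs its own certificate, and the only firewall hole the design needs is from each host to its next hop. Run it on a workgroup client with the GW as the next hop, and on the workgroup GW with the domain Management Server as the next hop. It assumes the next-hop FQDN is passed as -NextHop, the default SCOM port TCP 5723, that the issuing CA's root (and any intermediates) were already imported into LocalMachine\Root on the workgroup host, and a Windows version that ships Test-NetConnection (Server 2012 or later).

```powershell
# Added example, not from the original thread: pre-flight checks for a SCOM
# agent or gateway on a workgroup host before installing it.
# Assumptions (not stated in the thread): -NextHop is the FQDN of the next hop
# (the workgroup GW for a client, the domain MS for the GW), the SCOM channel
# uses the default TCP port 5723, and the issuing CA chain has already been
# imported into LocalMachine\Root on this host.
param(
    [Parameter(Mandatory = $true)][string]$NextHop,
    [int]$Port = 5723
)

# SCOM agent/gateway certificate requirements from the product documentation:
#  - subject name equal to the computer's FQDN
#  - EKU: Server Authentication and Client Authentication
#  - Key Usage: Digital Signature and Key Encipherment
#  - private key present in LocalMachine\My and a chain that builds to a CA
#    this machine trusts
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$LocalFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ScomCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $Cert.HasPrivateKey)        { $problems.Add('no private key in the store') }
    if ($Cert.NotAfter -lt (Get-Date))   { $problems.Add("expired on $($Cert.NotAfter)") }

    # Subject CN must be this host's FQDN (string comparison is case-insensitive)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $LocalFqdn) { $problems.Add("subject '$cn' does not match FQDN '$LocalFqdn'") }

    # Both EKUs are required: the same certificate is used in both directions
    $ekuOids = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekuOids -notcontains $ServerAuthOid) { $problems.Add('missing Server Authentication EKU') }
    if ($ekuOids -notcontains $ClientAuthOid) { $problems.Add('missing Client Authentication EKU') }

    $kuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } | Select-Object -First 1
    if (-not $kuExt) {
        $problems.Add('no Key Usage extension')
    } else {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        if (-not $kuExt.KeyUsages.HasFlag($flags::DigitalSignature)) { $problems.Add('Key Usage lacks Digital Signature') }
        if (-not $kuExt.KeyUsages.HasFlag($flags::KeyEncipherment))  { $problems.Add('Key Usage lacks Key Encipherment') }
    }

    # A workgroup host gets no AD-published CA certificates, so the chain only
    # builds if the issuing CA and intermediates were imported by hand.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems.Add("chain does not build: $status")
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ScomCertificate -Cert $_ })
$results | Format-Table Thumbprint, Usable, Problems -AutoSize -Wrap

if (-not ($results | Where-Object { $_.Usable })) {
    Write-Warning "No certificate in LocalMachine\My meets the SCOM requirements; the agent/gateway will not authenticate."
}

# The single firewall opening this design needs from this host: TCP 5723 to
# the next hop (client -> GW inside the DMZ; GW -> Management Server through
# the internal firewall). Nothing needs to be opened from each client to the MS.
if (Test-NetConnection -ComputerName $NextHop -Port $Port -InformationLevel Quiet) {
    "TCP $Port to $NextHop is reachable"
} else {
    Write-Warning "TCP $Port to $NextHop is blocked; open it on the firewall before installing"
}
```

Once a certificate shows Usable = True, bind it to the agent or gateway with MOMCertImport.exe from the SupportTools folder on the SCOM media; a workgroup GW additionally has to be registered on the Management Server with the Gateway Approval Tool, since there is no domain trust to stand in for that step.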

All replies

  • Thought I already replied, but thank you for the information.

    Blind

    Thursday, February 16, 2017 4:50 PM