SCOM ACS between untrusted domains

  • Question

  • I have some thoughts on SCOM ACS:

    • Precondition
    I have a SCOM environment in its own domain. We want to install the SCOM ACS application.
    How can I solve this best when the customer's domain is not in trust with SCOM's domain?

    • Some ideas:

    1) The customer has a SCOM GW in their domain. One solution is to install the Collector in the SCOM domain and all customer Forwarders send audit events via the SCOM GW to our Collector.
    Question: will the audit traffic go through the SCOM GW or directly to the Collector?

    2) To minimize the traffic between the customer's network and the SCOM network,
    perhaps I could put the Collector in the customer domain.
    Question 1: can I put a Collector in the customer domain which is not in trust with SCOM's domain?
    Question 2: will the audit traffic from the customer's network go through the Collector -> GW in their domain to the
    ACS DB in the SCOM domain?

    3) I have read that we can also use the Collector as a GW to save HW cost.
    Question: is this correct, and is it something we can recommend?

    4) Number of audit events: I know that we can calculate the number of audit events that are sent by running a script.
    Question: does anyone have any idea of the audit event volume, an approximation for a normal audit policy on AD and Exchange servers, per second?

    5) Is there any sort of failover to secure the uptime for audit data to SCOM?

    //Mats A


    Wednesday, September 29, 2010 2:07 PM
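Point 4 above asks how to estimate the audit event volume a forwarder will produce. As an added example (not code from the thread or from Microsoft), the following PowerShell script samples the local Security log over a window and reports events per second, the peak minute, and the dominant event IDs, so a collector and ACS database can be sized before forwarders are enabled. It assumes it is run elevated on the candidate forwarder (a DC or Exchange server) and that the sample window is representative; it warns if the log wrapped inside the window, since that would understate the rate.

```powershell
# Added example, not from the thread: estimate Security-log audit volume on a
# candidate ACS forwarder so the collector/database can be sized.
# Assumptions: run elevated on the server itself; $Hours is a representative window.
param(
    [int]$Hours = 1,
    [int[]]$EventIds = @()   # optional: restrict the count to specific event IDs
)

$start   = (Get-Date).AddHours(-$Hours)
$seconds = $Hours * 3600

# A hashtable filter is evaluated by the event log service, far cheaper than
# piping every event through Where-Object.
$filter = @{ LogName = 'Security'; StartTime = $start }
if ($EventIds.Count -gt 0) { $filter['Id'] = $EventIds }

# Get-WinEvent reports "no events found" as a non-terminating error; treat it as zero.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No Security events since $start; check audit policy and log retention."
    return
}

# Edge case: if the oldest event we hold is much newer than the window start,
# the log has wrapped and the true rate is higher than what we report.
$oldest = ($events | Select-Object -Last 1).TimeCreated   # Get-WinEvent returns newest first
if ($oldest -gt $start.AddMinutes(5)) {
    Write-Warning "Security log wrapped: oldest event is $oldest, window started $start. Rate is a lower bound."
}

# Peak minute shows burstiness (logon storms at shift start, scheduled jobs, etc.)
$peakPerMinute = ($events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Measure-Object Count -Maximum).Maximum

# Which audit categories dominate the feed; useful when tuning the audit policy
$topIds = $events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 @{n='EventId';e={$_.Name}}, Count

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    WindowStart     = $start
    WindowHours     = $Hours
    TotalEvents     = $events.Count
    EventsPerSecond = [math]::Round($events.Count / $seconds, 2)
    PeakPerMinute   = $peakPerMinute
}
$topIds | Format-Table -AutoSize
```

Run it on each server class you intend to forward from (for example `.\Measure-AuditRate.ps1 -Hours 24`) and sum the per-second figures; the peak-minute value is the number to size for, not the average.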

Answers

  • Hi there.

    >>Question , will the audit traffic use the way through SCOM GW or directly to the Collector?
    ACS Forwarders send audit data directly to a collector, they cannot use a gateway.  Since there is no trust between the domains you'd have to use certificates on each of the forwarders, and on the collector, which would be a Management Server.  You'll have to open TCP 51909 on the Collector.  There are a few extra steps needed, like creating a computer account for the non-trusted machine and mapping the certificate to the computer account.

    >>Question 1 , can I put a Collector in the customer domain which is not in trust with SCOMs domain?
    The Collector has a dependency on AD, so you would need to have the collector in the same domain as SCOM. 

    >>5) Is there any sort of failover to secure the uptime for audit data to SCOM?
    There is no redundancy for ACS collectors as there is a 1-to-1 relationship between collectors and ACS databases.  You can cluster the ACS database.

    http://technet.microsoft.com/en-us/library/bb381258.aspx


    Layne
    Wednesday, September 29, 2010 3:17 PM
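The answer above lists what a forwarder in the untrusted domain needs before it can talk to the collector: a certificate on the forwarder, a certificate on the collector, and TCP 51909 reachable. As an added example (not code from the thread or from Microsoft), this PowerShell pre-flight script checks those prerequisites from the forwarder side so a failed forwarder can be diagnosed before enabling it. It assumes `$Collector` is the collector's FQDN (a placeholder you supply), that the forwarder's machine certificate lives in `Cert:\LocalMachine\My`, and that the certificate carries both server- and client-authentication EKUs as SCOM agent certificates do; the computer-account mapping step from the answer happens on the collector side and is not checked here.

```powershell
# Added example, not from the thread: pre-flight checks on an ACS forwarder in an
# untrusted domain before pointing it at a collector in the SCOM domain.
# Assumptions: $Collector is the collector FQDN (placeholder), the forwarder's
# certificate is in LocalMachine\My, and the ACS port is 51909/TCP as in the thread.
param(
    [Parameter(Mandatory)][string]$Collector,
    [int]$Port = 51909
)

$results = [ordered]@{}

# 1. Name resolution: with no trust there is no shared DNS by default, so the
#    forwarder must still be able to resolve the collector's FQDN.
try   { $results['DnsResolves'] = [bool](Resolve-DnsName -Name $Collector -ErrorAction Stop) }
catch { $results['DnsResolves'] = $false }

# 2. TCP reachability of the collector port (the collector's firewall must allow it).
$results['TcpPortOpen'] = (Test-NetConnection -ComputerName $Collector -Port $Port `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. A usable machine certificate: private key present, not expired, subject
#    matching this host's FQDN, and both authentication EKUs (assumption, see lead-in).
$fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuth   = '1.3.6.1.5.5.7.3.1'
$clientAuth   = '1.3.6.1.5.5.7.3.2'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Subject -like "*CN=$fqdn*" -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuth)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

$results['MachineCertFound']      = [bool]$cert
$results['MachineCertThumbprint'] = if ($cert) { $cert.Thumbprint } else { $null }
$results['MachineCertExpires']    = if ($cert) { $cert.NotAfter }   else { $null }

# 4. The chain must build to a root the collector also trusts; a self-signed or
#    orphaned certificate passes step 3 but fails here.
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $results['ChainValid']  = $chain.Build($cert)
    $results['ChainStatus'] = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    $results['IssuingRoot'] = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
}

[pscustomobject]$results
```

Run as `.\Test-AcsForwarderPrereqs.ps1 -Collector collector.scom.example` (placeholder name). Every field should read true or non-empty; a false `TcpPortOpen` with true `DnsResolves` points at the collector's firewall, while a found certificate with `ChainValid` false means the issuing CA's root is not in the forwarder's trusted store, which is the same condition the collector will hit when it tries to validate the forwarder.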
  • Just to add a more specific link for using certificates with ACS:

    http://technet.microsoft.com/en-us/library/bb735416.aspx

    Also, there was the capability to have failover of collectors which I think was introduced in SP1. So you can have 1 ACS database but 2 Collectors in a failover pair using that database. All Forwarders must use the same collector but if it becomes unavailable, they failover to the second collector.

    You can cluster the ACS database for high availability.

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Thursday, September 30, 2010 3:53 PM
    Moderator

All replies

  • This was bad... It's difficult to handle too many CA certificates...

    Do you have any idea if there will be any change on this ACS limitation in SCOM 2010?

    //Mats A

    Monday, October 4, 2010 8:21 AM
  • Layne, on my question you say:

    >>Question 1 , can I put a Collector in the customer domain which is not in trust with SCOMs domain?
    The Collector has a dependency on AD, so you would need to have the collector in the same domain as SCOM.  

    One new thought: I can read in the ACS document that the ACS Collector can be installed on an MS or GW... That may mean that I can install the Collector on the SCOM gateway in the customer's domain that we have today.

    //Mats A


    Monday, October 4, 2010 12:10 PM
  • Hi Mats

    Yes you can. You could either host a SQL Server in that domain and have the gateway \ collector use that with Windows authentication.

    Or you can create a SQL Server in your home forest, and use SQL authentication from the gateway to the SQL Server.

    The main thing to remember is that you have to have ACS database <--> Collector pairs.

    Cheers

    Graham


    Cheers Graham View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Monday, October 4, 2010 12:29 PM
    Moderator