Why enable SCOM proxy agent?

    Question

  • Hi guys,

    For what purpose does a SCOM agent have to enable proxy? I don't understand "..discover managed objects on other computer", and there's a note about potential risk when I want to enable it.

    For which Windows 2008 roles is it useful, so that I have to enable it? For example, I have a Hyper-V server; is it worth it to enable the proxy? If someone has a link at MS that explains it, I will appreciate it. Thanks all!

    Sunday, April 17, 2011 1:03 PM

Answers

  • The "Allow this agent to act as a proxy and discover managed objects on other computers" setting is used for several purposes. In general it is one entity talking on behalf of another one. For instance...

    Cluster nodes talking on behalf of virtual resources. Domain controllers talking on behalf of the domain. ISA/CSS/TMG servers on behalf of the array. Exchange on behalf of organizational entities, SQL, SCOM management server on behalf of agents, Citrix for the farm. So there are a lot of roles that would need this setting. In every management pack guide (so for every MP guide) it states whether or not this setting is needed. For an example check this page http://technet.microsoft.com/en-us/library/dd491041.aspx for the clustering MP.

    The potential risk this poses is that an agent that has this setting enabled could be flooded by a hack or whatever and thus pass everything on to the SCOM servers and flood that one as well, potentially generating alerts coming from another server (proxy) or flooding the boxes. I have never seen or heard anything like this happening. It is just mentioned as a possibility.

    There are environments where they run a script every day or week that just enables all agents for proxy. I would not be too worried about it in most cases.

    I think for Hyper-V it is not needed as that MP does not say much about the guests, but is more targeted at the host itself, its role, performance, events and things like that. However it doesn't hurt to enable the proxy.


    Bob Cornelissen - BICTT (My BICTT Blog)
    Sunday, April 17, 2011 1:26 PM
    Moderator
  • The risk would be exploitable through a management pack only, so if you don't import "untrusted" MPs, it's gonna be harmless to set all agents as proxy.

    If you worry about it you could use a script similar to ours and have it enabled for just the classes that need agent proxy: http://jama00.wordpress.com/2010/01/21/setting-agent-proxying/


    Rob Korving
    http://jama00.wordpress.com/
    Sunday, April 17, 2011 7:08 PM
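
A read-only audit in the spirit of the per-class approach mentioned in the reply above, as an added example that is not from the thread or the linked blog: it lists agents whose proxy setting differs from what a chosen class list calls for. It assumes the OperationsManager PowerShell module (SCOM 2012 or later) with an active management group connection; the class names are placeholders to fill in from your MP guides.

```powershell
# Added example: read-only audit, changes no agent settings.
# Assumption: OperationsManager module (SCOM 2012+) and an existing
# management group connection (New-SCOMManagementGroupConnection).
Import-Module OperationsManager

# Placeholder class names. Replace with the classes whose MP guide states
# that agent proxy is required. These names are NOT taken from the thread.
$ProxyClassNames = @(
    'Placeholder.Class.NeedingProxy.One',
    'Placeholder.Class.NeedingProxy.Two'
)

# Build the set of computers hosting an instance of any listed class.
$needed = @{}
foreach ($name in $ProxyClassNames) {
    $class = Get-SCOMClass -Name $name
    if (-not $class) { Write-Warning "Class not found: $name"; continue }
    foreach ($instance in (Get-SCOMClassInstance -Class $class)) {
        # Assumption: for hosted classes Path begins with the hosting
        # computer, with deeper hosting levels after ';'. For computer-derived
        # classes Path is empty and DisplayName carries the computer name.
        $source = if ($instance.Path) { $instance.Path } else { $instance.DisplayName }
        if ([string]::IsNullOrEmpty($source)) { continue }
        $needed[($source -split ';')[0].ToLowerInvariant()] = $true
    }
}

# Compare each agent's current setting with the requirement.
$report = foreach ($agent in Get-SCOMAgent) {
    $enabled  = [bool]$agent.ProxyingEnabled.Value
    $required = $needed.ContainsKey($agent.PrincipalName.ToLowerInvariant())
    $state = if ($enabled -and -not $required) { 'Excess' }
             elseif ($required -and -not $enabled) { 'Missing' }
             else { 'OK' }
    [pscustomobject]@{
        Agent        = $agent.PrincipalName
        ProxyEnabled = $enabled
        ProxyNeeded  = $required
        State        = $state
    }
}

# Show only the agents that deviate from the class-based requirement.
$report | Where-Object { $_.State -ne 'OK' } | Sort-Object State, Agent |
    Format-Table -AutoSize
```

Agents reported as `Excess` have proxy enabled without hosting a listed class; `Missing` ones host such a class but have proxy off, which the affected MP will normally also surface as discovery alerts.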
