Extending Operations Monitor Beyond the Trust: Part 1

Part 1: System Center 2012 Operations Manager: An Overview



Operations Manager relies on Kerberos for authentication, but there are instances where it needs to monitor a host that resides outside the Kerberos realm, for example when:

  • The host is a member of a workgroup (not joined to a domain)
  • The host resides in an untrusted Active Directory domain

A comprehensive monitoring system needs to be flexible and account for a variety of environment configurations, since most networks are dynamic and include a variety of security-related controls that can constrain our designs. What we work with in real life rarely looks like a textbook example. Operations Manager can be adapted to many of these challenges, extending its reach and usefulness.

Scenario 1: Using Certificate Based Authentication

When Operations Manager and the client it needs to monitor reside on opposite sides of a trust boundary, mutual authentication cannot be performed using Kerberos, so the two sides authenticate each other with certificates instead.



Scenario 2: Deploying a Gateway Server

While it is possible to use certificate-based authentication on every client, managing the clients and their certificates becomes a time-consuming task as the number of clients outside the trust boundary grows. When numerous clients in a non-trusted domain, or in a domain separated by a firewall, need to be monitored, deploying an Operations Manager Gateway Server simplifies management.

When a Gateway Server is deployed, client agents use Kerberos to mutually authenticate with the Gateway Server, in the same way that clients would normally authenticate with the Operations Manager Management Server. Once authenticated, the Gateway Server uses certificate-based authentication to traverse the enclave and/or trust boundary and communicate with the Management Server, as depicted in the figure below.


The benefits of deploying a Gateway Server are:
  • Only one certificate needs to be obtained to allow mutual authentication between the Gateway Server and the Management Server.
  • Firewalls can be configured to permit traffic between a limited set of Gateway and Management Servers, which are unlikely to change as often as individual clients.
  • Agents can be deployed automatically. Manual or scripted installation and configuration of the Operations Manager Agent is not required.

Each Gateway Server can support a maximum of 2000 agent-managed hosts.
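Whether a single host uses certificate-based authentication directly (Scenario 1) or a Gateway Server does it on behalf of many agents (Scenario 2), the certificate presented across the trust boundary has to be usable for mutual authentication in both directions. The following PowerShell script is an added example, not code from the original post or from Microsoft; it reports, for every certificate in the local machine Personal store whose subject CN matches the host's FQDN, whether the private key is present, the validity period is current, both the Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) enhanced key usages are set, and the issuing chain is trusted on this host. It then tests TCP reachability of the Management Server. The host name `opsmgr-ms.example.com` is a placeholder, and TCP 5723 is assumed as the default Operations Manager agent/gateway communication port; adjust both to match your environment.

```powershell
# Added example (not from the original post): pre-flight checks for the
# certificate a Gateway Server (Scenario 2) or stand-alone agent (Scenario 1)
# presents to the Management Server, plus a reachability test of the
# Management Server port.
# Assumptions: the certificate is in the local machine Personal store,
# the Management Server listens on the default agent port TCP 5723, and
# 'opsmgr-ms.example.com' is a placeholder host name.

function Test-OpsMgrCertificate {
    param(
        [string]$HostFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )

    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        # Collect the EKU OIDs of this certificate as a plain string array
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Thumbprint     = $_.Thumbprint
            Subject        = $_.Subject
            SubjectMatches = $_.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($HostFqdn) + '(,|$)')
            HasPrivateKey  = $_.HasPrivateKey
            NotExpired     = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
            ServerAuthEku  = $ekus -contains $serverAuth
            ClientAuthEku  = $ekus -contains $clientAuth
            ChainTrusted   = $_.Verify()   # the issuing CA must be trusted on BOTH sides of the boundary
        }
    } | Where-Object { $_.SubjectMatches }
}

function Test-OpsMgrManagementServer {
    param(
        [string]$ManagementServer = 'opsmgr-ms.example.com',   # placeholder
        [int]$Port = 5723                                      # assumed default agent port
    )
    $result = Test-NetConnection -ComputerName $ManagementServer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        ManagementServer = $ManagementServer
        Port             = $Port
        TcpReachable     = $result.TcpTestSucceeded
    }
}

$certReport = Test-OpsMgrCertificate
if (-not $certReport) {
    Write-Warning "No certificate in Cert:\LocalMachine\My has a subject CN matching this host's FQDN."
}
$certReport | Format-List
Test-OpsMgrManagementServer | Format-List
```

Run it in an elevated PowerShell session on the prospective Gateway Server (or on the workgroup host in Scenario 1). Every property in the certificate report should be True before the certificate is imported into Operations Manager; a False in ChainTrusted usually means the issuing CA certificate has not been installed on this side of the boundary, and a False in TcpReachable points at the firewall rule between the Gateway and Management Servers rather than at authentication.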



For more details, check out the upcoming articles:

  • Part 2: Extending Operations Monitor Beyond the Trust: Step By Step: Scenario 1: Using Certificate Based Authentication
  • Part 3: Extending Operations Monitor Beyond the Trust: Step By Step: Scenario 2: Deploying a Gateway Server
Topics: Windows Server 2012, System Center 2012 Operations Manager, Managed Agent, Monitoring, Gateway Server, Active Directory, Kerberos, Trust Relationship, Authentication, Certificate
