System Center 2007: How do I monitor a system that's in an untrusted domain or workgroup?

This question has come up a few times in the last few events I've had.  Ideally, all the System Center Operations Manager servers and the monitored machines sit inside one trust boundary, i.e. the same domain or forest.  But what if you want to monitor machines that are outside that trust boundary?  That's not a problem.  Agents in the untrusted domain have the same environmental prerequisites as those inside the trust boundary, with some additions.

Since the device is going to have an installed agent, the software, service, and port requirements remain the same.  Great!  Well, not so fast.  Operations Manager 2007 requires that agents and Management Servers authenticate each other and establish an encrypted communication channel before they exchange information.  Kerberos is the authentication protocol used for agent-to-server and server-to-agent authentication.  With an untrusted domain or workgroup there is no underlying infrastructure to support Kerberos authentication between the two sides, so how is that going to occur?  The answer is certificates: a certificate must be installed on both sides of the connection, so the Management Server needs one as well as each agent that cannot use Kerberos.

OK, fair enough, but what if I want to manage a bunch of machines?  That's a little bit too much work for my liking, opening up all those ports and putting certificates on EVERY machine.  There's gotta be a better way!!

You're right!  If you need to monitor many devices in the untrusted location, install an Operations Manager Gateway Server in the same network and trust boundary as the devices you want to monitor.  The Gateway Server acts as a proxy: the agents authenticate to the Gateway Server with Kerberos, because they share its trust boundary, and all traffic between those agents and the Management Server is relayed through the Gateway Server.  The Gateway Server is then the only machine in the untrusted environment that needs a certificate (the Management Server it reports to needs one too, since authentication is mutual), and you only need to open ONE port through the firewall, TCP 5723, between the Gateway Server and the Management Server.  Another benefit is that the Gateway Server performs discovery and agent installation, and relays ongoing administration traffic on behalf of the Management Server.
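Before pointing a Gateway Server (or a standalone certificate-authenticated agent) at a Management Server, it is worth checking the two things the preceding paragraphs depend on: that TCP 5723 to the Management Server is actually reachable through the firewall, and that the local machine holds a certificate that Operations Manager 2007 will accept.  The following PowerShell script is an added example, not code from the original post or from the Operations Manager product; the Management Server FQDN is a placeholder, and it assumes the certificate was imported into the LocalMachine\My store with its private key.  The certificate properties it tests (subject CN equal to the machine's FQDN, both the Server Authentication and Client Authentication enhanced key usages, private key present, not expired) are the documented requirements for certificate authentication in Operations Manager 2007.

```powershell
# Added example (not from the original post). Pre-flight checks to run on the
# machine that will become the Gateway Server, or on any agent that will use
# certificate authentication. Assumptions: the Management Server FQDN below is
# a placeholder; the certificate lives in Cert:\LocalMachine\My with its
# private key. Requirements checked: subject CN = this machine's FQDN, Server
# Authentication + Client Authentication EKUs, private key present, not expired.
param(
    [string]$ManagementServer = 'ms01.corp.example',  # placeholder FQDN
    [int]$Port = 5723                                 # OpsMgr agent/gateway channel
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# 1. Is TCP 5723 to the Management Server reachable through the firewall?
#    Uses TcpClient rather than Test-NetConnection so it also runs on older hosts.
function Test-OpsMgrPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 2. Does a certificate carry BOTH the Server and Client Authentication EKUs?
#    Mutual authentication means each side is a TLS client and a TLS server.
function Test-OpsMgrEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return $false }
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return ($oids -contains $ServerAuthOid) -and ($oids -contains $ClientAuthOid)
}

# 3. List certificates in LocalMachine\My that satisfy every requirement.
function Get-OpsMgrCandidateCertificate {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cn = $_.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $_.HasPrivateKey -and
        ($cn -ieq $fqdn) -and
        ($_.NotAfter -gt (Get-Date)) -and
        (Test-OpsMgrEku -Cert $_)
    }
}

$portOpen = Test-OpsMgrPort -HostName $ManagementServer -Port $Port
$state = if ($portOpen) { 'open' } else { 'BLOCKED' }
Write-Host ("TCP {0} to {1}: {2}" -f $Port, $ManagementServer, $state)

$certs = @(Get-OpsMgrCandidateCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My meets the OpsMgr requirements (FQDN subject, Server+Client Auth EKUs, private key, unexpired)."
} else {
    $certs | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}
```

Run the same script on the Management Server, since it needs a qualifying certificate of its own.  The script deliberately does not check the issuing CA: both machines must trust the CA that issued the other side's certificate, which is a separate (and easily forgotten) step when the two sides are in different forests.  Once the checks pass, the certificate still has to be bound to the Operations Manager service with the MOMCertImport.exe tool that ships with Operations Manager 2007, and a Gateway Server additionally has to be registered on the Management Server side with Microsoft.EnterpriseManagement.GatewayApprovalTool.exe before it is allowed to connect.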

Ah, if only life were always this simple! 

