I am attempting to start playing with SCOM 2007 but I've run into a brick wall.
The box SCOM 2007 is installed on is a dual NIC machine, one network connected to the public Internet and the other connected to a private network. Our internal AD resolves DNS names to IPs on the private network.
I have SCOM 2007 up and running and installing agents onto servers on that private network, but I am unable to add agents to servers that are connected only on the public segment of the network.
What do I need to do in order to manage agents on the local AD network (our servers) as well as servers not on any AD domain and connected to our public segment (our customers)?
Your question is more about routing and DNS than about SCOM.
You could:
Update your routing on your default gateway to route to the private network from public through your firewall. Alternatively use a local static route on each host in the public network to route through the SCOM public IP to get to the private IP. Hosts on the public network would then know how to get to the private network IP of the SCOM server.
Update/create a DNS server in the public network to point to the public IP of the SCOM server. Alternatively use local hosts file on each host in the public network. Hosts in the public network would then resolve the SCOM server name to the public IP address.
But…
The problem is that both of these options, or any option where the SCOM server is directly connected to both the public and private networks, create a security vulnerability. The SCOM server could be used to gain access into the private network.
The recommended approach would be to set the SCOM server up with a single private network IP address on the private network only. Then route any monitoring traffic through the firewall connecting private and public.
You could also improve on this by using a SCOM Gateway server role in the public network. This is essentially a proxy for monitoring data. In a nutshell, all the public network hosts send to at least one Gateway host (with other roles or dedicated as preferred) on the public network. The Gateway host then sends that information to a management server. If you want to know more see http://technet.microsoft.com/en-us/library/bb432132 and http://technet.microsoft.com/en-us/library/bb432149.aspx.
Also as an extra note, you have computers that do not exist in the same Active Directory as the SCOM management servers. You will need to take extra steps to distribute certificates to each node. For some info see http://technet.microsoft.com/en-us/library/dd362553.aspx.
Hope this helps.
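As an added example (not part of the original question or answer), the following PowerShell script runs on a host in the public segment before you push a SCOM agent to it and checks the three things the answer above depends on: that the Gateway or management server name resolves to a public address rather than leaking the internal AD view, that the agent channel (5723/TCP) is reachable through the firewall, and that a machine certificate with the Server Authentication and Client Authentication EKUs required for non-domain agents is installed. The target name `scom-gw01.example.com` and the private prefix `10.0.0.` are hypothetical placeholders; it uses .NET classes rather than the newer `Test-NetConnection`/`Resolve-DnsName` cmdlets so it also runs on 2007-era Windows hosts.

```powershell
# Added example, not from the original post. Pre-flight checks for a host on the
# public segment before installing a SCOM agent against a Gateway server.
# Assumptions (hypothetical values, adjust to your environment):
#   - $Target is the FQDN of the SCOM Gateway (or management server) that the
#     public host should talk to; the name is made up.
#   - $PrivatePrefix is the internal range whose addresses the name must NOT
#     resolve to on this side of the firewall; 10.0.0. is made up.
#   - 5723/TCP is the SCOM agent-to-management-server channel.
param(
    [string]$Target        = 'scom-gw01.example.com',
    [string]$PrivatePrefix = '10.0.0.',
    [int]$Port             = 5723
)

function Test-ScomNameResolution {
    param([string]$Name, [string]$PrivatePrefix)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch {
        return @{ Ok = $false; Detail = "DNS lookup failed: $($_.Exception.Message)" }
    }
    $bad = $addrs | Where-Object { $_.ToString().StartsWith($PrivatePrefix) }
    if ($bad) {
        # The public host received a private address: it is reading the internal
        # AD DNS view (or a stale hosts entry) and would try to route straight
        # into the private network instead of through the firewall/Gateway.
        return @{ Ok = $false; Detail = "$Name resolves to private address(es): $($bad -join ', ')" }
    }
    return @{ Ok = $true; Detail = "$Name -> $($addrs -join ', ')" }
}

function Test-ScomPort {
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return @{ Ok = $false; Detail = "timeout connecting to ${Name}:$Port (firewall rule missing?)" }
        }
        $client.EndConnect($async)
        return @{ Ok = $true; Detail = "TCP ${Name}:$Port reachable" }
    } catch {
        return @{ Ok = $false; Detail = "connect to ${Name}:$Port failed: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
}

function Test-ScomAgentCertificate {
    # Certificate-based authentication (the non-domain case from the answer)
    # needs a LocalMachine cert with a private key, a subject matching the
    # host's FQDN, and both Server and Client Authentication EKUs.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $cands = $store.Certificates | Where-Object {
            $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($fqdn)
        }
        foreach ($c in $cands) {
            $ekus = @()
            foreach ($ext in $c.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }
            if (($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)) {
                return @{ Ok = $true; Detail = "usable cert $($c.Thumbprint) for $fqdn, expires $($c.NotAfter)" }
            }
        }
        return @{ Ok = $false; Detail = "no cert for $fqdn with private key and Server+Client Authentication EKUs" }
    } finally {
        $store.Close()
    }
}

foreach ($r in @(
    (Test-ScomNameResolution -Name $Target -PrivatePrefix $PrivatePrefix),
    (Test-ScomPort -Name $Target -Port $Port),
    (Test-ScomAgentCertificate)
)) {
    $status = if ($r.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $r.Detail)
}
```

Run it as `.\Check-ScomAgent.ps1 -Target <gateway fqdn> -PrivatePrefix <internal prefix>` on the public host. A FAIL on the first check means the host is resolving the internal AD name (the very situation the answer warns turns the SCOM box into a bridge into the private network); a FAIL on the second points at the firewall rule between the public segment and the Gateway or management server; a FAIL on the third means the certificate distribution step for non-domain agents has not been completed yet.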