Step 5: Determine the Agent Security Strategy

Published: June 27, 2008


System Center Operations Manager requires mutual authentication between Management Servers and agents. This can be achieved using one of the following methods:

  • Kerberos authentication, which is available to all computers within the same Active Directory forest and computers outside the forest that have established Active Directory forest trust or domain trust relationships.
  • Certificate authentication, which uses x.509 digital certificates to mutually authenticate agents and Management Servers across trust boundaries, such as workgroup computers or those in a separate Active Directory forest.

If all computers defined as in scope for monitoring in Step 1 are located within trust boundaries and that is not expected to change, skip this step and move on to Step 6.

If computers in scope for monitoring are located beyond trust boundaries, decision makers must evaluate the readiness of the organization to support mutual authentication between System Center Operations Manager server and agent roles. If the necessary infrastructure does not exist, a design will be created in this step.

Decision Flow

Figure 4 illustrates the decision flow for designing an infrastructure that provides mutual authentication with agents that are beyond the trust boundary of the Operations Manager management server. The planner will need to use this flow for each group of untrusted agents that will connect to each Management Group.

[Figure 4 image: Step 5 decision flowchart]

Figure 4. Decision Flow to Design Mutual Authentication

Decision 1: Are Agents in an Active Directory Forest?

Kerberos authentication is possible only between computers located within the same trust boundary. The trust boundary can be extended to include untrusted agents, provided that those agents are in an Active Directory forest. So the first thing to determine is whether the agents are in an Active Directory forest.

Option 1: Yes

If the agent computers are in an Active Directory forest, proceed to the next decision.

Option 2: No

If the agent computers are not in an Active Directory forest, proceed to Task 1 to deploy a certificate on each agent computer.

Decision 2: Can a Forest Trust or Cross-Domain Trust Be Used?

The trust boundary can be extended to include agent computers that are in a different Active Directory forest. Extension would require agreement from the group responsible for security in that forest.

Option 1: Yes

If a trust relationship can be established, extending the trust boundary of the management server beyond its own forest requires a choice between a cross-forest trust and a cross-domain trust. For guidance on that choice, refer to the Infrastructure Planning and Design guide for Windows Server 2008 Active Directory Domain Services at https://www.microsoft.com/ipd, and then set up the trust.

Option 2: No

If a trust cannot be used, proceed to the next decision.

Decision 3: Can an Operations Manager Gateway Be Set Up with a Certificate?

If a trust cannot be used, it will be necessary to implement certificate authentication. The management overhead and cost of this may be minimized by implementing a Gateway in the other forest, and deploying a certificate to that Gateway. The Gateway Server and the Management Server to which it will connect must both be issued certificates by the same trusted certificate authority.

Option 1: Yes

If a Gateway can be set up in the other forest, and that Gateway can authenticate with the agents, it can be used as an authentication concentrator. In this case, implement the Gateway in the other forest and deploy a certificate to it, and to the Management Server that it will connect to.

Option 2: No

If a Gateway cannot be deployed into the other forest, proceed to Task 1 to deploy a certificate on each agent computer.

Task 1: Deploy a Certificate to Every Computer Beyond the Trust Boundary

If the computers outside the Active Directory forest that hosts System Center Operations Manager are not within a trusted forest, or are in a workgroup configuration, a certificate will have to be deployed to each computer to provide mutual authentication. In this case, the planner must determine whether the organization’s public key infrastructure (PKI) meets System Center Operations Manager requirements. The PKI requirements for the System Center Operations Manager infrastructure can be met by one of the following:

  • A Windows Server 2003 or Windows Server 2008 stand-alone certification authority (CA)
  • A Windows Server 2003 or Windows Server 2008 enterprise CA running on Windows Server 2003 Enterprise Edition
  • A third-party CA that supports the certificate template that System Center Operations Manager requires. (For a copy of this template, see https://blogs.technet.com/momteam/archive/2007/10/03/cerificate-template-for-third-party-ca.aspx.)

     Note: A Windows Server 2003 enterprise CA running on Windows Server 2003 Standard Edition does not meet System Center Operations Manager requirements, because certificates based on version 2 certificate templates cannot be issued to computers from an enterprise CA running on this version of the Windows Server 2003 operating system.

If no PKI infrastructure exists in the organization, the organization can either design and deploy a PKI, or purchase digital certificates from a third-party provider. To determine which option is best, compare the cost of certificates for computers outside the trust boundary with the cost of server hardware and Windows licensing to establish an internal PKI infrastructure.

Repeat this decision-making process for each Management Group that includes resources beyond its Active Directory trust boundary.
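Whether the certificate is issued by an internal CA or purchased from a third-party provider, the planner still has to confirm that what lands in each agent's (or the Gateway's and Management Server's) Local Computer Personal store actually satisfies the template. The following PowerShell script is an added example for this guide, not part of the guide or of the product; it encodes the commonly documented Operations Manager certificate requirements as assumptions to be verified against the template linked above: subject CN equal to the computer's FQDN, Enhanced Key Usage containing both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2), Key Usage including Digital Signature and Key Encipherment, an associated private key, a current validity period, and a chain that builds to a root the computer trusts. The function name Test-OpsMgrCertificate is hypothetical.

```powershell
# Added example (not from the IPD guide): check certificates in the Local Computer
# Personal store against the assumed Operations Manager certificate requirements.
function Test-OpsMgrCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Assumption: the subject CN must equal the FQDN of the computer that uses the certificate
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $oidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $oidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $findings = @()

    # 1. Subject CN must match the computer FQDN (assumes CN= is the first RDN in the subject)
    $cn = ($Certificate.Subject -split ',')[0] -replace '^\s*CN=', ''
    if ($cn -ne $ExpectedFqdn) {
        $findings += "Subject CN '$cn' does not match expected FQDN '$ExpectedFqdn'"
    }

    # 2. EKU must contain both Server Authentication and Client Authentication
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($required in @($oidServerAuth, $oidClientAuth)) {
        if ($ekuOids -notcontains $required) { $findings += "Missing Enhanced Key Usage $required" }
    }

    # 3. Key Usage must allow Digital Signature and Key Encipherment
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $needed) -ne $needed)) {
        $findings += 'Key Usage does not include both DigitalSignature and KeyEncipherment'
    }

    # 4. The computer must hold the private key, otherwise it cannot authenticate
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key is associated with this certificate'
    }

    # 5. Validity period
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $findings += "Certificate is outside its validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # 6. The chain must build to a root trusted on this computer; the Gateway and the
    #    Management Server must each pass this check for the same issuing CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings += "Chain does not build to a trusted root: $status"
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Evaluate every certificate in the Local Computer Personal store and list the results
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OpsMgrCertificate -Certificate $_ } |
    Format-List Thumbprint, Subject, Issuer, Compliant, Findings
```

Run the script on the Gateway Server and on the Management Server it connects to, and compare the Issuer values of the compliant certificates: the guide requires both to be issued by the same trusted certification authority, so differing issuers or a failed chain build on either side point to a PKI gap to close before the Gateway is brought online. Revocation checking is disabled in the chain build only to keep the check usable on workgroup computers that cannot reach a CRL distribution point; re-enable it where the CRL is reachable.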

Summary of Step 5

Step 5 determines the readiness of the organization to support mutual authentication between System Center Operations Manager server and agent roles. The output of this step is a strategy that supports mutual authentication between System Center Operations Manager components, across trust boundaries.

Additional Reading

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
