SCOM Gateway Setup with 2 NICs?
Hi, I have SCOM set up and working on our CORP domain. We have a second AD forest for our public-facing web servers. This forest is set up with a public and a private network. All file servers sit on the private network with the domain controllers, and all the web servers have two NICs, connecting to the public and private networks. Basic web farm setup. I am busy preparing the SCOM gateway servers, but I'm not sure how to configure them or where to place them. The domain controllers and file servers don't have NICs connecting to the public network, but they have a basic proxy server set up as their default gateway for Internet access. I was thinking of giving the GW servers two NICs and setting them up like the web servers, so that all agent traffic runs on the private network and the GW forwards it on via its public NIC. Or is it better to put the GW solely on the private network and NAT the traffic to the RMS through the proxy server?
October 19th, 2011 3:18am

NAT should work if:
- the agent can resolve all management servers' names (use a hosts file if DNS resolution does not work);
- the management servers can resolve the agent's name (use a hosts file if needed);
- the agent and MS are configured to use certificates for communication.

We had a similar scheme using SSH tunneling. The agent was talking locally with an SSH service on port 1270 (thinking it talks with the RMS/MS), the SSH service was redirecting traffic through the remote Linux server on TCP 22 to , and the remote Linux box was redirecting traffic to the RMS/MS on TCP 1270:

Agent -> Local TCP 1270 (SSH service) -> SSH service -> Remote Linux TCP 22 -> Remote RMS/MS TCP 1270

Why did we use such a sophisticated approach? Because we already had TCP 22 open, and it took 3 weeks for our service provider to implement "normal" firewall rules.
October 19th, 2011 4:39am
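As an added example that is not part of the thread, the PowerShell script below checks, from the agent or gateway side, the preconditions the reply lists for running SCOM traffic over NAT: forward name resolution of each management server (with the hosts file as the suggested fallback), TCP reachability of the SCOM port through the NAT path, and a certificate in the local machine store that can be used for mutual authentication. The management server names are placeholders, the port defaults to the TCP 1270 the reply names, and the two OIDs are the standard Server Authentication and Client Authentication EKUs. The reverse condition (the management server resolving the agent's name) has to be checked from the management server by running the same script with the agent's name.

```powershell
# Added example, not code from the thread or from Microsoft. Checks, from the
# agent/gateway side, the preconditions the reply lists for SCOM over NAT:
#   1. each management server name resolves (hosts file as the fallback),
#   2. the SCOM port on each management server is reachable through the NAT path,
#   3. a usable certificate for mutual authentication is in LocalMachine\My.
# The server names below are placeholders; replace them with your RMS/MS names.
param(
    [string[]] $ManagementServers = @('rms01.corp.example', 'ms01.corp.example'),
    [int] $Port = 1270,
    [int] $TimeoutMs = 3000
)

function Test-NameResolution {
    # Uses the normal resolver, which also reads the hosts file, so a failure
    # here means neither DNS nor a hosts entry covers the name.
    param([string] $Name)
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        return @{ Resolves = $true; Addresses = ($ips -join ', ') }
    } catch {
        return @{ Resolves = $false; Addresses = 'not resolving: add a hosts file entry' }
    }
}

function Test-TcpPort {
    # A bounded TCP connect: distinguishes "filtered/no route" (timeout) from
    # "refused" (EndConnect throws) and "open" (EndConnect succeeds).
    param([string] $Name, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ScomCertificate {
    # SCOM certificate authentication needs a cert with a private key that
    # carries both the Server Authentication and Client Authentication EKUs.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    if (-not $eku) { return $false }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return ($oids -contains '1.3.6.1.5.5.7.3.1') -and ($oids -contains '1.3.6.1.5.5.7.3.2')
}

# Conditions 1 and 2, one row per management server.
$report = foreach ($ms in $ManagementServers) {
    $dns  = Test-NameResolution -Name $ms
    $open = if ($dns.Resolves) { Test-TcpPort -Name $ms -Port $Port -TimeoutMs $TimeoutMs } else { $false }
    New-Object PSObject -Property @{
        Server    = $ms
        Resolves  = $dns.Resolves
        Addresses = $dns.Addresses
        PortOpen  = $open
    }
}
$report | Format-Table Server, Resolves, Addresses, PortOpen -AutoSize

# Condition 3: at least one suitable certificate in the machine's Personal store.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ScomCertificate -Cert $_ })
if ($certs.Count -eq 0) {
    Write-Warning 'No certificate with a private key and both Server/Client Authentication EKUs found in LocalMachine\My.'
} else {
    $certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}
```

Run it on the gateway (or on a test agent) before installing anything: a row with Resolves true and PortOpen false points at the NAT or proxy rule rather than at name resolution, and an empty certificate list means the certificate step still has to be done regardless of which NIC layout is chosen.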

