SCOM environment for multiple customers in one management group
Hi,
We are creating a design plan for a SCOM 2007 R2 environment for multiple customers in one management group. This means that I only will have one RMS in our environment. We decided to use SCOM Gateways to communicate with the management server at our site.
Customers will make use of Nworks and the HP blade enclosure tool; this will be installed on the customer's gateway. Of course the gateway and management server will be installed with certificates created by the DC in the main domain, which will be systemcenter.local or something. Here is an image of our planned environment:
http://imageshack.us/photo/my-images/822/scomenv.jpg
I was wondering a couple of things
1. Is this environment achievable?
2. Are customers a security risk to each other? They will only communicate to our management server with certificate authentication; is this enough? What are common steps to make the communication more secure?
3. A note from Kevin Holman in another topic to someone else was to use 2 management servers, 1 for the gateways and one to assign the agents to. Would this still be necessary?
4. Am I right in saying ACS is as good as impossible to realise in this setup?
May 26th, 2011 2:58am
Hi
1. Yes - it is achievable and many enterprises do this.
2. You need to ensure that if you are giving customers access to views \ authoring that you set up security appropriately so that they don't see or are able to manipulate each other's data. This can be made easier by using the sitename switch when you create the gateways
http://social.technet.microsoft.com/wiki/contents/articles/how-to-use-sitename-when-deploying-operations-manager-2007-gateways-to-help-manage-alerts.aspx
http://blogs.technet.com/b/momteam/archive/2009/03/05/using-sitename-when-deploying-gateways-to-help-manage-alerts.aspx
3. At present if your MS goes down, you lose visibility of all customers. What are your SLAs? I'd suggest 2 Management Servers to give you some resilience.
4. No. ACS can be used. The easiest way is to have an ACS database collector pair per customer (so deploy ACS 3 times - once in each environment). If you wanted a single ACS solution covering each customer from your home environment then that would be more tricky. You'd need a certificate on every agent as ACS can't leverage gateway servers for passing ACS data and you'd also need to do a lot of certificate mapping.
http://technet.microsoft.com/en-us/library/bb735416.aspx
An alternative would be to add a gateway per customer environment (a gateway can host the ACS collector role) and make that an ACS collector using SQL authentication to its ACS database in your home environment. You'd still need an ACS database per customer (as each gateway \ collector needs its own database) but it would mean that the data was stored on your site.
Good Luck
Graham
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 26th, 2011 3:29am
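As an added illustration of the per-customer sitename approach Graham describes in point 2 (this is example code, not from the thread or from Microsoft), the script below registers one gateway per customer with the SCOM 2007 R2 Gateway Approval Tool, giving each a distinct /SiteName so that alerts arriving through that gateway stay labelled with the customer they belong to. It assumes the approval tool has been copied from the SupportTools folder of the installation media into the management server's install directory, that it runs under an Operations Manager administrator account, and that the server, gateway and customer names are constructed placeholders. The final check assumes the OpsMgr Command Shell's Get-ManagementServer cmdlet and the IsGateway property of the objects it returns.

```powershell
# Added example: one gateway per customer, each tagged with its own site name.
# The approval tool path and all host names below are constructed placeholders.
$approvalTool = 'C:\Program Files\System Center Operations Manager 2007\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe'
$managementServer = 'ms01.systemcenter.local'   # placeholder, main-domain management server

# Customer label -> gateway FQDN in that customer's untrusted domain (placeholders).
$customerGateways = @{
    'CustomerA' = 'gw01.customera.local'
    'CustomerB' = 'gw01.customerb.local'
}

if (-not (Test-Path $approvalTool)) {
    throw "Gateway Approval Tool not found at $approvalTool (copy it from the SupportTools folder on the media)"
}

foreach ($customer in $customerGateways.Keys) {
    $gateway = $customerGateways[$customer]

    # /SiteName is what lets alert views distinguish customers later on,
    # so use the customer label rather than a generic site name.
    & $approvalTool "/ManagementServerName=$managementServer" `
                    "/GatewayName=$gateway" `
                    '/Action=Create' `
                    "/SiteName=$customer"

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Registration of $gateway for $customer failed (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Registered $gateway for $customer with site name '$customer'"
    }
}

# Verification step (assumed cmdlet/property): run from the Operations Manager
# Command Shell to confirm the gateways are now known to the management group.
Get-ManagementServer | Where-Object { $_.IsGateway } | Select-Object Name, HealthState
```

Each gateway still needs its certificate (issued by the CA in the main domain, as the original design describes) imported on the gateway host before it will connect; the approval tool only records the gateway in the management group. Re-running the script for an already-registered gateway returns a non-zero exit code, which the warning branch surfaces rather than hides.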
Thanks Graham,
All points are clear :) just one thing about answer 2. Customers won't access views or anything. Do the certificates take the security risks away? Or are there still security issues due to using one and the same management group?
Thanks,
Tony
May 26th, 2011 3:37am
Hi Tony
Not sure what you mean by security risks - the certificates are for the authentication of agent \ management server when kerberos is not available (e.g. across untrusted forests \ into workgroups). They don't change any "security" of SCOM.
http://technet.microsoft.com/en-us/library/bb735408.aspx
Cheers
Graham
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 26th, 2011 3:44am