SCOM environment for multiple customers in one management group
Hi,

We are creating a design plan for a SCOM 2007 R2 environment for multiple customers in one management group. This means that I will only have one RMS in our environment. We decided to use SCOM Gateways to communicate with the management server at our site. Customers will make use of Nworks and the HP blade enclosure tool; these will be installed on the customer's gateway. Of course the gateway and management server will be installed with certificates created by the DC in the main domain, which will be systemcenter.local or something.

Here is an image of our planned environment: http://imageshack.us/photo/my-images/822/scomenv.jpg

I was wondering a couple of things:

1. Is this environment achievable?
2. Are customers a security risk to each other? They will only communicate to our management server with certificate authentication. Is this enough? What are common steps to make the communication more secure?
3. A note from Kevin Holman in another topic to someone else was to use 2 management servers, 1 for the gateways and one to assign the agents to. Would this still be necessary?
4. Am I right in saying ACS is as good as impossible to realise in this setup?
May 26th, 2011 2:58am

Hi

1. Yes - it is achievable and many enterprises do this.

2. You need to ensure that if you are giving customers access to views \ authoring that you set up security appropriately so that they don't see or are able to manipulate each other's data. This can be made easier by using the sitename switch when you create the gateways:
http://social.technet.microsoft.com/wiki/contents/articles/how-to-use-sitename-when-deploying-operations-manager-2007-gateways-to-help-manage-alerts.aspx
http://blogs.technet.com/b/momteam/archive/2009/03/05/using-sitename-when-deploying-gateways-to-help-manage-alerts.aspx

3. At present if your MS goes down, you lose visibility of all customers. What are your SLAs? I'd suggest 2 Management Servers to give you some resilience.

4. No. ACS can be used. The easiest way is to have an ACS database collector pair per customer (so deploy ACS 3 times - once in each environment). If you wanted a single ACS solution covering each customer from your home environment then that would be more tricky. You'd need a certificate on every agent as ACS can't leverage gateway servers for passing ACS data and you'd also need to do a lot of certificate mapping. http://technet.microsoft.com/en-us/library/bb735416.aspx

An alternative would be to add a gateway per customer environment (a gateway can host the ACS collector role) and make that an ACS collector using SQL authentication to its ACS database in your home environment. You'd still need an ACS database per customer (as each gateway \ collector needs its own database) but it would mean that the data was stored on your site.

Good Luck

Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 26th, 2011 3:29am
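The per-customer sitename approach from point 2 above, as an added example that is not part of the original thread: approving one gateway per customer with its own /SiteName so that each customer's agents can later be grouped and scoped (user roles, notifications) by site. It assumes the SCOM 2007 R2 Gateway Approval Tool and its /SiteName switch as described in the linked articles; the tool path, management server and customer gateway names are placeholders.

```powershell
# Added example (not from the thread): approve one gateway per customer with a
# distinct /SiteName, giving a per-customer scoping key for groups and user roles.
# Assumes the SCOM 2007 R2 Gateway Approval Tool and its /SiteName switch (see the
# linked SiteName articles). Run on the management server that owns the gateways.

# Placeholder path: the tool is normally copied from the SupportTools folder on the
# installation media into the Operations Manager install directory.
$ToolPath = 'C:\Program Files\System Center Operations Manager 2007\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe'

# Placeholder management server, using the example domain from the question.
$ManagementServer = 'ms01.systemcenter.local'

# One entry per customer: site name (scoping key) -> gateway FQDN in that customer's forest.
# All names are constructed placeholders.
$CustomerGateways = @{
    'CustomerA' = 'scomgw01.customera.local'
    'CustomerB' = 'scomgw01.customerb.local'
}

foreach ($site in $CustomerGateways.Keys) {
    $gateway = $CustomerGateways[$site]
    Write-Host "Approving gateway $gateway on $ManagementServer with SiteName '$site'"

    # Each customer gets its own SiteName; reusing one across customers would
    # merge their agents into the same scope and defeat the separation.
    & $ToolPath "/ManagementServerName=$ManagementServer" `
                "/GatewayName=$gateway" `
                "/Action=Create" `
                "/SiteName=$site"

    if ($LASTEXITCODE -ne 0) {
        # Approval fails most often when the certificate on either end is missing
        # or untrusted; fix that before continuing with the next customer.
        Write-Warning "Approval of $gateway failed (exit code $LASTEXITCODE)"
    }
}
```

After approval, a group per customer can be built on the site name, and user roles and notification subscriptions scoped to that group, so customer operators only ever see their own objects.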

Thanks Graham, all points are clear :) Just one thing about answer 2. Customers won't access views or anything. Do the certificates take the security risks away? Or are there still security issues due to using one and the same management group?

Thanks,
Tony
May 26th, 2011 3:37am

Hi Tony

Not sure what you mean by security risks - the certificates are for the authentication of agent \ management server when Kerberos is not available (e.g. across untrusted forests \ into workgroups). They don't change any "security" of SCOM. http://technet.microsoft.com/en-us/library/bb735408.aspx

Cheers
Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 26th, 2011 3:44am
