IT tutorials
 
Applications Server
 

Monitoring Microsoft Lync Server 2010 : Securing OpsMgr

6/10/2013 4:18:33 AM
- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Security has evolved into a primary concern that can no longer be taken for granted. The inherent security in Windows 2008 is only as good as the services that have access to it; therefore, you should perform a security audit of all systems that access information from servers. This concept holds true for management systems as well because they collect sensitive information from every server in an enterprise. This includes potentially sensitive event logs that could be used to compromise a system. Consequently, securing the OpsMgr infrastructure should not be taken lightly.

Securing OpsMgr Agents

Each server that contains an OpsMgr agent and forwards events to management servers has specific security requirements. Server-level security should be established and should include provisions for OpsMgr data collection. All traffic between OpsMgr components, such as the agents, management servers, and database, is encrypted automatically for security, so the traffic is inherently secured.

In addition, environments with high security requirements should investigate the use of encryption technologies such as IPSec to scramble the event IDs sent between agents and OpsMgr servers, to protect against eavesdropping of OpsMgr packets.

OpsMgr uses mutual authentication between agents and management servers. This means that the agent must reside in the same forest as the management server. If the agent is located in a different forest or workgroup, client certificates can be used to establish mutual authentication. If an entire nontrusted domain must be monitored, the gateway server can be installed in the nontrusted domain, agents can establish mutual authentication to the gateway server, and certificates on the gateway and management server can be used to establish mutual authentication. In this scenario, you can avoid placing a certificate on each nontrusted domain member.

Understanding Firewall Requirements

OpsMgr servers deployed across a firewall have special considerations that must be taken into account. Port 5723, the default port for OpsMgr communications, must specifically be opened on a firewall to enable OpsMgr to communicate across it.

Table 1 describes communication for this and other OpsMgr components.

Table 1. OpsMgr Communication Ports
FromToPort
AgentRoot Management Server5723
AgentManagement server5723
AgentGateway server5723
Agent (ACS forwarder)Management server ACS collector51909
Gateway serverRoot Management Server5723
Gateway serverManagement server5723
Management or Gateway serverUNIX or Linux computer1270
Management or Gateway serverUNIX or Linux computer22
Management serverOperations Manager database1433
Management serverRoot Management Server5723, 5724
Management serverReporting data warehouse1433
Management server ACS collectorACS database1433
Operations ConsoleRoot Management Server5724
Operations Console (reports)SQL Server Reporting Services80
Reporting serverRoot Management Server5723, 5724
Reporting serverReporting data warehouse1433
Root Management ServerOperations Manager database1433
Root Management ServerReporting data warehouse1433
Web Console browserWeb Console server51908
Web Console serverRoot Management Server5724

The agent is the component that ports need to be opened most often, which is only port 5723 from the agent to the management servers for monitoring. Other ports, such as 51909 for ACS, are more rarely needed. Figure 1 shows the major communications paths and ports between OpsMgr components.

Figure 1. Communications Ports


Outlining Service Account Security

In addition to the aforementioned security measures, security of an OpsMgr environment can be strengthened by the addition of multiple service accounts to handle the different OpsMgr components. For example, the Management Server Action account and the SDK/Configuration service account should be configured to use separate credentials to provide for an extra layer of protection in the event that one account is compromised.

  • Management Server Action account— The account responsible for collecting data and running responses from management servers.

  • SDK and Configuration service account— The account that writes data to the operations database; this service is also used for all console communication.

  • Local Administrator account— The account used during the agent push installation process. To install the agent, local administrative rights are required.

  • Agent Action account— The credentials that the agent runs as. This account can run under a built-in system account, such as Local System, or a limited domain user account for high-security environments.

  • Data Warehouse Write Action account— The account used by the management server to write data to the reporting data warehouse.

  • Data Warehouse Reader account— The account used to read data from the data warehouse when reports are executed.

  • Run As accounts— The specific accounts used by management packs to facilitate monitoring. These accounts must be manually created and delegated specific rights as defined in the management pack documentation. These accounts are then assigned as run-as accounts used by the management pack to achieve a high-degree of security and flexibility when monitoring the environment.

 
Others
 
- Monitoring Microsoft Lync Server 2010 : OpsMgr Component Requirements, Advanced OpsMgr Concepts
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 6) - Upgrading SMS 2003 Clients
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 5) - Upgrading Secondary Sites
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 4) - Upgrading a Primary Site
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 3) - Database Upgrade Tips and Tricks
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 2) - Upgrading SQL Server
- Migrating to Configuration Manager 2007 : Conducting an In-place Upgrade (part 1) - Running the Prerequisite Checker
- Improving Dynamics GP with Hacks : Reducing licensing needs by preventing Multiple Company Logins
- Improving Dynamics GP with Hacks : Improving clarity by timing Depreciation Posting to the General Ledger
- Improving Dynamics GP with Hacks : Keeping the chart of accounts clean by reactivating Account Segment warnings
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS