Sam Hobday, Solsoft
Guest
Posted: Fri Jan 14, 2005 4:45 pm
Post subject: Authentication Setup for distributed MOM 2005. Recommendatio
Hi there,
We are currently in the process of installing MOM 2005.
We will have 2 machines using MOM.
1) The MOM database server, which will also have the MOM reporting services
(data warehouse)
2) The MOM management server
Our MOM database server is on our internal network (192.168 address) running
on SQL Server 2000 on a machine in an AD domain. It has been set up correctly
using the standard install and no problems are reported. We only want access
to this data internally or from the management server.
The Management server is in a DMZ. This is so it can access MOM agents on
external servers without having a port open on the firewall to our internal
network. The Management server is NOT on the AD domain (it's in a workgroup)
as there is no access to the domain from the DMZ (port 135 etc. is blocked)
or externally
The machine in the DMZ has access to the database server on the SQL port -
1433. This has been enabled on the firewall.
So the firewall setup will allow the Management server and the database to talk
to each other via 1433 with no restriction, and the Management server to any
server on the Internet via 1270.
Now, for the actual question...
The management server will not install. It simply says it cannot find the
MOM database. We have worked out that this is an authentication issue. If you
log in to the management server using a local account which has the same
username and password as a domain account that has SQL access, then the
installation will work - presumably using passthrough authentication.
So, the question is, how do we set up authentication access between the
management server and the database server.
I can see two obvious possibilities - can people provide their view or
alternatives?
1) we create a local account on the DMZ Management server with the same
username and password as the domain account the MOM database service runs as
(currently username MOM-service). It uses passthrough authentication. This
means the two accounts HAVE to be synchronised. And I'm not sure whether
there are any other issues here.
2) We add the management server to the domain. This would mean opening more
ports on the firewall to allow windows networking communication, though would
still be restricted to communication between the DMZ computer and the
internal network.
Hope that all makes sense, comments appreciated.
Regards,
Sam
Network Engineer
Solsoft Technology Limited

Brian Desmond [MVP]
Guest
Posted: Sun Jan 16, 2005 10:26 am
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Sam,
What about option 3) Join the Mgmt Server to the domain, and add a firewall
rule from the DMZ to the management server on port 1270?
--
--Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
www.briandesmond.com
"Sam Hobday, Solsoft" <Sam Hobday, Solsoft@discussions.microsoft.com> wrote
in message news:E51399CD-8CD9-4929-B53B-D997EF96F34F@microsoft.com...

Sam Hobday, Solsoft
Guest
Posted: Mon Jan 17, 2005 3:23 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Isn't this the same as my option 2 - join the Mgmt Server to the domain,
keeping the Mgmt Server in the DMZ? This would involve opening domain
communication on the firewall between the internal network and the Mgmt
server.
The problem with doing that is that we would have a machine on our internal
domain in the DMZ - which means that if the Mgmt server was breached, it would
almost defeat the point of having a DMZ, as the infiltrator would have access to
the domain.
Maybe we're being over-paranoid about security - but ideally I don't want any
machines on our internal domain in the DMZ.
Any more suggestions?
I'm interested in how Microsoft themselves actually do it. I'm sure they use
AD for all their authentication, but do they have management servers on the
Internet that are also part of an AD domain for monitoring any external
servers? (I'm not expecting an actual answer here! I doubt MS will provide
internal network details.)
"Brian Desmond [MVP]" wrote:
Quote:
Sam,
What about option 3) Join the Mgmt Server to the domain, and add a firewall
rule from the DMZ to the management server on port 1270?
--
--Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
www.briandesmond.com

Gordon
Guest
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Hi Sam,
I've read back through your notes and think I understand what you're trying to
achieve with the DMZ; I'm just not sure how you are going to get the
authentication working over ODBC in your scenario. I would be interested to
know if you get around it.
Post back if you get a solution, and best of luck,
Gordon.
Quote:
"Sam Hobday, Solsoft" wrote:
Thanks for the info, but I don't think we're talking about quite the same
issue.
Port 1270 - i.e. communication between the Mgmt server and the agents - is NOT
the issue.
The servers we will be monitoring are NOT on our internal network - they are
servers on the Internet. Therefore we will definitely need 1270 open between
the outside world and our Mgmt Server. The reason we want this in the DMZ is
so there is protection for our internal network in case someone finds a
security issue in MOM or another way to exploit an open port, or if the
machine is used for some other purpose.
Port 1433 is ONLY open on our firewall between the DMZ and the internal
network. There is no access from the outside world, so that's not a problem.
The issue is...
If the Mgmt server is in the DMZ, then how does it talk to the SQL server?
The port (1433) is open between these machines - fine, but there is an
authentication issue. How does the Mgmt Server authenticate with the SQL
server running the MOM database? If I join the Mgmt Server to the domain and
KEEP it in the DMZ, then doesn't it start defeating the point of a DMZ? If I
move the Mgmt Server to the internal network and put it on the domain, it
means opening up a port (1270) to our internal network accessible by the
whole of the Internet. It is not practical to lock the 1270 port down to certain
IPs, because some servers are on dynamic IPs (ADSL) and there are
simply too many servers on very different IPs.
Thanks,
Sam
Solsoft
"Gordon" wrote:
Hi Sam,
I agree with Brian here.
I have set MOM up in this scenario many times; my advice would be to install
the Management Server in the domain and open up TCP 1270 (UDP 1270 for
heartbeat) through the firewall, but tie the port down on the firewall to the
IP address of your management server.
This way you only open a single TCP port rather than the SQL 1433 port.
I think this is more secure, as a hacker is always going to go after an open
SQL port, as this normally leads to a database containing possibly sensitive
data.
I hope this helps,
Gordon,
Ancoris
http://www.ancoris.com/mom

Sam Hobday, Solsoft
Guest
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Cheers for the help.
I can understand a lot of what you're saying. I think we've still got
crossed wires to some extent as to the exact set up I mean and I'm still
convinced using a DMZ is a good idea.
I'm gonna have a think and chat with my colleagues.
Thanks for the help,
Sam

Gordon
Guest
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Hi Sam,
If I understand rightly, the issue here is about access from the internal
network to the DMZ.
You say that you do not want to open port 1270 from the internal to the DMZ
because it is open to the Internet, yet you seem happy to open 1433 from the
internal to the DMZ, so what is the difference?
I would much rather have TCP 1270 open than ODBC 1433; surely 1433 is a
MUCH bigger risk than 1270.
With regards to locking down the IP address, this is on the firewall between
your internal network and DMZ, i.e. the management server accesses the
internal domain via 1270 and this port is tied to your database server.
I really think you are making things difficult for yourself by trying to
communicate through your firewall from your MS to DB.
MOM is designed with the TCP port to make it easy to communicate with your
agents.
Let me give you an example of an install that I have put in for a service
provider.
MOM Database & Management Server on the internal domain.
145 agents across the Internet on different domains.
The firewall has a public IP address which is NATed (via port 1270) on the
firewall to the IP address of the management server on the internal domain.
The agents are installed with the public IP address as the management server
address; the agents connect over the Internet to the firewall and are
forwarded to the management server.
You could even assign a DNS alias to the IP address to make it easier to
set up the agents.
If anybody tries to hack your TCP port, MOM will alert that a malformed MOM
data packet has been received, which could possibly be a hacking attempt (you
can try this by telnetting to the TCP port [telnet momservername 1270]), and
then you can take the appropriate action to secure it.
As far as I know (and I'm sticking my neck out here) there are no known MOM
exploits; however, this cannot be said of SQL. In a nutshell, if someone hacks
the MOM port you will know about it, whereas I do not know if the same can be
said of someone hacking your SQL port.
The choice is yours, but I know which way I would feel most secure with,
Gordon.
"Sam Hobday, Solsoft" wrote:
| Quote: | Thanks for the info, but I don't think we're talking about quite the same
issue.
Port 1270 - ie. communication between the Mgmt server and the agents, is NOT
the issue.
The servers we will be monitoring are NOT on our internal network - they are
servers on the Internet. Therefore we will definately need 1270 open between
the outside world and our Mgmt Server. The reason we want this on the DMZ is
so there is protection to our internal network in case someone finds a
security issue in MOM or another way to exploit an open port, or if the
machine is used for some other purpose.
Port 1433 is ONLY open on our firewall between the DMZ and the internal
network. There is no access from the outside world so that's not a problem.
The issue is...
if the Mgmt server is in the DMZ, then how does it talk to the SQL server.
The port (1433) is open between these machines - fine, but there is an
authentication issue. How does the Mgmt Server authenticate with the SQL
server running the MOM database. If I join the Mgmt Server to the domain and
KEEP it in the DMZ, then doesn't it start defeating the point of a DMZ. If I
move the Mgmt Server to the internal network and put it on the domain, it
means opening up a port (1270) to our internal network accessible by the
whole of the internet. It is not practical to lock down 1270 port to certain
IPs, because there are some servers on on dynamic IPs (ADSL) and there a
simply too many servers on very different IPs.
Thanks,
Sam
Solsoft
"Gordon" wrote:
Hi Sam,
I agree with Brian here,
I have set MOM up in this scenario many times,
my advice would be to install the Management Server in the domain, open up
TCP 1270 (UDP 1270 for heartbeat) through the firewall but tie the port down
on the firewall to the ip address of your management server.
This way you only open a single TCP port rather than the SQL 1433 port.
I think this is more secure as a hacker is always going to go after an open
SQL port as this normally leads to a database containing possibly sensitive
data.
I hope this helps,
Gordon,
Ancoris
http://www.ancoris.com/mom
"Sam Hobday, Solsoft" wrote:
Isn't this is the same as my option 2 - join the Mgmt Server to the domain
keeping the Mgmt Server in the DMZ? This would involve opening domain
communication on the firewall between the internal network and the Mgmt
server.
The problem with doing that is that we have a machine on our internal domain
on the DMZ - which means if the Mgmt server was breached, it would almost
defeat the point of having a DMZ as the infiltrator would have access to the
domain.
Maybe we're being overparanoid about security - but ideally I don't want any
machines on our internal domain on the DMZ.
Any more suggestions?
I'm interested in how Microsoft themselves actually do it. I'm sure they use
AD for all their authentication, but do they have management servers on the
Internet that are also part of an AD domain for monitoring any external
servers? (I'm not expecting an actual answer here! Doubt MS will provide
internal network details)
"Brian Desmond [MVP]" wrote:
Sam,
What about option 3) Join the Mgmt Server to the domain, and add a firewall
rule from the DMZ to the management server on port 1270?
--
--Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us
www.briandesmond.com
Gordon
Guest
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Hi Sam,
I agree with Brian here,
I have set MOM up in this scenario many times,
my advice would be to install the Management Server in the domain, open up
TCP 1270 (UDP 1270 for heartbeat) through the firewall but tie the port down
on the firewall to the ip address of your management server.
This way you only open a single TCP port rather than the SQL 1433 port.
I think this is more secure as a hacker is always going to go after an open
SQL port as this normally leads to a database containing possibly sensitive
data.
I hope this helps,
Gordon,
Ancoris
http://www.ancoris.com/mom
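Added example, not from the thread and not anyone's posted code: a small Python probe for checking, from an Internet-side host, what the firewall in Gordon's layout actually exposes on the management server's public address. The agent port 1270 and SQL port 1433 are the ones discussed in the posts; the host name `mom-public.example.com`, the list of Windows domain ports and the expected-exposure table are assumptions for illustration.

```python
"""Check what a MOM management server's public address really exposes.

Added example, not from the thread.  Run from an Internet-side host against
the address the agents are pointed at: the agent port should be open and
the SQL and Windows domain ports should not be.  The host name and the
expected-exposure table below are assumptions for illustration.
"""
import errno
import socket

MOM_AGENT_PORT = 1270
SQL_PORT = 1433
DOMAIN_PORTS = (88, 135, 139, 389, 445)  # Kerberos, RPC mapper, NetBIOS, LDAP, SMB

# Expected view from outside once the firewall rule for 1270 is in place.
EXPECTED_FROM_INTERNET = {MOM_AGENT_PORT: "open", SQL_PORT: "not open"}
EXPECTED_FROM_INTERNET.update({p: "not open" for p in DOMAIN_PORTS})


def probe_tcp(host, port, timeout=3.0):
    """Classify host:port as 'open', 'closed' (RST came back) or 'filtered'.

    connect_ex returns an errno instead of raising.  A refused connection
    means a host answered and nothing listens there; a timeout (connect_ex
    reports EAGAIN/EWOULDBLOCK) or an unreachable error is what a firewall
    that drops the packet looks like from outside.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"
    if rc in (errno.ECONNREFUSED, 10061):  # 10061 is WSAECONNREFUSED on Windows
        return "closed"
    return "filtered"


def exposure_report(host, ports=None, timeout=3.0):
    """Probe each port once and return {port: state}."""
    ports = sorted(EXPECTED_FROM_INTERNET) if ports is None else ports
    return {p: probe_tcp(host, p, timeout) for p in ports}


def policy_findings(report, expected=EXPECTED_FROM_INTERNET):
    """Compare a report with the expected exposure and list the deviations.

    'not open' accepts 'closed' as well as 'filtered': from outside both mean
    the service cannot be reached, which is all the policy cares about.
    """
    findings = []
    for port, want in expected.items():
        got = report.get(port)
        if got is None:
            findings.append(f"port {port}: not probed")
        elif want == "open" and got != "open":
            findings.append(f"port {port}: expected open, found {got}; agents cannot reach the management server")
        elif want == "not open" and got == "open":
            findings.append(f"port {port}: reachable from the Internet but should not be")
    return findings


def local_selfcheck():
    """Sanity check that needs no network: one listening and one idle loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listening = srv.getsockname()[1]
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    idle_port = idle.getsockname()[1]
    idle.close()  # bound then released, so nothing listens on it
    try:
        return probe_tcp("127.0.0.1", listening, 1.0), probe_tcp("127.0.0.1", idle_port, 1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mom-public.example.com"  # assumed name
    report = exposure_report(target)
    for port, state in report.items():
        print(f"{target}:{port} {state}")
    problems = policy_findings(report)
    for finding in problems:
        print("FINDING:", finding)
    if not problems:
        print("exposure matches policy")
```

Only TCP can be checked this way; the UDP 1270 heartbeat Gordon mentions gives no answer either way, so confirm that rule on the firewall log instead. For the ports that must stay hidden, 'filtered' (no answer) and 'closed' (RST) are both acceptable; the difference only tells you whether the firewall drops or rejects.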
Sam Hobday, Solsoft
Guest
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Thanks for the info, but I don't think we're talking about quite the same
issue.
Port 1270 - ie. communication between the Mgmt server and the agents, is NOT
the issue.
The servers we will be monitoring are NOT on our internal network - they are
servers on the Internet. Therefore we will definitely need 1270 open between
the outside world and our Mgmt Server. The reason we want this on the DMZ is
so there is protection to our internal network in case someone finds a
security issue in MOM or another way to exploit an open port, or if the
machine is used for some other purpose.
Port 1433 is ONLY open on our firewall between the DMZ and the internal
network. There is no access from the outside world so that's not a problem.
The issue is...
if the Mgmt server is in the DMZ, then how does it talk to the SQL server.
The port (1433) is open between these machines - fine, but there is an
authentication issue. How does the Mgmt Server authenticate with the SQL
server running the MOM database. If I join the Mgmt Server to the domain and
KEEP it in the DMZ, then doesn't it start defeating the point of a DMZ. If I
move the Mgmt Server to the internal network and put it on the domain, it
means opening up a port (1270) to our internal network accessible by the
whole of the internet. It is not practical to lock down the 1270 port to certain
IPs, because there are some servers on dynamic IPs (ADSL) and there are
simply too many servers on very different IPs.
Thanks,
Sam
Solsoft
Monkey
Guest
Posted: Tue Jan 18, 2005 5:09 pm
Post subject: Re: Authentication Setup for distributed MOM 2005. Recommend
Can you not have the management server using its own SQL database on a box in
the DMZ?
"Gordon" wrote:
Hi Sam,
Read back through your notes, I think I understand what you're trying to achieve
with the DMZ, just not sure how you are going to get the authentication
working over ODBC in your scenario, would be interested to know if you get
around it.
Post back if you get a solution and best of luck,
Gordon.
"Sam Hobday, Solsoft" wrote:
Cheers for the help.
I can understand a lot of what you're saying. I think we've still got
crossed wires to some extent as to the exact set up I mean and I'm still
convinced using a DMZ is a good idea.
I'm gonna have a think and chat with my colleagues.
Thanks for the help,
Sam
"Gordon" wrote:
Hi Sam,
If I understand rightly the issue here is about access from the internal
network to the DMZ.
You say that you do not want to open port 1270 from the internal to the DMZ
because it is open to the internet yet you seem happy to open 1433 from the
internal to the DMZ so what is the difference.
I would much rather have TCP 1270 open than ODBC 1433, surely the 1433 is a
MUCH bigger risk than 1270.
With regards to locking down the IP address this is on the firewall between
your internal network and DMZ i.e. the management server accesses the
internal domain via 1270 and this port is tied to your database server.
I really think you are making things difficult for yourself by trying to
communicate through your firewall from your MS to DB.
MOM is designed with the TCP port to make it easy to communicate with your
agents.
Let me give you an example of an install that I have put in for a service
provider.
MOM Database & Management Server on the internal domain.
145 agents across the internet on different domains.
The Firewall has a public IP address which is NATed (via port 1270) on the
firewall to the IP address of the management server on the internal domain.
The agents are installed with the public IP address as the management server
address, the agents connect over the internet to the firewall and are
forwarded to the management server.
You could even assign a DNS alias to the IP address to make it easier to
setup the agents.
If anybody tries to hack your TCP port, MOM will alert that a malformed MOM
data packet has been received which could possibly be a hacking attempt (you
can try this by telnetting to the TCP port [telnet momservername 1270]) and
then you can take the appropriate action to secure.
As far as I know (and I'm sticking my neck out here) there are no known MOM
exploits, however this cannot be said of SQL, in a nutshell if someone hacks
the MOM port you will know about it, where I do not know if the same can be
said of someone hacking your SQL port.
The choice is yours, but I know which way I would feel most secure with,
Gordon.
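Added example, not part of the thread and not anyone's real firewall configuration: a Python model of the four placements argued about above. They are Sam's option 1 (management server in the DMZ as a workgroup machine with only 1433 opened to the internal network), his option 2 (the same machine domain joined, so the Windows domain ports are opened as well), Brian and Gordon's layout (management server on the internal network with 1270 NATed through from the Internet), and Monkey's suggestion (the MOM database on a box in the DMZ next to the management server). Hosts, zones, the list of domain ports and the rules are simplifying assumptions. For each design the model counts the rules that cross a zone boundary and computes how many machines an attacker has to exploit, starting either from a breached management server or from the Internet, before a Windows domain port (Kerberos, RPC, NetBIOS, LDAP, SMB) is reachable. Every reachable service is assumed exploitable, which is the usual worst-case attack-graph convention.

```python
"""Attack-graph sketch of the MOM placements discussed above.

Added example, not from the thread.  Hosts, zones and rules are assumptions
that simplify what the posts describe; adapt them to a real rule base.
"""
from collections import deque

MOM_AGENT_PORT = 1270
SQL_PORT = 1433
DOMAIN_PORTS = (88, 135, 139, 389, 445)  # Kerberos, RPC mapper, NetBIOS, LDAP, SMB

# Zone membership.  "inet" stands for any host on the Internet.
HOSTS_MS_IN_DMZ = {"inet": "internet", "ms": "dmz", "db": "internal", "dc": "internal"}
HOSTS_MS_INTERNAL = {"inet": "internet", "ms": "internal", "db": "internal", "dc": "internal"}
HOSTS_DB_IN_DMZ = {"inet": "internet", "ms": "dmz", "db": "dmz", "dc": "internal"}


def flat_internal():
    """The internal LAN is assumed flat: every internal host reaches every
    internal service (SQL plus the domain ports) with no firewall in between."""
    return [("internal", "internal", p) for p in (SQL_PORT,) + DOMAIN_PORTS]


# A rule is (source, destination, tcp port); source and destination may be a
# host name or a zone name.
DESIGNS = {
    # Sam's option 1: workgroup box in the DMZ, mirrored local account, 1433 opened DMZ -> DB.
    "dmz_workgroup": (HOSTS_MS_IN_DMZ,
                      [("internet", "ms", MOM_AGENT_PORT), ("ms", "db", SQL_PORT)] + flat_internal()),
    # Sam's option 2: same box domain joined, so the domain ports are opened DMZ -> DC too.
    "dmz_domain_joined": (HOSTS_MS_IN_DMZ,
                          [("internet", "ms", MOM_AGENT_PORT), ("ms", "db", SQL_PORT)]
                          + [("ms", "dc", p) for p in DOMAIN_PORTS] + flat_internal()),
    # Brian/Gordon: management server inside, public address NATed to it on 1270 only.
    "internal_nat": (HOSTS_MS_INTERNAL,
                     [("internet", "ms", MOM_AGENT_PORT)] + flat_internal()),
    # Monkey: MOM database on its own box in the DMZ, nothing opened to the internal network.
    "dmz_own_sql": (HOSTS_DB_IN_DMZ,
                    [("internet", "ms", MOM_AGENT_PORT), ("ms", "db", SQL_PORT)] + flat_internal()),
}


def _targets(hosts, name):
    """A rule endpoint is either one host or every host in a zone."""
    return [name] if name in hosts else [h for h, z in hosts.items() if z == name]


def crossing_rules(hosts, rules):
    """Number of rules whose source and destination sit in different zones, i.e. firewall holes."""
    count = 0
    for src, dst, _ in rules:
        src_zone = hosts.get(src, src)
        if any(hosts[t] != src_zone for t in _targets(hosts, dst)):
            count += 1
    return count


def reachable(hosts, rules, start):
    """Breadth-first pivot analysis from a compromised host.

    Every service the attacker can reach is assumed exploitable, so its host
    becomes a new pivot.  Returns {(host, port): hops}, where hops is the
    number of machines exploited so far (the start counts as one).
    """
    depth = {start: 0}
    services = {}
    queue = deque([start])
    while queue:
        h = queue.popleft()
        for src, dst, port in rules:
            if src not in (h, hosts[h]):
                continue
            for target in _targets(hosts, dst):
                if target == h:
                    continue
                services.setdefault((target, port), depth[h] + 1)  # BFS order gives the minimum
                if target not in depth:
                    depth[target] = depth[h] + 1
                    queue.append(target)
    return services


def summarize(start):
    """Per design: firewall holes, hops to the MOM database, hops to the first domain port."""
    out = {}
    for name, (hosts, rules) in DESIGNS.items():
        s = reachable(hosts, rules, start)
        domain = [hops for (_, port), hops in s.items() if port in DOMAIN_PORTS]
        out[name] = {
            "firewall_rules": crossing_rules(hosts, rules),
            "sql_hops": s.get(("db", SQL_PORT)),
            "domain_hops": min(domain) if domain else None,
        }
    return out


if __name__ == "__main__":
    for start in ("ms", "inet"):
        print(f"attacker starts at {start}:")
        for name, row in summarize(start).items():
            print(f"  {name:18s} {row}")
```

Read the output as the disagreement in the posts made explicit. With the DMZ/workgroup placement a breached management server is still one more exploit (SQL Server itself) away from any domain port, at the cost of one extra hole in the firewall; domain-joining the DMZ box throws that hop away, and the internal placement trades the 1433 rule for putting the management server inside the domain from the start. Monkey's layout never reaches a domain port, but the model does not weigh where the monitoring data then sits, which is Gordon's point about SQL being the attractive target.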