Domain and Firewall Considerations for ObserveIT Installations
This topic describes the requirements for installations in which ObserveIT components belong to a domain. It also describes firewall considerations.
Domain Membership
Domain membership of a computer that runs any of the ObserveIT components is not mandatory. Servers or workstations that run the ObserveIT Agent and the ObserveIT server-side components may be configured either as standalone machines or as members of a domain. There are two factors that should influence your decision regarding domain membership: the Active Directory Connector, and DNS integration for policy-based Agent deployment.
- Active Directory Connector: If the server on which the ObserveIT Application server is installed is a member of an Active Directory domain, that Active Directory domain will be automatically added to the list of LDAP Targets, and will be configured as an Automatic type LDAP Target. This will enable the usage of Active Directory users and groups from all domains in the Active Directory forests that are connected to the current forest.
ObserveIT easily integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ObserveIT server-side components are installed, and in which the ObserveIT Agents are deployed (if different). Cross-forest trusts can also be used. Although using groups from Active Directory domains is possible with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage (for details, refer to Active Directory Best Practices). Note that by default, the use of domain local groups is disabled. In order to use domain local groups, you must enable the "Allow LDAP local groups" option in the System Settings page of the Web Console (see Configuring System Settings).
If the server was not a member of any domain during the ObserveIT installation, you can add that server to a domain afterwards. After adding the server to a domain, you will be able to add the Automatic type LDAP Target. If the server on which the ObserveIT Application server is installed is not a member of any Active Directory domain, you can still add Manual type LDAP Targets. This will enable the usage of Active Directory users; however, you cannot use groups from that domain.
- Group Policy-based Agent deployment: When considering the various methods of deploying the ObserveIT Agent on target machines, one of the options is to install it by using Group Policy Objects (GPO) in an Active Directory infrastructure. The Agent setup application is a standard Windows installer (.MSI) package that is well supported by software distribution applications and Group Policy.
- DNS Integration for Agent auto-configuration: When the Agent software is deployed to the target machines, it uses DNS to query and locate the machine that provides the ObserveIT Application Server services. It does this by searching for an SRV Record named _oit._tcp.domain-name.suffix. In the case of https (SSL connections), the Agent searches for an SRV Record called _oits._tcp.domain-name.suffix. The information from DNS is inserted into the Agent configuration, and if properly configured, it allows the Agent to communicate with the correct server by using the correct TCP port.
Firewall Considerations
If there is a firewall between the ObserveIT Agents and the ObserveIT Application Server, you must allow traffic for the TCP ports on which the ObserveIT Application Server communicates through that firewall. For new ObserveIT installations, the default is 4884, but this port can be changed to meet the organization's requirements. Note that you can also configure ObserveIT to use SSL, which will change the port to 443.
If there is a firewall between the ObserveIT Application Server or ObserveIT Web Console and the SQL Server, you must allow traffic for the TCP ports on which the SQL Server communicates through that firewall. Regular SQL traffic uses TCP port 1433.
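The following PowerShell is an added example (not part of the ObserveIT documentation) showing how the SRV records described above and the firewall rules described here fit together: it publishes the _oit / _oits records for Agent auto-configuration, then verifies that an Agent host can resolve them and reach the advertised port. The zone name example.com, the hosts oit-app.example.com and oit-sql.example.com, and the SQL host name are assumptions; the ports 4884, 443 and 1433 are the ones stated on this page.

```powershell
# --- DNS: publish the SRV records the Agent searches for (run on the DNS server) ---
# Assumed zone and application-server host name; replace with your own.
$Zone    = 'example.com'
$AppHost = 'oit-app.example.com'

# Plain-HTTP Agent traffic: _oit._tcp.<domain> -> Application Server on the default port 4884.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_oit._tcp' `
    -DomainName $AppHost -Priority 0 -Weight 5 -Port 4884 -TimeToLive (New-TimeSpan -Hours 1)

# SSL Agent traffic: _oits._tcp.<domain> -> same server on 443 (the port ObserveIT uses once SSL is enabled).
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_oits._tcp' `
    -DomainName $AppHost -Priority 0 -Weight 5 -Port 443 -TimeToLive (New-TimeSpan -Hours 1)

# --- Firewall: allow the ports this page lists (run on the host that owns each port) ---
# On the Application Server: Agents -> Application Server.
New-NetFirewallRule -DisplayName 'ObserveIT Agent to Application Server (4884)' `
    -Direction Inbound -Protocol TCP -LocalPort 4884 -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'ObserveIT Agent to Application Server (SSL 443)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain

# On the SQL Server: Application Server / Web Console -> SQL Server. Restricting -RemoteAddress
# to the ObserveIT server addresses keeps the rule to the minimum the product needs.
New-NetFirewallRule -DisplayName 'ObserveIT servers to SQL Server (1433)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain `
    -RemoteAddress @('10.0.0.10', '10.0.0.11')   # assumed Application Server / Web Console IPs

# --- Verification from a machine where the Agent will be deployed ---
# Resolve the SRV record the Agent will query and test the advertised host:port through the firewall.
$srv = Resolve-DnsName -Name "_oit._tcp.$Zone" -Type SRV -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
       Select-Object -First 1
"Agent will contact $($srv.NameTarget):$($srv.Port)"
Test-NetConnection -ComputerName $srv.NameTarget -Port $srv.Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If TcpTestSucceeded is False while the SRV record resolves, the DNS side is correct and the remaining problem is the firewall path between the Agent and the Application Server.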
For detailed instructions on how to enable these rules, see the firewall documentation.