PrepAway - Latest Free Exam Questions & Answers

What should you install? (Each correct answer presents part of the solution

Your company has a private cloud that contains two Active Directory forests named contoso.com and adatum.com. The contoso.com network and the adatum.com network are separated by a firewall.

No trusts exist between the forests.

You deploy System Center 2012 Operations Manager to contoso.com.

You install agents on 100 servers in both forests.

You need to ensure that you can monitor all 100 servers. The solution must minimize the traffic between the two networks.

What should you install? (Each correct answer presents part of the solution. Choose all that apply.)


A. a server certificate on the gateway server in adatum.com

B. client certificates on all of the servers in adatum.com

C. a gateway server in contoso.com

D. client certificates on all of the servers in contoso.com

E. a server certificate on the gateway server in contoso.com

F. a server certificate on the management server in contoso.com

G. a gateway server in adatum.com

Explanation:
About Gateway Servers in Operations Manager

System Center 2012 Operations Manager requires that mutual authentication be performed between agents and management servers before they exchange any information. To secure the authentication process between the two, the process is encrypted. When the agent and the management server reside in the same Active Directory domain, or in Active Directory domains that have established trust relationships, they use the Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, other mechanisms must be used to satisfy the secure mutual authentication requirement.

In Operations Manager, this is accomplished through the use of X.509 certificates issued for each computer. If there are many agent-monitored computers, this results in high administrative overhead for managing all those certificates. In addition, if there is a firewall between the agents and management servers, multiple authorized endpoints must be defined and maintained in the firewall rules to allow communication between them.

To reduce this administrative overhead, Operations Manager has a server role called the gateway server. Gateway servers are located within the trust boundary of the agents and can participate in the mandatory mutual authentication. Because they lie within the same trust boundary as the agents, the Kerberos V5 protocol for Active Directory is used between the agents and the gateway server. Each agent then communicates only with the gateway servers that it is aware of. The gateway servers communicate with the management servers.

To support the mandatory secure mutual authentication between the gateway servers and the management servers, certificates must be issued and installed, but only for the gateway and management servers. This reduces the number of certificates required, and in the case of an intervening firewall it also reduces the number of authorized endpoints to be defined in the firewall rules. The following illustration shows the authentication relationships in a management group using a gateway server.

http://technet.microsoft.com/en-us/library/hh212823.aspx
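
The trust-boundary rule from the explanation above, modelled as an added Python example (not part of the original page and not Operations Manager code): for each agent it picks Kerberos or certificate authentication and reports which computers need certificates and which links cross the boundary. The host names, the 60/40 split of the 100 servers, and the assumption that the firewall coincides with the forest boundary are constructed for illustration.

```python
from collections import namedtuple

# One authenticated connection; crosses_boundary marks links that leave the trust boundary.
Link = namedtuple("Link", "src dst auth crosses_boundary")

def trusted(a, b, trusts):
    """True when both forests are the same or a trust exists between them."""
    return a == b or frozenset((a, b)) in trusts

def plan(agents, mgmt, trusts=frozenset(), gateways=None):
    """agents: {host: forest}; mgmt: (host, forest); gateways: {forest: gateway host}.
    Returns (links, certificate holders, links that cross the trust boundary)."""
    gateways = gateways or {}
    mgmt_host, mgmt_forest = mgmt
    links, certs = set(), set()
    for host, forest in agents.items():
        if trusted(forest, mgmt_forest, trusts):
            # Same trust boundary: Kerberos V5, no certificate needed.
            links.add(Link(host, mgmt_host, "kerberos", False))
        elif forest in gateways:
            # Agent talks Kerberos to its local gateway; only the gateway
            # and the management server authenticate with certificates.
            gw = gateways[forest]
            links.add(Link(host, gw, "kerberos", False))
            links.add(Link(gw, mgmt_host, "certificate", True))
            certs.update((gw, mgmt_host))
        else:
            # No trust and no gateway: every agent needs its own certificate.
            links.add(Link(host, mgmt_host, "certificate", True))
            certs.update((host, mgmt_host))
    crossing = {link for link in links if link.crosses_boundary}
    return links, certs, crossing

def sample_agents():
    """Constructed inventory: 60 servers in contoso.com, 40 in adatum.com."""
    agents = {f"srv{i:02d}.contoso.com": "contoso.com" for i in range(60)}
    agents.update({f"srv{i:02d}.adatum.com": "adatum.com" for i in range(40)})
    return agents

MGMT = ("ms01.contoso.com", "contoso.com")  # hypothetical management server

if __name__ == "__main__":
    options = (("no gateway", None), ("gateway", {"adatum.com": "gw01.adatum.com"}))
    for label, gws in options:
        _, certs, crossing = plan(sample_agents(), MGMT, gateways=gws)
        print(f"{label}: {len(certs)} certificates, {len(crossing)} boundary-crossing links")
```

Each boundary-crossing link corresponds to an authorized endpoint that would have to be defined in the firewall rules.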

