MOM and IPSec

Do you know which part of MOM that is encrypted?

When a new agent is installed is that traffic not encrypted. When the installation is done the communication is encrypted as default, if the agent is member of a domain. When the information has reached the Management server and is going to the database, the traffic is no longer encrypted. IPSec is a protocol that can provide this security.  

IPsec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
Source: Wikipedia 

IPSec can be used between the following machines

  • Management server and MOM database server
  • MOM database server and reporting database
  • Management server and computer without agent
  • Management server and operator console or administrator console (if they are running from another computer)

Traffic between agent and management server is encrypted by default and don’t need IPSec.

In this example the traffic will be encrypted based on information from the domain. If the machines is not in a common domain you can use shared keys or certification to encrypt the traffic. Below there is a walkthrough how to enable IPSec. There is other ways, for example Netsh and group policy objects.

  1. Start by running MMC and add the “IP Security on Local Computer” snap-in
  2. Right-click and choose “Create IP Security Policy
  3. Input a suitable name, for example MOM IPSec Policy
  4. Uncheck “Activate the default response rule”
  5. In “IP Security Policy Wizard” verify that “Edit Properties” is marked and then click “Finish”
  6. In “Policy Properties” unmark “Use Add Wizard” and verify that ” is unmarked and then click add..
  7. Under “IP Filter List” click Add..
  8. Input a suitable name in “IP Filter List”, then uncheck “Use Add Wizard” and click Add
  9. Choose “My IP Address” under “Source address” and choose “A specific IP Address” under “Destination address”. Input the IP of the other server and verify that “Mirrored” is marked, then click “OK”
  10. In “IP Filter List” click OK
  11. Back in “New Rule Properties” mark you new rule under “IP Filter Lists:”
  12. Under “Filter Action” choose “Require Security”
  13. Under “Authentication Methods” choose “Kerberos”
  14. Under “Tunnel Settings” choose “This rule does not specify an IPSec tunnel”
  15. Under “Connection Type” choose “All network connection”
  16. Click Apply and then OK
  17. In Properties, choose the new policy and click OK
  18. Right-click the new policy and choose Assign
  19. If you add “IP Security Monitor” snap-in in MMC you can verify that your new policy is active

Now do the same steps on the other server, don’t forget to change IP at 9.




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.