Do you know which part of MOM traffic is encrypted?
While a new agent is being installed (pushed out from the management server), that traffic is not encrypted. Once the installation is done, communication between agent and management server is encrypted by default, provided the agent is a member of a domain. When the data has reached the management server and is sent on to the database, the traffic is no longer encrypted. IPsec is a protocol that can provide this protection.
IPsec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
IPsec can be used between the following machines:
- Management server and MOM database server
- MOM database server and reporting database server
- Management server and a computer without an agent (agentless managed)
- Management server and the Operator console or Administrator console (if they run on another computer)
Traffic between agent and management server is encrypted by default and does not need IPsec.
In this example the two machines authenticate each other with Kerberos, that is, using the domain. If the machines are not in a common (or trusted) domain you can use a preshared key or certificates instead. Below is a walkthrough of how to enable IPsec through the MMC snap-in. There are other ways, for example Netsh and Group Policy objects.
1. Start by running MMC and add the "IP Security Policy Management" snap-in for the local computer (it appears as "IP Security Policies on Local Computer")
2. Right-click it and choose "Create IP Security Policy..."
3. Enter a suitable name, for example MOM IPSec Policy
4. Uncheck "Activate the default response rule"
5. In the "IP Security Policy Wizard", verify that "Edit properties" is checked and click "Finish"
6. In "Policy Properties", uncheck "Use Add Wizard", verify that it is unchecked, and click Add...
7. Under "IP Filter List" click Add...
8. Enter a suitable name for the IP filter list, uncheck "Use Add Wizard" and click Add...
9. Choose "My IP Address" as the source address and "A specific IP Address" as the destination address. Enter the IP address of the other server, verify that "Mirrored" is checked, and click OK
10. In "IP Filter List" click OK
11. Back in "New Rule Properties", select your new filter list under "IP Filter Lists:"
12. Under "Filter Action" choose "Require Security"
13. Under "Authentication Methods" choose Kerberos
14. Under "Tunnel Setting" choose "This rule does not specify an IPSec tunnel"
15. Under "Connection Type" choose "All network connections"
16. Click Apply and then OK
17. In the policy properties, verify that the new rule is selected and click OK
18. Right-click the new policy and choose Assign
19. If you add the "IP Security Monitor" snap-in in MMC you can verify that your new policy is active
Now repeat the same steps on the other server, and don't forget to change the IP address in step 9 so that it points back to the first server. Note that "Require Security" refuses unprotected traffic, so the two machines cannot talk to each other from the moment the first policy is assigned until the second one is as well; do both sides in one go, or use "Request Security" on the first pass if you cannot afford a short outage.
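The same policy can be created from the command line instead of clicking through the MMC. The script below is an added example, not part of the original post; it builds the equivalent policy with "netsh ipsec static" on Windows Server 2003, and is run on both machines with the other machine's IP address as its only argument. The policy, filter list and filter action names are arbitrary labels chosen for this example, and Kerberos authentication assumes both machines are members of a (trusted) domain, as in the walkthrough above.

```batch
@echo off
REM Added example (not from the original post): builds the same IPsec policy as the
REM MMC walkthrough with "netsh ipsec static" (Windows Server 2003).
REM Usage:  mom-ipsec.cmd <peer-ip>
REM Run it on both machines, each time with the OTHER machine's IP address.
REM Assumptions: both machines are domain members (Kerberos); the names below
REM are labels chosen for this example and can be anything.

if "%~1"=="" (
    echo Usage: %~nx0 ^<peer-ip^>
    exit /b 1
)
set PEER=%~1
set POLICY=MOM IPSec Policy
set FLIST=MOM Peer %PEER%
set FACTION=MOM Require Security

REM The policy itself, without the default response rule
REM (same as unchecking "Activate the default response rule").
netsh ipsec static add policy name="%POLICY%" description="Secure MOM traffic" activatedefaultrule=no

REM Filter list: my address to the peer address, all protocols, mirrored,
REM i.e. "My IP Address" -> "A specific IP Address" with "Mirrored" checked.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=%PEER% protocol=ANY mirrored=yes

REM Filter action equivalent to "Require Security": negotiate IPsec, never fall
REM back to clear text (soft=no) and accept no unsecured inbound traffic (inpass=no).
REM For a "Request Security" rollout pass, use soft=yes inpass=yes instead.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no

REM Rule tying filter list and action together: Kerberos authentication,
REM transport mode (no tunnel endpoint), all connection types.
netsh ipsec static add rule name="Peer %PEER%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes conntype=all

REM Assign the policy (same as right-click, Assign) and show what is active.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%"

REM After the peer has assigned its policy and traffic has flowed, the main mode
REM security associations with the peer should be listed here (what the
REM "IP Security Monitor" snap-in shows in the GUI).
netsh ipsec dynamic show mmsas
```

Because the filter uses srcaddr=me and one specific destination, only traffic to and from that peer is affected; everything else on the server keeps working as before. Run the script on the second machine as soon as the first one is done, since with soft=no the first machine will drop unprotected packets from the peer until both sides can negotiate.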