OpsMgr 2007 PKI and Gateway Scenarios Part 3: When should I use a Gateway Server
Certificate-based authentication in general is a frequent source of confusion. Mutual authentication via certificates does not require a Gateway: you could just as easily have an agent authenticate via certificate directly with a Management Server, or even with the Root Management Server. So when and why should I use a Gateway Server?
Let’s start by discussing the real purpose of the Gateway Role.
The Gateway role has two primary functions:
- Minimize the number of points of traffic between two secured environments (for example, an intranet and a DMZ). A Gateway allows all agent traffic to be channeled through a single host.
- Maximize the use of Kerberos-based authentication where it is available, because the TCO associated with Kerberos is lower than with certificates. In an untrusted AD environment, a Gateway lets agents authenticate to it via Kerberos while the Gateway itself uses certificate-based authentication to communicate with the upstream Management Server.
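The second scenario above hinges on the Gateway holding a certificate that the upstream Management Server will accept, and on the Gateway being the only host that needs a path through the firewall. The PowerShell below is an added example (not code from the original post or from the OpsMgr product) that a practitioner can run on a candidate Gateway host before deploying the role: it lists the certificates in the machine store and flags any that lack the Server Authentication and Client Authentication EKUs, have no private key, are outside their validity window, or whose subject CN does not match the host FQDN, and it then probes the upstream Management Server on the OpsMgr agent/gateway port. The EKU and port requirements come from the OpsMgr 2007 certificate documentation rather than from this post; the function names, parameter names and the sample hostname are this example's own.

```powershell
# Added example, not from the original post: pre-flight checks for a host that is
# about to become an OpsMgr 2007 Gateway Server using certificate-based
# authentication to its upstream Management Server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$OpsMgrPort    = 5723                  # TCP port used between agents, gateways and management servers

function Get-EnhancedKeyUsageOids {
    # Return the EKU OIDs carried by a certificate (empty if it has no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

function Test-OpsMgrGatewayCertificate {
    # Examine every certificate in the machine personal store and report whether it
    # satisfies the requirements for OpsMgr certificate-based authentication.
    param(
        [string]$ExpectedFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [string]$StorePath    = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    $results = @()
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = Get-EnhancedKeyUsageOids -Certificate $cert
        $problems = @()
        if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
        if ($ekus -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
        if (-not $cert.HasPrivateKey)          { $problems += 'no private key in store' }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }
        # Subject must name this host: "CN=<fqdn>" followed by a comma or end of string.
        if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)')) {
            $problems += "subject CN is not $ExpectedFqdn"
        }
        $results += [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
    return $results
}

function Test-OpsMgrUpstreamPort {
    # Confirm the Gateway can open a TCP connection to the upstream Management Server.
    # A raw TcpClient is used so the check also runs on hosts without Test-NetConnection.
    param([Parameter(Mandatory = $true)][string]$ManagementServer, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($ManagementServer, $OpsMgrPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $ok = $client.Connected
        }
    } catch {
        $ok = $false
    } finally {
        $client.Close()
    }
    return $ok
}

# Usage on the candidate Gateway host (the management server name is a constructed example):
Test-OpsMgrGatewayCertificate | Format-Table -AutoSize
Test-OpsMgrUpstreamPort -ManagementServer 'ms01.corp.example.com'
```

A certificate reported as Usable still has to chain to a CA that the upstream Management Server trusts; this script checks the certificate's own properties, not the trust chain on the far end. Run the port probe from the Gateway only, since in the single-host design the agents behind it should have no route of their own to the Management Server.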
It’s important to remember that the Gateway role is licensed as a Management Server, so it may not make sense from a budgetary perspective to deploy a Gateway for only a small number of agents, since significant hardware and software costs are involved. See the licensing brief for more info HERE.
So, when should I use a Gateway Server? There are no hard-and-fast guidelines, but here are some examples:
- When security requires that you proxy agent traffic through a single host to and from a perimeter network.
- When you have enough agents in an untrusted environment to economically justify the hardware and licensing expense.
- When you exceed the recommended scalability limits of a single Gateway and need an additional one.
For a detailed HOW-TO on gateway and certificate-based authentication scenarios in Operations Manager 2007, see our recently updated Gateway and PKI Scenarios Guide.
FYI - You can pre-order your copy of Operations Manager 2007 Unleashed HERE. (Release date in January ‘08)