Avanade Management Platform
Monitoring Requirements
October 6th, 2020
Contents
1 Introduction (p. 3)
1.1 AMP Monitoring and the ServiceNow CMDB (p. 3)
1.2 Determining Monitoring Accounts (p. 3)
5 Appendices (p. 27)
5.1 Configuring Windows Server OS for WMI Least Permissions (p. 27)
5.2 What is the CredSSP Authentication Mechanism? (p. 29)
This document contains information regarding the account permissions, network port and protocol
requirements, and configuration requirements for monitoring supported applications, services, or devices
with the Avanade Management Platform monitoring agent.
Most of the systems being managed and monitored are server based systems
with both an operating system, such as Microsoft Windows, and a server
application or role such as Microsoft Exchange.
Figure: This example shows a generic application server broken out into managed components and then represented as Configuration Items (CI) in the ServiceNow CMDB.
Figure: A real-world application server example could be a Microsoft Exchange Server.
In both examples you can see that the real world managed application server is logically expanded into its component parts:
the Windows operating system and the application running on that operating system.
Within the CMDB these two CIs will have a logical relationship to each other. Typically this is a Runs::Runs On relationship, where
the Windows operating system “Runs” the application and the application CI has an automatically inferred “Runs On”
relationship to the operating system.
With this in mind, it is important to remember that an account can be used for more than one purpose. For example, a single
Active Directory account could be granted all of the required monitoring permissions, and that single account would cover all
requirements for monitoring in a specific environment. In most cases, there will be more than one monitoring service account so
that separation of concerns and security can be managed.
In the following scenarios, we will review options for monitoring service accounts in an example environment with Windows
Server OS, Active Directory Domain Controllers, Exchange Servers, and SharePoint servers at a client named “Edanava.” Each
scenario will review a different monitoring service account configuration including:
• One Account – a single account for monitoring all targets in the environment
• Two Accounts – two accounts for segregated security concerns
• Multiple Accounts – expands on previous scenarios
• Standalone/Local Accounts – accounts which are local to a server OS, application, or device and are not directory managed
It is recommended to settle on the smallest number of monitoring accounts necessary to cover all monitored targets in an
environment. Each additional monitoring account creates additional configuration and management complexity.
1.2.1 Scenario 1: One Account
In this scenario, a single account will be granted all of the permissions required to monitor Windows Server OS, Active Directory
Domain Controllers, Exchange Servers, and SharePoint servers.
1.2.2 Scenario 2: Two Accounts – Application Monitoring & Domain Controller Monitoring
In this scenario, application servers will be monitored with a single account. However, Domain Controllers need to be monitored
with a separate dedicated account for security reasons.
• The “Application Monitoring” account would be used to monitor Exchange servers, SharePoint servers, and their associated
Windows Server OSs.
• The “Domain Controller Monitoring” account would be used to monitor Active Directory Domain Controllers and the
associated Windows Server OSs.
1.2.3 Scenario 3: Multiple Accounts
In this scenario, each application server type must be monitored with its own dedicated account for security reasons.
• The “Exchange Monitoring” account would be used to monitor Exchange servers and their associated Windows Server OSs.
• The “SharePoint Monitoring” account would be used to monitor SharePoint servers and their associated Windows Server
OSs.
• The “Domain Controller Monitoring” account would be used to monitor Active Directory Domain Controllers and their
associated Windows Server OSs.
1.2.4 Scenario 4: Standalone/Local Accounts
In this scenario, non-domain-joined Exchange Edge application servers must be monitored with a local standalone account.
Additionally, there are F5 load balancers managing traffic to the Exchange servers which require SNMP polling from AMP
monitoring.
• The “Exchange Edge Servers” account would be used to monitor Exchange Edge servers and their associated Windows
Server OSs. Optimally the account would have the same account name and password configured on all Exchange Edge
servers.
• The “F5 Load Balancer SNMP Polling” account would be used to monitor F5 Load Balancers.
2 Windows OS and Application Monitoring
The Avanade Management Platform monitoring functionality supports the following offerings.
The specific settings in this section are known to be applicable to Microsoft Windows Server 2012 R2 only. Some security groups
and settings may not be available or present in older or newer versions of Microsoft Windows Server. These settings do not
consider custom security settings, group policies, or other environmental configurations that may be in place. Specific
requirements for Microsoft Windows Server 2008 R2 are available in a separate document.
Local Administrator permissions are the recommended and fully supported method for all versions of Microsoft Windows Server.
If the Windows Server being monitored acts as a Microsoft Active Directory Domain Controller,
please review the Microsoft Active Directory Domain Controller section for alternative
monitoring permission requirements.
All ports and protocols included in the Microsoft Windows Server Network Ports and Protocols
section are required.
2.3 Microsoft Exchange Server
Group Membership
• Windows Server
o Local Administrator
• Active Directory
o N/A
• Application Specific
o N/A
All ports and protocols included in the Microsoft Windows Server Network Ports and Protocols
section are required.
Source | Use | Port | Direction | Protocol | Destination
AMP Monitoring Agent | Exchange Web Services | 443 (https) | Outbound | TCP/HTTPS | Exchange Server Target
2.4 Microsoft SharePoint Server
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
Use of HTTP over port 80 without SSL is optional and only used if the environment is configured without SSL. If all
SharePoint Web Application endpoints are secured by an SSL configuration, then AMP will use HTTPS.
2.5 Microsoft Skype for Business Server
Group Membership
• Windows Server
o Local Administrator
• Active Directory
o N/A
• Application Specific
o N/A
Within Skype environments, it is possible to configure test users for pools via the available PowerShell cmdlets in the Skype
PowerShell module. These test users are a pair of Skype-enabled user accounts which have been preconfigured for use
with synthetic transactions. Typically, these are test or service accounts and not accounts that belong to actual users.
For AMP to successfully monitor a Skype Pool, a minimum of two test user accounts are required.
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.6 Microsoft Lync Server
Please see the Microsoft Skype for Business Server section for requirements about Microsoft Lync Server.
2.7 Microsoft SQL Server
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.10 Microsoft System Center Data Protection Manager
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
2.11 Blackberry Enterprise Server
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
Full Blackberry Enterprise Server monitoring also includes SNMP trap monitoring. Please
see the SNMP monitoring section for Blackberry Enterprise Server for more information.
2.12 Veritas Enterprise Vault
All ports and protocols included in the Microsoft Windows Server Network Ports and
Protocols section are required.
3 SNMP Device and Application Monitoring
AMP Monitoring supports SNMP Traps/Informs and SNMP GET activities. The following sections cover the
general SNMP requirements along with support and configuration information for available managed target
types.
snmp-server user <username> <groupname(AMPMON)> v3 auth sha <password> priv aes 128 <encryption>
Code Block - Cisco NX-OS
snmp-server user <SNMP Username> network-operator auth sha <password> priv aes-128 <password>
Begin by starting an SSH session to the device management IP address. When authenticated and at a
prompt type 'snmpconfig'. Configure the following settings when prompted:
2. In the console tree, right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Select the namespace for which you want to give a user or group access, and then click Security.
5. In the Security dialog box, click Add.
6. In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want
to add. Click Check Names to verify your entry and then click OK.
7. Select the user added in the previous step.
8. In the Security dialog box, under Permissions, select the Monitoring Account Permissions and then click OK.
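The WMI Control MMC steps above have to be repeated on every monitored server. The following is an added example, not part of the AMP document, that produces the same result from Windows PowerShell 5.1 (the version shipped with Server 2012 R2, which is why it uses Get-WmiObject) so it can be run against many servers. The account name EDANAVA\svc-ampmon, the namespace root\cimv2 and the host name are placeholders; the rights it grants (Enable Account and Remote Enable) are the usual minimum for remote read-only WMI queries and are assumed here to be the document's "Monitoring Account Permissions", whose table is not reproduced on this page. The read-back function lets you confirm that no write rights were granted by mistake.

```powershell
# Added example (not Avanade's code). Grants a monitoring account the minimum
# WMI namespace rights for remote read-only monitoring, then reads the DACL back.
# Run as a local administrator of the target in Windows PowerShell 5.1.
Set-StrictMode -Version Latest

# Access-mask bits for WMI namespace security (wbemcli.h).
$WBEM_ENABLE          = 0x00001   # "Enable Account"  in the MMC dialog
$WBEM_REMOTE_ACCESS   = 0x00020   # "Remote Enable"   in the MMC dialog
$WBEM_FULL_WRITE_REP  = 0x00004   # "Full Write": must NOT be held by a monitoring account

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Grant-WmiNamespaceReadAccess {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$Namespace    = 'root\cimv2',          # placeholder namespace
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $sid      = Get-AccountSid -Account $Account
    $security = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __SystemSecurity
    $descriptor = $security.GetSecurityDescriptor().Descriptor

    # Idempotent: do not stack a second ACE for the same account.
    if ($descriptor.DACL | Where-Object { $_.Trustee.SidString -eq $sid }) {
        Write-Verbose "$Account already has an ACE on $Namespace; nothing changed."
        return
    }

    $trustee = ([WMIClass] "\\$ComputerName\root\cimv2:Win32_Trustee").CreateInstance()
    $trustee.SidString = $sid

    $ace = ([WMIClass] "\\$ComputerName\root\cimv2:Win32_ACE").CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # read-only, remote-capable
    $ace.AceFlags   = 0x2    # CONTAINER_INHERIT_ACE: apply to child namespaces too
    $ace.AceType    = 0x0    # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $descriptor.DACL += $ace.PSObject.ImmediateBaseObject
    $result = $security.SetSecurityDescriptor($descriptor.PSObject.ImmediateBaseObject)
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor on $ComputerName\$Namespace failed with code $($result.ReturnValue)"
    }
}

function Test-WmiNamespaceAccess {
    # Reads the namespace DACL back and reports exactly what the account holds.
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $sid      = Get-AccountSid -Account $Account
    $security = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __SystemSecurity
    $security.GetSecurityDescriptor().Descriptor.DACL |
        Where-Object { $_.Trustee.SidString -eq $sid } |
        ForEach-Object {
            [pscustomobject]@{
                Computer      = $ComputerName
                Namespace     = $Namespace
                Account       = $Account
                EnableAccount = [bool]($_.AccessMask -band $WBEM_ENABLE)
                RemoteEnable  = [bool]($_.AccessMask -band $WBEM_REMOTE_ACCESS)
                FullWrite     = [bool]($_.AccessMask -band $WBEM_FULL_WRITE_REP)  # expect False
            }
        }
}

# Usage (placeholder account and host):
Grant-WmiNamespaceReadAccess -Account 'EDANAVA\svc-ampmon' -ComputerName 'app01' -Verbose
Test-WmiNamespaceAccess      -Account 'EDANAVA\svc-ampmon' -ComputerName 'app01' | Format-Table
```

Run the two functions in a loop over the server list for a scenario (for example all Exchange and SharePoint hosts for the "Application Monitoring" account). If the test output ever shows FullWrite as True for a monitoring account, the account has more than least permissions and the ACE should be corrected.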
Figure: Without CredSSP. Client (AMP Site Servers) opens a PowerShell Session as the Monitoring Account to Server A (Managed Server); Server A's onward PowerShell Session to Server B (Managed Server) runs only as a Network Account.
By default, PowerShell remoting authenticates using a “Network Logon.” Network Logons work by proving to the remote
server that you have possession of the user's credential without sending the credential to that server (Kerberos and NTLM
authentication). Because the remote server does not have possession of your credential, when the second hop is
attempted from Server A to Server B it fails, because Server A does not have a credential with which to authenticate to
Server B. The solution is to enable CredSSP (Credential Security Support Provider) authentication.
The Credential Security Support Provider protocol (CredSSP) is a Security Support Provider that is implemented by using
the Security Support Provider Interface (SSPI). CredSSP lets an application delegate credentials from a client to a target
server for remote authentication. CredSSP provides an encrypted Transport Layer Security Protocol channel. The client is
authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either
Microsoft Kerberos or Microsoft NTLM.
Figure: With CredSSP. Client (AMP Site Servers) opens a PowerShell Session as the Monitoring Account to Server A (Managed Server); Server A's onward PowerShell Session to Server B (Managed Server) also runs as the Monitoring Account.
After the client and server are authenticated, the client passes the user's credentials to the server. The credentials are
doubly encrypted under the SPNEGO and TLS session keys.
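The two-hop exchange described in this section, as an added example that is not part of the AMP document: the client-side setting is applied on the AMP site server, the server-side setting on each managed server (Server A), and a CredSSP-authenticated session is then used to prove that the second hop to Server B succeeds. Host names (ampsite01, exch01, exch02) and the EDANAVA\svc-ampmon account are placeholders. Because CredSSP hands the account's actual credential to Server A, the client policy is restricted to the named managed servers rather than a wildcard, so a compromised host elsewhere cannot receive it. Requires an elevated Windows PowerShell on each host.

```powershell
# Added example (not Avanade's code). Configure and verify CredSSP for the
# PowerShell remoting second hop. Host names and account are placeholders.
Set-StrictMode -Version Latest

# --- Run on the AMP site server (the "Client" in the diagrams) ---
function Enable-MonitoringCredSspClient {
    param([Parameter(Mandatory)][string[]]$ManagedServer)
    # Delegate fresh credentials only to the listed managed servers. A value of
    # '*' would let any WSMan endpoint receive the monitoring account's password.
    Enable-WSManCredSSP -Role Client -DelegateComputer $ManagedServer -Force | Out-Null
    Get-WSManCredSSP    # prints the resulting client/server CredSSP state
}

# --- Run on each managed server (Server A, the first hop) ---
function Enable-MonitoringCredSspServer {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
    Get-WSManCredSSP
}

# --- Verification from the AMP site server ---
function Test-SecondHop {
    param(
        [Parameter(Mandatory)][string]$ManagedServer,      # Server A
        [Parameter(Mandatory)][string]$SecondHopServer,    # Server B
        [Parameter(Mandatory)][pscredential]$Credential    # the monitoring account
    )
    # The outer session uses CredSSP, so Server A receives the delegated credential.
    # The inner Invoke-Command is the second hop; with a plain network logon it
    # fails with an access-denied error because Server A has nothing to present.
    Invoke-Command -ComputerName $ManagedServer -Authentication Credssp -Credential $Credential -ScriptBlock {
        param($Target)
        Invoke-Command -ComputerName $Target -ScriptBlock {
            [pscustomobject]@{ ReachedHost = $env:COMPUTERNAME; RunningAs = [Environment]::UserName }
        }
    } -ArgumentList $SecondHopServer
}

# Reads the delegation list CredSSP client enablement writes, so an auditor can
# confirm the scope is still the explicit server list and not a wildcard.
function Get-CredSspDelegationTargets {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) { (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value } }
}

# Roll back on both roles when CredSSP is no longer required.
function Disable-MonitoringCredSsp {
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}

# Usage (placeholders):
# On ampsite01:  Enable-MonitoringCredSspClient -ManagedServer 'exch01.edanava.local','exch02.edanava.local'
# On exch01:     Enable-MonitoringCredSspServer
# On ampsite01:  $cred = Get-Credential 'EDANAVA\svc-ampmon'
#                Test-SecondHop -ManagedServer 'exch01.edanava.local' -SecondHopServer 'exch02.edanava.local' -Credential $cred
#                Get-CredSspDelegationTargets
```

The delegation entries written by Enable-WSManCredSSP take the form wsman/<host>, so the output of Get-CredSspDelegationTargets should list only the managed servers the monitoring account is meant to reach. Enabling the Server role on a host that does not need to perform a second hop widens the set of machines that can hold the monitoring account's credential, so keep the Server role to the managed servers that actually relay to another system.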
Reference:
Security Support Provider Interface (SSPI)
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa380497(v=vs.85).aspx
CMDLET: Enable-WSManCredSSP
• https://technet.microsoft.com/en-us/library/hh849872.aspx
6 Change Notes