Deploying and Managing Agents Across a Firewall and a Slow WAN Link

The major considerations for deploying and managing servers in this type of environment are the presence of a firewall between the target computers and the management servers, and the limited bandwidth. Of the two, the limited bandwidth is more likely to cause problems. If the environment outside the firewall is not in the same AD domain, then there are additional considerations. All of the servers at the Leaky Faucet remote sites are members of the LKF domain, so they don’t have to change the underlying security structure. Figure 3-25 shows the area of interest in the Leaky Faucet network.

For operational data, heartbeats, and management pack update communication, MOM agents communicate with their management server over TCP port 1270. It is easy to keep this port open, so the presence of the firewall poses no problem. Agent-to-management-server communication, however, resists being passed across a proxying firewall. If you try to proxy it, the management server will not recognize the agent, because the network traffic arrives from the proxying firewall, not from the server on which the agent is installed. The workaround is to turn off proxying for port 1270 on the intervening firewall and pass the port 1270 traffic straight through using stateful inspection. However, agent installation is a different matter. For a management server to install an agent remotely and update the agent configuration, a variety of protocols and ports are ...
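One way to check for the proxying problem described above, as an added example that is not from the book: the script reads `netstat -an` output captured on the management server and reports whether port 1270 sessions arrive from the agents themselves or from the firewall. The addresses, the agent inventory, and the sample output are constructed for illustration.

```python
MOM_PORT = "1270"  # agent-to-management-server TCP port named in the text

# Constructed sample in Windows `netstat -an` layout (not real capture data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.10:1270         0.0.0.0:0              LISTENING
  TCP    10.0.0.10:1270         192.168.20.11:3345     ESTABLISHED
  TCP    10.0.0.10:1270         10.0.0.1:40112         ESTABLISHED
  TCP    10.0.0.10:1270         10.0.0.1:40113         ESTABLISHED
  TCP    10.0.0.10:445          192.168.20.12:2931     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Hypothetical inventory: remote-site agents and the firewall's inside address.
EXPECTED_AGENTS = {"192.168.20.11", "192.168.20.12", "192.168.20.13"}
FIREWALL_ADDRS = {"10.0.0.1"}


def remote_peers(netstat_text):
    """Return the remote IP of every ESTABLISHED TCP session to local port 1270."""
    peers = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, UDP rows (three fields) and non-established sockets.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        local_port = fields[1].rpartition(":")[2]
        if local_port == MOM_PORT:
            peers.append(fields[2].rpartition(":")[0])
    return peers


def audit(netstat_text, expected_agents, firewall_addrs):
    """Classify port 1270 peers by the source address the server actually sees."""
    peers = remote_peers(netstat_text)
    seen = set(peers)
    return {
        # Source is the agent itself: traffic was passed straight through.
        "direct": sorted(seen & expected_agents),
        # Source is the firewall: the session was proxied, agent identity is lost.
        "proxied_sessions": sum(1 for p in peers if p in firewall_addrs),
        "unknown": sorted(seen - expected_agents - firewall_addrs),
        "missing_agents": sorted(expected_agents - seen),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_NETSTAT, EXPECTED_AGENTS, FIREWALL_ADDRS).items():
        print(f"{key}: {value}")
```

Proxied sessions appearing alongside missing agents is the pattern to look for: the agents are connecting, but the management server sees only the firewall's address.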
