Domain and Firewall Considerations for ITM On-Prem (ObserveIT) Installations

This topic describes the requirements for installations in which ITM On-Prem (ObserveIT) components belong to a domain. It also describes firewall considerations.

Domain Membership

Domain membership of a computer that runs any of the ITM On-Prem (ObserveIT) components is not mandatory. Servers or workstations that run the ITM On-Prem (ObserveIT) Agent and the ITM On-Prem (ObserveIT) server-side components may be configured either as standalone machines or as members of a domain. Three factors should influence your decision regarding domain membership: the Active Directory Connector, Group Policy-based Agent deployment, and DNS integration for Agent auto-configuration.

  • Active Directory Connector: If the server on which the ITM On-Prem (ObserveIT) Application server is installed is a member of an Active Directory domain, that Active Directory domain will be automatically added to the list of LDAP Targets, and will be configured as an Automatic type LDAP Target. This will enable the usage of Active Directory users and groups from all domains in the Active Directory forests that are connected to the current forest.

    ITM On-Prem (ObserveIT) integrates with your Active Directory forest, enabling you to use user and group objects from any domain in the forest in which the ITM On-Prem (ObserveIT) server-side components are installed, and in the forest in which the ITM On-Prem (ObserveIT) Agents are deployed (if different). Cross-forest trusts can also be used. Although groups from Active Directory domains can be used with any group scope (domain local, global, or universal), it is recommended that you follow Microsoft's best practices on group object usage (for details, refer to Active Directory Best Practices). Note that by default, the use of domain local groups is disabled. In order to use domain local groups, you must enable the "Allow LDAP local groups" option in the System Settings page of the Web Console (see Configuring System Settings).

    If the server was not a member of any domain during the ITM On-Prem (ObserveIT) installation, you can add that server to a domain afterwards. After adding the server to a domain, you will be able to add the Automatic type LDAP Target. If the server on which the ITM On-Prem (ObserveIT) Application server is installed is not a member of any Active Directory domain, you can still add Manual type LDAP Targets. This will enable the usage of Active Directory users; however you cannot use groups from that domain.

  • Group Policy-based Agent deployment: When considering the various methods of deploying the ITM On-Prem (ObserveIT) Agent on target machines, one of the options is to install it by using Group Policy Objects (GPO) in an Active Directory infrastructure. The Agent setup application is a standard Windows installer (.MSI) package that is well supported by software distribution applications and Group Policy.

  • DNS Integration for Agent auto-configuration: When the Agent software is deployed to the target machines, it uses DNS to locate the machine that provides the ITM On-Prem (ObserveIT) Application Server services. It does this by querying for an SRV record named _oit._tcp.domain-name.suffix. For https (SSL) connections, the Agent queries for an SRV record named _oits._tcp.domain-name.suffix instead. The target host and port returned by the SRV record are written into the Agent configuration and, if the record is correct, allow the Agent to communicate with the correct server on the correct TCP port.
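The following PowerShell is an added example, not code from the ObserveIT product or its documentation. It publishes the two SRV records described above on a Windows DNS server and then performs the same lookup an Agent would, checking that the advertised target actually accepts connections. The zone name corp.example.com, the Application Server FQDN oit-app.corp.example.com, and the ports 4884 and 443 are assumptions; substitute your own values.

```powershell
# Added example (not ObserveIT's own code): publish and verify the SRV records the Agent
# looks up during auto-configuration. Assumed values: zone corp.example.com, Application
# Server host oit-app.corp.example.com, non-SSL port 4884 and SSL port 443.
# Run the Add-DnsServerResourceRecord lines on a DNS server (or a host with the DnsServer
# RSAT module) as a DNS administrator; the verification loop can run from any domain member.

$Zone      = 'corp.example.com'             # assumed AD-integrated DNS zone
$AppServer = 'oit-app.corp.example.com'     # assumed Application Server FQDN
$HttpPort  = 4884                           # default port for new installations
$HttpsPort = 443                            # port used when SSL is enabled

# _oit._tcp -> plain HTTP, _oits._tcp -> SSL. Priority/weight only matter with several targets.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_oit._tcp' `
    -DomainName $AppServer -Priority 0 -Weight 0 -Port $HttpPort
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_oits._tcp' `
    -DomainName $AppServer -Priority 0 -Weight 0 -Port $HttpsPort

# Verify from an Agent machine: this is the lookup the Agent performs.
foreach ($svc in '_oit._tcp', '_oits._tcp') {
    $name   = "$svc.$Zone"
    $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
    if (-not $answer) {
        Write-Warning "No SRV record for $name; Agents will not auto-configure from DNS."
        continue
    }
    foreach ($r in $answer) {
        # NameTarget and Port are the values the Agent writes into its configuration.
        '{0} -> {1}:{2} (priority {3}, weight {4})' -f $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight

        # A record that points at a host or port nothing listens on is worse than no record:
        # confirm the advertised endpoint answers before rolling Agents out.
        $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) {
            Write-Warning "$($r.NameTarget):$($r.Port) is not reachable; check the Application Server and firewall rules."
        }
    }
}
```

Keep the SRV target consistent with the port the Application Server is actually configured for: if you later switch the installation to SSL, update the _oits._tcp record rather than leaving Agents to find a stale _oit._tcp entry pointing at a port that no longer answers.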

Firewall Considerations

If there is a firewall between the ITM On-Prem (ObserveIT) Agents and the ITM On-Prem (ObserveIT) Application Server, you must allow traffic for the TCP ports on which the ITM On-Prem (ObserveIT) Application Server communicates through that firewall. For new ITM On-Prem (ObserveIT) installations, the default is 4884, but this port can be changed to meet the organization's requirements. Note that you can also configure ITM On-Prem (ObserveIT) to use SSL, which will change the port to 443.

If there is a firewall between the ITM On-Prem (ObserveIT) Application Server or ITM On-Prem (ObserveIT) Web Console and the SQL Server, you must allow traffic through that firewall for the TCP port on which the SQL Server listens. A default SQL Server instance listens on TCP port 1433; a named instance may use a different or dynamically assigned port, so confirm the actual port in SQL Server Configuration Manager before writing the rule.
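The following PowerShell is an added example, not code from the ObserveIT product or its documentation. It creates the two Windows Firewall rules this section describes, scoped to the source addresses that actually need them rather than to any host, and then tests the path from a client's point of view. The Agent subnet 10.20.0.0/16, the Application Server and Web Console addresses, the hostnames oit-app.corp.example.com and oit-sql.corp.example.com, and the use of a default SQL instance on 1433 are all assumptions.

```powershell
# Added example (not ObserveIT's own code): inbound Windows Firewall rules for the ports this
# page names, plus an end-to-end reachability check. Run elevated on the host that listens on
# each port. Assumptions: Agents live in 10.20.0.0/16, the Application Server listens on 4884
# (443 when SSL is enabled), and SQL Server is a default instance on 1433.

# --- On the Application Server: only the Agent address range needs to reach the Agent port.
$AgentSubnet = '10.20.0.0/16'          # assumed Agent network
$AgentPort   = 4884                    # set to 443 if ITM On-Prem is configured for SSL
New-NetFirewallRule -DisplayName "ITM On-Prem Agent traffic (TCP $AgentPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
    -RemoteAddress $AgentSubnet -Action Allow -Profile Domain

# --- On the SQL Server: allow 1433 only from the Application Server and Web Console hosts,
#     not from the whole network. Use the real port here if you run a named instance.
$OitServers = '10.10.0.5', '10.10.0.6' # assumed Application Server / Web Console addresses
New-NetFirewallRule -DisplayName 'ITM On-Prem server components to SQL Server (TCP 1433)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $OitServers -Action Allow -Profile Domain

# --- Verification: run the first check from an Agent host and the second from the
#     Application Server, so the test crosses the same firewall the real traffic does.
$targets = @(
    @{ Host = 'oit-app.corp.example.com'; Port = $AgentPort },   # assumed hostnames
    @{ Host = 'oit-sql.corp.example.com'; Port = 1433 }
)
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $t.Host, $t.Port, $r.TcpTestSucceeded
}
```

Scoping the rules with -RemoteAddress matters most for the SQL port: the database holds recorded sessions, so exposing 1433 to every host that can reach the server widens the attack surface for no operational benefit.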

For detailed instructions on how to enable these rules, see the firewall documentation.