Guys, we're using PM internally but have 100 systems in a DMZ (multiple domains) to patch. What's the best approach? A PM agent on all 100 systems, or a PM server (AP and routing) in the DMZ that reports into our main PM server?
It's still fairly dependent on your environment and which option you view as better:
An Automation Server would be easier overall in my opinion, but would still require the WMI ports to be open to each node. If that's not a concern then I might go that route, and the only port you would need to open is 4092 between the AS and PAS (and make sure WMI is available between the AS and the nodes).
Using the agent instead would mean deploying the agent software to each node, and you would need to open port 4092 between each agent node and the PAS.
Also:
Manage servers in a DMZ outside the local domain - SolarWinds Worldwide, LLC. Help and Support
Thanks! Looks like the security team is happy with opening ports 8530/8531 directly to our internal WSUS server, so that takes care of WSUS. In terms of PM tasks though, these would require authentication in multiple domains. Does the agent method bypass this, or would my AS need to be able to see the various DCs in order to run tasks against the nodes?
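The two deployment models above come down to which ports have to be open from the DMZ: 4092 to the PAS in both cases, WMI from the AS to every node only in the Automation Server case, and 8530/8531 from the nodes to the internal WSUS server for the updates themselves. The PowerShell below is an added pre-flight check for exactly those paths; it is not SolarWinds code, and the hostnames (`pas.corp.example`, `wsus.corp.example`, the two DMZ nodes) are placeholders you would replace with your own. Note that a single-port test on TCP 135 is necessary but not sufficient for WMI, because DCOM then negotiates a dynamic RPC port (49152-65535 by default on current Windows), so the script also runs a real WMI query over DCOM with the same credential you would put in the credential ring.

```powershell
# Added example (not SolarWinds code): pre-flight connectivity checks for the
# agent model, the Automation Server model, and the direct-to-WSUS path.
# All hostnames are assumptions; replace them with your own.
$Pas      = 'pas.corp.example'    # assumed Patch Manager primary application server (PAS)
$Wsus     = 'wsus.corp.example'   # assumed internal WSUS server
$DmzNodes = @('dmzweb01.dmz.example', 'dmzapp01.dmz.example')  # assumed DMZ hosts

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $ComputerName; Port = $Port; Open = [bool]$r.TcpTestSucceeded }
}

# 1. Agent model: run this ON a DMZ node. Only TCP 4092 to the PAS is required.
'--- Agent model: DMZ node -> PAS 4092 ---'
Test-TcpPort -ComputerName $Pas -Port 4092 | Format-Table -AutoSize

# 2. Automation Server model: run this ON the DMZ Automation Server.
#    Needs 4092 to the PAS plus WMI (DCOM: TCP 135 + dynamic RPC port) to every node.
'--- AS model: AS -> PAS 4092 ---'
Test-TcpPort -ComputerName $Pas -Port 4092 | Format-Table -AutoSize

$wmiCred = Get-Credential -Message 'Account for the DMZ domain (the one you would add to the credential ring)'
'--- AS model: AS -> nodes over WMI/DCOM ---'
$asChecks = foreach ($node in $DmzNodes) {
    $wmiError = $null
    $wmiOk    = $false
    $rpcOk    = (Test-TcpPort -ComputerName $node -Port 135).Open
    try {
        # Force DCOM rather than WinRM, because that is the transport Patch Manager's WMI tasks use.
        $opt = New-CimSessionOption -Protocol Dcom
        $s   = New-CimSession -ComputerName $node -Credential $wmiCred -SessionOption $opt -ErrorAction Stop
        $os  = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
        $wmiOk = [bool]$os.Caption
        Remove-CimSession $s
    } catch {
        $wmiError = $_.Exception.Message
    }
    [pscustomobject]@{ Node = $node; Rpc135 = $rpcOk; WmiQuery = $wmiOk; Error = $wmiError }
}
$asChecks | Format-Table -AutoSize

# 3. WSUS: run this ON a DMZ node. Updates are pulled over 8530 (HTTP) / 8531 (HTTPS).
'--- DMZ node -> WSUS 8530/8531 ---'
8530, 8531 | ForEach-Object { Test-TcpPort -ComputerName $Wsus -Port $_ } | Format-Table -AutoSize
```

Run section 1 and 3 from a node in each DMZ domain and section 2 from the Automation Server; a node that passes the 135 test but fails the WMI query usually means the dynamic RPC range is blocked or the credential has no local admin rights on that node, which is the same failure a Patch Manager task would hit.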
The authentication piece is handled by adding the credentials to the Credential Ring in Patch Manager. Your nodes would then authenticate the credentials for the task (oversimplifying, but I think you get it). Patch Manager stores the credentials and then uses them as needed; the only time it directly reaches out to a DC would be for the inventory tasks or for finding the scope of machines based on your domain. Otherwise everything else should pass through WMI or the agent.
Add a domain or workgroup in Patch Manager - SolarWinds Worldwide, LLC. Help and Support
Credentials - SolarWinds Worldwide, LLC. Help and Support
Credential rings - SolarWinds Worldwide, LLC. Help and Support