Endpoint Protection

  • 1.  SEPM + AD Domains - Admin Access

    Posted Mar 06, 2014 02:21 PM

    Hello All,


    We are planning on deploying SEPM soon. We currently have 2 AD domains. Neither AD domain is allowed to talk to the other. I would like to be able to manage SEP clients in those domains from a single SEPM server. NOTE: We will not be using SEPM to push the clients, so standard SMB ports will not be allowed/required. Correct me if I'm wrong, please! Also, we will not be using AD to import computers into SEPM.


    My plan was the following:

    1) Install SEPM and SQL Db in a zone that has access (to an extent) to both domains.  This will allow us to manage all SEP clients and get reporting for both domains in one console.

    2) Create SEPM admin/reporting accounts that authenticate to a single AD.


    Questions:

    1. If SEPM console admins/reporters use AD authentication on Domain A and a SEPM admin/reporter tries to access the SEPM console in Domain B, does SEPM handle the AD authentication or does the client?  The latter would be an issue because Domain B would not be able to access Domain A.  From what I've seen, you're authenticating to SEPM and I think SEPM handles the auth for the user instead of the user's computer talking directly to AD for auth.
    2. I was just wondering with 2 AD domains if we created SEPM accounts that authenticated to one AD domain, should they be able to access all of the SEPM data/reporting for all clients in the SEPM? It sounds logical, but I want to make sure.
    3. Does the SEPM need access to the AD in Domain B for any reason if we will not be performing AD imports or push deployments? SEPM would be used mostly for policy deployments and LiveUpdate.


    Thanks,

    Mitesh




  • 2.  RE: SEPM + AD Domains - Admin Access

    Posted Mar 06, 2014 02:23 PM

    SEPM domains are different and not related in any way to MS domains.

    About domains (Endpoint Protection 12.1.2)

    You can set up 2 domains in the SEPM and manage each individually.

    Adding a domain

    Switching to the current domain



  • 3.  RE: SEPM + AD Domains - Admin Access
    Best Answer

    Posted Mar 06, 2014 02:29 PM

    Questions:

    1. If SEPM console admins/reporters use AD authentication on Domain A and a SEPM admin/reporter tries to access the SEPM console in Domain B, does SEPM handle the AD authentication or does the client? The latter would be an issue because Domain B would not be able to access Domain A. From what I've seen, you're authenticating to SEPM and I think SEPM handles the auth for the user instead of the user's computer talking directly to AD for auth.

    ---> If he is a full admin and mentions the domain name at the log-on prompt, he can log in to Domain B (SEPM domain).

    Or, once logged in to SEPM, he can go to the Admin - Domains tab and switch domains.

    2. I was just wondering with 2 AD domains if we created SEPM accounts that authenticated to one AD domain, should they be able to access all of the SEPM data/reporting for all clients in the SEPM? It sounds logical, but I want to make sure.

    ---> You can create two different domains in SEPM; based on reporting rights, he can create a computer status report, specifying the domain.

    3. Does the SEPM need access to the AD in Domain B for any reason if we will not be performing AD imports or push deployments? SEPM would be used mostly for policy deployments and LiveUpdate.

    ---> No.



  • 4.  RE: SEPM + AD Domains - Admin Access

    Posted Mar 06, 2014 04:12 PM

    Thanks, Brian and Rafeeq.

    I think you answered my questions. Let me reiterate for clarity.


    I understand that SEPM domains are different from AD domains. I don't think we will be creating separate domains in SEPM. I think we will only create two groups named after the domains.

    Given the closed nature of the two AD domains I just wanted to make sure that if I create an Admin account in SEPM and tie it to an admin AD account in Domain A, and SEPM and SEP client comm ports are open (80 and 8014), I should be able to manage SEP clients from both AD domains, using one SEPM server, in which the SEPM console can be accessed from Domain A and Domain B.

    I would rather not have a SEPM server per domain and separately manage the clients, if for some reason the SEPM must communicate with AD in Domain A and Domain B for authentication/communication.


    Rafeeq:

    "---> If he is a full admin and mentions the domain name at the log-on prompt, he can log in to Domain B (SEPM domain).

    Or, once logged in to SEPM, he can go to the Admin - Domains tab and switch domains."


    This has got me a little confused. Does this apply if I will not be creating SEPM domains, just groups with the same names as the AD domains? I would think that SEPM handles the AD authentication when you log in to the console regardless of what AD domain you're in? If Domain A is the only domain tied to SEPM for authentication and SEPM handles the AD auth, I should not need to specify the domain, correct?


    Sorry for being confusing. Thanks to both of you for the help.


    -Mitesh




  • 5.  RE: SEPM + AD Domains - Admin Access
    Best Answer

    Posted Mar 06, 2014 04:19 PM

    Yes, if only having one domain, then this won't apply.



  • 6.  RE: SEPM + AD Domains - Admin Access

    Posted Mar 06, 2014 05:48 PM

    Thanks, Brian and Rafeeq.


    -Mitesh



  • 7.  RE: SEPM + AD Domains - Admin Access

    Posted Mar 07, 2014 12:05 AM

    If it's a single domain, those do not apply; the user will be authenticated against AD.