Forum Discussion
fergusone_29406
Nimbostratus
Aug 13, 2010
Discovery Problem
Hoping someone can help.
We have 6 Big-IPs, 3 of which SCOM discovers without issue. The 3 Big-IPs that SCOM cannot successfully discover are on the other side of a firewall. Before we go off ...
Julian_Balog_34
Aug 13, 2010
Historic F5 Account
Hi Ewan,
The credentials you are being prompted with, when you run the F5 Management Pack discovery wizard, are specific to the F5 device, and are used for the SSL communication with the device (certificate, encryption key exchange, etc.). The F5 MP discovery wizard is using the logged-on user account (which is impersonated by the F5 Monitoring Service) to allow communication between the SCOM health service and the F5 Monitoring Service. So this happens on a different tier. There is also a secure token-based mapping between the logged-on user account and the F5 device credentials, in the F5 Monitoring Service, but this is transparent for the user (running the F5 discovery wizard). So, the things you are concerned about are by design.
Now, coming back to your problem, regarding the communication with the F5 device through the firewall, did you actually get this working? Even if you have the ports 443 (HTTPS) and 4353 (iQuery) enabled through the firewall, for outbound communication with the F5 device, the firewall could still block inbound iControl/iQuery traffic from the device to the dynamic port opened by the F5 Monitoring Service for iControl requests or iQuery stats / callback notifications (i.e. device config updates, etc.). Basically, the way this works is, the F5 Monitoring Service opens up a dynamic port locally (on the SCOM server) for sending iControl/iQuery requests, this request goes out to port 443/4353 on the F5 device, and then through the same communication channel the F5 device responds with an iControl/iQuery packet. Those packets are apparently blocked. I'm not a firewall expert, but there has to be some symmetrical communication policy that would have to be enabled.
Let me know your thoughts, and hopefully we can work this out, together.
Thanks,
Julian
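A way to check, from the SCOM server, whether TCP sessions to the two device ports named in the reply above complete through the firewall. This is an added example, not part of the original thread or of the F5 Management Pack; the function name `Test-TcpPath` and the address `192.0.2.10` are placeholders chosen here.

```powershell
# Added example, not from the thread. Run on the SCOM server.
# 192.0.2.10 is a placeholder address; pass the BIG-IP management address instead.
param(
    [string]$DeviceAddress = '192.0.2.10',
    [int[]]$Ports = @(443, 4353),      # HTTPS/iControl and iQuery, as named in the reply
    [int]$TimeoutMs = 3000
)

function Test-TcpPath {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)

    $client = New-Object System.Net.Sockets.TcpClient
    $result = [ordered]@{ Port = $Port; Result = ''; LocalEndpoint = ''; Meaning = '' }
    try {
        $task = $client.ConnectAsync($Address, $Port)
        if ($task.Wait($TimeoutMs)) {
            # Handshake completed: the SYN-ACK reached the local dynamic (ephemeral) port.
            $result.Result = 'Connected'
            $result.LocalEndpoint = $client.Client.LocalEndPoint.ToString()
            $result.Meaning = 'Replies to the dynamic source port are getting through'
        }
        else {
            # Neither SYN-ACK nor RST arrived within the timeout.
            $result.Result = 'Timeout'
            $result.Meaning = 'SYN or its reply silently dropped; check firewall rules and state tracking'
        }
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # A reset came back, so packets travel both ways but nothing accepted the connection.
            $result.Result = 'Refused'
            $result.Meaning = 'Reset received from the device or a rejecting firewall'
        }
        else {
            $result.Result = 'Error'
            $result.Meaning = $inner.Message
        }
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$Ports | ForEach-Object { Test-TcpPath -Address $DeviceAddress -Port $_ -TimeoutMs $TimeoutMs } |
    Format-Table -AutoSize
```

The probe only exercises the TCP handshake; a `Connected` result does not confirm that iControl or iQuery application traffic is accepted by the device.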
