Mananagement Pack Functionality Questions

Question

I have a couple questions I would like to run by the MP developers if possible: 
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp; 1.  I would like to know if there is truly a dependency on administering the F5 agents from the physical Mgmt server where the agent was discovered and installed from.  The webcast " Tutorial - F5 Management Pack: DMS Discovery" indicated this to be the case.  Does this mean you need to physically be logged into the Mgmt server to remove the agent? 
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp; 2.  The MP installation documentation says that discovery needs to occur from the RMS server see below.  But in the webcast stated above, the discovery and installation was done from the 2nd Mgmt server.  Please clarify which one is correct. 
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp; Note - You must run discovery from the Root Management Server you installed the F5 Management Pack onto. You can use Remote Desktop or Terminal Services, but discovery will not work from another Management Server or the Web Console. 
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp; 3.   What are the specific rights needed for the MP installation account and the Service account?  The documentation says domain admins for the installation account, but this seems like overkill.  Also what SQl rights does it need specifically? 
&nbsp;  
&nbsp;

vratix_97086 · Answer

On more question.  Is is still true with the newest version of the MP that you need the SCOM console installed on the Secondary Mgmt server in order to discover/install the F5 devices from it?  We would like to avoid installing the console on our Secondary Mgmt servers if possible.

stephen_fisher_ · Answer

Hello, 
&nbsp;  
&nbsp; Here are the answers to your questions: 
&nbsp;  
&nbsp; 1) Once a device is discovered on a Management Server, it can only be removed from that Management Server. However, with the 715 build of the Management Pack, you can execute the server task "Remove Device" which should execute remotely on the appropriate Management Server, without requiring you to login to it. 
&nbsp; Note that removing a device from monitoring by SCOM does not remove the big3d agent from the Big-IP. That must be done manually to ensure the Big-IP availability is minimally affected. 
&nbsp;  
&nbsp; We'll clarify the documentation to that effect. 
&nbsp;  
&nbsp; 2) Apologies for the confusion between the videos. You can initiate discovery from any Management Server, rather than only the RMS. However, you must initiate discovery on the Management Server, either via the GUI, PowerShell, or command line. 
&nbsp;  
&nbsp; We'll clarify the documentation to that effect. 
&nbsp;  
&nbsp; 3) The following permission requirements are required for setup: 
&nbsp;  Local System Admin for configuration of the service and software install 
&nbsp;  Member of SQL Admin for creation of necessary tables 
&nbsp;  Member of SCOM Admin for creation and modification of User Roles 
&nbsp;  
&nbsp; The same permissions are required for the F5 Monitoring Service account, which you can specify during setup. 
&nbsp;  
&nbsp; 4) It is not necessary to install the SCOM console on any machine, except the RMS. You can use PowerShell to start discovery. You can also use the f5mpcmd.exe command on the Management Server. The SCOM Console is only required if you want to use the SCOM UI to initiate discovery. 
&nbsp;  
&nbsp; We'll make sure this is updated more clearly in the documentation. 
&nbsp;  
&nbsp; Thank you, 
&nbsp; Stephen 
&nbsp; F5 Management Pack

vratix_97086 · Answer

Thank you for the response.  I need more clarification the answer to question 3. If I'm not mistaken the installation account's rights needs access to create the F5 MP SQL database correct?  Any SQL server with the full version of SQL can be used, it doesn't have to be the SCOM DB server correct?  Also, you mentioned that the service account needs the same rights as the installation account.  Why would this be?  None of the documentation or the webcasts stated as such.  The only rights required were SCOM Admin rights.  Am I incorrect on this? 
&nbsp;  
&nbsp; Thank you again, 
&nbsp; Marc

dave_ruddell_79 · Answer

That is correct, it can be any SQL server.  It defaults to the SCOM db server because it knows there is a SQL server there, but it is not required in any way. 
&nbsp;  
&nbsp; Originally we said that the service user had to be a domain admin, but this is not entirely accurate.  The user account actually requires full SQL access to the F5 database (you can manually adjust that later to really lock it down).  It is required to be a part of the Ops Manager Admin group, and it also needs to be a local admin on the box because of access issues.  And lastly, the user account needs to have general domain access so that it can be validated by operations manager and SQL.   
&nbsp;  
&nbsp; Thank you for pointing out that the information is not in the docs, I will update those to include the information above. 
&nbsp;  
&nbsp; Thank you, 
&nbsp; -Dave

Forum Discussion

Mananagement Pack Functionality Questions

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

iRule procs (functions)

F5 Cloud-Native Functions For Secure DNS

F5 Cloud-Native Functions For Modern Demands - Part 1

F5 Cloud-Native Functions For Modern Demands - Part 2

OWASP Tactical Access Defense Series: Broken Function Level Authorization (BFLA)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS