Domain Separation - Multi Domain MID and incorrect CI domain assignment.

stevevandermeer
ServiceNow Employee

Issue: 

When employing a multi domain MID server model in a domain separated instance, the domain to which discovered CIs are assigned during a horizontal discovery can be controlled by ensuring the “Run As” field on the discovery schedule form is set to a user (with the MID_Server role) from the CI’s intended domain.

However, if an IP range configured on the schedule contains IP addresses belonging to a different customer, which are not intended for this schedule's domain, those devices will be added to the incorrect domain. This outcome is true for any MID server model (1 MID to many customers or 1 MID to 1 customer): if that MID has connectivity to the IP address and the correct credentials, it will discover the device.

The above involves a human element of error, namely an incorrect IP address range being added to the discovery schedule. A solution must eliminate the human error factor.


Possible Solution: 

To potentially mitigate or eliminate the above issue, the configuration below could be employed:


  • A dedicated MID instance for each customer/domain is deployed onto a single physical/virtual server.  This server would host multiple MID servers intended for smaller customers/domains which don’t require a dedicated MID server on-premises (due to network security and workload/capacity considerations).  Hosting multiple MID servers on a single server would reduce the support footprint; this server could be hosted in the cloud or in the customer DC. 
  • The dedicated MID instance for the intended customer/domain would be configured with a customer-dedicated service account (non-system), either a Windows server local account or an AD domain account. 
  • Discovery schedules for each customer would be configured with “Run As” set to an instance user for the corresponding domain. 
  • Discovery credentials are defined at the domain level, with no global credentials that could be shared across domains. 
  • If available, a whitelist would need to be implemented on the firewall between the MID server instance and the customer’s zone to only allow traffic from the customer’s MID Server service account. 


Without the last requirement (whitelisting the service account), there is still a low risk of devices from other domains being discovered and assigned to the incorrect domain, if the domain-specific credentials defined also apply to a device in another domain: very low, but still likely.  The risk increases if credential-less discovery is used. 
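As an added example (not part of the original post and not ServiceNow's own code), the plain Node.js script below shows how the human-error step described above, an IP range from another customer landing on a schedule, can be caught on the instance side before the schedule is saved: every IP range entry on a discovery schedule is validated against the CIDR blocks allocated to the domain of the schedule's "Run As" user, and any entry that is not wholly inside that domain's blocks is reported. The domain-to-block table, the user-to-domain mapping, the domain names and the three range notations (single address, CIDR block, start-end range) are constructed assumptions; on a real instance the same check would live in a before-insert/update business rule on the schedule's range records, reading the allocations from a table you maintain.

```javascript
// Added example: validate discovery schedule IP ranges against the
// CIDR blocks allocated to the "Run As" user's domain (not ServiceNow code).

// Constructed sample data (assumptions): which CIDR blocks each domain owns,
// and which domain each instance user used as "Run As" belongs to.
const DOMAIN_BLOCKS = {
  "TOP/CustomerA": ["10.10.0.0/16", "192.168.50.0/24"],
  "TOP/CustomerB": ["10.20.0.0/16"],
};
const RUN_AS_DOMAIN = {
  "mid.customerA": "TOP/CustomerA",
  "mid.customerB": "TOP/CustomerB",
};

// IPv4 dotted quad -> unsigned 32-bit integer; throws on malformed input
// so a typo in a range cannot silently pass as "outside every block".
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error(`bad IPv4 address: ${ip}`);
    }
    return acc * 256 + Number(p);
  }, 0);
}

// CIDR "a.b.c.d/n" -> [first, last] integers (inclusive), host bits masked off.
function cidrToRange(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!(bits >= 0 && bits <= 32)) throw new Error(`bad prefix length: ${cidr}`);
  const size = 2 ** (32 - bits);
  const first = Math.floor(ipToInt(base) / size) * size;
  return [first, first + size - 1];
}

// One schedule range entry in any of the assumed notations -> [first, last].
function entryToRange(entry) {
  const e = entry.trim();
  if (e.includes("/")) return cidrToRange(e);
  if (e.includes("-")) {
    const [a, b] = e.split("-").map(ipToInt);
    if (a > b) throw new Error(`reversed range: ${entry}`);
    return [a, b];
  }
  const v = ipToInt(e);
  return [v, v];
}

// True only when the whole [first, last] span sits inside ONE block of the
// domain; a range straddling two customers' space is therefore rejected.
function rangeInsideDomain(range, domain) {
  const blocks = (DOMAIN_BLOCKS[domain] || []).map(cidrToRange);
  return blocks.some(([f, l]) => range[0] >= f && range[1] <= l);
}

// Validate a schedule. Returns { ok, domain, violations }: violations lists
// every entry not wholly inside the Run As user's domain. An unknown Run As
// user fails closed, since the target domain cannot be determined.
function validateSchedule(runAsUser, ipRangeEntries) {
  const domain = RUN_AS_DOMAIN[runAsUser];
  if (!domain) {
    return { ok: false, domain: null, violations: ipRangeEntries.slice() };
  }
  const violations = ipRangeEntries.filter(
    (entry) => !rangeInsideDomain(entryToRange(entry), domain)
  );
  return { ok: violations.length === 0, domain, violations };
}

// Stand-alone demonstration: a CustomerA schedule that accidentally carries a
// CustomerB block and a range straddling both customers is rejected.
const report = validateSchedule("mid.customerA", [
  "10.10.1.0/24",
  "10.20.0.0/24",
  "10.10.255.250-10.20.0.5",
]);
console.log(JSON.stringify(report));
```

Rejecting the schedule when any entry falls outside the Run As user's domain removes the dependence on an engineer noticing the wrong range by eye; the check is deliberately strict (whole-range containment, unknown user fails closed) because a partial overlap is exactly the case that produces CIs in the wrong domain.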
