ANS Monitoring as a Service Customer requirements
Version History

Version: 1.0
Date: 29/03/2015

Version | Date | Summary Of Changes | Pages Changed | Author
0.1 | 17/07/15 | Initial document created | ALL | Dale Marshall
0.2 | 29/07/15 | Updated with feedback from CH | ALL | Chris Hodgson
V1 | 27/08/15 | Final document | | Chris Hodgson

ANS Group Reviewers

This document has been reviewed by the following ANS Group contacts.

Name | Role | Email Address
Chris Hodgson | Director of Managed Services | Chris.Hodgson@ansgroup.co.uk
Dale Marshall | Service Delivery Architect | Dale.Marshall@ansgroup.co.uk

Restriction on Disclosure

This data shall not be disclosed in whole or in part to any third party without the express written permission of ANS Group plc. This does not restrict the customer from using the data contained herein, provided it is obtained from a source other than ANS Group plc, or is independently developed by the recipient.

E. & O. E. throughout the document.

The Supplier Terms and Conditions, located at http://www.ans.co.uk/site-info/terms-conditions, as currently in force, are incorporated into and form part of this Contract.

Page 2 of 8, Issue No: 1 Issue Date: 27/08/2015: CLASSIFIED: CONFIDENTIAL
Contents

Version History
1. Overview
2. Solution Architecture
3. Customer Requirements
   3.1 Collector Server Specification
   3.2 Service Account Configuration
   3.3 Cisco Device Configuration
   3.4 NetApp Configuration
   3.5 VMware Configuration
   3.6 Windows Configuration
   3.7 SQL Configuration
   3.8 Other devices or applications
4. Collector Installation
Appendix A Checklist
1. Overview

The ANS Enterprise Monitoring System (EMS) is an IT infrastructure monitoring system that enables ANS support to monitor and manage the availability, performance and capacity of customers' supported devices. This enables the ANS support team to quickly and proactively detect and diagnose issues within your infrastructure.

ANS have teamed up with LogicMonitor to implement industry leading monitoring and deliver the most advanced Enterprise Monitoring System to date with EMS 4.0. EMS 4.0 offers an improved insight into how your network, applications and infrastructure are performing. You will have access to real time and historical information from each device with a 1-Year Historical Data Minimum. The system also features alert escalations and predictive tools, ensuring issues can be caught before they cause an impact to your business.

You will be able to create private dashboards and personalise your view of the portal so that you can prioritise the information that is most important to you. EMS 4.0 will feature customisable widgets within the portal including comparison views, custom performance graphs and Network Operations Centre views.

The remainder of this document details how the system works and what we need from customers in order to install and configure the system.

2. Solution Architecture

The EMS 4.0 solution consists of collector servers deployed within the customer's network. The collector uses a range of APIs and protocols (e.g. ICMP, SNMP, WMI, etc.) to gather availability, capacity and performance information for supported devices. This is then encrypted and transmitted through an outgoing SSL connection to LogicMonitor servers in a secure UK datacentre. Alert and performance data is then displayed within the EMS Portal and can generate email or telephone alerts to the ANS service desk.

A ReportMagic Server is also installed at ANS. This is used to retrieve data from LogicMonitor and report upon it.
3. Customer Requirements

The following requirements need to be met before a collector can be deployed:

3.1 Collector Server Specification

The collector requires a Windows server to run on. It is best practice to use a dedicated server so that it is unaffected by maintenance work on other systems or applications. The collector server should meet the following requirements:

- Windows 2008 or 2012 (physical or virtual) server. If possible please name the server <Customer-Site-EMS01>, e.g. ANS-DC01-EMS01
- A minimum of 4GB of RAM.
- Able to make an outgoing HTTPS connection (TLS on port 443) to the LogicMonitor servers (proxies are supported). This can be via standard Internet access or can be locked down to the following:
  o If DNS names in firewall access control rules are supported:
      account.logicmonitor.com
      appproxy.logicmonitor.com
  o If DNS names in firewall access control rules are not supported:
      212.118.245.0/24 (UK)
      63.251.201.0/24
      74.201.65.0/24
      69.25.43.0/24
      54.193.15.255
      54.209.7.170
      54.194.232.54
      54.254.224.41
- The collector must be able to reach all the hosts from which it will be collecting data by the appropriate methods, for example SNMP, WMI, HTTP, JDBC. For reference those ports are:
  o ICMP for ping monitoring
  o 80 for HTTP monitoring
  o 135 and high ports for WMI
  o 161 for SNMP
  o 162 for SNMP traps
  o 443 for HTTPS
  o 445 for Perfmon
  o 1433 for SQL
  o 1521 for Oracle
  o 2055 for Netflow
  o 3306 for MySQL
  o 22 for Router and Switch Config Backups
- Minimize network impediments between the collector and the monitored hosts/devices. For example, the collector should not have to traverse any NAT (network address translation) gateways to reach them. If firewalls or NAT devices are an issue, we recommend you install multiple collectors - one in each security zone.
- Install at least one collector per physical datacentre if possible.
- The collector should have reliable time - thus it should have NTP set up, or Windows Time Services configured to synchronize via NTP.
- If running on a VMware virtual machine, install VMware Tools with VMware Tools periodic time sync disabled. For further information, see this VMware document.
- The collector should be added into the customer's domain, specifically the domain in which the devices to be monitored reside.
- Anti-virus installed on the collector. This can be provided by the customer, or ANS can provide a WebRoot Anti-Virus client if required. Please discuss with your Account Manager.
- Configure Windows Update to automatically download and install updates at 3am every Sunday.

3.2 Service Account Configuration

A service account is required to run the collector application and to make WMI connections from the application to any supported Windows devices. ANS recommend the service account is given domain admin level permissions.

The customer can enter the username and password during collector installation without ANS seeing them. The username and password specified never leave the customer site and are not stored on ANS or LogicMonitor servers.

When creating the account please ensure that the "Password never expires" and "User cannot change password" options are checked.

3.3 Cisco Device Configuration

Cisco devices are monitored via SNMP. All that is required in order to monitor is an SNMP community string. Please also ensure that any Access Control Lists set up on the devices allow the collector server's IP address to communicate with the device.

EMS 4.0 is also able to back up Cisco device configurations. The collector makes an SSH call to the device to retrieve the current config. To use this functionality please provide ANS with a local admin account for the device.

Note: for current EMS v3.0 customers, ANS may already have details of SNMP community strings.

3.4 NetApp Configuration

There are two kinds of data collection used on NetApp Filers: SNMP and the NetApp API. For comprehensive monitoring, both must be configured.

Please provide ANS with a valid community string configured on the NetApp device in question.

To create a new user called ansmonitoring with read-only API access, on your NetApp filers perform these operations:

    useradmin role add ANSMonitorRole -a api-*,login-http-admin
    useradmin group add ANSMonitorGroup -r ANSMonitorRole
    useradmin user add ANSmonitor -g ANSMonitorGroup
    New password:<secret>
    Retype new password:<secret>

Note: for current EMS v3.0 customers, ANS may already have details of SNMP community strings.
3.5 VMware Configuration

EMS 4.0 uses the VMware API to provide comprehensive monitoring of VMware Virtual Center or standalone ESX hosts. All that's required is an account with read-only permissions to the vCenter or ESX host in question. Permissions should be set at the top level vCenter object.
3.6 Windows Configuration

As outlined in section 3.2, a service account with sufficient permissions is required in order to monitor Windows devices via WMI. Windows Firewalls also need to allow inbound ICMP, WMI and DCOM requests from the collector server.

3.7 SQL Configuration

For the SQL Server Connections checks to function, no specific rights are needed except the ability to connect to the database. Please assign this ability to the service account used to set up the collector.

3.8 Other devices or applications

EMS 4.0 has the ability to monitor 1000s of devices and services. Please contact your Account Manager for help on other specific systems or applications.

4. Collector Installation

When the requirements listed above have been met and the collector server is installed, a member of the ANS monitoring team will make contact to install the collector application software. This can be carried out remotely via WebEx or via any existing remote access solutions.
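The section 3.1 requirements that can be verified from the collector server itself can be checked before the installation session. The script below is an added example, not ANS or LogicMonitor code: it tests the Windows version, RAM, domain membership, the Windows Time service and a direct outbound TCP connection on port 443 to the two hostnames listed in 3.1. The function names are hypothetical, and a proxied connection is not tested.

```powershell
# Added example: pre-install check of the section 3.1 collector requirements.
# Run in Windows PowerShell 2.0 or later on the collector server.
# Hostnames and port come from section 3.1; function names are hypothetical.
$LmHosts = 'account.logicmonitor.com', 'appproxy.logicmonitor.com'

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet cannot hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false                # DNS failure, refusal or reset
    } finally {
        $client.Close()
    }
}

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail } |
        Select-Object Check, Pass, Detail
}

function Get-CollectorPreflight {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem
    $w32 = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    # A 4GB virtual machine reports slightly under 4GB, so round before comparing.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

    New-Check 'Windows 2008 or 2012' ($os.Caption -match '2008|2012') $os.Caption
    New-Check 'Minimum 4GB RAM' ($ramGB -ge 4) "$ramGB GB"
    New-Check 'Joined to a domain' $cs.PartOfDomain $cs.Domain
    New-Check 'Windows Time service running' ($w32 -and $w32.Status -eq 'Running') "$($w32.Status)"
    foreach ($h in $LmHosts) {
        # Direct connection only: when a proxy is used, test through the proxy instead.
        $ok = Test-TcpPort -HostName $h -Port 443
        New-Check "Outbound TCP 443 to $h" $ok $(if ($ok) { 'connected' } else { 'failed or timed out' })
    }
}

Get-CollectorPreflight | Format-Table -AutoSize
```

A passing TCP check shows only that the firewall permits the connection; it does not validate the TLS session or the reachability of monitored devices on the ports listed in 3.1.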
Appendix A Checklist

Collector Server Details
- Customer Name
- Site Name
- Collector Server Name
- Collector Server IP Address
- Domain Name
- Proxy Server Address (if applicable)
- vCenter or Virtual Machine Manager name that the VM was built in, or if this is a physical server.
- Anti-virus installed (YES/NO)

Service Account Details
- Domain
- Username
- Password

Cisco Device Configuration (if applicable)
- SNMP Community String(s)
- SNMP ACLs configured?

NetApp Configuration (if applicable)
- SNMP Community String(s)
- NetApp Read-Only account Username
- NetApp Read-Only account Password

VMware Configuration (if applicable)
- vCenter Read-Only Account Username
- vCenter Read-Only Account Password
- ESXi Host Read-Only Account Username
- ESXi Host Read-Only Account Password

Windows Configuration
- Windows Firewall configured to allow WMI, DCOM and ICMP from Collector Server IP

SQL Configuration
- Service Account configured with permissions to connect to SQL database?
- Port 445 enabled on local Windows firewall from Collector IP.

Other services (Please detail as required)