
Who should read this document?
This information will be helpful to IT managers and security officers who sign up for the New Signature IMX service.

What does Connector do?

New Signature Connector (“connector” or “NS connector” where ambiguous) is a proprietary transport mechanism that delivers relevant information from the customer’s SCOM instance into New Signature’s 24/7/365 NOC facility. The connector aggregates information from multiple unrelated SCOM instances into a single operations console, allowing NOC staff to monitor customer networks in near-real time. Currently the connector handles close to 5000 alerts a day (1.8+ million alerts a year), and several orders of magnitude more heartbeat messages. In addition to streaming alert information from the monitored servers, the connector makes NOC operators aware of incidents that compromise the monitoring infrastructure itself, such as internet outages, SCOM server outages, and individual SCOM agent outages. In most cases customer alerts light up on the New Signature dashboards in about a minute, and some types of alerts are raised in seconds.

How is Connector connecting to New Signature?

The connector uses Windows Communication Foundation (WCF) and connects to the New Signature host in one direction only, outbound from the customer’s network, using HTTPS on port 443/tcp. In the majority of cases, no new firewall rules are necessary to enable this communication pattern.

How is Connector interacting with SCOM?

The connector hooks into SCOM using the SCOM Software Development Kit (SDK), which is the Microsoft-supported method for such interactions. Once the NS connector is installed and launched on the SCOM server, we dynamically create a new SCOM Connector facility and associate a new SCOM Subscription with that connector. The subscription criteria are configured to capture all alert information from a particular SCOM group, whose membership consists of the objects that NS is asked to monitor. We then poll this SCOM connector/subscription for any new events every minute (polling more frequently is possible but not recommended for performance reasons). Any new alerts, as well as updates to existing alerts, found in the connector are communicated back to New Signature and are then acknowledged as “read” back to the SCOM connector. NS connector has a resilient acknowledgement mechanism that ensures that no alerts/updates are lost in transit under any circumstances; in other words, SCOM server outages may only slow down alert flow but will not result in any loss.
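The poll, deliver, then acknowledge ordering described above can be modelled in a few lines. This is an added Python illustration, not New Signature's code: FakeSubscription, FakeNoc, poll_cycle and simulate_outage are hypothetical names, and the alerts are constructed sample data.

```python
class FakeSubscription:
    """Hypothetical stand-in for the SCOM connector/subscription queue."""
    def __init__(self):
        self._pending = {}  # alert_id -> payload, kept until acknowledged

    def raise_alert(self, alert_id, payload):
        self._pending[alert_id] = payload

    def poll(self):
        # Returns every unacknowledged alert, including ones returned before.
        return list(self._pending.items())

    def acknowledge(self, alert_ids):
        for alert_id in alert_ids:
            self._pending.pop(alert_id, None)

class FakeNoc:
    """Hypothetical receiving side; 'up' toggles a simulated outage."""
    def __init__(self):
        self.up = True
        self.received = {}  # keyed by alert id, so a resend does not duplicate

    def send(self, batch):
        if not self.up:
            raise ConnectionError("simulated outage")
        for alert_id, payload in batch:
            self.received[alert_id] = payload

def poll_cycle(subscription, noc):
    """One polling pass: deliver first, acknowledge only after delivery."""
    batch = subscription.poll()
    if not batch:
        return 0
    try:
        noc.send(batch)
    except ConnectionError:
        return 0  # nothing acknowledged; the same alerts return on the next poll
    subscription.acknowledge([alert_id for alert_id, _ in batch])
    return len(batch)

def simulate_outage():
    """An outage delays the alert raised before it, but does not drop it."""
    sub, noc = FakeSubscription(), FakeNoc()
    sub.raise_alert("a1", "disk full")  # constructed sample alerts
    noc.up = False
    during = poll_cycle(sub, noc)       # delivery fails, alert stays queued
    sub.raise_alert("a2", "cpu high")
    noc.up = True
    after = poll_cycle(sub, noc)        # both alerts delivered, then acknowledged
    return during, after, sorted(noc.received), sub.poll()
```

Because acknowledgement happens only after a successful send, a failure between the two steps causes a resend rather than a loss, which is why the model's receiver stores alerts by id.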

In addition to the SCOM SDK, NS connector uses direct SQL queries of the SCOM data warehouse database and the main operations database. We do this to obtain additional information that we need in order to deliver a more complete IMX experience (please refer to the next section for details). In making these queries, NS uses SCOM database views and canned SCOM reporting stored procedures whenever possible, trying to avoid direct table queries.

What information is Connector passing to New Signature?

The information passing from the customer’s network to New Signature is as follows:

* New alert information for all monitored assets

* Alert updates for all monitored assets

* List of other SCOM assets that are not monitored

* SCOM server health state

* SCOM agent health state on monitored assets

* Proprietary heartbeats that verify internet connectivity back to New Signature

* Requests for current status of all customer alerts that are still open on New Signature side

* Requests for alert updates and closures that are done by NOC operators on New Signature side

* 9 performance metrics covering only the monitored servers (RAM, CPU, disk stats that are used in month-end reporting)

* 9 “top 50” utilization reports covering only the monitored servers (month-end reporting)

All communications are originated by the connector from the customer’s SCOM system.

How is Connector authenticating to New Signature?

In addition to using TLS encryption, the connector uses transport-level PKI-based authentication. All connections coming into New Signature are verified to contain a New Signature-issued X.509 certificate. If this certificate is not present or does not pass our validation procedures, we immediately terminate all further processing and do not look at the payload of the communication in question. The PKI certificate must be issued by New Signature’s CA and must be installed on the same system where NS connector will be running. In addition, the PKI certificate is installed by a New Signature representative, ensuring that the private key is marked as non-exportable and that the PFX password is not disclosed to the customer. This ensures that only authorized hosts are able to communicate with New Signature, which in turn raises the overall security within our system for all customers.