Deploying and Managing Agents Into an Untrusted Environment

The untrusted environment at Leaky Faucet consists of IIS servers in a workgroup configuration in the DMZ. These servers are separated from the management servers by a firewall, do not share a security account structure with the management server, and have no AD trust between them. Mutual authentication, if left enabled, prevents agents from installing, so it must be disabled. However, Leaky Faucet has a high-bandwidth, reliable connection to the management servers. Figure 3-33 shows this portion of the Leaky Faucet network.

Fortunately, these servers do share name resolution services (WINS), which means that the management servers can browse to the DMZ servers and vice versa. NetBIOS must be enabled on the management servers, and the appropriate ports must be open on the firewall. If there were no firewall between them, MOM would support remote installation into a workgroup via the Install/Uninstall Agents Wizard or the Create computer discovery rule methods of agent deployment. During the installation process, you must replace domain name\computer name with workgroupname\computer name. Then, for the “install as” credentials, provide credentials that have local administrator rights on the workgroup machine. You will also have to use the local system account or another local account as the agent action account. This is because there is no trust to the AD domain that the management servers are ...
