On-Premise Monitoring Stations (OPMS)

To monitor transactions behind a firewall, install OPMS in your intranet.
cacm82
HID_OPMS1
To monitor transactions behind a firewall, install OPMS in your intranet. See the following demo on
How to Deploy On-Premise Monitoring Stations
:

Architecture Overview
On-Premise Monitoring Stations were created to allow customers to monitor services that are only accessible from within their internal network. OPMS is a server that performs the following tasks:
  • Processes check request from the monitors
  • Issues probes to monitored services
  • Returns results to ASM
Tunnel Clients
To be able to send requests to OPMS from the Internet, a WebSocket tunnel is used. The WebSocket tunnel has one endpoint that is on the OPMS and the other one on ASM servers. Because the OPMS initiates the tunnel connection, no NAT or VPN is needed. The only requirement is access to outbound port 443. Optionally, an HTTP proxy can be used. Since ASM 10.1, OPMS maintains multiple redundant tunnel connections. Multiple stations can share a single tunnel client but the client has to run on one of the OPMS instances.
Network Architecture
Network Architecture
Monitors
To set up a monitor, one tunnel client and a group with one or more OPMS is required. Groups are created during installation. After you install the OPMS, it is available on the monitor settings page, as a part of checkpoint selection options.
Groups
  • The installer lets you create a group and install a tunnel client on a host.
  • Each OPMS is assigned to a group.
  • Monitor uses the groups to select monitoring stations.
  • In the installation, you can use an existing group or an existing tunnel client.
The following architecture diagram shows the two typical host configurations:
  • Host configuration A (Recommended):
    Includes an OPMS and a tunnel client.
  • Host configuration B
    : Includes only the OPMS. Assign the OPMS to an existing tunnel client that runs on an installed OPMS host.
In configuration B, if the configuration A OPMS is removed, the configuration B OPMS does not work. To avoid a non-working configuration B OPMS, Assign a New Tunnel Client.
Host Configurations
Host Configurations
Multiple Groups
With multiple groups you can perform the following tasks:
  • Perform monitoring checks with one OPMS group in your intranet.
  • Monitor applications that are intranet-based and in data centers that use different sets of OPMS.
  • Monitor applications in the intranet and in data centers with different sets of OPMS.
  • Create two groups to distinguish the OPMS based on the environment. For example, create one Intranet group in each office, and one back-end group in each data center.
  • Create multiple groups for user access control. Give access to OPMS in a specific group only to certain users.
To manage your groups, go to the
ASM Dashboard
, select
Subscription
,
Manage On-Premise
,
Groups
.
FAQs
Is the data transfer secure?
  • All OPMS data stays inside the firewall
  • Secure intranet communications are allowed but not required
  • Only the tunnel client communicates with the public Internet and uses SSL encryption
  • The central-to-OPMS communication uses a secure Web Socket tunnel to pass through corporate proxies and firewalls (HTTP Proxy)
Which data is transferred to the central servers?
  • The transported data includes check result metrics and check result details that are stored in a database. The database is located in the USA.
  • The stations register themselves on the network to the central server. No transactional data is transferred publicly.
What data is stored on the OPMS?
  • Short-term cache for check results
  • Result assets like screenshots and HAR files that can be stored for up to a month. On first access, these assets are cached on ASM servers.
Why use the Web Socket Protocol?
  • The
    Web Socket Protocol
    is the new standard for long-lived connections
  • The protocol passes through proxies transparently.
  • Plain tunnels are less versatile and less proxy-friendly
  • A VPN option would need significant configuration and is also not always compatible
How to Use Ports
:
How do I use SSH certificates?
The stations do not have SSH certificates set up by default. You can set up certificates inside your firewall.