- SolarWinds Orion Network Performance Monitor
- Joe Dissmeyer
- 2475字
- 2021-07-27 18:00:48
Orion Website Administration
The Orion Website Administration page is where an Orion administrator not only completes the initial configuration of a new Orion NPM installation, but also returns to continually in order to manage Orion NPM. It can be accessed at any time from any web page in the Orion website by clicking on the Settings link in the upper-right corner of the screen.
All of the core configuration options for the entire Orion NPM installation are located in the Orion Website Administration console. The admin console allows you to perform the following actions:
- Add nodes and interfaces to Orion NPM either manually or by network discovery
- Manage nodes, groups, and dependencies
- Edit web page views and module views
- Manage Microsoft and VMware credentials
- Configure Orion dashboard settings, polling settings, and thresholds
- Manage user account permissions
- Manage Windows credentials for monitoring Windows-based computers
- Edit the look and feel of the tabs, menu bars, web pages, and modules in the dashboard
- Manage alerts and thresholds
- Check for product updates and view the Orion product team blog
- View details about Orion licensing, the Orion database, and polling engines
Authentication and access
SolarWinds Orion has its own robust user authentication system. Managing user accounts is a routine procedure for an Orion administrator and is very easy to understand when viewing the Manage Accounts screen.
After configuring Orion NPM for the first time, you should perform the following two tasks:
- Change the default Admin account password
- Disable the Guest account
Changing the default Admin password is critical in order to secure your new Orion NPM installation. The second task of disabling the Guest account is not required as that account only has read-only access to the Orion website. However, it is wise not to allow access to Orion NPM until you are actually monitoring your network.
A brand new installation of SolarWinds Orion NPM sets the local Admin account password completely blank. One of the first steps you should take as an Orion administrator is to create a password for this user account. Perform the following steps to change the default administrator password:
- Open the Orion Website Administration page and under the Accounts section click on Manage Accounts.
- On the Individual Accounts tab, check the box next to Admin and click on the Change Password button.
- Enter a new password and click on the Change Password button.
- Click on Continue to finish changing the Admin password.
Perform the following steps to disable the Guest user account in Orion NPM:
- On the Individual Accounts tab, place a check next to Guest and click on Edit.
- Change the Account Enabled option to No.
- Scroll to the bottom of the window and click on the Submit button.
The default admin password is now changed and the Guest account is disabled, which will prevent people from accessing Orion NPM.
Orion NPM supports individual user accounts that are local to Orion NPM itself, as well as Active Directory domain accounts. Local Windows accounts, such as a Windows account that is local to the server that Orion NPM is installed on, are not supported.
Individual user accounts are local to the SolarWinds Orion installation and are only specific to Orion NPM. If you try to use a local Windows Server user account to log into the dashboard, it will not work! SolarWinds Orion only allows individual user accounts to be added one at a time, and cannot be added in bulk. If you do not have the need to manage a large number of user accounts in Orion NPM, setting up individual user accounts may be more than sufficient.
An alternative method of setting up user authentication is through Active Directory. Active Directory (AD) is a centralized authentication service for Microsoft-based networks and simplifies user account management for the Orion dashboard. Active Directory is a staple in the enterprise and is wildly popular. Enabling Active Directory Authentication in Orion allows you to add both, single domain accounts as well as Active Directory security groups.
The best practice when using Active Directory Authentication is to create a new security group in Active Directory and add domain accounts to the group whom you wish to give access to Orion NPM. Finally, add the security group to the authentication settings in the Orion dashboard. As long as a domain user account is a member of the security group, that user account will, or will not, have rights to the Orion dashboard.
One final thing to know about security groups is that if a user has an individual Orion account and the user is a member of an Active Directory security group added to Orion, the individual Orion user account "wins" and the security group permissions will be completely ignored.
As an Orion administrator, it is up to you to decide how you want to handle user authentication to your Orion NPM system. You can always start with assigning individual accounts, then implement Active Directory Authentication at a later date. Or, you can use both methods at the same time. There is no "user licensing" for SolarWinds Orion NPM. You can create/add/edit as many user accounts as you want!
You can manage user account access in two ways, by using individual accounts or Active Directory security groups.
The Individual Accounts tab shows how easy it is for an Orion administrator to see who has been logging into the dashboard, what type of user accounts have access to the dashboard, what user accounts may need to be deleted due to inactivity, and a general idea of what permissions a user account may have.
Active Directory security groups are added to Orion from the Groups tab in the Manage Accounts page. The process for adding a group, as well as assigning permissions to a group, is precisely the same as individual accounts. Groups can be added only if Active Directory authentication was enabled from the Orion Configuration Wizard.
Use the following example to create an individual user account:
- From the Orion dashboard, click on the Settings link on the upper-right corner of the window.
- Under the Accounts module, click on Manage Accounts.
- Select the Individual Accounts tab and click on the Add New Account button.
- Choose the Orion individual account option and click on Next.
- Type in a user name and password and click on Next.
- Define the permissions for this new user account. When finished, scroll to the bottom of the page and click on Submit.
The new user account will be listed in the Individual Accounts tab. If you make a mistake, you can always go back and edit the account permissions. Otherwise, delete the account then create a new one.
Use the following example to grant an Active Directory domain account access to the Orion dashboard:
- Select the Individual Accounts tab and click on the Add New Account button.
- Choose the Windows individual account option and click on Next.
- Under the ACTIVE DIRECTORY OR LOCAL DOMAIN AUTHENTICATION section, enter the credentials of a domain user account that has administrative access to the Active Directory database. The following example shows me my user ID
JOEDISSMEYERfrom theJOEDISSMEYER.LOCALdomain.
- Scroll down to the SEARCH FOR ACCOUNT section, enter the domain user account in the textbox using the
DOMAIN\USERNAMEsyntax, then click on the Search button.
- Under the ADD USERS section, place a check mark next to the user ID to add it to the list on the right-hand side. Click on Next when you are ready to continue.
Note
You can add as many Active Directory user accounts as you like at once. Simply clear the SEARCH FOR ACCOUNT box and type in a new user ID to search for, and then check the box to add the user ID to the list to the right-hand side.
If your search for an account fails, try using the FQDN of the domain instead (that is,
DOMAIN.COMinstead of justDOMAIN). You can also use "fuzzy" search terms that include the first or last name of the account. For example, you can search forjoedissmeyer\joeinstead of the full user ID. - Define the permissions for this new user account then click on Next. Remember that if you added multiple accounts, this will define permissions for all of them.
The new user account(s) will be listed in the Individual Accounts tab. Notice that the Account Type states it is a Windows domain user account. Accounts that are local to the Orion server will say Orion.
If you made a mistake when adding the accounts in the dashboard, you can always go back and edit or delete them.
Adding Active Directory groups to Orion can be done in one of the two ways; directly from the Groups tab or from the Individual Accounts tab. But, for the sake of simplicity, we will see how to do this from the Groups tab.
- Click on the Groups tab, then click on the Add New Group Account button in the menu bar.
- Under the ACTIVE DIRECTORY OR LOCAL DOMAIN AUTHENTICATION section, enter the credentials of a domain user account that has administrative access to Active Directory.
- Under the SEARCH FOR ACCOUNT section, enter the domain group account in the textbox using the
DOMAIN\GROUPNAMEsyntax and then click on the Search button. If your search fails, try using the FQDN of the domain instead of its common name.
- Under the ADD GROUPS section, place a check mark next to the group name to select it. If you want to add more groups at this time, clear the SEARCH FOR ACCOUNT textbox and type in a new name to search. Click on Next to continue.
- Define the permissions which will be assigned to this addition then click Next. Remember that if you added multiple groups, Orion will define permissions for all that were added at this time.
Your Active Directory groups will be listed in the Groups tab. Again, remember that if a user account has an individual account in Orion and is also a part of the Active Directory security group, Orion will ignore the group permissions.
SolarWinds Orion is fully compliant with the concept of "the principle of least privilege". It allows an administrator to be extremely granular regarding permissions to tabs, pages, and modules. Almost every aspect of the Orion dashboard has a user permission which can be allowed or denied per user account or per Active Directory group. It is even possible to limit one user account to a single node! You would want to limit access because some modules actually allow you to change a setting on the actual node. You wouldn't want a virtualization administrator to start making changes to your core production routers, would you? If you need to know what options allow or deny, a full description for each permission is displayed in the account edit screen.
Setting thresholds
Prior to adding nodes to Orion NPM, thresholds need to be configured. At this point you may be asking, "Joe, what is a threshold?" A threshold is the level at which Orion will take action on a given value. For example, if one of your monitored servers has a CPU load of more than 80 percent, Orion will warn you about the problem in the dashboard. After the CPU load is more than 90 percent, Orion will trigger an alert action, such as sending a text message to a mobile device or an e-mail notification. Thresholds are how Orion knows how to warn and notify against certain situations. It is up to you to make sure that the threshold levels are not set too high so that events are not missed, or set too low so that Orion doesn't generate a great deal of alerts under what may be considered "normal" conditions. The default threshold settings in a new Orion NPM installation are more than suitable for almost every situation. However, it is still a good idea to look over the levels in case you feel something needs to be changed in the future.
There are two levels of thresholds, the warning and high level.
- The warning level notifies an administrator in the dashboard allowing you to take a "pre-emptive strike" action to resolve the issue on a node before the situation has a chance to get out of hand.
- When a node reaches the high level, an Orion alert will be generated and triggers an action, such as sending a text message to an administrator's mobile device or sending an e-mail (or both). Almost all threshold settings are set to a percentage.
Beyond the two threshold levels, there are three different threshold types as follows:
- Orion general thresholds
- Network performance monitor thresholds
- Virtualization thresholds
Orion general thresholds are thresholds that encompass every single node that is monitored in Orion. These are the "general" monitored levels for everything. Even certain devices that do not necessarily fall into a specific category, such as a battery backup unit, are still bound to these default threshold rules. The following are the five general thresholds:
- Average CPU load
- Disk usage
- Percent memory used
- Percent packet loss
- Response time
Every general threshold is measured by a percentage except for response time, which is measured by milliseconds. The settings for general thresholds are global settings for Orion NPM. You cannot change general thresholds for different nodes or different interfaces. If you are not sure what threshold settings you may need to change, it is suggested to leave the default options. You can always come back and edit thresholds as you see fit.
The NPM thresholds are specific to all nodes in the NETWORK tab and apply in addition to the general threshold settings. Nodes that NPM thresholds would apply to include switches, routers, firewalls, servers, and any other network node type. There are three options in the NPM thresholds:
- Cisco buffer misses
- Interface errors and discards
- Interface percent utilization
Again, the default general threshold options will suffice for almost every network environment.
The final threshold type is Virtualization Thresholds for VMware monitored nodes. There is only one threshold to configure, VMware Network Utilization, and it applies in addition to the general threshold settings for VMware nodes.
