Joseph Chan from
Operations Manager product team updated me and the newsgroup with pretty workaround to install ACS on the same box with a Gateway server.
Gateway server can be installed on a standalone server or member server.
Sometimes when there are many server in your DMZ needed to be monitored and managed by Operations manager, and you don’t need to open many ports from DMZ to your LAN, so you need to install a Gateway server.
When you need to consolidate your security event by collecting it to a centralized location you need to install ACS Collector.
Problem: install ACS collector with less opened ports to LAN
Solution: promote the Gateway server located in your DMZ to be a domain controller, install ACS collector, created a computer account manually, and map a certificate to the created computer accounts. Start working with ACS as normal.
Source: Joseph ChanYou can install ACS Collector on a Gateway server.
However, the ACS Collector also has dependency on AD, so you have to promote your Gateway server to a Domain Controller - which can be a completely isolated and separate domain.
Since your agents are in a workgroup, you will need to use certificate auth between them and the Gateway+Collector box.
ACS needs AD to map certificate to machine accounts.