(Post courtesy Rohit Kochher)
In part 1, we discussed scenarios where Operations Manager uses certificates to monitor computers in a workgroup or non-trusted domain. We also configured the certificate template for Operations Manager. In this post we will use certificates for gateway servers and deploy them. At the end we will also have the steps to monitor machines in a workgroup.
Open a browser to https://<servername>/certsrv, where <servername> is the name of the server running Active Directory Certificate Services. On the welcome page, click Download a CA certificate, certificate chain, or CRL.
Save the certificate. To import it, open MMC; from the File menu select Add/Remove Snap-in, add the Certificates snap-in and select Computer Account.
Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. Use All Tasks > Import to import the trusted root (CA) certificate.
Configuring the certificate template for SCOM was covered in part 1.
Request a certificate for SCOM/Gateway server
1) Open the browser to https://<servername>/certsrv again. On the Select a task page, click Request a certificate.
2) On the Request a Certificate page, select advanced certificate request.
3) On the Advanced Certificate Request page, select Create and submit a request to this CA.
4) In Certificate Template, select from the drop-down the template that we configured in part 1 of the series.
5) At the bottom of the page, in Friendly Name, give the FQDN of the SCOM server or gateway server.
The certificate must be installed on both the SCOM server and the gateway server.
On the gateway server, open the SCOM media and click Install Operations Manager 2007 R2 Gateway. Enter the management group name and the management server.
Select the Gateway Action Account; the two options are Local System or a domain account.
Click Next and wait for the installation to complete.
Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager 2007 installation directory.
Open a Command Prompt window, and navigate to the \Program Files\System Center Operations Manager 2007 directory.
The syntax of the command is Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
Importing Certificates with the MOMCertImport.exe Tool
The certificate must be imported on both the management server and the gateway server.
At a command prompt, navigate to \SupportTools\<platform> (i386 or ia64).
Run momcertimport.exe /SubjectName <certificate subject name>.
With this, I was able to monitor machines in a non-trusting domain using a gateway server and certificates. To confirm everything is good, you can check one thing.
Open the certificate that you installed on the management/gateway server, click the Details tab and note the Serial Number.
Now navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and check the value of ChannelCertificateSerialNumber. The certificate's serial number should appear here with its bytes in reverse order.
Further, I can configure multiple gateway servers for agents to fail over to, and multiple SCOM servers for my gateways to fail over to. This is done using PowerShell and is covered in the blog.
Now we will discuss how to monitor machines that are in a workgroup. I have outlined this in a few steps:
Name resolution between the SCOM server and the workgroup server can be done with hosts files, which are located at C:\Windows\System32\drivers\etc.
Make sure TCP port 5723 is open for communication. You can telnet to the port to confirm.
You can manually install the SCOM agent on the workgroup server and later use certificates. Copy the AGENT folder from the SCOM media and run the MSI for your 32-bit or 64-bit OS. Specify the management group and the SCOM server name and complete the installation.
Follow the steps for downloading and importing the trusted root (CA) certificate at the beginning of this post to download and import the CA certificate on the workgroup computer. The CA certificate must be imported into the Trusted Root Certification Authorities store. Here I am assuming you can reach https://<servername>/certsrv through your browser.
The next step is to get a certificate for the workgroup server. We already discussed in part 1 how to configure the certificate template for SCOM; see the Request a certificate for SCOM/Gateway server section at the top of this post to request the certificate from the workgroup server. You need permissions in the domain of the SCOM server for this. While requesting the certificate, give the name of the workgroup server in FRIENDLY NAME.
By default the certificate is installed in the Personal store of the current user. Open MMC, export that certificate from the current user store to a file, and then import it into the Personal store of the Local Computer.
Copy MOMCertImport from the SCOM support tools to the workgroup server.
Process Manual Agent Installations in Operations Manager 2007
On your Operations Manager server, configure the security setting for manually installed agents. It should be Review new manual agent installations in pending management view, with or without Auto-approve new manually installed agents depending on your security requirements. Refer to the article for more details.
Thanks for reading!!
In this series of two posts, we will discuss monitoring machines in a non-trusted domain. In part one we will discuss the scenarios in which certificates are used and how to configure the certificate template for Operations Manager. In part two, we will cover installation and approval of gateway servers and configuring monitoring for workgroup machines.
Kerberos or Certificates
System Center Operations Manager 2007 R2 uses mutual authentication to communicate with agents. This can be done using Kerberos v5 or certificates. If the monitored computers are in the same domain as the Operations Manager server, or if the two domains have a two-way trust, we can use Kerberos. But if you want to monitor machines in a workgroup or in a non-trusted or one-way trusted domain, we need certificates, which then provide the mutual authentication.
The following blog post from the Operations Manager support team has a nice diagram that shows where you would use Kerberos vs. certificates for authentication: Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server.
Scenarios to use Certificates
If my Operations Manager server is in domain A and I want to monitor machines which are in a workgroup, I need to use certificates. I will install certificates on my Operations Manager server and on each workgroup machine that I want to monitor.
If my Operations Manager server is in domain A and I want to monitor machines in untrusted domain B, I will use certificates along with a gateway server. But this time I don’t need to install certificates on all machines in domain B. I can simply install the Gateway Server in domain B and have certificates installed on the Operations Manager server of domain A and the Gateway Server of domain B. Within Domain B, Kerberos is the security mechanism between the agents and the Gateway server. Between the Gateway and Operations Manager servers, certificates are used to provide mutual authentication.
Another benefit of gateway servers is that only one port, TCP 5723, needs to be opened between the Gateway and Operations Manager servers.
We will also need name resolution between the Operations Manager server and the gateway server. This can be done using DNS, hosts files, and so on.
Let’s get it Started
I have installed the Active Directory Certificate Services (AD CS) and Certification Authority Web Enrollment roles on Windows Server 2008 R2. The Certification Authority is of the Enterprise type. More on the 2008 R2 CA can be found here. Also, to configure the HTTPS binding for the CA, check this article.
Configuring certificate template for SCOM
1) On the 2008 R2 server, click Start, then Administrative Tools, and open the Certification Authority snap-in. Click Certificate Templates, then Manage.
2) Right-click the IPSec (Offline request) template and select Duplicate Template. Select the Windows Server 2003 Enterprise option for the version.
3) In the properties of the new template, on the General tab, give the template a name such as OpsMgr Certificate in Template Display Name.
4) On the Request Handling tab, check Allow private key to be exported.
5) Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
6) Click Add and then select Client Authentication and Server Authentication and click OK.
7) On the Security tab, give Authenticated Users Read and Enroll permissions.
8) Close the Certificate templates console.
Add the configured templates to certificate templates folder
Right-click Certificate Templates in the CA console, click New, then Certificate Template to Issue, and select the certificate template that we named in step 3.
This completes the certificate configuration for SCOM. In part 2 we will discuss the installation of certificates and the deployment of the gateway server.
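Two things worth verifying on a management or gateway server, the registry serial-number check described in part 2 above and the two EKUs that template step 6 must leave on the certificate, can be scripted. The following is an added PowerShell example, not code from the original posts; it assumes the registry path and value name given in part 2, that the certificate sits in the Local Computer Personal store, and that its subject CN is the FQDN passed to MOMCertImport.

```powershell
# Added example, not from the original posts. Checks the certificate registered
# with MOMCertImport on a management or gateway server. Assumptions: registry
# path and value name as given in part 2; certificate in Local Computer\Personal;
# subject CN equals the FQDN given to MOMCertImport.
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$RegValue = 'ChannelCertificateSerialNumber'
$RequiredEku = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
                  '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }

function ConvertFrom-SerialHex {
    param([string]$SerialHex)
    # Accepts the Details-tab form ("61 8f 0a ...") or X509Certificate2.SerialNumber ("618F0A...").
    $clean = $SerialHex -replace '[^0-9A-Fa-f]', ''
    $bytes = New-Object byte[] ([int]($clean.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

function Test-ChannelSerialMatch {
    param([string]$CertSerialHex, [byte[]]$RegistryBytes)
    # OpsMgr stores the serial number with its byte order reversed, so reverse
    # the certificate's serial before comparing it with the REG_BINARY value.
    $expected = ConvertFrom-SerialHex $CertSerialHex
    [Array]::Reverse($expected)
    if ($expected.Length -ne $RegistryBytes.Length) { return $false }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($expected[$i] -ne $RegistryBytes[$i]) { return $false }
    }
    return $true
}

function Test-OpsMgrCertificate {
    # Live check: both EKUs from the template, a private key present, and the
    # registry serial matching. Returns $true only when every check passes.
    param([string]$SubjectName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$SubjectName in LocalMachine\My" }
    $ok = $true
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    foreach ($oid in $RequiredEku.Keys) {
        if ($ekus -notcontains $oid) { Write-Warning "Missing EKU: $($RequiredEku[$oid])"; $ok = $false }
    }
    if (-not $cert.HasPrivateKey) { Write-Warning 'No private key: import the .pfx, not just the .cer'; $ok = $false }
    $regBytes = (Get-ItemProperty -Path $RegPath -Name $RegValue).$RegValue
    if (-not (Test-ChannelSerialMatch $cert.SerialNumber $regBytes)) {
        Write-Warning "$RegValue does not match serial $($cert.SerialNumber); rerun MOMCertImport"; $ok = $false
    }
    return $ok
}

# Constructed sample: a serial as shown on the Details tab, and the bytes OpsMgr
# would write to the registry for it (same bytes, reversed order).
$sampleSerial   = '61 8f 0a 3c 00 00 00 00 00 07'
$sampleRegistry = [byte[]](0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x0a, 0x8f, 0x61)
Test-ChannelSerialMatch -CertSerialHex $sampleSerial -RegistryBytes $sampleRegistry
# On a real server: Test-OpsMgrCertificate -SubjectName '<GatewayFQDN>'
```

A mismatch between the registry value and the installed certificate is the usual cause of the gateway and management server failing to authenticate each other after a certificate renewal, so the live check is worth rerunning whenever the certificate changes.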
Stay Tuned!!
Additional Resources
(Post courtesy of Yashkumar Tolia. Steps below are from the Virtual Application Management with Microsoft Application Virtualization 4.5/4.6 and System Center Configuration Manager 2007 R2 White Paper)
Previous Post: Integration of System Center Configuration Manager and App-V (part 2)
Configure Configuration Manager Distribution Point Servers and Client to Enable Virtual Application Deployment
1. Enable Standard Distribution Point server(s) to Deliver Virtual Applications to Configuration Manager Clients
a. Install the BITS and IIS Server software on all Configuration Manager standard Distribution Point servers that you plan to use for delivery of virtual applications.
b. Configure the standard Distribution Point server(s) to enable virtual application delivery as follows:
i. In the Configuration Manager Admin Console, open the properties of a specific standard Distribution Point server.
ii. On the General tab, select "Communication Settings > Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS."
Figure 12 – Configuration Manager Admin Console Distribution Point Properties
iii. If streaming delivery will be used with this Distribution Point, on the Virtual Applications tab, select “Enable virtual application streaming.”
Note: If you plan to only use local delivery for virtual applications (i.e., no streaming delivery), then do not select this option. If you plan to use a combination of local delivery and streaming delivery for virtual applications, then do select this option.
The following screen shot highlights the setting described above:
Figure 13 – Configuration Manager Admin Console Distribution Point Properties
a. In the Configuration Manager Admin Console, edit the properties of a specific Branch Distribution Point.
b. On the Virtual Applications tab, select “Enable virtual application streaming.”
Figure 14 – Configuration Manager Admin Console Distribution Point Properties
a. In the Configuration Manager Admin Console, open the properties of the Advertised Programs Client Agent and select “Allow virtual application package advertisement.”
Figure 15 – Configuration Manager Admin Console Advertised Programs Client Agent Properties
IMPORTANT: This action gives Configuration Manager control of the App-V Client on the Configuration Manager Client PC.
This will cause the Configuration Manager Advanced clients to remove all previously deployed virtual application packages (published through an App-V Full Infrastructure or standalone MSI).
Deploy a Virtual Application to Configuration Manager Clients
A sequencing engineer uses the App-V Sequencer program to sequence an existing application and saves the new virtual application package to a specified content directory.
Use the New Virtual Application Package Wizard to specify the sequenced application source directory location and import the sequenced application into the Configuration Manager site.
The New Virtual Application Package Wizard is launched as follows:
Figure 16 – Installing the program according to the distribution boundary
After a virtual application package has been imported into Configuration Manager, the package must be replicated to the Distribution Points that will be used to deliver the virtual application package to clients. The Configuration Manager administrator chooses which Distribution Points the virtual application package will be sent to.
Configuration Manager Advertisements are targeted at collections. These can be collections of computers or users. Both user- and machine-based targeting are fully supported.
After a virtual application package has been replicated to Distribution Points, it can be advertised to any Configuration Manager collection. This can be done according to the steps shown earlier. The New Advertisement Wizard can specify things such as:
Verify Virtual Application Delivery to a Specific Client
Previous Post: Integration of System Center Configuration Manager and App-V (part 1)
How to Perform Common Virtual Application Management Tasks with Configuration Manager
App-V integrates seamlessly with System Center Configuration Manager workflows, enabling IT administrators to manage physical and virtual applications through a single management experience. IT administrators can follow known processes and workflow for delivering virtual applications to end users. This reduces the learning curve and enables IT to deliver applications more quickly. Using Configuration Manager, virtual applications can be delivered to either machines or users. Administrators can inventory virtual applications, meter the virtual application licenses, and deliver virtual applications as part of Operating System Deployment Task Sequences. Together, App-V and System Center Configuration Manager 2007 R2 provide a full PC lifecycle management solution for deploying and managing both physical and virtual applications for enterprise customers.
Deploy the App-V Client Software to Configuration Manager Client PCs
1. Obtain the App-V Client software from Microsoft (i.e., download the MDOP 2011 software from the Microsoft Volume Licensing Services Web site) and extract the App-V Client software into a source directory. This directory should include the following App-V Client assets:
2. Customize the AppVirtMgmtClient.sms package definition file to suit your App-V Client installation requirements.
Before proceeding to the next step to create the software distribution package, edit the AppVirtMgmtClient.sms package definition file and add/change the command line options for the setup.exe program to customize the App-V Client installation options.
The default command line provided in the AppVirtMgmtClient.sms file follows:
COMMANDLINE=setup.exe /s /v"/quiet /norestart /qn"0\"\"
The above command line performs a silent installation of the App-V Client software with all of the default values and suppresses the client PC reboot.
Note: Because the App-V Client includes a virtual file system driver, it is necessary to reboot the client PC when upgrading the App-V Client. However, a reboot is not required for installation of the App-V Client on a client PC that does not already include the App-V Client software.
3. Use the AppVirtMgmtClient.sms file to create a Configuration Manager software distribution package for the App-V Client software as follows:
Figure 1 – Configuration Manager Admin Console Distribution Point Properties
The Create Package from Definition Wizard will appear. For Welcome, click Next.
Figure 2 – Create Package from Definition Wizard
For Package Definition, click Browse… and navigate to the AppVirtMgmtClient.sms package definition file.
Figure 3 – Package Definition
Note: The default location of the AppVirtMgmtClient.sms file is C:\Program Files\Microsoft Configuration Manager\Tools\VirtualApp\AppVirtMgmtClient.sms.
Click on the AppVirtMgmtClient.sms file and click Open.
Figure 4 – Selection of the Package
Figure 5 – Configuration Manager Admin Console Distribution Point Properties
Figure 6 – New Advertisement Wizard
Figure 7 – Providing appropriate schedule information
Figure 8 – Installing the program locally and running; or streaming delivery
Figure 9 – User Interaction Page
Figure 10 – Provision of appropriate permissions to access the package
Figure 10 – App-V Client is published
Note: With App-V 4.6, there are both 32-bit and 64-bit versions of the client. Two separate packages, programs, and advertisements will need to be created in order to accommodate both platforms. The appropriate collections for 32-bit and 64-bit applications will need to be used to ensure delivery to the correct platform.
Next post: Integration of System Center Configuration Manager and App-V (part 3)
Application Virtualization is an important component of the virtualization stack. An important and vital ingredient in the Virtual Desktop Infrastructure cuisine, it separates the application from the Operating System. Configuration Manager, on the other hand, is widely used for patching, updating and management of an entire IT infrastructure. Integrating the two technologies gives the freedom of managing virtualized applications from Configuration Manager and adds rapid deployment of the App-V client.
Configuration Manager includes capabilities to integrate with App-V out of the box. Configuration Manager uses only publicly documented interfaces to interact with the App-V Client software. All integration is implemented with the following methods:
App-V integration with Configuration Manager is streamlined because Configuration Manager is simply automating tasks that can be done with App-V. Organizations with Configuration Manager already in place, or those in the process of implementing Configuration Manager, can implement one infrastructure using a seamless, scalable solution to deliver, report on, and manage the application lifecycle from one console.
Configuration Manager and App-V Infrastructure Overview
Configuration Manager and App-V can be integrated to provide a comprehensive deployment and update service for virtual applications. With Configuration Manager, the typical App-V infrastructure is reduced to the App-V Sequencer and Client. Configuration Manager takes the place of the publishing and streaming components in a typical App-V full infrastructure. The following figure illustrates the minimal Configuration Manager and App-V processes and components required to manage virtual applications with Configuration Manager. The App-V Sequencer produces packages that can be distributed via a Configuration Manager infrastructure to the App-V Clients. This eliminates the need for two separate infrastructures to support application deployment. Configuration Manager can be used to deploy both traditional and virtual applications.
Figure 1 – Configuration Manager and App-V Infrastructure
Publishing virtual applications using Configuration Manager requires a simple process to be followed. The following section describes the virtualization (using App-V) and distribution (using Configuration Manager) process.
Process
At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published using Configuration Manager Advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure.
Sequencing – The process of taking a physical application and turning it into a virtual application. Configuration Manager requires sequencing applications with an App-V 4.5 or newer Sequencer to create the necessary files for publishing and delivery (Manifest.xml file).
Publishing – The process of provisioning virtual applications to users or computers in Configuration Manager. Configuration Manager utilizes the Site Server components for publishing applications. This process will present the application to the computer before the application assets have been delivered.
Delivery – The process of moving the virtual application assets to the client computers. This is normally referred to as “streaming” in an App-V full infrastructure. Configuration Manager provides two options for delivery of virtual applications (“Streaming” and “Download and Execute”).
Components
Managing virtual applications with Configuration Manager will require an App-V Sequencer for creating packages, a Configuration Manager Site Server, Configuration Manager Distribution Point(s) for delivery of the packages, and Configuration Manager client computers with the App-V Client installed. The following minimum components are required to support App-V in a Configuration Manager infrastructure.
Microsoft App-V Sequencer – The App-V Sequencer ‘program’ is used to package virtual applications for deployment with Configuration Manager.
Configuration Manager Site Server – A part of the Configuration Manager Site hierarchy, the Configuration Manager Site Server manages virtual application distribution through Configuration Manager Distribution Points to target systems, either as a streaming service, or as a locally delivered package.
Configuration Manager Distribution Point (Distribution Point) – Configuration Manager Distribution Point site roles provide management services such as hardware and software inventory, operating system deployment, and software updates, as well as software distribution of both physical and virtual applications, to Configuration Manager target systems (often referred to as ‘clients’).
Configuration Manager / App-V Clients – Client devices include desktop/laptop PCs, terminal servers and Virtual Desktop Infrastructure (VDI) clients. Configuration Manager Clients that receive delivery of virtual applications from a Configuration Manager infrastructure require both the Configuration Manager Advanced Client and the App-V Client software to be installed and configured. The Configuration Manager and App-V Client software work together to deliver, interpret and launch virtual application packages. The Configuration Manager Client manages the delivery of virtual application packages to the App-V Client. The App-V Client executes the virtual application on the client PC.
Next Post: Integration of System Center Configuration Manager and App-V (part 2)