(Post courtesy Rohit Kochher)
In part 1, we discussed scenarios where Operations Manager uses certificates to monitor computers in a workgroup or non-trusted domain. We also configured the certificate template for Operations Manager. In this post we will use certificates for gateway servers and deploy them. At the end we will also have the steps to monitor machines in a workgroup.
Open browser https://<servername>/certsrv where <servername> is name of server running Active Directory Certificate Services. On the welcome page click download a CA Certificate, certificate chain, or CRL
Save the certificate. Now to import it open MMC. From File, select Add/Remove Snap-in. Add certificates snap-in and select Computer Account.
Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. Use All tasks to Import the trusted root (CA) certificate.
We already covered on configuring template for SCOM in part 1.
Request a certificate for SCOM/Gateway server
1) Open browser with https://<servername>/certsrv again. In Select a task page click Request a certificate.
2) In request a Certificate page , select advanced certificate request.
3) In Advanced Certificate request , select Create and Submit a request to this CA
4) In Certificate template, from the drop down, select the certificate template that we configured in Part 1 of the series.
5) At the bottom of the page in Friendly Name, give the FQDN for SCOM Server/ Gateway server.
We need to install certificate both on SCOM server and gateway server.
On gateway server, open the media of SCOM. Click Install Operations Manager 2007 R2 Gateway. Enter the management group name, Management server.
Select Gateway Action Account and we have two options from Local System or Domain account
Click next and wait for installation to get complete.
Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager 2007 installation directory.
Open a Command Prompt window, and navigate to the \Program Files\System Center Operations Manager 2007 directory.
Syntax of command is Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
Importing Certificates with the MOMCertImport.exe Tool
We need to import certificate both on management and gateway server.
On Command prompt Navigate to \SupportTools\<platform> (i386 or ia64).
Run momcertimport.exe /SubjectName <certificate subject name>.
With this, I was able to monitor machines in non-trusting domain using gateway server and certificates. To confirm everything is good, you can check one thing.
Open the certificate that you install on management/gateway server. Click on Details Tab and check the Serial Number.
Now navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and check the value of ChannelCertificateSerialNumber. Serial number of certificate should be listed backwards here in registry.
Further I can configure multiple gateway servers for agents to fail over. Also I can configure multiple SCOM servers for my gateways to fail over. This can be done using Power shell and is covered in the blog.
Now, we will discuss about how we can monitor machines which are in a workgroup. I have outlined this in few steps:
Name resolution between SCOM server and workgroup server can be done by host files which are located at C:\Windows\System32\drivers\etc
Make sure TCP port 5723 is opened for communication. You can telnet to confirm same.
You can manually install SCOM agent on workgroup server and later use certificates. Copy the AGENT folder from SCOM media. Based on 32/64 bit OS, run the MSI. Specify the management group and SCOM server name and complete the installation.
Check the Download and Import trusted Root (CA) Certificate in beginning of this blog. Perform that to download and import CA certificate on local computer. CA certificate should be imported in Trusted Root Certification Authorities store. Here I am assuming you can connect to https://<servername>/certsrv through your browser.
Next step is to get certificate for workgroup server. We already discussed in part 1 on how to configure certificate template for SCOM. Check Request a certificate for SCOM/Gateway server section at top of the blog to request certificate from workgroup server. You need to have permissions in domain of SCOM server for this. Also while requesting certificate, in FRIENDLY NAME give name of workgroup server.
Certificate will by default get installed in personal store of Current user. Open MMC and export that certificate from current user store to some location. Later import it in Personal section of Local computer.
Copy MOMCertImport from SCOM support tools on workgroup server.
Process Manual Agent Installations in Operations Manager 2007
On your Operations Manager server, configure the security settings for manually installed agent. It should be Review new manual agent installations in pending management view with/without Auto-approve new manually installed agents depending upon your security settings. Refer to the article for more details.
Thanks for reading!!
Is the same template to be used for getting a certificate for the gateway server and the monitored client? (I know it will work, but wanted to be clear whether the cert on the client needs to have server authentication capabilities as well)
Yes, Same template should work.
"Wanted to be clear whether the cert on the client needs to have server authentication capabilities as well"
Yes, the authentication is mutual. Both the Gateway/Agent and the Operations Manager Server has to be mutually authenticated with each other.
is it possible to use a 2012 agent with a 2007 R2 gateway? Thanks
There is a way to monitor agents from workgroups without using a gateway server. Is it a "Microsoft Supported" configuration to do gatewayless monitoring?