(Post courtesy Rohit Kochher)
In this series of two blog posts, we will discuss monitoring machines in a non-trusted domain. In part one we will discuss the scenarios in which certificates are needed and how to configure a certificate template for Operations Manager. In part two, we will cover installation and approval of gateway servers and configuring monitoring for workgroup machines.
Kerberos or Certificates
System Center Operations Manager 2007 R2 uses mutual authentication to communicate with agents. This can be done using Kerberos v5 or certificates. If the monitored computers are in the same domain as the Operations Manager server, or if the two domains have a two-way trust, we can use Kerberos. But if you want to monitor machines in a workgroup or in a non-trusted or one-way trusted domain, we need certificates. Certificates provide the mutual authentication in that case.
The following blog post from the Operations Manager support team has a nice diagram that shows where you would use Kerberos vs. certificates for authentication: Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server.
Scenarios to use Certificates
If my Operations Manager server is in domain A and I want to monitor machines which are in a workgroup, I need to use certificates. I will install certificates on my Operations Manager server and on each workgroup machine that I want to monitor.
If my Operations Manager server is in domain A and I want to monitor machines in untrusted domain B, I will use certificates along with a gateway server. But this time I don’t need to install certificates on all machines in domain B. I can simply install the Gateway Server in domain B and have certificates installed on the Operations Manager server of domain A and the Gateway Server of domain B. Within Domain B, Kerberos is the security mechanism between the agents and the Gateway server. Between the Gateway and Operations Manager servers, certificates are used to provide mutual authentication.
Another benefit of gateway servers is that I need to open only one port, TCP 5723, between the Gateway and Operations Manager servers.
We will also need name resolution between the Operations Manager server and the gateway server. This can be done using DNS, hosts files, etc.
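Before touching certificates it is worth confirming that the two prerequisites just mentioned, name resolution and TCP 5723, actually hold in both directions. The following PowerShell function is an added example (not part of the original post) that resolves the peer name and attempts a TCP handshake on the port with a timeout; the server name passed at the end is a placeholder.

```powershell
# Added example: verify name resolution and TCP 5723 reachability between a
# gateway server and an Operations Manager management server.
# 'opsmgr-ms01.domainA.example' below is a placeholder, not a real host.
function Test-OpsMgrGatewayPath {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementServer,
        [int]$Port = 5723,        # Operations Manager agent/gateway channel port
        [int]$TimeoutMs = 3000
    )

    $resolved  = $false
    $addresses = @()
    $portOpen  = $false
    $errorText = $null

    # Step 1: name resolution (DNS or hosts file, whichever this server uses)
    try {
        $entry     = [System.Net.Dns]::GetHostEntry($ManagementServer)
        $resolved  = $true
        $addresses = $entry.AddressList | ForEach-Object { $_.ToString() }
    } catch {
        $errorText = "Name resolution failed: $($_.Exception.Message)"
    }

    # Step 2: TCP handshake on the port, bounded by a timeout so a silently
    # dropping firewall does not hang the check
    if ($resolved) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
                $client.EndConnect($async)
                $portOpen = $true
            } else {
                $errorText = "No TCP connection to port $Port within $TimeoutMs ms (check firewall rules)"
            }
        } catch {
            $errorText = "TCP connect to port $Port failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }

    New-Object PSObject -Property @{
        Target    = $ManagementServer
        Resolved  = $resolved
        Addresses = $addresses
        PortOpen  = $portOpen
        Error     = $errorText
    }
}

# Run on the gateway against the management server, then repeat on the
# management server against the gateway: the channel is mutual, so both
# directions must resolve and connect.
Test-OpsMgrGatewayPath -ManagementServer 'opsmgr-ms01.domainA.example' | Format-List
```

A result with Resolved set to true and PortOpen set to false usually means the firewall between the two networks is not yet allowing TCP 5723; a failed resolution points at DNS or the hosts file rather than the firewall.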
Let’s get it Started
I have installed the Active Directory Certificate Services (AD CS) and Certificate Authority Web Enrollment roles on Windows Server 2008 R2. The Certificate Authority is of the Enterprise type. More on the 2008 R2 CA can be found here. Also, to configure the HTTPS binding for the CA, check this article.
Configuring certificate template for SCOM
1) On the 2008 R2 server, click Start, then Administrative Tools, and open the Certification Authority snap-in. Click Certificate Templates, then Manage.
2) Right-click the IPSec (Offline request) template and select the Duplicate Template option.
Select the Windows Server 2003 Enterprise option for the template version.
3) In the properties of the new template, on the General tab, give the template a name such as OpsMgr Certificate in the Template display name field.
4) On the Request Handling tab, check Allow private key to be exported.
5) Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
6) Click Add, select Client Authentication and Server Authentication, and click OK.
7) Click the Security tab and give Authenticated Users the Read and Enroll permissions.
8) Close the Certificate templates console.
Add the configured template to the Certificate Templates folder
Right-click Certificate Templates in the CA console. Click New and then Certificate Template to Issue. Select the certificate template that we named in step 3.
This is how we configure our certificate template for SCOM. In part 2 we will discuss the installation of certificates and deployment of the gateway server.
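Once a certificate has been issued from this template and placed in the computer's Personal store, the steps above translate into a few properties that can be checked programmatically: the Enhanced Key Usage must list Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1), the IP security IKE intermediate usage (1.3.6.1.5.5.8.2.2) that was removed in step 5 must be absent, and the private key must be present. The function below is an added example, not code from the post; it additionally assumes (as Operations Manager requires) that the subject common name equals the machine's FQDN, which it derives from the local IP configuration unless you pass one in.

```powershell
# Added example: check that a certificate in Cert:\LocalMachine\My matches what the
# OpsMgr template above is meant to produce. Assumption: the subject CN must equal
# the computer's fully qualified name.
function Test-OpsMgrCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn
    )

    if (-not $ExpectedFqdn) {
        # Build host.domain from the local IP configuration; workgroup machines
        # have no domain suffix, so fall back to the bare host name.
        $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
        $ExpectedFqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }
    }

    $problems = @()

    # Enhanced Key Usage: collect the OIDs present on the certificate
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'missing Client Authentication EKU' }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing Server Authentication EKU' }
    if ($oids -contains '1.3.6.1.5.5.8.2.2')    { $problems += 'IP security IKE intermediate EKU still present' }

    # Mutual authentication needs the private key on this machine
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in this store' }

    # Validity window
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Subject CN versus the machine FQDN (assumption stated in the lead-in)
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "subject '$cn' does not match FQDN '$ExpectedFqdn'" }

    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Evaluate every certificate in the computer's Personal store; exactly one
# should come back with Usable = True.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate -Certificate $_ } | Format-List
```

Running this on both the management server and the gateway (or workgroup agent) before the Operations Manager certificate import tooling is used saves a round trip when the template was duplicated from the wrong base or the IKE usage was left in place.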
Stay Tuned!!
Additional Resources
(Post courtesy of Yashkumar Tolia. Steps below are from the Virtual Application Management with Microsoft Application Virtualization 4.5/4.6 and System Center Configuration Manager 2007 R2 White Paper)
Previous Post: Integration of System Center Configuration Manager and App-V (part 2)
Configure Configuration Manager Distribution Point Servers and Client to Enable Virtual Application Deployment
1. Enable Standard Distribution Point server(s) to Deliver Virtual Applications to Configuration Manager Clients
a. Install the BITS and IIS Server software on all Configuration Manager standard Distribution Point servers that you plan to use for delivery of virtual applications.
b. Configure the standard Distribution Point server(s) to enable virtual application delivery as follows:
i. In the Configuration Manager Admin Console, open the properties of a specific standard Distribution Point server.
ii. On the General tab, select “Communication Settings → Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.”
Figure 12 – Configuration Manager Admin Console Distribution Point Properties
iii. If streaming delivery will be used with this Distribution Point, on the Virtual Applications tab, select “Enable virtual application streaming.”
Note: If you plan to only use local delivery for virtual applications (i.e., no streaming delivery), then do not select this option. If you plan to use a combination of local delivery and streaming delivery for virtual applications, then do select this option.
The following screen shot highlights the setting described above:
Figure 13 – Configuration Manager Admin Console Distribution Point Properties
a. In the Configuration Manager Admin Console, edit the properties of a specific Branch Distribution Point.
b. On the Virtual Applications tab, select “Enable virtual application streaming.”
Figure 14 – Configuration Manager Admin Console Distribution Point Properties
a. In the Configuration Manager Admin Console, open the properties of the Advertised Programs Client Agent and select “Allow virtual application package advertisement.”
Figure 15 – Configuration Manager Admin Console Advertised Programs Client Agent Properties
IMPORTANT: This action gives Configuration Manager control of the App-V Client on the Configuration Manager Client PC.
This will cause the Configuration Manager Advanced clients to remove all previously deployed virtual application packages (published through an App-V Full Infrastructure or standalone MSI).
Deploy a Virtual Application to Configuration Manager Clients
A sequencing engineer uses the App-V Sequencer program to sequence an existing application and saves the new virtual application package to a specified content directory.
Use the New Virtual Application Package Wizard to specify the sequenced application source directory location and import the sequenced application into the Configuration Manager site.
The New Virtual Application Package Wizard is launched as follows:
Figure 16 – Installing the program according to the distribution boundary
After a virtual application package has been imported into Configuration Manager, the package must be replicated to the Distribution Points that will be used to deliver the virtual application package to clients. The Configuration Manager administrator chooses which Distribution Points the virtual application package will be sent to.
Configuration Manager Advertisements are targeted at collections. These can be collections of computers or users. Both user- and machine-based targeting are fully supported.
After a virtual application package has been replicated to Distribution Points, it can be advertised to any Configuration Manager collection. This can be done according to the steps shown earlier. The New Advertisement Wizard can specify things such as:
Verify Virtual Application Delivery to a Specific Client
Previous Post: Integration of System Center Configuration Manager and App-V (part 1)
How to Perform Common Virtual Application Management Tasks with Configuration Manager
App-V integrates seamlessly with System Center Configuration Manager workflows, enabling IT administrators to manage physical and virtual applications through a single management experience. IT administrators can follow known processes and workflow for delivering virtual applications to end users. This reduces the learning curve and enables IT to deliver applications more quickly. Using Configuration Manager, virtual applications can be delivered to either machines or users. Administrators can inventory virtual applications, meter the virtual application licenses, and deliver virtual applications as part of Operating System Deployment Task Sequences. Together, App-V and System Center Configuration Manager 2007 R2 provide a full PC lifecycle management solution for deploying and managing both physical and virtual applications for enterprise customers.
Deploy the App-V Client Software to Configuration Manager Client PCs
1. Obtain the App-V Client software from Microsoft (i.e., download the MDOP 2011 software from the Microsoft Volume Licensing Services Web site) and extract the App-V Client software into a source directory. This directory should include the following App-V Client assets:
2. Customize the AppVirtMgmtClient.sms package definition file to suit your App-V Client installation requirements.
Before proceeding to the next step to create the software distribution package, edit the AppVirtMgmtClient.sms package definition file and add/change the command line options for the setup.exe program to customize the App-V Client installation options.
The default command line provided in the AppVirtMgmtClient.sms file follows:
COMMANDLINE=setup.exe /s /v"/quiet /norestart /qn"0\"\"
The above command line performs a silent installation of the App-V Client software with all of the default values and suppresses the client PC reboot.
Note: Because the App-V Client includes a virtual file system driver, it is necessary to reboot the client PC when upgrading the App-V Client. However, a reboot is not required for installation of the App-V Client on a client PC that does not already include the App-V Client software.
3. Use the AppVirtMgmtClient.sms to create a Configuration Manager software distribution package for the App-V Client software as follows:
Figure 1 – Configuration Manager Admin Console Distribution Point Properties
The Create Package from Definition Wizard will appear. For Welcome, click Next.
Figure 2 – Create Package from Definition Wizard
For Package Definition, click Browse… and navigate to the AppVirtMgmtClient.sms package definition file.
Figure 3 – Package Definition
Note: The default location of the AppVirtMgmtClient.sms file is C:\Program Files\Microsoft Configuration Manager\Tools\VirtualApp\AppVirtMgmtClient.sms.
Click on the AppVirtMgmtClient.sms file and click Open.
Figure 4 – Selection of the Package
Figure 5 – Configuration Manager Admin Console Distribution Point Properties
Figure 6 – New Advertisement Wizard
Figure 7 – Providing appropriate schedule information
Figure 8 – Installing the program locally and running; or streaming delivery
Figure 9 – User Interaction Page
Figure 10 – Provision of appropriate permissions to access the package
Figure 10 – App-V Client is published
Note: With App-V 4.6, there are both 32-bit and 64-bit versions of the client. Two separate packages, programs, and advertisements will need to be created in order to accommodate both platforms. The appropriate collections for 32-bit and 64-bit applications will need to be used to ensure delivery to the correct platform.
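The two notes above (a reboot is only needed when an existing App-V Client is being upgraded, and 32-bit and 64-bit PCs need separate packages) are the kind of thing a pre-deployment inventory script can answer per machine. The following PowerShell function is an added example and not part of the white paper; it assumes that the App-V 4.x client registers the 'sftlist' (Application Virtualization Client) service, and the two package names are placeholders for the packages you create.

```powershell
# Added example: for a target PC, report which App-V Client package applies
# (by OS address width) and whether an existing client means a reboot is expected.
# Assumption: App-V 4.x installs the 'sftlist' service. Package names are placeholders.
function Get-AppVClientDeploymentPlan {
    param(
        [string]$ComputerName = '.',
        [string]$Package32 = 'App-V Client 4.6 (x86) - placeholder',
        [string]$Package64 = 'App-V Client 4.6 (x64) - placeholder'
    )

    # Win32_Processor.AddressWidth is 64 only when a 64-bit OS is running,
    # so it selects the correct package even on x64 hardware running a 32-bit OS.
    $cpu   = @(Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName)[0]
    $is64  = ($cpu.AddressWidth -eq 64)

    # An existing client service means this is an upgrade: the virtual file
    # system driver is replaced, so the note above says to expect a reboot.
    $existing = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='sftlist'"
    $upgrade  = ($existing -ne $null)

    New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        AddressWidth   = $cpu.AddressWidth
        Package        = if ($is64) { $Package64 } else { $Package32 }
        ClientPresent  = $upgrade
        ClientState    = if ($upgrade) { $existing.State } else { 'not installed' }
        RebootExpected = $upgrade
    }
}

# Local machine by default; pass -ComputerName to inventory a remote PC over WMI.
Get-AppVClientDeploymentPlan | Format-List
```

Feeding the output into the 32-bit and 64-bit collections mentioned in the note keeps the two advertisements from being offered to the wrong platform, and RebootExpected tells you which advertisements should be scheduled for a maintenance window.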
Next post: Integration of System Center Configuration Manager and App-V (part 3)
Application Virtualization is an important component of the virtualization stack. A vital ingredient of Virtual Desktop Infrastructure, it separates the application from the operating system. Configuration Manager, on the other hand, is widely used for patching, updating and managing an entire IT infrastructure. Integrating the two gives the freedom to manage virtualized applications and leverages Configuration Manager for rapid deployment of the App-V client.
Configuration Manager includes capabilities to integrate with App-V out of the box. Configuration Manager uses only publicly documented interfaces to interact with the App-V Client software. All integration is implemented with the following methods:
App-V integration with Configuration Manager is streamlined because Configuration Manager is simply automating tasks that can be done with App-V. Organizations with Configuration Manager already in place, or those in the process of implementing it, can implement one infrastructure using a seamless, scalable solution to deliver, report on, and manage the application lifecycle from one console.
Configuration Manager and App-V Infrastructure Overview
Configuration Manager and App-V can be integrated to provide a comprehensive deployment and update service for virtual applications. With Configuration Manager, the typical App-V infrastructure is reduced to the App-V Sequencer and Client. Configuration Manager takes the place of the publishing and streaming components in a typical App-V full infrastructure. The following figure illustrates the minimal Configuration Manager and App-V processes and components required to manage virtual applications with Configuration Manager. The App-V Sequencer produces packages that can be distributed via a Configuration Manager infrastructure to the App-V Clients. This eliminates the need for two separate infrastructures to support application deployment. Configuration Manager can be used to deploy both traditional and virtual applications.
Figure 1 – Configuration Manager and App-V Infrastructure
Publishing virtual applications using Configuration Manager requires a simple process to be followed. The following section describes the virtualization (using App-V) and distribution (using Configuration Manager) process.
Process
At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published using Configuration Manager Advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure.
Sequencing – The process of taking a physical application and turning it into a virtual application. Configuration Manager requires sequencing applications with an App-V 4.5 or newer Sequencer to create the necessary files for publishing and delivery (Manifest.xml file).
Publishing – The process of provisioning virtual applications to users or computers in Configuration Manager. Configuration Manager utilizes the Site Server components for publishing applications. This process will present the application to the computer before the application assets have been delivered.
Delivery – The process of moving the virtual application assets to the client computers. This is normally referred to as “streaming” in an App-V full infrastructure. Configuration Manager provides two options for delivery of virtual applications (“Streaming” and “Download and Execute”).
Components
Managing virtual applications with Configuration Manager will require an App-V Sequencer for creating packages, a Configuration Manager Site Server, Configuration Manager Distribution Point(s) for delivery of the packages, and Configuration Manager client computers with the App-V Client installed. The following minimum components are required to support App-V in a Configuration Manager Infrastructure.
Microsoft App-V Sequencer – The App-V Sequencer ‘program’ is used to package virtual applications for deployment with Configuration Manager.
Configuration Manager Site Server – A part of the Configuration Manager Site hierarchy, the Configuration Manager Site Server manages virtual application distribution through Configuration Manager Distribution Points to target systems, either as a streaming service, or as a locally delivered package.
Configuration Manager Distribution Point (Distribution Point) – Configuration Manager Distribution Point site roles provide management services such as hardware and software inventory, operating system deployment, and software updates, as well as software distribution of both physical and virtual applications, to Configuration Manager target systems (often referred to as ‘clients’).
Configuration Manager / App-V Clients – Client devices include desktop/laptop PCs, terminal servers and Virtual Desktop Infrastructure (VDI) clients. Configuration Manager Clients that receive delivery of virtual applications from a Configuration Manager infrastructure require both the Configuration Manager Advanced Client and App-V Client software to be installed and configured. The Configuration Manager and App-V Client software work together to deliver, interpret, and launch virtual application packages. The Configuration Manager Client manages the delivery of virtual application packages to the App-V Client. The App-V Client executes the virtual application on the client PC.
Next Post: Integration of System Center Configuration Manager and App-V (part 2)
(Post courtesy Anil Malekani)
The Software Catalogue portal is a cool new feature in System Center Configuration Manager 2012. Administrators can publish applications for end users, and optionally they can enforce authorization before actual deployment of the application. I tried to configure the feature in the release candidate of Configuration Manager 2012 and captured screenshots at each important step.
Before you start to configure the Application Catalogue, look for prerequisites at the following TechNet link
Prerequisites for Application Management in Configuration Manager
Now, right-click one of the SCCM 2012 primary site systems to add a new role.
Select Application Catalog Web Service Point and Application Catalog Website Point.
You may specify a name for the web application.
Provide Organization name and web theme.
That done, you have the website ready but you still need to publish applications for users.
1. Publish Application to Catalogue, from application properties > Application Catalog tab.
2. Deploy the application to all users. Make it available and (optionally) set "approval required" so that users must request the application.
Finally, define the Application Catalog synchronization frequency. Right-click the site server and go to the "Site Maintenance" option. Scroll down to the bottom of the list and select the Update Application Catalog Tables option. In its properties, define an interval in minutes.
Configure Application Catalogue update setting
User Experience
When a user opens the Application Catalog website, they can see a list of published applications and request an application.
If an application requires approval before deployment, the administrator will see a pending approval request under Application Management. Administrators can either approve or deny the deployment request and also write comments.
Once approved, the client will see the following on their workstation