Deploying SCOM Gateway server

  1. Put a change request into the Network group to open TCP port 5723 both ways from the Gateway server to the MS server
  2. Certificates need to be deployed (2 types of certificates)
  3. The root CA needs to be installed on all management servers
  4. A custom cert template needs to be created on the issuing CA for OpsMGR
  5. The Custom OpsMgr cert needs to be installed on all management servers
  6. Run momcertimport on all management servers after the certs have been installed. This makes specific registry changes that help SCOM pick the correct cert.
  7. Approve the gateway server on the RMS using the gateway approval tool.
  8. Manual install of agents on servers to be monitored
  9. Approve agents in SCOM console

 


Open and test ports

Put a change request into the Network group to open TCP port 5723 both ways from the Gateway server to the MS server.

 

To test whether the port is open, log on to the gateway server and, from a command prompt, type

 

telnet SRVNAME261 5723

 

If you get a blank screen with a cursor in the top left corner, the port is open. Any other error indicates that the port is still closed.

 

Do the same from the management server back to the gateway server.

 

 

Certificates need to be deployed (2 types of certificates)

 

1. Root certificate

a. Import the root certificate for the management servers on the same domain as the CA server

i. Log on to the management server. Open a web browser and navigate to http://SRVNAME342/certsrv/

ii. Click on Download a CA certificate, certificate chain, or CRL

iii. Click on Download CA Certificate chain

iv. Click on Save and save to a location of your choice. The default file name is certnew.p7b, which is fine. (You can reuse this file for all your management servers and the gateway server to skip the download on those servers if you like.)

b. To import the downloaded cert open the certificate MMC

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand Certificates, right click on “Trusted Root Certification Authorities” and select All Tasks, Import

vii. When the Certificate Import wizard opens, browse to the downloaded certnew.p7b. You will need to change the file type filter to PKCS #7 Certificates to see it.

viii. Accept the defaults and finish

ix. Do this on all management servers inside the domain

c. Import the root certificate on the Gateway server, which is not joined to the same domain as the CA server.

i. Perform step 1a above to save certnew.p7b, or reuse the file downloaded above, and copy it to the gateway server. Then perform step 1b above.

2. Create the Custom OpsMgr Certificate

a. We will use two consoles to create the cert: the Certification Authority MMC and the Certificate Templates MMC.

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add, select Certificate Templates and Certification Authority, click on Add again, and finish.

b. Select Certificate Templates

c. In the Certificate Templates console right click IPSec (Offline request) and select Duplicate Template

i. General tab: type a name

ii. Request Handling tab

1. Select Allow private key to be exported

2. Click on CSPs…

3. Select Microsoft RSA SChannel Cryptographic Provider for Windows 2003 and Microsoft Enhanced Cryptographic Provider v1.0 for Windows 2000

iii. Extensions tab

1. Select Application Policies and click on Edit

2. Remove IP security IKE intermediate

3. Click on Add…

4. Select Client Authentication and Server Authentication, and click on OK twice.

iv. Security tab

1. Users should have Read

2. Say OK and close.

3. Add the new custom cert template to the certificate authority so it can be issued

i. Open the Certification Authority mmc console

ii. Expand it and right click on certificate templates

iii. Select new, certificate template to issue

iv. Scroll through the list until you find the one you just created. Select it and say ok.

v. It should now show in the right window.

4. Deploy the Custom OpsMgr Certificate to the management servers on the same domain as the CA (need to do the full steps individually for each server)

a. Log on to the management server. Open a web browser and navigate to http://SRVNAME342/certsrv/

b. Click on Request a certificate

c. Click on Create and submit a request to this CA

d. Select the custom Template

e. Enter a Name for the certificate. This is the fully qualified name of the server you are going to install the cert on.

f. Enter the rest of the identity info if you like.

g. Under Key Options select the CSP that fits your operating system: Microsoft RSA SChannel Cryptographic Provider for Windows 2003 or Microsoft Enhanced Cryptographic Provider v1.0 for Windows 2000

h. Key size: 1024

i. Mark keys as exportable

j. Check Store certificate in the local computer certificate store

k. Use the fully qualified server name as the friendly name.

 

l. Click on submit, say yes.

m. Click on Install this certificate

n. Open run and type MMC

o. Click on file, add/remove snap-in

p. Click on Add and select Certificates, and click on add again.

q. Select computer account and say finish

r. Close the window and say ok to the add remove window.

s. Expand certificates and right click on Personal certificates

t. You should see the new cert here.

 

 

5. Deploy the custom certificate to the Gateway server in the DMZ.

a. Because the gateway is not part of the same domain as the CA, we need to create the certificate on a different server, export it to a USB drive or other storage device, then manually copy it to the gateway server and import it.

b. First create the cert from a server on the same domain as the CA, following the steps in step 4.

c. Next we will export the cert

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand certificates and right click on Personal certificates

vii. You should see the new cert here.

viii. Right click on the cert and select All tasks, export

ix. The export wizard will open, say next

x. Select Yes, export private key

xi. Select enable strong protection

xii. Enter a password to protect the exported private key. You will need this password when you import the cert on the gateway server.

xiii. Specify a location and name to save it to.

xiv. And finish

d. Import the cert.

i. Copy the cert to the gateway server. It will have a .pfx extension.

ii. Open run and type MMC

iii. Click on file, add/remove snap-in

iv. Click on Add and select Certificates, and click on add again.

v. Select computer account and say finish

vi. Close the window and say ok to the add remove window.

vii. Expand certificates and right click on Personal certificates

viii. Select All tasks, Import

ix. Browse to the cert you copied over. You will need to change the file type to PFX to see the cert.

x. Select open, say next, enter the password.

xi. Check off Mark this key as exportable.

xii. Say next, make sure the certificate store is Personal, click next and finish.

 

6. Run the momcertimport utility

a. In this step we are going to use the same PFX certificate (the custom personal cert) that we created in step 4. This tool writes the certificate serial number to the registry, which helps the OpsMgr components find the proper certificate for authentication.

b. You will find the momcertimport utility on the install CD under SupportTools\i386.

c. Copy MOMCertImport.exe and the PFX certificate into the same folder.

d. Open a command prompt, navigate to the folder with both files and type the following command

i. C:\>MOMCertImport.exe certfilename.pfx

ii. There is NO response after the command is successfully initiated.

e. Do this on all SCOM management servers: RMS, MS, and Gateway.
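As an added verification step (not part of the original walkthrough), the following PowerShell, run on a management or gateway server, checks each certificate in the computer's Personal store against the requirements from steps 2 and 4 (subject is the server's FQDN, private key present, Client and Server Authentication EKUs, chain to the imported root) and reports which one MOMCertImport registered. The function names are mine; the registry path is the one quoted in the comments below, and the reverse byte order of the stored serial number is an assumption of the script.

```powershell
# Added verification script (not part of the original post). Assumes SCOM 2007
# paths; the registry location is the one quoted in the post's comments.
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Returns the list of reasons why $Cert would NOT work for OpsMgr mutual auth.
function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $subject = $Cert.GetNameInfo('SimpleName', $false)
    if ($subject -ne $Fqdn) { $problems += "subject '$subject' is not this server's FQDN '$Fqdn'" }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store (was it exported as PFX?)' }
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
    if (-not $Cert.Verify()) { $problems += 'chain does not build to a trusted root (import certnew.p7b first)' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($Cert.NotAfter)" }
    return $problems
}

# MOMCertImport stores the serial number as REG_BINARY. This script assumes the
# bytes are in reverse order relative to the MMC display and normalises them.
function Get-RegisteredSerialNumber {
    $bytes = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $null }
    $copy = [byte[]]$bytes.Clone()
    [array]::Reverse($copy)
    return (($copy | ForEach-Object { $_.ToString('X2') }) -join '')
}

$registered = Get-RegisteredSerialNumber
if (-not $registered) { Write-Warning 'ChannelCertificateSerialNumber not set: run MOMCertImport.exe' }

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $state  = if ($cert.SerialNumber -eq $registered) { 'REGISTERED' } else { 'not registered' }
    $issues = Test-OpsMgrCertificate -Cert $cert
    Write-Host ("{0,-14} {1}  {2}" -f $state, $cert.SerialNumber, $cert.Subject)
    foreach ($i in $issues) { Write-Host "    - $i" }
}
```

A healthy server shows exactly one REGISTERED certificate with no issues listed under it; if the registered serial never matches any certificate, compare the registry bytes without reversing them.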

7. Approve the Gateway Server

a. We will use the gateway approval tool to achieve this. It sets up the gateway server as a management server in SCOM. Once done, you can confirm this in the SCOM console under Administration, Device Management, Management Servers.

b. The tool has to be run from c:\program Files\System Center Operations Manager 2007

c. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the support tools directory to c:\program Files\System Center Operations Manager 2007

d. Open the command prompt and type the following command

i. microsoft.enterprisemanagement.gatewayapprovaltool.exe /managementservername=SRVNAME261.domainName.com /gatewayname=domainNamedmz22.domainNamedmz.com /action=create

8. You are now ready to manually install the agents on the servers in the DMZ

9. Approve the agents in the SCOM console.

 

 


Comments

16 Responses to “Deploying SCOM Gateway server”

  1. Ron Hagerman on February 19th, 2009 2:33 pm

    I’m in the process of deploying to Moscow Russia via a gateway server through a TCP forwarder. (think NAT routing)

    The gateway is going to be collecting data and sending it to the firewall on port 4033 and then the firewall will forward it to the RMS on 5723. This has been tested in the lab and I’m just waiting on security to approve the design.

    This takes some registry manipulation and after I write it up, I’ll post it.

    Regards,

    Ron Hagerman

  2. Brad Hearn on February 21st, 2009 4:51 am

    That sounds really cool. Please post how your project works out.

  3. Ron Hagerman on March 18th, 2009 5:28 pm

    We did a proof of concept in the lab. We placed a gateway server behind the Sidewinder appliance and set up the filters to route the traffic through port 4033. It appeared to work since we were able to see traffic at the sidewinder from the gateway to the RMS. What we did not see however, was traffic on port 5723 as well.

    I have the Moscow gateway in place and set up, if I create a VPN to the United States, it works well but without the VPN I get events in the Ops Mgr event log that state a connection was established on port 4033. YAY! Management packs are requested as well. If I deploy an agent to a server in Moscow, it shows up on the RMS as needing approval. Again, YAY!

    I also get two critical events that state “Cannot communicate with RMS on port 5723” and another one that states the RMS is unreachable. Health service fails on all managed servers from Moscow.

    I’ll let you know how it goes and if I ever get it working :)

    Thanks

    Ron Hagerman

  4. Sam T on May 14th, 2009 8:20 am

    Just wondering what you would need to open Port 5724 for?
    I’ve deployed SCOM in various configurations (Gateways, individually certed agents, connected mgmt-groups, multiple MS-servers) and never needed to open more than port 5723 to get it working.

  5. Brad Hearn on May 15th, 2009 2:07 am

    Good catch! You don’t need port 5724. I had included that the first time I went through the process thinking it was needed. I have since then removed that step and did not realize I missed it in this document. I better do some house cleaning now.

  6. Sam T on May 25th, 2009 7:44 am

    But would you look at that!

    You were right too. :D

    According to the post on http://social.technet.microsoft.com/Forums/en-US/systemcenterrom/thread/11e3bd77-f04d-41cc-a5c5-a18cd617baae

    You do need 5724 on some occasions. I’ve just been lucky then I guess. ;)

  7. Fredrik on June 26th, 2009 8:35 am

    Just want to say thank you!
    Looked all over (2 days) on how to create the template on Windows 2008 CA. All other manuals I’ve seen assume you already created the template and don’t mention how to.
    Thanks again

  8. Thais on October 6th, 2009 9:26 am

    Trying out this “walkthrough” and got to point 3. “Add new custom cert to…..”. I cannot see the Certificate templates anywhere under Certification Authority. Maybe I’m blind so I think I need some help with this.
    The gateway server is installed on a 2008 Standard Server

  9. Brad Hearn on October 14th, 2009 12:20 pm

    Sorry Thai, I have not had the time to run through the process on a 2008 cert server. This process is based on 2003. When I get the time I do plan to create a process for 2008.

  10. Steeve Theriault on December 8th, 2009 12:10 am

    Thai, to be able to see the certificate templates the certificate authority has to be a Windows Enterprise version as it supports v2 certificates.

  11. Jacob on December 14th, 2009 11:39 pm

    Am confused on one thing, do we need to create custom certificate for each servers and have to register same on respective servers using momcertimport?

  12. Brad Hearn on December 15th, 2009 1:45 pm

    Hi Jacob,

    You will need a personalized cert for each server that you will monitor without a gateway. Or a cert for each Gateway. This is partly because each cert needs to be named accordingly to the server name. Also, you will need to run the certimport utility on each server. This tool is used to copy the certificate serial number from the cert into the following registry location HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber

    A bit of a pain I know. But also a motivator to use a gateway server to minimize the work where possible.

  13. Jacob on December 16th, 2009 11:51 pm

    Thanks for the reply and do we need custom certificate for RMS and MS?

  14. Brad Hearn on December 18th, 2009 1:48 pm

    Jacob,

    You will need both the custom certificate and root certificate for all your management servers. This includes your RMS, all MS servers and any gateways that you have. And remember that after you have imported these certs on each server using the MMC certificate tool, you will then need to use the SCOM certimport utility on each server to update the registry with the certificate serial number.

    Brad

  15. Krishna on January 18th, 2010 10:25 am

    Hello Brad,

    Thank you for this article

    We are planning to monitor our servers in the DMZ through SCOM. Can the IPSec (Offline Request) custom certificate be used for this as well?

    Currently I have CA installed on Windows 2003 Standard edition which is also a DC and we are planning to migrate to Windows 2008 Enterprise or Windows 2008 R2 Standard as this supports V1, V2, V3 certificate templates.

    Currently we are running on SCOM 2007 SP1 and all servers are Windows 2003.

    Kindly advise if I need to make sure of any other prerequisites. Will a Windows 2008 R2 CA suit our requirement?

    Regards,
    Krishna
    http://smtpport25.wordpress.com

  16. Brad Hearn on January 19th, 2010 5:58 pm

    Hi Krishna,

    If I understand your question to be “Can you use the IPSec offline cert instead of a custom OpsMgr cert?”

    I would say no. There are OIDs that need to be part of the certificate. So in this case you will need to create it.

    I have not used 2008 R2 CA yet for Opsmgr. But yes, you can use this. I have seen many blogs as well that discuss this.

    Hope this helps,
    Brad
