<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Deploying SCOM Gateway server</title>
	<atom:link href="http://bradstechblog.com/scom/deploying-scom-gateway-server/feed" rel="self" type="application/rss+xml" />
	<link>http://bradstechblog.com/scom/deploying-scom-gateway-server</link>
	<description>Microsoft technologies like: System Center Operations Manager, and whatever else comes up at the office.</description>
	<lastBuildDate>Tue, 22 Nov 2011 15:12:28 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: SCOM 2007 R2 Gateway Server &#8211; A few notes&#8230; &#171; Churchfield17&#39;s IT-Blog</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-505</link>
		<dc:creator>SCOM 2007 R2 Gateway Server &#8211; A few notes&#8230; &#171; Churchfield17&#39;s IT-Blog</dc:creator>
		<pubDate>Wed, 26 Jan 2011 15:40:55 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-505</guid>
		<description>[...] A very good guide can be found here. Many thanks to the [...]</description>
		<content:encoded><![CDATA[<p>[...] A very good guide can be found here. Many thanks to the [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Hearn</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-504</link>
		<dc:creator>Brad Hearn</dc:creator>
		<pubDate>Wed, 29 Sep 2010 21:16:25 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-504</guid>
		<description>JK, 

I am sure you checked these, but I&#039;ll list these off as items that I have seen missed in the past.

1. Make sure the cert chain is installed on the GW under local computer\&gt;Certificates&gt;Trusted Root Certification&gt;Certificates and not under Current User. This can cause the problem right away.
2. Is the GW in a domain or workgroup? 
3. Make sure the FQDN of the GW is the servername.gwdomain.com. If this is a workgroup, then a GW really won&#039;t help you here. However the FQDN would only be the server name with no FQDN
4. What OS is the Gateway? And what CSP are you using in your Cert template? 
If this is 2003 and up you should be using MS RSA SChannel Cryptographic Provider.
5. Make sure the cert is in the reg on the gw at HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber 

Let me know if this helps or not
Brad</description>
		<content:encoded><![CDATA[<p>JK, </p>
<p>I am sure you checked these, but I&#8217;ll list these off as items that I have seen missed in the past.</p>
<p>1. Make sure the cert chain is installed on the GW under local computer\>Certificates>Trusted Root Certification>Certificates and not under Current User. This can cause the problem right away.<br />
2. Is the GW in a domain or workgroup?<br />
3. Make sure the FQDN of the GW is the servername.gwdomain.com. If this is a workgroup, then a GW really won&#8217;t help you here. However the FQDN would only be the server name with no FQDN<br />
4. What OS is the Gateway? And what CSP are you using in your Cert template?<br />
If this is 2003 and up you should be using MS RSA SChannel Cryptographic Provider.<br />
5. Make sure the cert is in the reg on the gw at HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber </p>
<p>Let me know if this helps or not<br />
Brad</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: JK</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-503</link>
		<dc:creator>JK</dc:creator>
		<pubDate>Wed, 29 Sep 2010 15:29:15 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-503</guid>
		<description>Hello.

Thanks for the detailed info. It has been really useful. However I couldn&#039;t get it to work and would appreciate your help.

I created two certificates with FQDN for gateway and RMS. I imported both of them to both gateway and RMS by cert import GUI and MomCertImport. I ran the gw approval tool as well and can now see the gw in SCOM console under management servers.

However, the gw still cannot connect to the RMS and there are 20057, 21001 and 21016 errors in the event log. I requested and checked the ports and they are open. Any suggestions?

PS: One thing I am not sure about: do I need to import both RMS and gw certs to the gw? Or only the gw certificate?

Thanks for your help..</description>
		<content:encoded><![CDATA[<p>Hello.</p>
<p>Thanks for the detailed info. It has been really useful. However I couldn&#8217;t get it to work and would appreciate your help.</p>
<p>I created two certificates with FQDN for gateway and RMS. I imported both of them to both gateway and RMS by cert import GUI and MomCertImport. I ran the gw approval tool as well and can now see the gw in SCOM console under management servers.</p>
<p>However, the gw still cannot connect to the RMS and there are 20057, 21001 and 21016 errors in the event log. I requested and checked the ports and they are open. Any suggestions?</p>
<p>PS: One thing I am not sure about: do I need to import both RMS and gw certs to the gw? Or only the gw certificate?</p>
<p>Thanks for your help..</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Hearn</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-497</link>
		<dc:creator>Brad Hearn</dc:creator>
		<pubDate>Tue, 19 Jan 2010 17:58:09 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-497</guid>
		<description>Hi Krishna,

If I understand your question to be &quot;Can you use the IPSec offline cert instead of a custom OpsMgr cert?&quot; 

I would say no. There are OIDs that need to be part of the certificate. So in this case you will need to create it.  

I have not used 2008 R2 CA yet for OpsMgr. But yes, you can use this. I have seen many blogs as well that discuss this.

Hope this helps,
Brad</description>
		<content:encoded><![CDATA[<p>Hi Krishna,</p>
<p>If I understand your question to be &#8220;Can you use the IPSec offline cert instead of a custom OpsMgr cert?&#8221; </p>
<p>I would say no. There are OIDs that need to be part of the certificate. So in this case you will need to create it.  </p>
<p>I have not used 2008 R2 CA yet for OpsMgr. But yes, you can use this. I have seen many blogs as well that discuss this.</p>
<p>Hope this helps,<br />
Brad</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Krishna</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-495</link>
		<dc:creator>Krishna</dc:creator>
		<pubDate>Mon, 18 Jan 2010 10:25:21 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-495</guid>
		<description>Hello Brad,

Thank you for this article.

We are planning to monitor our servers in DMZ through SCOM. Can an IPSec (Offline Request) custom certificate be used for this as well?

Currently I have CA installed on Windows 2003 Standard edition which is also a DC and we are planning to migrate to Windows 2008 Enterprise or Windows 2008 R2 Standard as this supports V1, V2, V3 certificate templates.

Currently we are running on SCOM 2007 SP1 and all servers are Windows 2003.

Kindly advise if I need to make sure of any other prerequisites. Will Windows 2008 R2 CA suit our requirement?

Regards,
Krishna
http://smtpport25.wordpress.com</description>
		<content:encoded><![CDATA[<p>Hello Brad,</p>
<p>Thank you for this article.</p>
<p>We are planning to monitor our servers in DMZ through SCOM. Can an IPSec (Offline Request) custom certificate be used for this as well?</p>
<p>Currently I have CA installed on Windows 2003 Standard edition which is also a DC and we are planning to migrate to Windows 2008 Enterprise or Windows 2008 R2 Standard as this supports V1, V2, V3 certificate templates.</p>
<p>Currently we are running on SCOM 2007 SP1 and all servers are Windows 2003.</p>
<p>Kindly advise if I need to make sure of any other prerequisites. Will Windows 2008 R2 CA suit our requirement?</p>
<p>Regards,<br />
Krishna<br />
<a href="http://smtpport25.wordpress.com" rel="nofollow">http://smtpport25.wordpress.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Hearn</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-492</link>
		<dc:creator>Brad Hearn</dc:creator>
		<pubDate>Fri, 18 Dec 2009 13:48:42 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-492</guid>
		<description>Jacob,

You will need both the custom certificate and root certificate for all your management servers. This includes your RMS, all MS servers and any gateways that you have. And remember that after you have imported these certs on each server using the MMC certificate tool, you will then need to use the SCOM certimport utility on each server to update the registry with the certificate serial number.

Brad</description>
		<content:encoded><![CDATA[<p>Jacob,</p>
<p>You will need both the custom certificate and root certificate for all your management servers. This includes your RMS, all MS servers and any gateways that you have. And remember that after you have imported these certs on each server using the MMC certificate tool, you will then need to use the SCOM certimport utility on each server to update the registry with the certificate serial number.</p>
<p>Brad</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacob</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-491</link>
		<dc:creator>Jacob</dc:creator>
		<pubDate>Wed, 16 Dec 2009 23:51:42 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-491</guid>
		<description>Thanks for the reply, and do we need a custom certificate for RMS and MS?</description>
		<content:encoded><![CDATA[<p>Thanks for the reply, and do we need a custom certificate for RMS and MS?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Hearn</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-489</link>
		<dc:creator>Brad Hearn</dc:creator>
		<pubDate>Tue, 15 Dec 2009 13:45:47 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-489</guid>
		<description>Hi Jacob,

You will need a personalized cert for each server that you will monitor without a gateway. Or a cert for each Gateway. This is partly because each cert needs to be named according to the server name. Also, you will need to run the certimport utility on each server. This tool is used to copy the certificate serial number from the cert into the following registry location HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber 

A bit of a pain, I know. But also a motivator to use a gateway server to minimize the work where possible.</description>
		<content:encoded><![CDATA[<p>Hi Jacob,</p>
<p>You will need a personalized cert for each server that you will monitor without a gateway. Or a cert for each Gateway. This is partly because each cert needs to be named according to the server name. Also, you will need to run the certimport utility on each server. This tool is used to copy the certificate serial number from the cert into the following registry location HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber </p>
<p>A bit of a pain, I know. But also a motivator to use a gateway server to minimize the work where possible.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacob</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-488</link>
		<dc:creator>Jacob</dc:creator>
		<pubDate>Mon, 14 Dec 2009 23:39:00 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-488</guid>
		<description>I am confused on one thing: do we need to create a custom certificate for each server and register it on the respective server using momcertimport?</description>
		<content:encoded><![CDATA[<p>I am confused on one thing: do we need to create a custom certificate for each server and register it on the respective server using momcertimport?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steeve Theriault</title>
		<link>http://bradstechblog.com/scom/deploying-scom-gateway-server/comment-page-1#comment-487</link>
		<dc:creator>Steeve Theriault</dc:creator>
		<pubDate>Tue, 08 Dec 2009 00:10:58 +0000</pubDate>
		<guid isPermaLink="false">http://bradstechblog.com/?p=246#comment-487</guid>
		<description>Thai, to be able to see the certificate templates, the certificate authority has to be a Windows Enterprise version, as it supports v2 certificates.</description>
		<content:encoded><![CDATA[<p>Thai, to be able to see the certificate templates, the certificate authority has to be a Windows Enterprise version, as it supports v2 certificates.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

