Comments on: Deploying SCOM Gateway server

By: Brad Hearn

Brad Hearn — Tue, 19 Jan 2010 17:58:09 +0000

Hi Krishna,

If I understand your question to be “Can you use the IPSEc offline cert instead of a custom OpsMgr cert?”

I would say no. There are OID’s that need to be part of the certificate. So in this case you will need to create it.

I have not used 2008 R2 CA yet for Opsmgr. But yes, you can use this. I have seen many blogs as well that discuss this.

Hope this helps,
Brad

By: Krishna

Krishna — Mon, 18 Jan 2010 10:25:21 +0000

Hello Brad,

Thank you for this Artilce

We are planning to Monitor our servers in DMZ throught Scom, will IPSec (Offline Request) custom certicate can be used for this as well ?

Currently I have CA installed on Windows 2003 Standard edition which is also a DC and we are planning to migrate to Windows 2008 enterprise or Windows 2008 R2 Standard as this supports V1, V2, V3 certificate templates.

Currently we are running on SCOM 2007 SP1 and all servers are windows 2003.

Kindly Advice if i need to make sure for any other prerequistes. Will windows 2008 R2 CA will suites our requirement

Regards,
Krishna
http://smtpport25.wordpress.com

By: Brad Hearn

Brad Hearn — Fri, 18 Dec 2009 13:48:42 +0000

Jacob,

You will need both the custom certificate and root certificate for all your management servers. This includes your RMS, all MS servers and any gateways that you have. And remember that after you have imported these certs on each server using the MMC certificate tool, you will then need to use the SCOM certimport utility on each server to update the registry with the certificate serial number.

Brad

By: Jacob

Jacob — Wed, 16 Dec 2009 23:51:42 +0000

Thanks for the reply and do we need custom certificate for RMS and MS?

By: Brad Hearn

Brad Hearn — Tue, 15 Dec 2009 13:45:47 +0000

Hi Jacob,

You will need a personalized cert for each server that you will monitor without a gateway. Or a cert for each Gateway. This is partly because each cert needs to be named accordingly to the server name. Also, you will need to run the certimport utility on each server. This tool is used to copy the certificate serial number from the cert into the following registry location HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber

A bit of a pain i know. But also a motivator to use a gateway server to minimize the work where possible.

By: Jacob

Jacob — Mon, 14 Dec 2009 23:39:00 +0000

Am confused on one thing, do we need to create custom certificate for each servers and have to register same on respective servers using momcertimport?

By: Steeve Theriault

Steeve Theriault — Tue, 08 Dec 2009 00:10:58 +0000

Thai, to be able to see the certificate templates thecertificate authority has to be a windows enteprise version as it support v2 certificate.

By: Brad Hearn

Brad Hearn — Wed, 14 Oct 2009 12:20:56 +0000

SorryThai I have not had the time to run through the process on a 2008 Cert server. This process is based on 2003. When i get the time I do plan to create a process for 2008.

By: Thais

Thais — Tue, 06 Oct 2009 09:26:15 +0000

Trying out this “walkthrough” and got to point 3. “Add new custom cert to…..”. I cannot see the Certificate templates anywhere under Certification Authority. Maybe I’m blind so I think I need some help with this.
The gateway server is installed on a 2008 Standard Server

By: Fredrik

Fredrik — Fri, 26 Jun 2009 08:35:01 +0000

Just want to say thank you!
Looked all over (2 days)on how to create the template on windows 2008 CA. All other manuals i’ve seen assume you already created the template and don’t mention how to.
Thanks again