If you are working on a SCOM 2012 deployment where you need to monitor and communicate with servers that live in an untrusted domain you will need to setup gateway servers to accomplish this. The gateway acts as a proxy to the unfriendly domain and will provide communication with those agents. There are quite a few requirements to get a gateway server to communicate with your management group.
Host File:
It is very important that all servers are able to resolve the FQDN of each other. Typically this is done through DNS, but if DNS is down you should have all the servers setup in a host file. If you don't update the host file you will lose monitoring on all the gateway agents if DNS goes down. To edit the host file navigate to
C:\Windows\System32\drivers\etc
Double Click on
Hosts and open with Notepad
On all of the Management group servers enter the IP address and FQDN of all Gateway servers
On all of the Gateway servers enter all the Management group servers
So for the Gateway servers for example:
100.200.100.200 managementserver1.domain1.com
100.200.100.201 managementserver2.domain1.com
On the Management servers:
99.100.99.100 gatewayserver1.domain2.com
99.100.99.101 gatewayserver2.domain2.com
Save the file and close.
Firewall:
Before you begin you need to make sure that if there are any firewalls between the two domains that port 5723 is open. You can validate this by running telnet from the management server.
telnet <FQDN of Gateway server> 5723
Telnet may need to be installed on the gateway server first.
Certificates:
Deploying gateway servers requires certificates on all servers in the management group and all gateway servers. These can be internal via a CA or external from a third party vendor like VeriSign.
If you are using a CA follow the instructions below:
Open the MMC console. Start > run
> MMC > Enter
When the MMC console opens
Click on file, add/remove snap-in
In the
Add or Remove Snap-ins window opens, Add Certificate Templates and Certification Authority
Click OK
Expand
Certificate Templates
In the Certificate Templates Console
Right Click IPSec (Offline request) and then select
duplicate template
On the
General Tab type a name like SCOM Template
On the Request Handling:
Select
Allow private key to be exported
For 2000 & 2003 Domains:
Click CSPs
For Windows 2003
Check Microsoft RSA SChannel Cryptographic provider
For Windows 2000
Check Microsoft Enhanced Cryptographic provider 1.0
On the Extensions Tab:
Select the
Applications Policies and
Click Edit
Remove IP security IKE intermediate
Add
Client Authentication and
Server Authentication
On the Security Tab:
Verify that Users should have read rights and enroll rights (this will be needed later).
Now we need to add the Template to the Certificate Authority
Expand Certification Authority
Right Click on
Certificate Templates then
New then
Certificate Template to Issue
Select the template you just created and
Click OK
The template you just created should now show up in the Templates list
Now install this template on the SCOM management server using the local mmc snap-in and request it from personal certificates.
Install the Certificate on the Gateway Server:
Now that we have our certificate template we need to install it on the Gateway server. Create a .inf file called NewRequest containing the following information and save it to C:\
Subject=”CN=<FQDN of the gateway server>”
Exportable=TRUEKeyLength=2048KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
From an elevated command prompt run the following command in the location of your .inf file:
certreq –new –f NewRequest.inf GatewayRequest.req
Open the req file and copy the key to the clipboard
Log into the CA server again and do an advanced certificate request
For 2000 & 2003 use http://<servername>/certsrv
For 2008 & 2008R2 use https://<servername>/certsrv
Follow the onscreen instructions for a advanced certificate
Paste in the key in the saved request and select the template created previously. Export the certificate from the CA and import it on the gateway server, again using the mmc on the local server and place it in
Personal Certificates.
This needs to be done for all management servers and all gateway servers.
For additional information regarding Certs there is a
Microsoft Technet article you can refer to.
Gateway Approval Tool:
Now that we have our certs in place we need to run the gateway approval tool on the RMS box. In the installation media in
SUPPORTTOOLS under your respective processor folder you will find two files:
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config
Copy both of these files to the SCOM install directory under \System Center 2012\Operations Manager\Setup and run the following command in that folder from an elevated command prompt.
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<FQDN of RMS box> /GatewayName=<FQDN of Gateway Server> /Action=Create
You will need to do this for every Gateway server you are installing.
Install Gateway Service:
Now that you have all of the prerequisites done you need to install the Gateway service.
Right Click on
Setup.exe and
Run as administrator. As always you are greeted with the System Center 2012 screen. Under Optional Installations
Click Gateway management server
You will be see the Gateway Server Setup wizard.
Click Next
Unless you want to change the install location
Click Next
On the Management Group Configuration page, enter the name of the Management Group and the FQDN of the RMS box.
For the Gateway Action Account, you should use a domain account with local administration privilege in the untrusted domain.
Click Next
Review the installation and
Click Install
Success!
Click Finish
One final step for the gateway server is to configure it as a Proxy. In the Operations Console on your RMS box go to the
Administration space, then click on
Management Servers then find the gateway box you just added,
Double Click on it. In the
Management Server Properties Click the
Security tab.
Check the box
Allow this server to act as a proxy
Click OK
Insert the Cert into SCOM:
The next bit of configuration is to run the MOMCERTIMPORT.exe tool. In the installation media in
SUPPORTTOOLS under your respective processor folder run the MOMCERTIMPORT.exe tool from an elevated command prompt. You should see the cert that you installed previously. Select it and
Click OK
You will see the cert was successfully installed.
Run-As Accounts:
One final step is to make sure that the management server and the
gateway server can properly communicate through the use of a run-as
account. In the
Administration space click under
Run As Configuration, Click on
Accounts. In the
Actions pane click
Create Run As Account.
Click Next
On the General Properties page make sure that the Run As account type is Windows. Give the account a display name and
Click Next
You will need to provide account credentials for this run-as account. This should be the action account in the untrusted domain where the gateway server resides. This account needs to be a local administrator on all of the gateway servers in this domain and needs local logon rights.
Click Next
On the Select a distribution security option window choose
More secure and
Click Next
Success!
Click Close
The final step is to go into the account and assign the gateway servers. You should see your newly created account in the Accounts window.
Right Click and select
Properties. On the Distribution tab Click Add. Locate the servers you want to push out to and add them to selected objects and
Click OK
You should be all set at this point. You can validate this by pulling up the Management server list in Administration. I have seen this take up to an hour for the gateway server to properly check in but depending on the size and speed of your network it should take less time for the gateway server to go green.
More to come!
If you like this blog give it a g+1
Contributing Documentation:
Microsoft Technet
System Center 2012 OpsMgr Deployment Guide
M. Vanrheenen with BPMI