Monday, November 19, 2012

SCOM 2012 - Install and Configure Gateway Servers

If you are working on a SCOM 2012 deployment where you need to monitor and communicate with servers that live in an untrusted domain you will need to setup gateway servers to accomplish this. The gateway acts as a proxy to the unfriendly domain and will provide communication with those agents. There are quite a few requirements to get a gateway server to communicate with your management group.

Host File:
It is very important that all servers are able to resolve the FQDN of each other. Typically this is done through DNS, but if DNS is down you should have all the servers setup in a host file. If you don't update the host file you will lose monitoring on all the gateway agents if DNS goes down. To edit the host file navigate to C:\Windows\System32\drivers\etc

Double Click on Hosts and open with Notepad
On all of the Management group servers enter the IP address and  FQDN of all Gateway servers
On all of the Gateway servers enter all the Management group servers

So for the Gateway servers for example:
100.200.100.200     managementserver1.domain1.com
100.200.100.201     managementserver2.domain1.com

On the Management servers:
99.100.99.100     gatewayserver1.domain2.com
99.100.99.101     gatewayserver2.domain2.com

Save the file and close.

Firewall:
Before you begin you need to make sure that if there are any firewalls between the two domains that port 5723 is open. You can validate this by running telnet from the management server.
     telnet <FQDN of Gateway server> 5723
Telnet may need to be installed on the gateway server first.

Certificates:
Deploying gateway servers requires certificates on all servers in the management group and all gateway servers. These can be internal via a CA or external from a third party vendor like VeriSign.

If you are using a CA follow the instructions below:
Open the MMC console. Start >  run > MMC > Enter
When the MMC console opens Click on file, add/remove snap-in
In the Add or Remove Snap-ins window opens, Add Certificate Templates and Certification Authority Click OK
        Expand Certificate Templates
        In the Certificate Templates Console Right Click IPSec (Offline request) and then select duplicate template
On the General Tab type a name like SCOM Template
On the Request Handling:
        Select Allow private key to be exported
        For 2000 & 2003 Domains:
             Click CSPs
             For Windows 2003 Check Microsoft RSA SChannel Cryptographic provider
             For Windows 2000 Check Microsoft Enhanced Cryptographic provider 1.0
On the Extensions Tab:
        Select the Applications Policies and Click Edit
            Remove IP security IKE intermediate
            Add Client Authentication and Server Authentication
On the Security Tab:
        Verify that Users should have read rights and enroll rights (this will be needed later).

Now we need to add the Template to the Certificate Authority
        Expand Certification Authority
        Right Click on Certificate Templates then New then Certificate Template to Issue
        Select the template you just created and Click OK
        The template you just created should now show up in the Templates list

Now install this template on the SCOM management server using the local mmc snap-in and request it from personal certificates.

Install the Certificate on the Gateway Server:
Now that we have our certificate template we need to install it on the Gateway server. Create a .inf file called NewRequest containing the following information and save it to C:\
Subject=”CN=<FQDN of the gateway server>”
Exportable=TRUEKeyLength=2048KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
From an elevated command prompt run the following command in the location of your .inf file:
certreq –new –f NewRequest.inf GatewayRequest.req
Open the req file and copy the key to the clipboard
Log into the CA server again and do an advanced certificate request
     For 2000 & 2003 use http://<servername>/certsrv
     For 2008 & 2008R2 use https://<servername>/certsrv
     Follow the onscreen instructions for a advanced certificate
Paste in the key in the saved request and select the template created previously. Export the certificate from the CA and import it on the gateway server, again using the mmc on the local server and place it in Personal Certificates.

This needs to be done for all management servers and all gateway servers.

For additional information regarding Certs there is a Microsoft Technet article you can refer to.

Gateway Approval Tool:
Now that we have our certs in place we need to run the gateway approval tool on the RMS box. In the installation media in SUPPORTTOOLS under your respective processor folder you will find two files:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config

Copy both of these files to the SCOM install directory under \System Center 2012\Operations Manager\Setup and run the following command in that folder from an elevated command prompt.
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<FQDN of RMS box> /GatewayName=<FQDN of Gateway Server> /Action=Create

You will need to do this for every Gateway server you are installing.

Install Gateway Service:
Now that you have all of the prerequisites done you need to install the Gateway service. Right Click on Setup.exe and Run as administrator. As always you are greeted with the System Center 2012 screen. Under Optional Installations Click Gateway management server

You will be see the Gateway Server Setup wizard. Click Next

Unless you want to change the install location Click Next

On the Management Group Configuration page, enter the name of the Management Group and the FQDN of the RMS box.

For the Gateway Action Account, you should use a domain account with local administration privilege in the untrusted domain. Click Next

Review the installation and Click Install

Success! Click Finish

One final step for the gateway server is to configure it as a Proxy. In the Operations Console on your RMS box go to the Administration space, then click on Management Servers then find the gateway box you just added, Double Click on it. In the Management Server Properties Click the Security tab. Check the box Allow this server to act as a proxy
Click OK

Insert the Cert into SCOM:
The next bit of configuration is to run the MOMCERTIMPORT.exe tool. In the installation media in SUPPORTTOOLS under your respective processor folder run the MOMCERTIMPORT.exe tool from an elevated command prompt. You should see the cert that you installed previously. Select it and Click OK

You will see the cert was successfully installed.

Run-As Accounts:
One final step is to make sure that the management server and the gateway server can properly communicate through the use of a run-as account. In the Administration space click under Run As Configuration, Click on Accounts. In the Actions pane click Create Run As Account. Click Next

On the General Properties page make sure that the Run As account type is Windows. Give the account a display name and Click Next

You will need to provide account credentials for this run-as account. This should be the action account in the untrusted domain where the gateway server resides. This account needs to be a local administrator on all of the gateway servers in this domain and needs local logon rights. Click Next

 On the Select a distribution security option window choose More secure and Click Next

Success! Click Close

The final step is to go into the account and assign the gateway servers. You should see your newly created account in the Accounts window.  Right Click and select Properties. On the Distribution tab Click Add. Locate the servers you want to push out to and add them to selected objects and Click OK


You should be all set at this point. You can validate this by pulling up the Management server list in Administration. I have seen this take up to an hour for the gateway server to properly check in but depending on the size and speed of your network it should take less time for the gateway server to go green.


More to come!

If you like this blog give it a g+1

Contributing Documentation:
Microsoft Technet
System Center 2012 OpsMgr Deployment Guide
M. Vanrheenen with BPMI

No comments:

Post a Comment