Host File:
It is very important that all servers are able to resolve the FQDN of each other. Typically this is done through DNS, but in case DNS is unavailable you should also have all the servers listed in each other's hosts file. If you do not update the hosts file you will lose monitoring of every agent that reports through the gateway if DNS goes down. To edit the hosts file navigate to C:\Windows\System32\drivers\etc
Double Click on hosts and open it with Notepad (Notepad has to be started with Run as administrator or you will not be able to save into this folder)
On all of the Management group servers enter the IP address and FQDN of all Gateway servers
On all of the Gateway servers enter the IP address and FQDN of all Management servers
So for the Gateway servers, for example:
100.200.100.200 managementserver1.domain1.com
100.200.100.201 managementserver2.domain1.com
On the Management servers:
99.100.99.100 gatewayserver1.domain2.com
99.100.99.101 gatewayserver2.domain2.com
Save the file and close.
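The same hosts edit, done from an elevated PowerShell session so it can be repeated on every server and checked afterwards. This is an added example and not part of the original post; the IPs and FQDNs are the placeholders used above (swap in the gateway entries when running it on a management server).

```powershell
# Added example (not from the original post): append the peer servers to the
# hosts file only when an entry is missing, then confirm each name resolves.
# Inventory below uses the post's placeholder names and addresses.
# Run in an elevated PowerShell session on each gateway server.

$peers = @{
    'managementserver1.domain1.com' = '100.200.100.200'
    'managementserver2.domain1.com' = '100.200.100.201'
}
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Back the file up first; a bad hosts entry is hard to spot later.
Copy-Item $hostsPath "$hostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

# Make sure the file ends with a newline, otherwise the first appended entry
# would be glued onto the last existing line and silently ignored.
$raw = [IO.File]::ReadAllText($hostsPath)
if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { [IO.File]::AppendAllText($hostsPath, "`r`n") }

$existing = Get-Content $hostsPath
foreach ($fqdn in $peers.Keys) {
    # Whole-hostname match on an address line; comment lines (#) never match.
    $pattern = '^\s*[0-9a-fA-F.:]+\s+.*\b' + [regex]::Escape($fqdn) + '\b'
    if ($existing -match $pattern) {
        Write-Host "hosts already contains $fqdn"
    } else {
        Add-Content -Path $hostsPath -Value "$($peers[$fqdn])`t$fqdn" -Encoding ASCII
        Write-Host "added $fqdn"
    }
}

# Verify: each FQDN must resolve to the address we expect. GetHostAddresses
# consults the hosts file before DNS, so this works while DNS is down too.
foreach ($fqdn in $peers.Keys) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        if ($addrs -contains $peers[$fqdn]) {
            Write-Host "OK   $fqdn -> $($addrs -join ',')"
        } else {
            Write-Warning "$fqdn resolves to $($addrs -join ',') rather than $($peers[$fqdn]); check hosts and DNS"
        }
    } catch {
        Write-Warning "FAIL $fqdn does not resolve: $($_.Exception.Message)"
    }
}
```

The hosts file is plain ASCII, so the script writes it that way; a UTF-8 byte order mark at the top of the file will make Windows ignore the first entry.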
Firewall:
Before you begin you need to make sure that, if there are any firewalls between the two domains, TCP port 5723 is open between every gateway server and the management servers it will report to. You can validate this by running telnet from the management server:
telnet <FQDN of Gateway server> 5723
The Telnet client is not installed by default on Windows Server, so it may need to be added on whichever server you run the test from. Run the same test from the gateway towards the management server as well, since that is the direction in which the gateway opens its connection.
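A port check that does not depend on the Telnet client, and that tells a firewall drop apart from a plain refusal. This is an added example, not part of the original post; the server names are the post's placeholders.

```powershell
# Added example (not from the original post): test TCP 5723 to each peer with a
# raw socket and a timeout. Works on Windows 2008/2008 R2 PowerShell 2.0 where
# neither the Telnet client nor Test-NetConnection is available.
function Test-ScomPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 5723,
        [int]$TimeoutMs = 3000
    )
    $target = "$ComputerName`:$Port"
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST within the timeout: almost always a firewall dropping the packet.
            return New-Object PSObject -Property @{ Target = $target; Open = $false; Detail = 'timeout (filtered by a firewall?)' }
        }
        $client.EndConnect($async)   # throws SocketException if refused or unreachable
        return New-Object PSObject -Property @{ Target = $target; Open = $true; Detail = 'connected' }
    } catch {
        $msg = $_.Exception.Message
        if ($msg -match 'refused') {
            # RST came back: the firewall is open but nothing is listening yet. Expected on a
            # gateway before the gateway service is installed, so this is not a firewall problem.
            $msg = 'refused: host reachable, no listener on the port yet'
        }
        return New-Object PSObject -Property @{ Target = $target; Open = $false; Detail = $msg }
    } finally {
        $client.Close()
    }
}

# From a management server test the gateways; from a gateway test the management servers.
'gatewayserver1.domain2.com', 'gatewayserver2.domain2.com' |
    ForEach-Object { Test-ScomPort -ComputerName $_ } |
    Format-Table Target, Open, Detail -AutoSize
```

A "refused" result from the management server towards a gateway that has not been installed yet is normal; a "timeout" is the case to take to the firewall team.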
Certificates:
Deploying gateway servers requires certificates on all servers in the management group and on all gateway servers. These can be issued by an internal CA or by an external third-party vendor such as VeriSign. Every server must also trust the issuing CA: gateway servers sit in an untrusted domain and will not receive your enterprise CA's root certificate through Group Policy, so import it into Trusted Root Certification Authorities on each gateway yourself.
If you are using a CA follow the instructions below:
Open the MMC console. Start > run > MMC > Enter
When the MMC console opens Click on file, add/remove snap-in
When the Add or Remove Snap-ins window opens, add Certificate Templates and Certification Authority and click OK
Expand Certificate Templates
In the Certificate Templates Console Right Click IPSec (Offline request) and then select duplicate template
On the General Tab type a name like SCOM Template
On the Request Handling tab:
Select Allow private key to be exported (you need this when a certificate is requested on one machine and moved to another; keep any exported .pfx files protected and delete them once imported, since whoever holds the file can impersonate that server to SCOM)
For Windows 2000 and 2003 domains:
Click CSPs
For Windows 2003 check Microsoft RSA SChannel Cryptographic Provider
For Windows 2000 check Microsoft Enhanced Cryptographic Provider v1.0
On the Extensions Tab:
Select Application Policies and click Edit
Remove IP security IKE intermediate
Add Client Authentication and Server Authentication (SCOM requires both on every certificate, since each side authenticates the other)
On the Security Tab:
Verify that Users have Read and Enroll rights (this will be needed later, when you request certificates from the template).
Now we need to add the Template to the Certificate Authority
Expand Certification Authority
Right Click on Certificate Templates, then New, then Certificate Template to Issue
Select the template you just created and Click OK
The template you just created should now show up in the Templates list
Now request a certificate from this template on each SCOM management server: in the local MMC open the Certificates snap-in for the Local Computer account, right-click Personal > Certificates, request a new certificate and pick the template you just created.
Install the Certificate on the Gateway Server:
Now that we have our certificate template we need to request a certificate for the Gateway server. Create a .inf file called NewRequest.inf containing the following and save it to C:\ (replace the placeholder with the gateway's FQDN):
[NewRequest]
Subject="CN=<FQDN of the gateway server>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
KeySpec=1 asks for an exchange key, which is what SCOM requires, and the two OIDs are Server Authentication and Client Authentication. From an elevated command prompt run the following command from the folder containing your .inf file:
certreq -new -f NewRequest.inf GatewayRequest.req
Open the .req file and copy its entire contents (the Base64 request block) to the clipboard
Log on to the CA's web enrollment site and submit an advanced certificate request
For 2000 & 2003 use http://<servername>/certsrv
For 2008 & 2008R2 use https://<servername>/certsrv
Follow the on-screen instructions for an advanced certificate request
Paste the saved request into the form and select the template created previously. Once the CA has issued it, download the certificate and import it on the gateway server, again using the Certificates snap-in (Local Computer) on the gateway, into Personal > Certificates. Check that the imported certificate shows "You have a private key that corresponds to this certificate"; if it does not, it was not matched to the key created by certreq and the gateway will not be able to use it.
This needs to be done for all management servers and all gateway servers.
For additional information regarding Certs there is a Microsoft Technet article you can refer to.
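The certreq workflow from the two sections above, driven from PowerShell and followed by the checks that matter before MOMCertImport is run. This is an added example, not part of the original post. It assumes the template's name is SCOMTemplate, that the CA config string is "ca01.domain1.com\Domain1-CA" (both placeholders), and that the server's own FQDN goes in the subject; it submits the request directly to the CA with certreq rather than through the certsrv web page.

```powershell
# Added example (not from the original post): create the request, submit it,
# bind the issued certificate to the private key, then validate the result.
# Placeholders: $caConfig and $template. Run elevated on the server that will use the certificate.

$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this server's FQDN
$caConfig = 'ca01.domain1.com\Domain1-CA'   # placeholder; "certutil -config - -ping" lists the real value
$template = 'SCOMTemplate'                   # placeholder; the name from the template's General tab
$work     = 'C:\certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Same request as the post's NewRequest.inf, with the subject filled in.
@"
[NewRequest]
Subject="CN=$fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content "$work\NewRequest.inf" -Encoding ASCII

& certreq -new -f "$work\NewRequest.inf" "$work\$fqdn.req"
if ($LASTEXITCODE) { throw "certreq -new failed ($LASTEXITCODE)" }

# Submit straight to the CA instead of the certsrv web page. If the template needs
# CA manager approval the request stays pending and this step reports a request ID.
& certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" "$work\$fqdn.req" "$work\$fqdn.cer"
if ($LASTEXITCODE) { throw "certreq -submit failed ($LASTEXITCODE); check the CA's Pending Requests" }

# Bind the issued certificate to the private key that -new created in the machine store.
& certreq -accept "$work\$fqdn.cer"
if ($LASTEXITCODE) { throw "certreq -accept failed ($LASTEXITCODE)" }

function Test-ScomCertificate {
    param([string]$Subject)
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "no certificate with subject CN=$Subject in LocalMachine\My"; return $false }

    # Enhanced Key Usage extension (OID 2.5.29.37) lists the application policies.
    $ekus = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
              ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    $checks = @{
        'private key present'       = $cert.HasPrivateKey
        'Server Authentication EKU' = ($ekus -contains $serverAuth)
        'Client Authentication EKU' = ($ekus -contains $clientAuth)
        'not expired'               = ($cert.NotAfter -gt (Get-Date))
        'chain builds'              = $cert.Verify()   # also checks revocation, so the CRL must be reachable
    }
    $checks.GetEnumerator() | Sort-Object Name | ForEach-Object {
        '{0,-28} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAIL' }) | Write-Host
    }
    return -not ($checks.Values -contains $false)
}

Test-ScomCertificate -Subject $fqdn
```

"chain builds" failing on a gateway while everything else passes usually means the CA's root certificate has not been imported into the gateway's Trusted Root store, or the CRL distribution point is not reachable from the untrusted domain.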
Gateway Approval Tool:
Now that we have our certs in place we need to run the gateway approval tool on the management server the gateway will report to. (SCOM 2012 has no dedicated Root Management Server role; where this guide says RMS box, use the management server you point the gateway at.) In the installation media, in SUPPORTTOOLS under your respective processor folder, you will find two files:
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config
Copy both of these files to the SCOM install directory under \System Center 2012\Operations Manager\Setup and run the following command in that folder from an elevated command prompt (the account you run it as needs Operations Manager administrator rights):
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<FQDN of management server> /GatewayName=<FQDN of Gateway Server> /Action=Create
You will need to do this for every Gateway server you are installing.
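Approving several gateways in one pass and confirming each was recorded. This is an added example, not part of the original post; it assumes the tool sits in the folder the post gives, that the OperationsManager module (installed with the Operations Console) is present on the management server, and the placeholder server names.

```powershell
# Added example (not from the original post): run the approval tool once per
# gateway, stop on a non-zero exit code, then list what the management group knows.
$toolDir  = 'C:\Program Files\System Center 2012\Operations Manager\Setup'   # where the two files were copied
$ms       = 'managementserver1.domain1.com'                                   # the management server the gateways report to
$gateways = 'gatewayserver1.domain2.com', 'gatewayserver2.domain2.com'

Push-Location $toolDir
try {
    foreach ($gw in $gateways) {
        & .\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe "/ManagementServerName=$ms" "/GatewayName=$gw" /Action=Create
        if ($LASTEXITCODE -ne 0) { Write-Warning "approval failed for $gw (exit code $LASTEXITCODE)" }
    }
} finally {
    Pop-Location
}

# The approval registers the gateway in the operational database before the
# gateway service exists, so it should already be listed here (grey until it connects).
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ms | Out-Null
$registered = @(Get-SCOMGatewayManagementServer | ForEach-Object { $_.DisplayName })
foreach ($gw in $gateways) {
    if ($registered -contains $gw) { Write-Host "registered: $gw" } else { Write-Warning "not registered: $gw" }
}
```

The gateway name passed to the tool must match the certificate subject and the name the gateway service will use exactly; a mismatch here is the usual reason a gateway never turns green.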
Install Gateway Service:
Now that you have all of the prerequisites done you need to install the Gateway service on the gateway server. Right Click on Setup.exe and Run as administrator. As always you are greeted with the System Center 2012 screen. Under Optional Installations click Gateway management server
You will see the Gateway Server Setup wizard. Click Next
Unless you want to change the install location click Next
On the Management Group Configuration page, enter the name of the Management Group and the FQDN of the management server you ran the approval tool against (both must match what you used there).
For the Gateway Action Account, you should use a domain account with local administration privilege in the untrusted domain. Click Next
Review the installation and Click Install
Success! Click Finish
One more step for the gateway server is to configure it as a proxy, so it is allowed to submit discovery data on behalf of the agents that report through it. In the Operations Console on your management server go to the Administration space, then click Management Servers, find the gateway you just added and double click it. In the Management Server Properties click the Security tab. Check the box Allow this server to act as a proxy
Click OK
Insert the Cert into SCOM:
The next bit of configuration is to run the MOMCertImport.exe tool on the gateway server and on every management server that received a certificate. In the installation media, in SUPPORTTOOLS under your respective processor folder, run MOMCertImport.exe from an elevated command prompt. You should see the cert that you installed previously. Select it and click OK
You will see that the cert was successfully installed. Restart the System Center Management (Health Service) service afterwards so it picks up the certificate, and check the Operations Manager event log: event 20053 from OpsMgr Connector confirms the authentication certificate was loaded.
Run-As Accounts:
The last piece is to make sure that the management server and the gateway server can properly communicate through the use of a Run As account. In the Administration space expand Run As Configuration and click Accounts. In the Actions pane click Create Run As Account. Click Next on the introduction page
On the General Properties page make sure that the Run As account type is Windows. Give the account a display name and click Next
You will need to provide account credentials for this Run As account. This should be the action account in the untrusted domain where the gateway server resides. This account needs to be a local administrator on all of the gateway servers in that domain and needs the right to log on locally. Click Next
On the Select a distribution security option page choose More secure and click Next. With this setting the credentials are only ever sent to the servers you explicitly list on the Distribution tab, rather than to every health service in the management group.
Success! Click Close
The final step is to go into the account and assign the gateway servers. You should see your newly created account in the Accounts window. Right Click and select Properties. On the Distribution tab Click Add. Locate the servers you want to push out to and add them to selected objects and Click OK
You should be all set at this point. You can validate this by pulling up the Management server list in Administration. I have seen this take up to an hour for the gateway server to properly check in but depending on the size and speed of your network it should take less time for the gateway server to go green.
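The Run As account creation, its distribution to just the gateways, and the final health check, done with the SCOM 2012 OperationsManager cmdlets. This is an added example, not part of the original post; it assumes the placeholder server names used throughout and that the credential prompt is answered with the action account from the untrusted domain.

```powershell
# Added example (not from the original post): create the Windows Run As account,
# distribute it "more securely" to only the gateway servers, then report health.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'managementserver1.domain1.com' | Out-Null

$gwNames     = 'gatewayserver1.domain2.com', 'gatewayserver2.domain2.com'
$accountName = 'Gateway Action Account (domain2)'
$cred        = Get-Credential -Message 'Gateway action account (DOMAIN2\account, local admin on each gateway)'

Add-SCOMRunAsAccount -Windows -Name $accountName -RunAsCredential $cred `
    -Description 'Action account for gateway servers in domain2' | Out-Null
$account = Get-SCOMRunAsAccount -Name $accountName

# Resolve the gateway objects; refuse to continue if any name is missing so the
# credentials are never distributed to a partial or wrong set of servers.
$gateways = @(Get-SCOMGatewayManagementServer | Where-Object { $gwNames -contains $_.DisplayName })
if ($gateways.Count -ne $gwNames.Count) {
    throw "expected $($gwNames.Count) gateways, found $($gateways.Count): $($gateways | ForEach-Object { $_.DisplayName })"
}

# "More secure": the password is pushed only to the listed health services.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $gateways

# Show what was distributed and how every management server, gateways included, is doing.
Get-SCOMRunAsDistribution -RunAsAccount $account | Format-List
Get-SCOMManagementServer | Select-Object DisplayName, IsGateway, HealthState | Format-Table -AutoSize
```

A gateway that stays grey after this usually comes down to one of the earlier steps: name resolution, port 5723, a certificate whose subject does not match the gateway name, or MOMCertImport not having been run on one side.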
More to come!
Contributing Documentation:
Microsoft Technet
System Center 2012 OpsMgr Deployment Guide
M. Vanrheenen with BPMI