SCOM 2007 R2 Gateway now with SSL

Need to extend your SCOM environment to another domain, into a DMZ or anywhere else where the typical protocols are not available? Then you need a gateway. Actually this process is reasonably simple, but you will need an SSL certificate.

Step 1: Certificates

Don’t have a Certificate Authority? Well then you have 2 options: you could build one, but unless you have more needs than this I would suggest you just go and buy a cheap one. Use the fully qualified DNS name of the server for the subject and the friendly name. Other than that there is not much to worry about. If you do have a CA then you may want to publish a new template; despite many other blogs talking about exactly what you need, I have found that this very simple template works for me.


Either way all you need to do is install the certificate into the machine store Personal folder. If you are using your own CA you will also need to install the root certificate and any intermediate certificates as trusted root certification authorities or intermediate certification authorities on both this new gateway and on your root management server.

Now you are ready to start the gateway install, so you need some files from your download or CD. May as well copy the “gateway” and “support tools” directories from the root of your install media to the new gateway server. Even with all that added security, isn’t it nice to be able to copy files via RDP now?

Step 2: Installing the Gateway

Within the gateway folder you copied from the install media you will find directories for i386 and AMD64; go into the right folder depending on whether your OS is x32 or x64. Run MomGateway.msi (funny how MOM keeps hanging on).


Fairly quickly you are provided with the following dialog, and if you are like me you are thinking hmmmmm, what exactly was my management group name? If you remember your exact management group name then bully for you; the rest of us need to go back to our root management server and open the registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups\ there is another key, and its name is your management group name. Be careful not to change anything, but I like to hit F2, copy this key name and paste it into the installer. Then enter the name of your root management server, and if you are truly offended by TCP port 5723 then here is your big chance to change it. When prompted for a Gateway Action Account, Local System works well for me, but it’s your environment and you can use whatever you want. Me, I will stick to the principle of least access and go with Local System.

Step 3: Linking the Certificate

Once the install is complete you need to link the certificate to the service, and herein lies perhaps the only real gotcha. In the support tools folder that you copied over earlier you will find folders for i386, amd64 and ia64; make sure to run the one that goes with your OS. Remember that ia64 refers to Itanium, which nobody uses, and be aware that the x32 version will run on x64 and appears to work: the registry keys will look right and all the troubleshooting in the world won’t tell you why your shiny new gateway doesn’t work. So skip all that grief and get this right the first time. There are lots of instructions showing you the full command line and detailing how to get the cert name etc. etc., but I am lazy with the command line so just run MOMCertImport.exe by double clicking on it. TADA, you are prompted to pick the certificate you want to use and all you need to do is click OK, just like a nice Windows program. If you run into problems or just want to make sure this worked, have a look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings; the ChannelCertificateSerialNumber value should contain the cert details.

Step 4: Approving the server on your RMS

This step is run from the command line on your Root Management Server. I know we are Windows people, we don’t DO command line….. well, as our HR department would say, “SUCK IT UP”. I think we all need to get used to the idea that now there is Core Server and PowerShell we are all going to get much more familiar with doing everything from the command line. That’s enough resistance to change for one day, so on to the command line. From your RMS you need to run the following: have a look on your install media again in the “Support Tools” folder, again being careful to get the correct version for your OS, find Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and copy it to “C:\Program Files\System Center Operations Manager 2007” or wherever you installed SCOM in the first place. Now open a command line in that location.

As an aside, here is a little trick I like: save the following to a .reg file and import it. This will give you a new right click context menu on folders that will allow you to quickly open a command prompt right at that folder.

Windows Registry Editor Version 5.00

; Adds an "Open Command Prompt" entry to the right click menu of every folder
[HKEY_CLASSES_ROOT\Folder\shell\Open_Command_Prompt]
@="Open Command Prompt"

; %1 is the folder that was right clicked; /d lets cd switch drive as well as folder
[HKEY_CLASSES_ROOT\Folder\shell\Open_Command_Prompt\command]
@="cmd.exe /k \"cd /d %1\""

Now back to the command line. From the folder you copied the tool into, run:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /managementservername=YOUR-RMS-FQDN_HERE /gatewayname=YOUR-GATEWAY-FQDN-HERE /action=create

See, that’s not so bad. Of course if you don’t have name resolution between your gateway and your RMS then you will likely want to put in some hosts entries in c:\WINDOWS\system32\drivers\etc\hosts.

Also, if your gateway is not a member of a domain it’s likely that the FQDN of your gateway is just the server name, and that’s just fine. Just make sure that if you ping from each side you get name resolution. Of course your security guys probably block ICMP, but as Arthur Schopenhauer said, “Life without pain has no meaning”, and as technical people this just adds meaning to our lives.

Now that you have created the new gateway you get to do what you like best about SCOM as a reward, take a short vacation. Did you enjoy it? Now back to work (BlackAdder)

Several minutes later you will see your new server appear in your SCOM console, on the Administration tab, under Management Servers. For a while it will appear as “Not Monitored” and then move into a healthy state if everything is OK. If not, it is probably time to crack out Wireshark and look at the traffic, and have a look at the event log to see if you can see any errors on either side.

Troubleshooting: Getting an error in the logs?

The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication. The error is The credentials supplied to the package were not recognized (0x8009030D).

The fix:

1) Once you have a certificate imported into the certificate store:

i) From the MMC “Certificates (Local Computer)” snap-in, locate the certificate (server FQDN name) in the Personal - Certificates folder, right click it, and select “Export”.

ii) When prompted to “Export Private Key”, select “Yes, export the private key”.

iii) Under “Export File Format”, select “Personal Information Exchange – PKCS #12 (.pfx)” and the sub-option “Export all extended properties”.

iv) Take note of the location and file name of the pfx file you saved, and the password if you entered one.

2) From an Administrator mode command prompt, enter:

MOMCertImport.exe filename.pfx

(where filename.pfx is the exported certificate from above; enter the password if you set one on the pfx file)

Getting something like “The OpsMgr Connector connected to sceserver, but the connection was closed immediately after authentication occurred”? For me I just needed to wait a little longer, then look for the gateway server listed in the SCOM Console under Administration, Device Management, Pending Management. I approved it there and a few minutes later everything was working.
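A check worth running on the gateway after Step 3, or when chasing the 0x8009030D error above, is to confirm that the serial number MOMCertImport wrote to the registry actually matches a certificate in the machine store that has its private key, the right usages and a chain to a trusted root. This is an added example, not code from the original post; it assumes PowerShell 2.0 or later run elevated on the gateway, and the function name Test-OpsMgrChannelCert is made up here (the registry path is the one from the post).

```powershell
# Added example, not from the original post. Checks the certificate MOMCertImport
# linked in the registry against the things that produce 0x8009030D or a gateway
# that never leaves "Not Monitored". Assumes PowerShell 2.0+ on the gateway, run
# elevated; the registry path is the one the post names.
function Test-OpsMgrChannelCert {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $serial = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ChannelCertificateSerialNumber
    if (-not $serial) { return @('FAIL: ChannelCertificateSerialNumber is not set; run MOMCertImport') }
    # MOMCertImport writes the serial as REG_BINARY in reversed byte order; match
    # either order so a value written by hand is found too.
    $rev = [byte[]]$serial.Clone(); [array]::Reverse($rev)
    $hex = { param($b) ($b | ForEach-Object { $_.ToString('X2') }) -join '' }
    $wanted = @((& $hex $serial), (& $hex $rev))
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $wanted -contains $_.SerialNumber.ToUpper() } | Select-Object -First 1
    if (-not $cert) { return @("FAIL: no cert in LocalMachine\My with serial $($wanted -join ' or ')") }
    $findings = @("INFO: linked cert $($cert.Thumbprint), subject $($cert.Subject)")
    # Subject must be this machine's FQDN (just the host name on a workgroup gateway).
    try { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $fqdn = $env:COMPUTERNAME }
    if ($cert.Subject -notlike "CN=$fqdn*") { $findings += "WARN: subject is not CN=$fqdn" }
    # 0x8009030D is usually a cert that arrived without its private key; re-export
    # it as a PFX with the key and run MOMCertImport again, as in the fix above.
    if (-not $cert.HasPrivateKey) { $findings += 'FAIL: no private key on this cert' }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "FAIL: cert expired $($cert.NotAfter)" }
    # The OpsMgr channel needs both Server and Client Authentication EKUs and
    # DigitalSignature + KeyEncipherment key usage (what the simple template grants).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekuOids -notcontains $need) { $findings += "FAIL: missing EKU $need" }
    }
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $needKu = [int]($kuFlags::DigitalSignature -bor $kuFlags::KeyEncipherment)
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($ku -and (([int]$ku.KeyUsages -band $needKu) -ne $needKu)) {
        $findings += "FAIL: key usage is $($ku.KeyUsages); need DigitalSignature, KeyEncipherment"
    }
    # The chain must build to a root this box trusts; the RMS needs the same root installed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings += "FAIL: chain does not build: $why"
    }
    if (-not @($findings | Where-Object { $_ -like 'FAIL*' })) { $findings += 'OK: cert usable' }
    return $findings
}
Test-OpsMgrChannelCert
```

Run the same script on the RMS to check the certificate on that side; a gateway that connects and is then dropped straight after authentication often has a good cert on one end and a missing root or private key on the other.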
