Scribd
Upload
456 views

SCOM - GATEWAY Session

This document provides an overview and implementation guidance for the gateway server role in Operations Manager 2007. It discusses key concepts such as using the gateway to consolidate firewall rules, reduce the need for certificates across trust boundaries, and optimize bandwidth utilization. The implementation outline covers installing certificates, approving and configuring the gateway, and installing agents. Troubleshooting tips include checking for common events in the Operations Manager log and verifying name resolution, connectivity, certificates, and registry settings.

Uploaded by

Samee Chougule
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
456 views

SCOM - GATEWAY Session

This document provides an overview and implementation guidance for the gateway server role in Operations Manager 2007. It discusses key concepts such as using the gateway to consolidate firewall rules, reduce the need for certificates across trust boundaries, and optimize bandwidth utilization. The implementation outline covers installing certificates, approving and configuring the gateway, and installing agents. Troubleshooting tips include checking for common events in the Operations Manager log and verifying name resolution, connectivity, certificates, and registry settings.

Uploaded by

Samee Chougule
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Pete Zerger

MVP Operations Manager AKOS Technology Services

Ian Jirka
Principal Software Design Engineer Microsoft Corporation

Session Overview Concepts


Gateway Server Role Key Use Scenarios Mutual Authentication & PKI

Implementation
Configuration Walkthrough High Availability

Troubleshooting Gateway Scenarios Q&A

Key Takeaways
Function of the Gateway Server Role When, where and why and how to use the Gateway Quick intro to mutual authentication and PKI High availability Gateway configuration How to ID and troubleshoot the configuration of the Gateway scenario

Concepts

New Server Role in Operations Manager 2007 Designed for three (3) key scenarios:
Consolidate points of egress from DMZ Reduce need for certificates across trust boundaries Reduce bandwidth utilization across WAN links

Minimize points of egress


Firewall Rules
Domain A

Security
Perimeter Network (Workgroup)

Kerberos Auth

TCP 5723 Cert Auth

Certificate Authentication

Minimize use of certificates


Kerberos
Domain A

TCO

X
No Trust

Domain B

Kerberos Auth

TCP 5723 Certificate Auth

Kerberos Auth

Bandwidth optimization
50% reduction in bandwidth utilization in internal Microsoft testing
Domain A

2-Way Trust
WAN Connection

Domain B

Kerberos Auth Kerberos Auth Kerberos Auth

Scalability and Performance Factors in Gateway Server scalability and performance:


Rate of operations data collection Number of agents reporting
200 in RTM increased to 800 in SP1

Dedicated upstream Management Server Follow hardware sizing guidelines

Gateway Functionality Summary


Essentially a specialized agent proxy Reports to upstream management server Can function as an ACS Collector Should not function as AEM Server Licensed as a management server Dont exceed 800-to-1 ratio High Availability
Can be configured to failover to secondary MS Redundant Gateways can be deployed

Required in Operations Manager 2007 Two methods:


Kerberos - Requires Active Directory Certificate Authentication

Update Topology Request to Join X

Ok

Update Topology

Certificates and PKI


Microsoft Public Key Infrastructure (PKI)
Stand-alone or enterprise CA Enterprise CA will require certificate template

3rd Party PKI Requires certificate template


Certificate Requirements
FQDN of host in Friendly Name field Host FQDN must match FQDN on certificate
Type: Other OID: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Certificates registered on hosts with MOMCertImport

Certificate Authentication
Provide mutual authentication and encryption for environments where:
Agents and server in separate forests / domains with no 2way trust Agents in workgroups

Managed by MomCertImport.exe tool


Mixed environment:
A management server can service a subset of agents with Certificate Authentication and the rest of the agents with Kerberos Authentication

Implementation

Implementation Outline
Implementation Outline 1. Install certificate services 2. Request, approve and install digital certificates 3. Approve the Gateway 4. Install the Gateway server role 5. Configure the Gateway for high availability (optional) 6. Install and configure agents

Install a Certification Authority

On Management Server and Gateway

Prepare Management Server for Gateway installation and communication

Run the Gateway installation and verify success

Configuring High Availability


Configure Agent and Gateway Failover
#Get Primary Management Server
$primaryMS = Get-ManagementServer | where {$_.Name eq mgmtsvr01.contoso.com }

#Get Failover Management Server


$failoverMS = Get-ManagementServer | where {$_.Name eq mgmtsvr02.contoso.com }

#Get Gateway Management Server


$gatewayMS = Get-ManagementServer | where {$_.Name eq gwsv.remote.com }

#Set the primary and failover MS for the gateway


Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS

Agent installation will vary based on the situation


Agent and GW in same domain
Use the wizard AD integration

Agent and GW located across trust boundaries


Install certificate (and run MOMCertImport)

Remember, a Gateway is never required

Troubleshooting

Events
Look for events in OpsMgr Event Log
Common Events: 20050 Enhanced key usage error (wrong OID) 21005 DNS resolution failed 21006 TCP Connection failed (at TCP level) 21007 Not in a trusted domain. (Means remote domain doesnt have full trust with this domain) 21008 Untrusted target (usually means untrusted domain or failure to reach DC) 21035 SPN registration failed; kerb auth will not work

Events New in SP1


New events for SP1 in OpsMgr Event Log
Common Events: 20068 Certificates has unusable / no private key 20069 Wrong type of certificate (KEY_SPEC) 20072 Remote certificate not trusted 20075 Unable to obtain subject or issuer from certificate 20076 Unable to obtain subject or issuer from remote certificate 20077 - Certificates cannot be queried for property info

Name Resolution and Connectivity


Name Resolution
Downstream node must resolve upstream node by FQDN Gateway must resolve FQDN of MS Agent must resolve FQDN of Gateway Agent must resolve FQDN of MS (if no GW)

Network Connectivity
Verify Gateway Server can telnet to management server on port 5723 Verify Agents can connect to Gateway Server on port 5723

NOTE: If not using a Gateway Server, perform same steps for agent and management server

Namespace Issues
If using non-routable namespaces across the Internet Establish site-to-site VPN tunnel OR
Use HOSTS file on Gateway to resolve Management Server

ms.contoso.local

gtw.contoso.local

Internet

Certificates
Verify certificates are present on the Gateway, MS and Agent
Perform these steps on MS, Gateway and Agent
Verify certificate exists in the follow stores Local Computer/Personal/Certificates Local Computer/Personal/Trusted Root Certification Authorities/Certificate

Certificates (cont)
Verify MOMCertImport successfully wrote certificate serial # to the registry
Stored in:
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber

Compare to certificate serial number on certificate in Certificate Store How to remove certificates imported with MOMCertImport Tool

Q&A

You might also like