Scom Gateway Server

Only available on StudyMode
  • Topic: Certificate authority, Public-key cryptography, Public key infrastructure
  • Pages : 7 (1626 words )
  • Download(s) : 364
  • Published : June 9, 2012
Open Document
Text Preview
Deploying SCOM Gateway server
Brad Hearn

Steps taken
1. Put a change request into the Network group to open TCP ports 5723 and 5724 both ways from the Gateway server to the MS server 2. Certificates need to be deployed (2 types of certificates) 3. The root CA needs to be installed on all management servers 4. A custom cert template needs to be created on the issuing CA for OpsMGR 5. The Custom OpsMgr cert needs to be installed on all management servers 6. Run the momcertimport on all management server after the certs have been installed. This makes some specific registry changes for scom to help pick the correct cert. 7. Approve gateway server on RMS using a approval tool. 8. Manual install of agents on servers to be monitored 9. Approve agents in SCOM console

Open and test ports
Put a change request into the Network group to open TCP ports 5723 and 5724 both ways from the Gateway server to the MS server. To test if the ports are open. Log on to gateway server. From a command prompt type Telnet SRVNAME261 5723 If you get a cursor at the top left corner then the port is open. Any other errors indicate that the port is still closed. Do the same from the management server back to the gateway server.

Certificates need to be deployed (2 types of certificates) 1. Root certificate a. Import the root certificate for the management servers on the same domain as the CA server Brad Hearn https:\bradstechblog.com 11/12/2008

1

Logon on the management server. Open a web Brower and navigate to http://SRVNAME342/certsrv/ ii. Click on Download a CA certificate, certificate chain, or CRL iii. Click on Download CA Certificate chain iv. Click on save. And save to a location of your choice. The default file name is certnew.p7b. This is fine. (You can use this cert for all your management servers and gateway server to skip the initial download on this servers if you like. b. To import the downloaded cert open the certificate MMC i. Open run and type MMC ii. Click on file, add/remove snap-in iii. Click on Add and select Certificates, and click on add again. iv. Select computer account and say finish v. Close the window and say ok to the add remove window. vi. Expand certificates and right click on “Trusted Root Certification Authorities”

i.

vii.

When the wizard opens navigate to the downloaded cert is certnew.p7b . You will need to change the file type to PKCS #7

Brad Hearn

https:\bradstechblog.com

11/12/2008

2

viii. Accept the defaults and finish ix. Do this on all management servers inside the domain c. Import the root certificate for the Gateway server that is not attached to the domain as the CA server. i. Perform step one above to save certnew.p7b. Or use the same cert that was downloaded above. And copy to the gateway server. Then perform step 2 above.

Brad Hearn

https:\bradstechblog.com

11/12/2008

3

2. Create the Custom OpsMgr Certificate
a. To create the cert. We will use two consoles to do this. Certification Authority mmc and certificate templates mmc i. Open run and type MMC ii. Click on file, add/remove snap-in iii. Click on Add and select Certificate Templates and Certification Authority, and click on add again. And finish b. Select Certificate Templates c. In the Certificate Templates Console right click IPSec (Offline request) and then select duplicate template i. General Tab ii. Type a name

iii.

Request Handling 1. select Allow private key to be exported

Brad Hearn

https:\bradstechblog.com

11/12/2008

4

2. Click on CSPs… 3. select Microsoft RSA SChannel Cryptographic provider for windows 2003 and Microsoft Enhanced Cryptographic provider 1.0 for windows 2000

iv.

Extensions Tab 1. select the Applications Policies and click on edit 2. remove IP security IKE intermediate 3. Click on add..

Brad Hearn

https:\bradstechblog.com

11/12/2008

5

4. Select Client Authentication and Server Authentication, and

v.

clink on ok twice....
tracking img