Overview of the steps:
1. Put a change request into the Network group to open TCP ports 5723 and 5724 both ways between the Gateway server and the management server (MS).
2. Certificates need to be deployed (two types of certificates).
3. The root CA certificate needs to be installed on all management servers.
4. A custom certificate template needs to be created on the issuing CA for OpsMgr.
5. The custom OpsMgr certificate needs to be installed on all management servers.
6. Run MOMCertImport on all management servers after the certificates have been installed. This makes some specific registry changes so that SCOM picks the correct certificate.
7. Approve the gateway server on the RMS using the gateway approval tool.
8. Manually install the agents on the servers to be monitored.
9. Approve the agents in the SCOM console.
Open and test ports
Put a change request into the Network group to open TCP ports 5723 and 5724 both ways between the Gateway server and the management server. To test whether the ports are open, log on to the gateway server and, from a command prompt, type telnet SRVNAME261 5723. If you get a blank screen with the cursor in the top left corner, the port is open. Any other error indicates that the port is still closed. Do the same from the management server back to the gateway server, and repeat for port 5724.
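The telnet check above tests one port in one direction at a time. The following PowerShell function is an added example (not from the original post) that tests both OpsMgr ports against a remote host in one go and reports open, refused and filtered (timed out) separately, which helps tell a firewall drop apart from a service that is simply not listening yet. It uses the .NET TcpClient, so it works on the Windows Server 2003/2008 hosts this post targets; the host name SRVNAME261 is the one used in the post, and the timeout value is an assumption.

```powershell
# Added example, not part of the original post.
# Tests TCP connectivity to the OpsMgr ports and classifies the outcome.
function Test-OpsMgrPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int[]]$Port = @(5723, 5724),   # OpsMgr agent/gateway (5723) and console/SDK (5724) ports
        [int]$TimeoutMs = 3000          # assumed value; raise it on slow WAN links
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($ComputerName, $p, $null, $null)
        $signalled = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($signalled) {
            # The connect attempt finished: either it succeeded or the host actively refused it
            try   { $client.EndConnect($async); $state = 'Open' }
            catch { $state = 'Refused (port closed, nothing listening)' }
        } else {
            # No SYN/ACK and no RST within the timeout: typically a firewall silently dropping the packet
            $state = 'Timeout (filtered by a firewall)'
        }
        $client.Close()
        New-Object PSObject -Property @{ ComputerName = $ComputerName; Port = $p; State = $state }
    }
}

# Run this on the gateway against the management server, then on the management server against the gateway
Test-OpsMgrPort -ComputerName 'SRVNAME261' | Format-Table ComputerName, Port, State -AutoSize
```

Because the check is run from both sides, a port reported as Open from the gateway but Timeout from the management server points at an asymmetric firewall rule, which is exactly what the change request in this step has to cover.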
Certificates need to be deployed (two types of certificates).
Brad Hearn https:\bradstechblog.com 11/12/2008

1. Root certificate
 a. Import the root certificate for the management servers on the same domain as the CA server.
  i. Log on to the management server. Open a web browser and navigate to http://SRVNAME342/certsrv/
  ii. Click on Download a CA certificate, certificate chain, or CRL
  iii. Click on Download CA certificate chain
  iv. Click on Save and save to a location of your choice. The default file name is certnew.p7b; this is fine. (You can use this file for all your management servers and the gateway server to skip the initial download on those servers if you like.)
 b. To import the downloaded certificate, open the Certificates MMC.
  i. Open Run and type MMC
  ii. Click on File, Add/Remove Snap-in
  iii. Click on Add, select Certificates, and click on Add again
  iv. Select Computer account and click Finish
  v. Close the window and click OK in the Add/Remove window
  vi. Expand Certificates and right-click "Trusted Root Certification Authorities"
  vii. When the import wizard opens, browse to the downloaded certnew.p7b. You will need to change the file type filter to PKCS #7 to see it.
  viii. Accept the defaults and finish
  ix. Do this on all management servers inside the domain
 c. Import the root certificate for the Gateway server that is not joined to the same domain as the CA server.
  i. Perform step a above to save certnew.p7b, or reuse the same file that was downloaded above, and copy it to the gateway server. Then perform step b above.
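When the same certnew.p7b has to go onto several management servers and a gateway that is outside the domain, the MMC steps in b. above get repetitive. The following PowerShell function is an added example, not from the original post, that imports the PKCS #7 chain file into the Local Machine stores using .NET classes available on Windows Server 2003/2008. It goes one step beyond the MMC procedure: a self-signed certificate in the chain is placed in Trusted Root Certification Authorities, while any intermediate CA certificate in the chain is placed in Intermediate Certification Authorities, which is where Windows expects it for chain building. The path C:\Temp\certnew.p7b is a placeholder; run it from an elevated prompt.

```powershell
# Added example, not part of the original post.
# Imports every certificate in a PKCS #7 chain file into the Local Machine store that fits it.
function Import-OpsMgrRootChain {
    param([Parameter(Mandatory = $true)][string]$Path)   # path to certnew.p7b (placeholder path used below)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $chain.Import($Path)   # understands .p7b (PKCS #7) as well as single .cer files

    # Store names: 'Root' = Trusted Root Certification Authorities, 'CA' = Intermediate Certification Authorities
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
    $rootStore.Open('ReadWrite')
    $caStore.Open('ReadWrite')

    foreach ($cert in $chain) {
        # A root CA certificate is self-issued (Subject equals Issuer); anything else is an intermediate.
        if ($cert.Subject -eq $cert.Issuer) {
            $rootStore.Add($cert); $target = 'Root'
        } else {
            $caStore.Add($cert);   $target = 'CA'
        }
        # Print the thumbprint so it can be compared against the CA's own, before trusting it on every server
        New-Object PSObject -Property @{
            Store      = $target
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    $rootStore.Close()
    $caStore.Close()
}

# Copy certnew.p7b to the server first (the gateway cannot reach http://SRVNAME342/certsrv/ from outside the domain)
Import-OpsMgrRootChain -Path 'C:\Temp\certnew.p7b' | Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize
```

Adding a certificate to Trusted Root on a server means every certificate that CA issues will be trusted there, so check the printed thumbprint against the one shown on the CA itself before repeating the import on the remaining servers.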
2. Create the Custom OpsMgr Certificate
 a. To create the certificate we will use two consoles: the Certification Authority MMC and the Certificate Templates MMC.
  i. Open Run and type MMC
  ii. Click on File, Add/Remove Snap-in
  iii. Click on Add, select Certificate Templates and Certification Authority, click on Add again, and finish
 b. Select Certificate Templates
 c. In the Certificate Templates console, right-click IPSec (Offline request) and then select Duplicate Template
  i. General tab: type a name for the new template
  ii. Request Handling tab
   1. Select Allow private key to be exported
   2. Click on CSPs...
   3. Select Microsoft RSA SChannel Cryptographic Provider (for Windows 2003) and Microsoft Enhanced Cryptographic Provider v1.0 (for Windows 2000)
  iii. Extensions tab
   1. Select Application Policies and click on Edit
   2. Remove IP security IKE intermediate
   3. Click on Add...
   4. Select Client Authentication and Server Authentication, and click on OK twice
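Once a certificate has been requested from this template and installed in the server's Personal store, it is worth confirming that the template settings actually made it into the issued certificate before running MOMCertImport, since a missing Server Authentication or Client Authentication purpose is a common reason the gateway and management server fail to authenticate. The following PowerShell function is an added example, not from the original post, that looks up the certificate by subject name in LocalMachine\My and checks the three things the template steps above set: both authentication EKUs present, the IKE intermediate purpose removed, and the private key exportable under one of the legacy CSPs. It also checks that the certificate chains to a root the server trusts, which is what the root import in step 1 provides. The parameter $SubjectName is an assumption; pass the server's fully qualified name as it appears in the certificate subject.

```powershell
# Added example, not part of the original post.
# Verifies that an issued OpsMgr certificate matches the custom template settings.
function Test-OpsMgrCertificate {
    param([Parameter(Mandatory = $true)][string]$SubjectName)   # e.g. the server FQDN used as the CN

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $cert = $store.Certificates |
        Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $store.Close()
    if (-not $cert) {
        Write-Warning "No certificate with a private key for CN=$SubjectName in LocalMachine\My"
        return
    }

    # Enhanced Key Usage extension (OID 2.5.29.37); .NET exposes it as X509EnhancedKeyUsageExtension
    $ekuOids = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Exportability is only readable for CSP-backed keys, which is what the two providers in the template produce
    $exportable = $false
    $provider   = '(key is not CSP-backed)'
    if ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
        $provider   = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
    }

    # OIDs: 1.3.6.1.5.5.7.3.1 Server Authentication, 1.3.6.1.5.5.7.3.2 Client Authentication,
    #       1.3.6.1.5.5.8.2.2 IP security IKE intermediate (removed from the template)
    $checks = @(
        @{ Check = 'Server Authentication EKU present'; Pass = ($ekuOids -contains '1.3.6.1.5.5.7.3.1') },
        @{ Check = 'Client Authentication EKU present'; Pass = ($ekuOids -contains '1.3.6.1.5.5.7.3.2') },
        @{ Check = 'IKE intermediate EKU removed';      Pass = (-not ($ekuOids -contains '1.3.6.1.5.5.8.2.2')) },
        @{ Check = "Private key exportable ($provider)"; Pass = $exportable },
        @{ Check = 'Chains to a trusted root';           Pass = $cert.Verify() },
        @{ Check = 'Not expired';                        Pass = ($cert.NotAfter -gt (Get-Date)) }
    )
    "Certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)"
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Test-OpsMgrCertificate -SubjectName 'SRVNAME261.corp.example' | Format-Table Check, Pass -AutoSize
```

If "Chains to a trusted root" fails on the gateway but passes on the management servers, the root import from step 1.c was skipped or landed in the user store instead of the computer store; if an EKU check fails, the certificate was issued from the original IPSec template rather than the duplicate.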