
SCOM 2012 – Connecting a gateway server using certificates

March 28, 2012

In this article I will describe how to set up a gateway server in SCOM 2012 RC and use certificates for authentication. I have set up a lab on a Hyper-V host with two subnets. One is a domain called rheenen.local, in which a SCOM 2012 RC management server is installed and functional. Now I want to install and connect a gateway server in the other network, which also has a domain in place: customer.local.

The steps I need to take are:

  1. I have to make sure that both the new gateway server and the SCOM 2012 management server can resolve each other's FQDN.
  2. I need to make sure port 5723 is not blocked by any firewall and that the SCOM management server is listening on this port. This can be tested by setting up a telnet connection from the gateway server to the SCOM server: telnet <FQDN scom server> 5723 (you might need to install the Telnet Client feature first).
  3. In the domain rheenen I have set up a Certificate Authority (CA). Install the root certificate on the gateway server and make sure it exists in Trusted Root Certification Authorities. Check that this certificate is also present on the SCOM 2012 management server.
  4. Create a custom template on the CA for SCOM:
    1. Open run and type MMC
    2. Click on file, add/remove snap-in
    3. Click on Add, select Certificate Templates and Certification Authority, click on Add again and then Finish
      1. Select Certificate Templates
      2. In the Certificate Templates console right click IPSec (Offline request) and select Duplicate Template
    4. On the General tab type a name like SCOM Template
    5. On the Request Handling tab:
      1. Select Allow private key to be exported
      2. Click on CSPs…
      3. Select Microsoft RSA SChannel Cryptographic Provider for Windows 2003 and Microsoft Enhanced Cryptographic Provider 1.0 for Windows 2000
    6. On the Extensions tab:
      1. Select Application Policies and click on Edit:
        1. Remove IP security IKE intermediate
        2. Add Client Authentication and Server Authentication
    7. On the Security tab:
      1. Verify that Users have Read rights
      2. Add the server where the CA resides and give it the Read and Enroll rights (this is needed for step 7 in this procedure)
  5. Add the new template to the CA. Right click Certificate Templates – New – Certificate Template to Issue and choose the template you just created.
  6. Install the template on the SCOM management server. Because this is a server in the domain where the CA resides and this is a computer certificate, use the MMC Certificates snap-in for the local computer and request it from the Personal certificates store (enrollment rights on the template are needed for the computer account).
  7. Install the gateway role on the new gateway server. At this point you will get many events: 20057, 21016 and 21001. These all occur because there is no proper authentication yet; we need to install the certificates first.
  8. Install the template on the gateway server:
      1. Create an .inf file:
        [NewRequest]
        Subject="CN=<FQDN of the gateway server>"
        Exportable=TRUE
        KeyLength=1024
        KeySpec=1
        KeyUsage=0xf0
        MachineKeySet=TRUE
        
        [EnhancedKeyUsageExtension]
        OID=1.3.6.1.5.5.7.3.1
        OID=1.3.6.1.5.5.7.3.2
        
      2. Open a command prompt with elevated rights and execute a certificate request from the inf file you just created: certreq -new -f <filename>.inf GatewayRequest.req (the name of the .req file can be whatever you want).
      3. Open the .req file with Notepad and copy the key to the clipboard.
      4. Log on to the server where the CA resides and do an advanced certificate request.
      5. Paste in the key in the saved request and select the custom template you created in step 4
      6. Export the certificate and import it on the gateway server using the mmc for the local computer. Put it in the Personal certificates.
  9. Now on the gateway server run the MOMCertImport tool as an administrator (right click, Run as) and it will find the imported certificate. For a short while a cmd box will open and it will close afterwards. Now SCOM knows it needs to use the certificate for authentication.
  10. Do the same thing on the SCOM management server.
  11. The gateway server will now probably show up under Pending Management on the management server. Delete it from here (so that means do NOT approve it!).
  12. Now you need to run the gateway approval tool to inform the SCOM management server about his new friend:
    1. First you need to copy two files: Microsoft.EnterpriseManagement.GatewayApprovalTool.exe AND Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config to C:\program files\System Center Operations Manager 2012\server
    2. Then run the approval tool from an elevated CMD: Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
      /managementservername=<FQDN for the MS> /gatewayname=<FQDN for the gateway> /action=create
  13. The last thing you should do is let this server act as a proxy, so other servers on that network can connect through this gateway.
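To check the prerequisites and the certificate from steps 1, 2, 3 and 8 in one go, here is an added PowerShell pre-flight script (my own example, not part of the original post). It assumes it is run in an elevated PowerShell on the gateway server; the management server FQDN is a placeholder you replace.

```powershell
# Added pre-flight check for the gateway procedure above; not from the original post.
# Run in an elevated PowerShell on the gateway server. The FQDN is a placeholder.
param([string]$ManagementServer = 'scom.rheenen.local')   # placeholder, change it

$gatewayFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuth  = '1.3.6.1.5.5.7.3.1'   # EKU OIDs from the .inf file in step 8
$clientAuth  = '1.3.6.1.5.5.7.3.2'

# Step 1: the management server's FQDN must resolve from this network.
try   { $ips = [System.Net.Dns]::GetHostAddresses($ManagementServer); "DNS ${ManagementServer}: " + ($ips -join ', ') }
catch { "DNS ${ManagementServer}: FAILED ($($_.Exception.Message))" }

# Step 2: TCP 5723 must be reachable (same check as the telnet test, without the Telnet Client).
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($ManagementServer, 5723); "TCP 5723: OPEN" }
catch   { "TCP 5723: BLOCKED ($($_.Exception.Message))" }
finally { $tcp.Close() }

# Steps 3 and 8: the certificate in the local computer's Personal store must carry the
# gateway FQDN as CN, chain to a trusted root, have both EKUs and have a private key.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$gatewayFqdn" })
if ($certs.Count -eq 0) { "No certificate with Subject CN=$gatewayFqdn in Cert:\LocalMachine\My"; return }
foreach ($cert in $certs) {
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    "Certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"
    "  chain to trusted root : " + $(if ($cert.Verify())              { 'OK' } else { 'FAILED (check step 3)' })
    "  Server Authentication : " + $(if ($ekus -contains $serverAuth) { 'OK' } else { 'MISSING' })
    "  Client Authentication : " + $(if ($ekus -contains $clientAuth) { 'OK' } else { 'MISSING' })
    # The 23-12-2012 update: without a private key the gateway logs event 20077 and never connects.
    "  private key present   : " + $(if ($cert.HasPrivateKey)         { 'OK' } else { 'MISSING (see update)' })
}

# Step 7: these authentication events keep appearing until certificates are in place on both sides.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20057, 21016, 21001, 20077 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } | Format-Table -AutoSize
```

Run the same script on the management server (with the gateway FQDN as the parameter and its own CN) to confirm the certificate from step 6 is in order there as well.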

If you have any questions about this blog feel free to ask them!

If you find this post helpful and/or it saved your day, please leave a comment 😉

Thanks!

UPDATE 23-12-2012

After having spent hours troubleshooting a gateway connection that just wouldn't work, I found that there was no private key configured in the certificate. Kevin Holman wrote a nice blog on how to fix this:

http://blogs.technet.com/b/kevinholman/archive/2011/02/06/rare-gateway-certificate-issue-event-20077-the-certificate-cannot-be-queried-for-property-information.aspx

Thank you Kevin!


6 Comments
  1. If I have a standalone server and not a gateway, can I approve the installation in step 11 and skip step 12 and 13?

    • Hi Roel,

      Correct.
      When the server shows up in the management server as manually installed agent the certificates are configured correctly and you can approve the server.

      regards,

  2. david

    Hi Marthijn,

    Could you please explain a bit more how to do this from the CA console (we don't have web):

    Log on to the server where the CA resides and do an advanced certificate request.
    Paste in the key in the saved request and select the custom template you created in step 4
    Export the certificate and import it on the gateway server using the mmc for the local computer. Put it in the Personal certificates.

    Thanks
    David

  3. david

    Thanks. But again, for generating the certificate they used the web. So can you tell me how to generate the certificate using the MMC console or CA console?
