29 November 2012

Monitoring servers in DMZ using SCOM

I know there is a lot of information on this subject out there, and I spent a lot of time reading blogs and KBs, but I was still left with unanswered questions.
So, taking some bits here and there, putting them together, and trying, and trying again, these are the steps I will have to take next time I have a server in the DMZ that should be monitored by SCOM.


At my company we have a lot of servers in the DMZ that we wanted to monitor in our SCOM (still on SCOM 2007 R2, CU5).

We have a functioning CA server, and I have a SCOM Gateway server.


First, we need the CA's trusted root certificate.

This certificate has to be imported on all involved servers (RMS, GTW and the DMZ servers).

  • Browse to http://CA/certsrv
  • Download a CA certificate, certificate chain, or CRL
  • Download CA certificate chain
  • Save certnew.p7b in a folder for your certs (e.g. c:\certs)

Copy this certificate to each of the servers and import it:

  • Open MMC with Certificates (Local Computer) snap-in
  • Import the certificate under “Trusted Root Certification Authorities”


Second, we need a certificate for every server.

  • Browse to http://CA/certsrv
  • Request a certificate
  • “Or, submit an advanced certificate request”
  • Create and submit a request to this CA
  • Name: FQDN of server
  • Type of Certificate Needed: Other…
  • OID: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication; the agent needs both)
  • Create new key set
  • CSP: Microsoft Enhanced Cryptographic Provider v1.0
  • Select: “Mark keys as exportable”
  • Store certificate in the local computer's certificate store.
  • Friendly Name: FQDN of server
  • Submit

Now the certificate request has to be issued.

  • On CA server, open Certification Authority console
  • In “Pending Requests”, right-click the certificate > All-Tasks > “Issue”

Install and export the certificate

  • Browse to http://CA/certsrv
  • View the status of a pending certificate request
  • Select your certificate
  • Install this certificate
  • Open MMC with Certificate (Local Computer) snap-in
  • Personal > Certificates
  • Right-click your certificate > All Tasks > Export
  • Yes, export the private key
  • Personal Information Exchange > Enable strong protection
  • Type a password (remember it, you will need it again later)
  • Save it in your cert-folder as FQDN.pfx

Do this for all servers, and copy each .pfx file to its server.


On the server in the DMZ

Hosts file
Can your DMZ server resolve the name of the Gateway or RMS?
If not, add entries for them to the hosts file (C:\Windows\System32\Drivers\etc\hosts).

Manually install the SCOM agent
Copy the installation files to your server (also copy MOMCertImport.exe, we will need it) and launch MOMAgent.msi.
You will need to supply the name of your Management Group and the FQDN of your GTW.

MOMCertImport
With MOMCertImport.exe and the .pfx file on the DMZ server, run:
MOMCertImport <path>\<certificate file>
You will be prompted for the certificate's password here.

Now restart the "System Center Management" service,
then go to Pending Management in your OpsMgr console and approve the agent.

Install CU
Go back to your DMZ server and install the current CU (cumulative update).

Manageable
Your agent is now flagged as manually installed, which means SCOM won't update it automatically.
Fortunately, with a query against your OpsMgr database you can change that flag and make the agent manageable.
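As an added example (not from the original post), this is the kind of query meant above, run against the OperationsManager database: it lists the agents flagged as manually installed, clears the flag for one DMZ server only, and verifies the result. It assumes the SCOM 2007 R2 schema (MT_HealthService.IsManuallyInstalled joined to BaseManagedEntity on BaseManagedEntityId); the server name is a placeholder.

```sql
-- Added example, not the post's own query.
-- Assumes the SCOM 2007 R2 OperationsManager schema:
--   MT_HealthService.IsManuallyInstalled (1 = manually installed)
--   BaseManagedEntity.DisplayName (the agent's FQDN)
-- 'dmzserver01.example.com' is a placeholder. Back up the database
-- before changing anything, and run this on the OperationsManager DB,
-- not on the data warehouse.

-- 1. Review which agents are currently flagged as manually installed.
SELECT bme.DisplayName, hs.IsManuallyInstalled
FROM   MT_HealthService AS hs
JOIN   BaseManagedEntity AS bme
       ON bme.BaseManagedEntityId = hs.BaseManagedEntityId
WHERE  hs.IsManuallyInstalled = 1;

-- 2. Clear the flag for the DMZ server you just approved.
--    Scoping on DisplayName avoids touching every other agent.
UPDATE hs
SET    hs.IsManuallyInstalled = 0
FROM   MT_HealthService AS hs
JOIN   BaseManagedEntity AS bme
       ON bme.BaseManagedEntityId = hs.BaseManagedEntityId
WHERE  hs.IsManuallyInstalled = 1
  AND  bme.DisplayName = 'dmzserver01.example.com';

-- 3. Confirm: the row should now show IsManuallyInstalled = 0.
SELECT bme.DisplayName, hs.IsManuallyInstalled
FROM   MT_HealthService AS hs
JOIN   BaseManagedEntity AS bme
       ON bme.BaseManagedEntityId = hs.BaseManagedEntityId
WHERE  bme.DisplayName = 'dmzserver01.example.com';
```

After the update, refresh the Agent Managed view in the console; the agent should no longer show as manually installed.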