SCOM Gateway Server

Larry_Grant

Greetings all,

I am having an issue setting up a gateway server in our DMZ domain to monitor servers in this domain. Does anyone have experience with this? I have the gateway server in and approved, certs are in place. Machine can communicate over the network, but not in scom. Thank you.

Larry Grant

Murad_Akram

You are missing the "Exportable=TRUE" value in your inf, the cert key has to be exportable. You need to make sure that's how the SCOM template is setup in your PKI.

Here is the working example of the .inf file I always use.

[NewRequest]

Subject="CN=YOUR SERVER NAME"

Exportable=TRUE

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

OID=1.3.6.1.5.5.7.3.2

Larry_Grant

I am also getting this error on the gateway server:

Murad_Akram

Hi Larry, could you please answer the following questions for me to help you resolve this issue:

Is your SCOM MS and GW in the same AD Domain?

Did you deploy the certs on both the MS and GW and confirmed they were loaded successfully into the cert store as well as in SCOM (using Certimportutility)?

Did you deploy the Trusted Root Certificates on both MS and GW?

When requesting the SSL cert, what did you use for the CN?

Since your GW is in the DMZ, did you edited the host file to include FQDN host name of each MS?

Are you able to resolve the host name of GW from MS and MS from GW

Can you connect to MS from GW over port TCP 5723 using telnet or Test-NetConnection

Larry_Grant

Is your SCOM MS and GW in the same AD Domain? No 2 different domains in a 2 way trust

Did you deploy the certs on both the MS and GW and confirmed they were loaded successfully into the cert store as well as in SCOM (using Certimportutility)? I believe I did this correctly

Did you deploy the Trusted Root Certificates on both MS and GW? Yes

When requesting the SSL cert, what did you use for the CN? FQDN

Since your GW is in the DMZ, did you edited the host file to include FQDN host name of each MS? no there is a 2 way trust

Are you able to resolve the host name of GW from MS and MS from GW yes

Can you connect to MS from GW over port TCP 5723 using telnet or Test-NetConnection Telnet appears to connect...

Larry_Grant

I found the cert checking tool https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-OpsMgr-27be19d3?fbclid=IwAR1-DrmCtV4A3psL2NeUjJUZbVe8_9W0XOKOqrOQCdkf8a33EHftqvzzaOI and based on the output I would guess my issue is the certs. Would you have any recommendations on redoing the certs properly?

Murad_Akram

• What SCOM version are you running?
• Are you using the same PKI infrastructure in both domains or you have two separate PKIs one in each domain?
• How many MS you have and are you getting any errors related to "authentication failed", "Failed to initialize security context", "Kerberos or the SChannel package", on any of the MS or GW OpeMgr Logs? If yes, can you post the event IDs here.
• The cert you are using is based on the following "Enhanced Key Usage" correct?

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

• When you open the cert, you can see that it has the corresponding private key?

• Based on the information you provided thus far, it sounds like your SCOM GW/MS are trying to use Kerberos authentication for connection and not using the certs. I would focus around the certs and make sure they are properly generated using the correct template and installed correctly.
• When using the "MomCertImport.exe" utility, I always make sure to use the command where I can specify the certfile and not rely on just the "/Subject Name" switch because I've seen many times, when using the /Subject name switch, MomCertImport picks the wrong cert from the store, especially when/if you have multiple hostname certs (SCCM, SCOM etc.) in the local computer store.

Murad_Akram

Here is a pretty good blog post written by Microsoft MVP (Kevin Green) regarding what you need to generate certificate to be used in SCOM.

https://kevingreeneitblog.blogspot.com/2011/08/using-internal-certificates-with-scom.html

Larry_Grant

• What SCOM version are you running? 2019
• Are you using the same PKI infrastructure in both domains or you have two separate PKIs one in each domain? Both certs were generated by the primary domaisn PKI. The second domain does not have a pki installed.
• How many MS you have and are you getting any errors related to "authentication failed", "Failed to initialize security context", "Kerberos or the SChannel package", on any of the MS or GW OpeMgr Logs? If yes, can you post the event IDs here. 1 management server and 1 gateway server
• The cert you are using is based on the following "Enhanced Key Usage" correct?

Server Authentication (1.3.6.1.5.5.7.3.1) correct

Client Authentication (1.3.6.1.5.5.7.3.2) correct

• When you open the cert, you can see that it has the corresponding private key? yes

• Based on the information you provided thus far, it sounds like your SCOM GW/MS are trying to use Kerberos authentication for connection and not using the certs. I would focus around the certs and make sure they are properly generated using the correct template and installed correctly.
• When using the "MomCertImport.exe" utility, I always make sure to use the command where I can specify the certfile and not rely on just he "Subject Name" because I've seen when using the /Subject name switch, MomCertImport picks the wrong cert from the store, especially when/if you have multiple hostname certs (SCCM, SCOM etc.) in the local computer store.

Larry_Grant

Do I need a PKI in the DMZ domain?

Murad_Akram

No you don't need PKI infra in the DMZ, you just need to make sure when you deploy the certificate you also deploy the certificate chain with it to the SCOM GW server in the DMZ so it can validate this certificate all the way up to the root of your internal PKI. The blog post I mentioned above is a step by step guide to create the SCOM certificate template and generate a GW cert off of this template. Creating a template would help in the long run when the time comes to renew these certs.

By the way how many DMZ servers are you planning to monitor with this GW server? I am not sure how big is your environment, just trying to make sure we are not boiling the ocean here because if you only have couple of DMZ servers, you can monitor them directly using the same process you are following to setup the GW server.

Larry_Grant

Currently there are 12 with the possibility of more.

I did an offline cert request. Using this template.

I am using this as the body of my .ini file for the request..

[NewRequest]

Subject="CN=jsccmz1.jconet.com"

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

OID=1.3.6.1.5.5.7.3.2

Updating the subject with the FQDN for the appropriate server.. The CA is trusted per GPO in the DMZ.

Am I missing something? I truly appreciate all your help

Murad_Akram

You are missing the "Exportable=TRUE" value in your inf, the cert key has to be exportable. You need to make sure that's how the SCOM template is setup in your PKI.

Here is the working example of the .inf file I always use.

[NewRequest]

Subject="CN=YOUR SERVER NAME"

Exportable=TRUE

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

OID=1.3.6.1.5.5.7.3.2

Larry_Grant

You sir are my hero!!! Is there anything special I need to do to get the other agents in that domain to report via that gateway besides point the agent at them?

Murad_Akram

I am glad I could help. Now you just need to configure every agent in the DMZ to report to this GW. In the future, to deploy new agents in the DMZ, all you have to do is run the discovery using the GW from the SCOM console and it should find the new servers and push/install the SCOM agent.