SCOM - GATEWAY Session
Transcript of SCOM - GATEWAY Session
Page 1
Page 2
Pete Zerger, MVP – Operations Manager, AKOS Technology Services
Ian Jirka, Principal Software Design Engineer, Microsoft Corporation
Page 3
Session Overview
Concepts: Gateway Server Role
Key Use Scenarios
Mutual Authentication & PKI
Implementation: Configuration Walkthrough
High Availability
Troubleshooting Gateway Scenarios
Q & A
Page 4
Key Takeaways
Function of the Gateway Server Role
When, where, why and how to use the Gateway
Quick intro to mutual authentication and PKI
High availability Gateway configuration
How to identify and troubleshoot the configuration of the Gateway scenario
Page 5
Concepts
Page 6
New Server Role in Operations Manager 2007
Designed for three (3) key scenarios:
Consolidate points of egress from DMZ
Reduce need for certificates across trust boundaries
Reduce bandwidth utilization across WAN links
Page 7
Minimize points of egress
[Diagram: Domain A and a Perimeter Network (Workgroup); labels: TCP 5723, Certificate Authentication, Kerberos Authentication, Firewall Rules, Security]
Page 8
Minimize use of certificates
[Diagram: Domain A and Domain B with No Trust between them (marked X); labels: TCP 5723, Certificate Authentication, Kerberos Authentication, TCO]
Page 9
Bandwidth optimization
50% reduction in bandwidth utilization in internal Microsoft testing
[Diagram: Domain A and Domain B joined by a 2-Way Trust across a WAN Connection; labels: Kerberos Authentication]
Page 10
Scalability and Performance
Factors in Gateway Server scalability and performance:
Rate of operations data collection
Number of agents reporting
200 in RTM – increased to 800 in SP1
Dedicated upstream Management Server
Follow hardware sizing guidelines
Page 11
Gateway Functionality Summary
Essentially a specialized agent proxy
Reports to upstream management server
Can function as an ACS Collector
Should not function as AEM Server
Licensed as a management server
Don’t exceed 800-to-1 ratio
High Availability
Can be configured to failover to secondary MS
Redundant Gateways can be deployed
Page 12
Mutual Authentication
Required in Operations Manager 2007
Two methods:
Kerberos – requires Active Directory
Certificate Authentication
[Diagram: Request to Join, Update Topology; labels: X, Ok]
Page 13
Certificates and PKI
Microsoft Public Key Infrastructure (PKI): stand-alone or enterprise CA
Enterprise CA will require a certificate template
3rd Party PKI – requires a certificate template
Certificate Requirements
FQDN of host in Friendly Name field
Host FQDN must match FQDN on certificate
Type: Other
OID: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
Certificates registered on hosts with MOMCertImport
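An added example, not part of the session material, of turning the requirements above into a certreq.exe request for the local host. The CA config string is a placeholder, and the INF values for key length, KeySpec, KeyUsage and MachineKeySet are assumptions about what the agent needs rather than values stated on the slide.

```powershell
# Added example: not from the slides. Builds a certreq.exe request for this host
# that carries the listed OIDs and a subject equal to the host FQDN.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caConfig = 'CA-HOST\CA-NAME'            # placeholder: "Host\CAName" of your CA
$base     = Join-Path $env:TEMP 'opsmgr-cert'

# INF keys below are assumptions, not slide text: KeySpec=1 (AT_KEYEXCHANGE)
# avoids the SP1 KEY_SPEC error, MachineKeySet stores the key under Local
# Computer, and Exportable lets MOMCertImport pick the certificate up.
@"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
[EnhancedKeyUsageExtension]
; Server Authentication and Client Authentication, the two OIDs listed above
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

certreq -new "$base.inf" "$base.req"                        # PKCS#10 request
# On a stand-alone CA the request stays pending until approved; approve it,
# then retrieve it with certreq -retrieve <RequestId> before -accept.
certreq -submit -config $caConfig "$base.req" "$base.cer"
certreq -accept "$base.cer"                                 # binds cert to the machine key

# The Friendly Name must hold the host FQDN; certreq does not set it, so set it
# on the newest certificate issued for this subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$cert.FriendlyName = $fqdn
# Finally register the certificate on this host with MOMCertImport, as the slide says.
```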
Page 14
Certificate Authentication
Provides mutual authentication and encryption for environments where:
Agents and server are in separate forests / domains with no 2-way trust
Agents are in workgroups
Managed by the MomCertImport.exe tool
Mixed environment: a management server can service a subset of agents with Certificate Authentication and the rest of the agents with Kerberos Authentication
Page 15
Implementation
Page 16
Implementation Outline
1. Install certificate services
2. Request, approve and install digital certificates
3. Approve the Gateway
4. Install the Gateway server role
5. Configure the Gateway for high availability (optional)
6. Install and configure agents
Page 17
Install a Certification Authority
Page 18
On Management Server and Gateway
Page 19
Prepare Management Server for Gateway installation and communication
Page 20
Run the Gateway installation and verify success
Page 21
Configuring High Availability
Configure Agent and Gateway Failover

```powershell
# Get Primary Management Server
$primaryMS = Get-ManagementServer | where { $_.Name -eq 'mgmtsvr01.contoso.com' }
# Get Failover Management Server
$failoverMS = Get-ManagementServer | where { $_.Name -eq 'mgmtsvr02.contoso.com' }
# Get Gateway Management Server
$gatewayMS = Get-ManagementServer | where { $_.Name -eq 'gwsv.remote.com' }
# Set the primary and failover MS for the gateway
Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
```
Page 22
Agent installation will vary based on the situation
Agent and GW in same domain: use the wizard
AD integration
Agent and GW located across trust boundaries: install certificate (and run MOMCertImport)
Remember, a Gateway is never required
Page 23
Troubleshooting
Page 24
Events
Look for events in the OpsMgr Event Log
Common Events:
• 20050 – Enhanced key usage error (wrong OID)
• 21005 – DNS resolution failed
• 21006 – TCP connection failed (at TCP level)
• 21007 – Not in a trusted domain (means the remote domain doesn’t have a full trust with this domain)
• 21008 – Untrusted target (usually means an untrusted domain or failure to reach a DC)
• 21035 – SPN registration failed; Kerberos auth will not work
Page 25
Events – New in SP1
New events for SP1 in the OpsMgr Event Log
Common Events:
• 20068 – Certificate has an unusable private key, or no private key
• 20069 – Wrong type of certificate (KEY_SPEC)
• 20072 – Remote certificate not trusted
• 20075 – Unable to obtain subject or issuer from certificate
• 20076 – Unable to obtain subject or issuer from remote certificate
• 20077 – Certificate cannot be queried for property info
Page 26
Name Resolution and Connectivity
Name Resolution
Downstream node must resolve upstream node by FQDN
Gateway must resolve FQDN of MS
Agent must resolve FQDN of Gateway
Agent must resolve FQDN of MS (if no GW)
Network Connectivity
Verify Gateway Server can telnet to management server on port 5723
Verify Agents can connect to Gateway Server on port 5723
NOTE: If not using a Gateway Server, perform the same steps for agent and management server
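An added example, not from the session, that runs the name-resolution and port 5723 checks above from a downstream node and then lists the event IDs from the two Events slides. It assumes `$Upstream` is the FQDN of the next hop (the MS for a Gateway, the Gateway for an agent) and uses a raw TCP connect in place of telnet.

```powershell
# Added example: not from the slides. Run on the Gateway (upstream = MS) or on an
# agent (upstream = Gateway). $Upstream is a placeholder to replace.
$Upstream = 'ms.contoso.com'
$Port     = 5723
# Event IDs taken from the Events and Events - New in SP1 slides.
$EventIds = 20050, 20068, 20069, 20072, 20075, 20076, 20077,
            21005, 21006, 21007, 21008, 21035

# 1. Name resolution: the downstream node must resolve the upstream by FQDN.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Upstream)
    "Resolved $Upstream -> " + (($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')
} catch {
    "DNS failure for $Upstream (expect event 21005): $($_.Exception.Message)"
}

# 2. TCP reachability on 5723 with a 5 second timeout; a failure here matches
#    event 21006 and usually points at firewall rules.
$client = New-Object System.Net.Sockets.TcpClient
$async  = $client.BeginConnect($Upstream, $Port, $null, $null)
if ($async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected) {
    "TCP $Port open on $Upstream"
} else {
    "TCP $Port unreachable on $Upstream (expect event 21006): check firewall rules"
}
$client.Close()

# 3. Most recent occurrences of the listed events in the Operations Manager log,
#    with only the first line of each message so the table stays readable.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = $EventIds } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```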
Page 27
Namespace Issues
If using non-routable namespaces across the Internet:
Establish site-to-site VPN tunnel OR
Use HOSTS file on Gateway to resolve Management Server
[Diagram: gtw.contoso.local and ms.contoso.local connected across the Internet]
Page 28
Certificates
Verify certificates are present on the Gateway, MS and Agent
Perform these steps on MS, Gateway and Agent
Verify certificate exists in the following stores:
Local Computer/Personal/Certificates
Local Computer/Trusted Root Certification Authorities/Certificates
Page 29
Certificates (cont.)
Verify MOMCertImport successfully wrote the certificate serial # to the registry
Stored in:
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
Compare to the serial number on the certificate in the Certificate Store
How to remove certificates imported with the MOMCertImport Tool
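An added example, not from the session, that automates the comparison above: it reads ChannelCertificateSerialNumber from the registry, finds the matching certificate in Local Computer/Personal, and checks the requirements from the Certificates and PKI slide against the SP1 events that report them. It assumes the registry value is REG_BINARY holding the serial bytes, and, because the slides do not state the stored byte order, accepts the serial in either order.

```powershell
# Added example: not from the slides. Run on the MS, Gateway or agent.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$raw = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ChannelCertificateSerialNumber
if (-not $raw) { throw 'ChannelCertificateSerialNumber is missing: MOMCertImport has not been run here' }

# Assumption: REG_BINARY serial bytes; match both byte orders.
$bytes   = [byte[]]$raw
$forward = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
[array]::Reverse($bytes)
$reverse = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { @($forward, $reverse) -contains $_.SerialNumber } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate in Local Computer\Personal has serial $forward (or reversed: $reverse)" }

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$oids = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $oids = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}

# Verify() builds the chain against the Local Computer Trusted Root store and
# checks revocation online, so it can fail on an isolated host with no CRL access.
$checks = @(
    @{ Name = 'Subject CN equals host FQDN';                               Pass = ($cn -eq $fqdn) },
    @{ Name = 'Private key present (event 20068 if not)';                  Pass = $cert.HasPrivateKey },
    @{ Name = 'EKU has Server Authentication 1.3.6.1.5.5.7.3.1 (20050)';  Pass = ($oids -contains '1.3.6.1.5.5.7.3.1') },
    @{ Name = 'EKU has Client Authentication 1.3.6.1.5.5.7.3.2 (20050)';  Pass = ($oids -contains '1.3.6.1.5.5.7.3.2') },
    @{ Name = 'Chain trusted by Local Computer root store (20072)';        Pass = $cert.Verify() },
    @{ Name = 'Within validity period';                                    Pass = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date)) }
)
"Serial $($cert.SerialNumber) matches registry value; subject CN = $cn"
foreach ($c in $checks) {
    '{0} {1}' -f $(if ($c.Pass) { 'PASS' } else { 'FAIL' }), $c.Name
}
```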
Page 30
Q & A