Deploy SCOM 2012 R2 Agents to Domain Servers on Perimeter Network using SCOM Gateway on different Domain

Hi, I have a bit of an odd situation on a SCOM 2012 R2 deployment.

I have a MS on the internal network, and a Gateway Server on the perimeter network. Each server is connected to different Active Directory Forests and there are no trust relationships between them. I configured the communication between the two using certificates.

I have already connected some servers through the Gateway using certificates because they are in Workgroups; they are already approved on the MS and reporting their status.

However, I have some servers that are member servers of the internal AD domain but are located on the perimeter network.

So I've tried to configure one of them for testing to connect to the Gateway Server using a certificate via manual agent installation. Initially it didn't report in SCOM, but then I ran Get-SCOMPendingManagement and saw that it showed up there, so I ended up approving the agent using PowerShell and then it was reported in the Console as "Not Monitored".

First the agent was running as Local System and then I tried using a local admin account on the server; neither option has worked.

I get the following errors:

The OpsMgr Connector connected to scomgateway.externaldomain.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

OpsMgr was unable to set up a communications channel to scomgateway.externaldomain.com and there are no failover hosts.  Communication will resume when scomgateway.externaldomain.com is available and communication from this computer is allowed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is this configuration possible? Or do I need to open communication ports from the agents to the MS inside the corporate network and not use the Gateway?

Any ideas if someone else has done this are appreciated.

Thank you.

Regards.

March 27th, 2015 1:27pm

The SCOM agent uses TCP Ports 5723 and 5724 (both ways) to communicate with root manageme
March 28th, 2015 6:47pm

1) MS on internal network (forest A)
2) Gateway Server on perimeter network (forest B)
3) No trust relationship between forest A and forest B
4) Some forest A machines in the perimeter need to report to the MS on the internal network through the gateway server

Two possible solutions:
a) install a certificate on each client machine on the perimeter network such that it can communicate with the Gateway server, OR
b) deploy another gateway server on the perimeter network which connects to forest A, and all forest A clients on the perimeter network report to this gateway server

Roger


March 30th, 2015 2:11am

More info:

Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway

http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx

Using a Firewall

https://technet.microsoft.com/en-us/library/hh467904.aspx

March 30th, 2015 3:46am

I'm sorry, maybe I didn't explain myself correctly. I already have the gateway up and running with some Workgroup machines connected to it using certificates, so the Gateway is indeed working. These Workgroup machines are in fact reporting back to the Management Server on the internal network through the Gateway.

My problem is with Domain Member machines that are on the perimeter network. These machines are joined to the Active Directory inside the corporate firewall, not the Active Directory of the perimeter network (where the Gateway is joined). So my question is, can I connect these machines through the Gateway (even if the Gateway is on a different domain) or do I need to open ports and connect them directly to the management server (which is on the same Active Directory domain)?

Let me know if I made myself clear.

Thank you.

Regards.

March 30th, 2015 11:12am

Port 5723 only needs to be opened if the agent and MS are separated by a firewall; if not, the agent should be able to communicate with the MS directly.

In your case, 5723 is not required. The error shown clearly indicates an authentication issue, so please ensure you authenticate using certificates. Also, you would need to maintain certificates for all of the agents communicating with the MS, which is why the Gateway is introduced to reduce this overhead: you may need to have a GW which authenticates the agents' data to the MS using only one certificate.

Hope this helps...

March 30th, 2015 12:37pm

Hi Eduardo,

Check the certificates on your Domain Member machines that are on the perimeter network:

- should have both "Client Authentication" and "Server Authentication" in the "Enhanced Key Usage" extension under "Details"

- look if the Root CA and Issuing CA (if different from the Root CA) are added into Trusted Root Certification Authorities (check the "Certification Path")

- check in "General" that "You have a private key that corresponds to this certificate" is shown

March 30th, 2015 11:15pm
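The three checks in the reply above can be run from PowerShell on the perimeter-network member server instead of clicking through the certificate MMC. The script below is an added example and is not code from this thread or from Microsoft; it assumes the agent certificate was imported into the Local Machine personal store (Cert:\LocalMachine\My), which is an assumption about the environment, and it adds an expiry check the reply does not mention. The EKU OIDs are the standard id-kp-clientAuth (1.3.6.1.5.5.7.3.2) and id-kp-serverAuth (1.3.6.1.5.5.7.3.1) values.

```powershell
# Added example (not part of the original thread): audit certificates in the
# Local Machine personal store for the properties an OpsMgr agent certificate
# needs. Assumes the agent certificate is in Cert:\LocalMachine\My.
$OidClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ScomAgentCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect the Enhanced Key Usage OIDs, if the extension is present at all.
    $ekuOids = @()
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }

    # Build the chain against the local Trusted Root / Intermediate stores.
    # Revocation checking is disabled because perimeter hosts often cannot
    # reach the CA's CRL distribution point; the point here is trust, not revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Certificate)
    $chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $result = [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        HasClientAuthEKU = ($ekuOids -contains $OidClientAuth)
        HasServerAuthEKU = ($ekuOids -contains $OidServerAuth)
        HasPrivateKey    = $Certificate.HasPrivateKey
        ChainTrusted     = $chainTrusted
        ChainStatus      = $chainStatus
        NotAfter         = $Certificate.NotAfter
        Expired          = ($Certificate.NotAfter -lt (Get-Date))
    }
    # A certificate is usable for the agent only when every check passes.
    $result | Add-Member -NotePropertyName Usable -NotePropertyValue (
        $result.HasClientAuthEKU -and $result.HasServerAuthEKU -and
        $result.HasPrivateKey -and $result.ChainTrusted -and -not $result.Expired
    ) -PassThru
}

# Inspect every certificate in the machine personal store and list the verdicts.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ScomAgentCertificate -Certificate $_ } |
    Format-Table Subject, HasClientAuthEKU, HasServerAuthEKU, HasPrivateKey,
                 ChainTrusted, ChainStatus, Expired, Usable -AutoSize
```

Run it in an elevated PowerShell session on the agent machine. A row with Usable = False and a non-empty ChainStatus (for example UntrustedRoot or PartialChain) points at a missing Root or Issuing CA certificate in the Trusted Root / Intermediate stores, while HasPrivateKey = False usually means the certificate was imported from a .cer instead of a .pfx; either condition produces exactly the "connection was closed immediately after authentication" symptom the original poster reports.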
