OpsMgr Gateway Server Installation Notes:
I have a client that has 10-15 servers in a workgroup in a DMZ that they need to manage using OpsMgr 2007. We chose to install the role on a virtual server that resides in the DMZ. They did not have a certificate authority to issue certificates, which are required in this setup, so we installed certification services on the same virtual server as the gateway role.
Here are my notes:
- Using the document from systemcenterforum as a guide/bible, follow it step by step. http://systemcenterforum.org/wp-content/uploads/OpsMgr2007_Gateway_Config.zip
- Also read the Operations Manager 2007 Security Guide.
- Every server managed in the DMZ, the gateway server, and the RMS will each need their own certificate, which has to be imported into the local OpsMgr agent (or into OpsMgr itself in the case of the GW and RMS).
- Install a certificate authority that can be accessed by all the agents, the GW, and the RMS.
- I chose to install the CA on the same server as the GW role. If you install the CA on the same server as the GW: during the CA installation, you will need to give the CA any name besides the NetBIOS name of the server. This is so the CA can issue a cert to the GW server (which happens to be on the same box). It took me about 4 days to figure out that a CA will not issue a cert to itself if the CA shares the same name as the server on which it resides.
- Download the CA Certificate Chain on the RMS. Import the cert into the computer's Trusted Root Certification Authorities store.
- Download the CA Certificate Chain on the future GW. Import the cert into the computer's Trusted Root Certification Authorities store.
- Request an advanced certificate using the FQDN of the RMS (follow guide)
- Issue/Approve the cert on the CA
- Download the cert on the RMS
- Request an advanced certificate using the FQDN of the future GW server
- Issue/Approve the cert on the CA
- Download the cert on the future GW
- On the RMS, make sure you have access to the installation media for SP1. You can extract the SP1 download to a known directory. SP1 has the advantage of a GUI for the MomCertImport.exe tool. Double-click MomCertImport.exe, which is located in <installation media directory>\UpdateCDImage\SupportTools\amd64 for 64-bit machines and <installation media directory>\UpdateCDImage\SupportTools\i386 for 32-bit servers. Make sure you use the correct version for the machine.
- After double-clicking MomCertImport.exe, choose the cert that you just issued from the window that appears.
- Restart the health service on the RMS
- Run the gateway approval tool as specified in the article.
- Make sure the GW server shows up in the RMS console under Administration > Management Servers. It will show as status "Not Managed" until you complete all of the remaining steps. This is normal.
- On the future GW server, install the OpsMgr Gateway Service; use the FQDN of the RMS when it asks for the management server name.
- On the GW, run MomCertImport just like you did on the RMS
- Restart the health service on the GW
- In about 2-5 minutes, verify that the GW server shows as Healthy in the opsmgr console on the RMS before installing client agents.
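Before running MomCertImport and restarting the health service on the RMS, the GW, or any DMZ client, it is worth checking that the certificate actually meets the requirements above, because a wrong subject, a missing private key, or a root imported into the user store instead of the machine store all produce the same symptom: the GW never turns Healthy. The PowerShell below is an added example, not part of the original notes or of the OpsMgr media. It assumes the certificate must carry the Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) EKUs as the Operations Manager 2007 Security Guide describes, that the agent/gateway service is named HealthService, and that an installed CA records its common name in the CertSvc "Active" registry value; none of those three details come from the notes.

```powershell
# Added example (not from the original notes): pre-flight check for OpsMgr 2007
# certificate authentication on an RMS, GW, or DMZ agent. Assumptions (not from the page):
# required EKUs per the Security Guide, service name 'HealthService', CA name in CertSvc 'Active'.
param(
    # OpsMgr matches the certificate on its subject CN, which must be the host FQDN
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$RequiredEkus = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

function Get-OpsMgrCandidateCert {
    param([string]$SubjectFqdn)
    # Newest machine-store certificate whose subject CN is exactly the FQDN
    $pattern = "CN=$([regex]::Escape($SubjectFqdn))(,|$)"
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key: download the issued cert on the same machine that submitted the request'
    }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "Outside validity window ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    # Both EKUs must be present on the certificate
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEkus.Keys) {
        if ($present -notcontains $oid) { $problems += "Missing EKU $($RequiredEkus[$oid]) ($oid)" }
    }
    # The chain must end in a root the machine trusts (LocalMachine\Root, not the user store)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Chain does not build: $status"
    }
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if (-not $inMachineRoot) { $problems += "Root '$($root.Subject)' is not in LocalMachine\Root" }
    }
    return $problems
}

function Test-LocalCaName {
    # The gotcha from the notes: a CA installed on the GW must not be named after the server.
    # Assumption: the CA common name is stored in CertSvc's 'Active' registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $key)) { return $null }   # no CA on this box, nothing to check
    $caName = (Get-ItemProperty -Path $key).Active
    if ($caName -and ($caName -ieq $env:COMPUTERNAME)) {
        return "CA name '$caName' equals this server's NetBIOS name; the CA will not issue a cert to itself"
    }
    return $null
}

# --- run the checks and report ---
$cert = Get-OpsMgrCandidateCert -SubjectFqdn $Fqdn
if (-not $cert) {
    Write-Host "FAIL: no certificate with CN=$Fqdn in LocalMachine\My (request one from the CA using the FQDN)"
} else {
    $problems = @(Test-OpsMgrCertificate -Cert $cert)   # @() so an empty result still has .Count
    if ($problems.Count -eq 0) {
        Write-Host "OK: $($cert.Thumbprint) ($($cert.Subject)) is usable; run MomCertImport, then restart HealthService"
    } else {
        Write-Host "FAIL: certificate $($cert.Thumbprint) is not usable:"
        $problems | ForEach-Object { Write-Host "  - $_" }
    }
}
$caProblem = Test-LocalCaName
if ($caProblem) { Write-Host "FAIL: $caProblem" }

$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if ($svc) { Write-Host "HealthService is $($svc.Status)" }
else { Write-Host 'HealthService not installed yet (agent or gateway role not installed)' }
```

Run it from an elevated prompt on each box after downloading the issued certificate and before MomCertImport; the chain check is the one that catches a CA root dropped into the current user's store rather than the computer's, which the GUI import dialog makes easy to do by accident. Revocation checking is deliberately skipped so the script also works on a DMZ host that cannot reach the CA's CRL.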
Now, on to the clients… The following steps need to be performed on ALL the clients that you would like to manage with the GW server.
- I temporarily turned on automatic approval of manually installed agents on the RMS at Administration > Settings > Security so I would not have to manually approve all of the agent installs.
- I set up a share on the GW server that had all of the software needed for the agent install in one place, for easy access:
  - \Agent\ directory from the SP1 media, including MSXML 6.0
  - \SupportTools\ directory from the SP1 media (you will need MomCertImport)
  - An MMC console with the following snap-ins:
    - Certificates (Local Computer)
    - Event Viewer (Local Computer)
    - Services (Local Computer)
    - Certification Authority (directed at my CA)