
Installing the Gateway Role in an Existing System Center Operations Manager 2007 R2 Environment

Contents

Introduction
1. Create an OpsMgr Gateway Authentication certificate template and add it to the available templates
2. Obtain the Issuing CA's Certificate Chain
3. Obtain an OpsMgr Gateway Authentication certificate (from the template created in step 1) for the RMS, each Management server and Gateway server (one unique certificate for each, although the only difference will be the Subject Name and Friendly Name)
4. All certificates issued in step 3 were imported into the user's personal certificate store. All of these must be exported to files. Steps A to F open the user's personal certificate store. Follow steps G to M for each certificate that was created
5. Import the CA certificate chain and the OpsMgr Gateway Authentication certificate
6. Ensure TCP 5723 is open from the GW server to the Management server(s)
7. Install OpsMgr Gateway
8. Run the MOMCertImport utility on the RMS, all Management servers, and all Gateway servers
9. Approve the Gateway(s)
10. Set the primary and failover management servers for the new Gateway

Introduction
This document describes the process of incorporating the OpsMgr Gateway role into your existing OpsMgr infrastructure. This process assumes the Gateway will be consolidating health reporting for the systems in a perimeter network. All servers in the infrastructure where this process was tested were Windows 2008 R2, with the exception of the certificate authority, which was Windows 2003 R2 64-bit SP2 Enterprise Edition.

This document assumes:
- The domain/forest in which the OpsMgr infrastructure and Certificate Authority reside is in Windows 2003 functional mode.
- OpsMgr R2 is installed and functional.
- The certificate authority is able to support version 2 certificates: the issuing CA must be an Enterprise CA installed on an Enterprise edition of the Windows 2003/2008 operating system.
- The system to be installed as a Gateway has been installed with Windows 2008, is fully patched and is a member server in the same domain as the perimeter network servers it will serve.
- TCP port 5723 is allowed from the Gateway server to all Management servers it will report to (assume a primary and a failover Management server, neither of which should be the RMS).

1. Create an OpsMgr Gateway Authentication certificate template and add it to the available templates.

Note: to carry out these steps you must be a Domain Admin and an Enterprise Admin in the domain.

A. Log onto your issuing CA.
B. Open the Certification Authority MMC.
C. Expand the Server node so that you see the folders underneath.
D. Right-click Certificate Templates and select Manage. This opens the Certificate Templates snap-in.
E. In the Certificate Templates Console right-click IPSec (Offline request) and select Duplicate Template. On a Win2008 CA it will ask you which version of template to create (Win2003 or Win2008); choose Win2003. Enter the following information:
   1. General Tab
      i. Template display name: OpsMgr Gateway Authentication
      ii. Template name: OpsMgr Gateway Authentication
      iii. Validity period: 5 years (see the note below)

Note: the maximum validity a CA can issue certificates for equals the validity of its own Certification Authority certificate (i.e. it cannot issue a cert that is valid for longer than its own cert). Also note that by default Windows 2000 and 2003 CAs issue certs with a 2 year validity regardless of the template validity. This can be adjusted in the registry; see http://support.microsoft.com/kb/254632.

   2. Request Handling Tab
      i. Check the box beside Allow private key to be exported.
      ii. Enter the Minimum key size as 1024.
      iii. Click the CSPs button.
         a. Select Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider 1.0.

   3. Extensions Tab (see the note below)
      i. Select Application Policies and click Edit.
         a. Remove IP security IKE intermediate.
         b. Click Add, select Client Authentication and Server Authentication, then click OK twice.

Note: some documentation states that you must enter an OID for the cert. This is not necessary when these instructions are followed.

   4. Security Tab
      i. Authenticated Users should have Read and Enroll. Click OK.
F. This step should be carried out on the issuing CA (assuming there is a root CA in the hierarchy). In the Certification Authority snap-in right-click Certificate Templates.
G. Select New > Certificate Template to Issue.
H. Find the template just created, select it and click OK.
I. It should now show up in the right pane.

2. Obtain the Issuing CA's Certificate Chain

A. Log on to a management server. Open a web browser and navigate to https://2k3CAENT01/certsrv/
B. On the Welcome screen click Download a CA certificate, certificate chain, or CRL.
C. If you receive a warning click Yes.
D. On the Download a CA certificate, certificate chain, or CRL screen click Download CA certificate chain.
E. The File Download dialog pops up. Click Yes to download the file. Specify an appropriate name and path, such as C:\, to store the file in and click Save.
F. Copy this certificate file to your RMS, all of your Management servers and to the Gateway(s).

3. Obtain an OpsMgr Gateway Authentication certificate (from the template created in step 1) for the RMS, each Management server and Gateway server (one unique certificate for each, although the only difference will be the Subject Name and Friendly Name)

Note: walk through these steps to create a certificate for the RMS, each Management server, and each Gateway server. As each is created, ensure in steps F and H that the FQDN of the server for which the certificate is being created is used.

Note: disable IE Enhanced Security Configuration before attempting to request a cert with the process below. If you do not disable it the request will probably fail.

A. Open IE (run as administrator) and navigate to https://<certserver>/certsrv
B. Click Request a certificate.
C. Click advanced certificate request. If you do not see this option then you do not have sufficient rights to request the cert.
D. Click Create and submit a request to this CA. Note: to use the cert request form IE must be configured to Allow or Prompt for ActiveX controls and plug-ins. You may receive a warning at this point. If so, click Yes.

E. Drop down the Certificate Template dialog and choose the template created for OpsMgr Gateway Authentication.

F. In the Identifying Information For Offline Template section enter the FQDN of the Gateway in the Name field. No other information is needed.

G. In the Key Options section choose Microsoft RSA SChannel Cryptographic Provider and ensure the Mark keys as exportable box is checked.

H. In the Additional Options section enter the FQDN of the gateway server in the Friendly Name field and click Submit.
I. If you receive another warning click Yes.
J. On the Certificate Issued screen click Install this certificate.
K. The next screen should show a confirmation that the certificate was issued.

Note: if you do not get a success message here, check whether the Root CA cert is in the Trusted Root folder for the system you are working on.

4. All certificates issued in step 3 were imported into the user's personal certificate store. All of these must be exported to files. Steps A to F open the user's personal certificate store. Follow steps G to M for each certificate that was created.

A. Open an MMC (Start > Run, type MMC and click OK). If prompted by User Account Control click Yes.
B. Click File then Add/Remove Snap-in.
C. In the Add or Remove Snap-ins dialog click Certificates then click Add.
D. In the Certificates snap-in dialog leave the selection set to My user account and click Finish.
E. In the Add or Remove Snap-ins dialog click OK.
F. Expand Certificates - Current User > Personal > Certificates.
G. Right-click the certificate that was installed above and select Export.

H. On the Welcome screen click Next.
I. On the Export Private Key screen select Yes, export the private key and click Next.
J. In the Export File Format dialog Personal Information Exchange - PKCS #12 (.PFX) is selected. Check the boxes Include all certificates in the certification path if possible and Export all extended properties. Click Next.

K. In the Password dialog enter a strong password, confirm it, then click Next.
L. In the File to Export dialog enter a path and name, such as the FQDN of the server, then click Next.
M. In the Completing dialog click Finish. You should receive a dialog stating the export was successful.
N. Copy each certificate file to its respective server.

Before beginning step 5 be sure that the RMS, each Management server, and all Gateway servers have the exported CA certificate chain file (one common certificate file from step 2 above) and their unique OpsMgr Gateway Authentication certificate file (from step 3) on their local hard drive.

5. Import the CA certificate chain and the OpsMgr Gateway Authentication certificate

A. Log on to each server with administrator credentials.
B. Click Start > Run, type MMC and click OK. If prompted by User Account Control click Yes.
C. Click File then Add/Remove Snap-in.
D. In the Add or Remove Snap-ins dialog click Certificates then click Add.

E. In the Certificates snap-in dialog select Computer account and click Next.

F. In the Select Computer dialog leave the setting at Local Computer and click Finish. Then click OK to close the Add/Remove snap-in dialog.

G. Expand Certificates > Trusted Root Certification Authorities > Certificates.
H. Right-click Certificates and click All Tasks > Import.
I. On the Welcome dialog click Next.
J. On the File to Import dialog change the file type to PKCS #7 Certificates (*.spc, *.p7b). Browse to the CA certificate chain file you copied over and select it. Then click Open. Click Next.

K. On the Certificate Store dialog leave the default selection (Trusted Root Certification Authorities) and click Next.
L. On the Completing dialog click Finish. A dialog should pop up stating that the import was successful.
M. In the Certificates MMC right-click Personal > All Tasks > Import.
N. On the Welcome dialog click Next.
O. On the File to Import dialog change the file type to Personal Information Exchange. Browse to the OpsMgr Gateway Authentication certificate file you copied over and select it. Then click Open. Click Next.
P. On the Password dialog enter the password you gave the certificate when you exported it (step 4, K). Place a check beside Mark this key as exportable and Include all extended attributes and click Next.
Q. On the Certificate Store dialog leave the default setting for the certificate store (Personal) and click Next.
R. On the Completing screen click Finish. You should see a popup dialog indicating the import was successful.

6. Ensure TCP 5723 is open from the GW server to the Management server(s)

A. Telnet from the Gateway server to the management server(s) over port 5723:

telnet ms.local 5723

If the screen blanks with a cursor blinking in the upper left corner of the command prompt then the port is open.
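The following Windows PowerShell function is an added example, not part of the original document. It performs the same reachability test from the Gateway without the Telnet Client (which is not installed by default on Windows Server 2008 R2), applies a timeout so a silently dropped connection is reported rather than hanging the session, and distinguishes that case from an active refusal. The server names at the bottom are constructed placeholders.

```powershell
# Added example (not from the original document): test TCP 5723 from the Gateway
# to each Management server it will report to, with a bounded wait.
function Test-OpsMgrPort {
    param(
        [Parameter(Mandatory = $true)][string[]]$ManagementServer,
        [int]$Port = 5723,
        [int]$TimeoutMs = 3000
    )
    foreach ($ms in $ManagementServer) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false; $detail = ''
        try {
            # BeginConnect + WaitOne bounds the wait; a blocking Connect() can stall for
            # tens of seconds when a firewall drops the SYN instead of resetting it.
            $async = $client.BeginConnect($ms, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws on an active refusal (RST) or a name-resolution failure
                $open = $true; $detail = 'connected (equivalent to the blank telnet screen)'
            } else {
                $detail = "no response in $TimeoutMs ms: filtered by a firewall, or host down"
            }
        } catch {
            $detail = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Server = $ms; Port = $Port; Open = $open; Detail = $detail }
    }
}

# Constructed names: replace with the primary and failover Management servers from the introduction.
Test-OpsMgrPort -ManagementServer 'ms1.contoso.local', 'ms2.contoso.local' |
    Format-Table Server, Port, Open, Detail -AutoSize
```

A row with Open = False and a "no response" detail points at the firewall rule from the introduction rather than at the OpsMgr configuration.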

7. Install OpsMgr Gateway

A. Log onto the server you will be installing the OpsMgr Gateway software on.
B. Insert the OpsMgr media in the CD drive. When the splash screen comes up select Install Operations Manager 2007 R2 Gateway.
C. At the Welcome dialog click Next.
D. On the Destination Folder screen accept the default location and click Next.
E. On the Management Group Configuration dialog enter the Management Group Name and the Management Server (the server this Gateway will report health status to), and leave the Management Server Port at the default (5723). Click Next.
F. On the Gateway Action Account dialog select Local System and click Next.
G. On the Microsoft Update dialog select whatever is desired and click Next.
H. On the Ready to Install dialog click Install. When complete you should see a dialog indicating a successful install.
I. An additional install (Active Directory Management Pack Helper Object) will also occur automatically. When successful you must click Close to complete the install.
J. Exit the OpsMgr install splash screen.

8. Run the MOMCertImport utility on the RMS, all Management servers, and all Gateway servers.

A. Copy the MOMCertImport.exe utility from the OpsMgr installation media under SupportTools\<YourProcessorArchitecture> to a local folder on the Gateway server.
B. Open a command prompt (Run as administrator) and run the following command:

C:\MOMCertImport.exe /SubjectName <CertSubjectName>

where <CertSubjectName> is the subject name given to the cert when it was created (step 3, F). Note: this will be unique for each server.
C. Ensure the results indicate a successful installation.
D. Check the following registry path:

HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine

Ensure the REG_BINARY value ChannelCertificateSerialNumber is present. If not, be sure you are running the correct version of MOMCertImport for your platform type (x86 or x64).
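The following Windows PowerShell script is an added verification, not part of the original document. It reads ChannelCertificateSerialNumber from the Machine Settings key (the full name of the key abbreviated above), which holds the serial number with its bytes reversed, finds the matching certificate in the computer's Personal store, and checks that it meets the requirements from steps 1 and 3: subject CN equal to the server's FQDN, a private key, the Client Authentication and Server Authentication EKUs, and a chain that builds to a root trusted on this computer (step 5). The function names are this example's own.

```powershell
# Added example (not from the original document): confirm that the certificate
# MOMCertImport bound for the OpsMgr channel is the one this guide had you issue.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$requiredEku = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'   # Client Authentication, Server Authentication

function Get-OpsMgrChannelCertificate {
    # ChannelCertificateSerialNumber is REG_BINARY: the serial number with its
    # bytes in reverse order compared with what the Certificates MMC displays.
    $bytes = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ChannelCertificateSerialNumber
    if (-not $bytes) { throw 'ChannelCertificateSerialNumber is missing: MOMCertImport has not run, or the wrong platform build (x86/x64) was used.' }
    [Array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) { throw "Registry points at serial $serial but no such certificate is in LocalMachine\My." }
    $cert
}

function Test-OpsMgrChannelCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $problems = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "Subject CN is '$cn', expected the FQDN '$ExpectedFqdn'" }
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key: the .pfx was not imported into the computer store' }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    $present = @(); if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku) { if ($present -notcontains $oid) { $problems += "Missing Enhanced Key Usage $oid" } }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($Cert.NotAfter)" }
    # Build the chain against this computer's Trusted Root store. A RevocationStatusUnknown
    # entry means the CA's CRL distribution point is not reachable from this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation.Trim())" })
    }
    $problems
}

$cert = Get-OpsMgrChannelCertificate
$issues = @(Test-OpsMgrChannelCertificate -Cert $cert)
if ($issues.Count -eq 0) { "OK: '$($cert.Subject)' (serial $($cert.SerialNumber)) is bound for the OpsMgr channel." }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated Windows PowerShell session on each server after step 8; a "Missing Enhanced Key Usage" line means the template from step 1 was not the one used for the request.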

9. Approve the Gateway(s)

A. Log onto the Management server to which the Gateway(s) will report.
B. Open the OpsMgr Console.
C. Navigate to the Administration node and select Pending Management. Ensure that there is not an agent pending action for the Gateway you installed earlier. If one exists, click to select it and in the Actions pane on the right click Reject.
D. Open a command prompt (Run as administrator) and navigate to the installation directory of OpsMgr (<InstallationDrive>\Program Files\System Center Operations Manager 2007).
E. Run the following command:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /managementservername=<ManagementServer.FQDN> /gatewayname=<GatewayServer.FQDN> /action=create

F. Ensure a successful approval is indicated.

10. Set the primary and failover management servers for the new Gateway.

A. While still logged onto the management server which the new Gateway(s) will report to, open the Operations Manager Shell (click Start > Programs > System Center Operations Manager 2007 R2 > Operations Manager Shell).
B. Within the shell run the following command:

$GW = Get-ManagementServer | where {$_.DisplayName -eq "<GW FQDN>"}

C. Within the same shell window run the following command:

$primaryMS = Get-ManagementServer | where {$_.DisplayName -eq "<MS1 FQDN>"}

D. Within the same shell window run the following command:

$failoverMS = Get-ManagementServer | where {$_.DisplayName -eq "<MS2 FQDN>"}

E. Finally, within the same shell window run the following command (the failover parameter is -FailoverServer, with the leading hyphen):

Set-ManagementServer -PrimaryManagementServer $primaryMS -FailoverServer $failoverMS -GatewayManagementServer $GW

F. Ensure there are no errors after the final command is run.