Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway

 


To make this document, I installed 3 test servers; the evaluation image of Windows Server 2008 R2 can be downloaded from the Microsoft site here: https://technet.microsoft.com/en-us/evalcenter/dd459137.aspx

This installation was done on a first-generation Core i7 laptop with a single SSD and 8 GB of memory. The ISO image and the three Hyper-V VMs all live on that one SSD, and installing all three at the same time while writing this document in Microsoft OneNote and Microsoft Word was not slow at all.

Windows 8 is great, and so is OneNote: Windows+S gives you a really nice integrated screenshot tool.

 

The setup will be as follows:

- OM12DC: Active Directory, including AD CS (Certificate Services) to issue the certificates for the gateway server and the management server. AD CS will be installed as an online Enterprise Root CA.

- OM12MS: management server, including Operations Manager Reporting, the Operational database and the Data Warehouse database

- OM12GW: a separate server in a workgroup. This one is the reason we need AD CS: a computer that is not a domain member cannot use Kerberos to authenticate to the management server, so the gateway and the management server have to authenticate each other with certificates instead.

This document is meant to further clarify the TechNet article Deploying a Gateway Server (https://technet.microsoft.com/en-us/library/hh456447.aspx), which in turn links to the explanation of the certificate requirements, Authentication and Data Encryption for Windows Computers (https://technet.microsoft.com/en-us/library/hh212810.aspx).

More about certificates can also be found here:

Win2008 Enterprise CA: https://technet.microsoft.com/en-us/library/dd362553.aspx

Win2008 Standalone CA: https://technet.microsoft.com/en-us/library/dd362655.aspx

 

After Windows Update has finished, install Active Directory Domain Services on the DC.

When AD DS is installed and configured, add the AD CS role, including the Certification Authority Web Enrollment role service: that is the website (/certsrv) we will use from the gateway to request certificates.

And the rest is NNF (Next-Next-Finish).

Create the certificate template that the gateway and the management server will use. In its Application Policies, remove the inherited policy (PKI in the screenshot) and add both Client Authentication and Server Authentication: the gateway and the management server authenticate each other mutually, so each side's certificate needs both enhanced key usages, and OpsMgr rejects a certificate that lacks either one.

The gateway server is not a domain member, so it does not trust the Enterprise CA by default: domain members receive the root certificate through Active Directory, and a workgroup machine does not.

That is why you first have to obtain the Root CA certificate from AD CS and install it in the gateway's Trusted Root Certification Authorities store.

In the Certificates MMC snap-in, add both My user account and Computer account; you'll need both anyway.

The Root CA certificate needs to be added to this list, the Trusted Root Certification Authorities of the Local Computer.

Open a web browser on the gateway server, and go to the CA Web service: https://OM12DC1/certsrv

Add the certsrv website to the Trusted Sites by going to internet options and under security choose Trusted Sites, and click on Sites to add this site.

Since the certsrv website uses ActiveX, change the security settings of the Trusted Sites zone so that ActiveX controls are allowed to run there.

Here we need to download the CA certificate chain.

If you don’t see these 2 popups, you need to enable ActiveX first.

The certificate is in the list now, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA.

Now we need to request a certificate for our gateway server: on the certsrv page choose Request a certificate, then Advanced certificate request, then Create and submit a request to this CA.

Select the template that was created earlier, and fill in the Name and Friendly Name fields with the name of your gateway server as Operations Manager will know it, which for a domain member is the FQDN. Since mine is in a workgroup, the NetBIOS name is sufficient. Also tick Mark keys as exportable, otherwise you cannot later move the certificate together with its private key to the computer store or export it to a .pfx file.

And now the certificate is issued, and the page offers to install it.

Done.

But wait a minute: installed, where?

The web enrollment ran under your user account, so the certificate landed in the Personal store of the current user. We need to authenticate the computer, and the Health Service runs as Local System, so the certificate, with its private key, has to be in the Personal store of the Local Computer.

Open the Certificates MMC and copy the certificate from the user's Personal store to the Local Computer's Personal store. Afterwards, check that the copy still has its private key (the General tab of the certificate says you have a private key that corresponds to this certificate); if it does not, export it from the user store including the private key as a .pfx file and import that file into the Local Computer's Personal store instead.

The certificate is now installed, and you can verify that everything is correct by opening the certificate and checking that the Certification Path tab shows the chain up to the Root CA without errors.

On the management server we also need a certificate. Since we have an Enterprise Root CA integrated with AD, its root certificate is already trusted by the management server, which is a domain member, so only the server certificate itself is needed there.

On a domain member we can also request the certificate another way: directly from the Certificates MMC (Local Computer, Personal, All Tasks, Request New Certificate).

Click Next, select the template we created earlier, and supply the extra information it asks for: the Common Name in the first box (OM12MS) and the FQDN in the bottom box, with type DNS.

Click Enroll to finish.

Now we're done with the certificates.
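Both certificate procedures above, the gateway's through the certsrv website and the management server's through the MMC, can also be done from the command line with certutil and certreq, which avoids Internet Explorer and ActiveX on the gateway and puts the key in the Local Computer store from the start. The following PowerShell script is an added example, not code from the original post or from Microsoft. It assumes that the Root CA certificate was exported on the DC with certutil -ca.cert and copied to C:\Certs on the workgroup machine, that the template created earlier is named OpsMgrGateway, and that the CA config string is OM12DC\OM12-RootCA; none of these names come from the page.

```powershell
# Added example, not from the original post or from Microsoft: the certificate
# steps of this walkthrough done with certutil/certreq instead of the certsrv
# website and the Certificates MMC. Run in an elevated PowerShell on the server
# that needs the certificate (the gateway or the management server).
# Assumptions, not taken from the page:
#   - the root CA certificate was exported on the DC with
#       certutil -ca.cert C:\Certs\OM12-RootCA.cer
#     and copied to C:\Certs on the workgroup machine;
#   - the template created earlier is called OpsMgrGateway;
#   - the CA config string is "OM12DC\OM12-RootCA" (see certutil -getconfig).

$CertDir      = 'C:\Certs'
$RootCaFile   = Join-Path $CertDir 'OM12-RootCA.cer'   # assumed file name
$TemplateName = 'OpsMgrGateway'                         # assumed template name
$CaConfig     = 'OM12DC\OM12-RootCA'                    # assumed CA config string

# Subject = the name Operations Manager knows the computer by: the FQDN for a
# domain member, the plain computer (NetBIOS) name for a workgroup member.
$cs = Get-WmiObject Win32_ComputerSystem
$Subject = if ($cs.PartOfDomain) { "$($cs.DNSHostName).$($cs.Domain)" } else { $cs.Name }

# 1. Trust the Enterprise Root CA. Domain members get it through AD; a workgroup
#    machine needs it put into the Local Computer Trusted Root store by hand.
if (-not $cs.PartOfDomain) {
    certutil -addstore -f Root $RootCaFile | Out-Null
}

# 2. Build the request. MachineKeySet puts the key in the Local Computer store,
#    so nothing has to be moved out of the user store afterwards. KeyUsage 0xA0
#    is Digital Signature + Key Encipherment; the two EKUs are Server
#    Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication
#    (1.3.6.1.5.5.7.3.2), both required for the mutual authentication between
#    gateway and management server. Exportable allows the .pfx for MOMCertImport.
$inf = @"
[NewRequest]
Subject = "CN=$Subject"
FriendlyName = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $TemplateName
"@
$infFile = Join-Path $CertDir "$Subject.inf"
$reqFile = Join-Path $CertDir "$Subject.req"
$cerFile = Join-Path $CertDir "$Subject.cer"
Set-Content -Path $infFile -Value $inf -Encoding ASCII
certreq -new $infFile $reqFile

# 3. Submit. A domain member can talk to the CA directly. A workgroup machine has
#    no credentials for the CA, so paste the .req into the certsrv page ("Submit a
#    certificate request by using a base-64-encoded CMC or PKCS #10 file"), save
#    the issued certificate as $cerFile and run the script again for step 4.
if ($cs.PartOfDomain) {
    certreq -submit -config $CaConfig $reqFile $cerFile
}
if (Test-Path $cerFile) {
    # 4. Accept: binds the issued certificate to the pending key in LocalMachine\My.
    certreq -accept $cerFile
}

# 5. Verify what the Health Service will find: the same check as the
#    Certification Path tab, plus the things the MMC does not show you.
function Test-OpsMgrCertificate {
    param([string]$SubjectName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "no certificate CN=$SubjectName in LocalMachine\My"; return $false }
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ku = if ($kuExt) { $kuExt.KeyUsages.ToString() } else { '' }
    $checks = @(
        @('private key present',          $cert.HasPrivateKey),
        @('EKU Server Authentication',    ($eku -contains '1.3.6.1.5.5.7.3.1')),
        @('EKU Client Authentication',    ($eku -contains '1.3.6.1.5.5.7.3.2')),
        @('KU Digital Signature',         ($ku -match 'DigitalSignature')),
        @('KU Key Encipherment',          ($ku -match 'KeyEncipherment')),
        @('chain builds to trusted root', $cert.Verify()),
        @('not expired',                  ($cert.NotAfter -gt (Get-Date)))
    )
    foreach ($c in $checks) { '{0,-30} {1}' -f $c[0], $c[1] }
    return (@($checks | Where-Object { -not $_[1] }).Count -eq 0)
}
Test-OpsMgrCertificate -SubjectName $Subject
```

Test-OpsMgrCertificate is also useful on its own, on a server where the certificate came in through the website or the MMC: a missing private key or a missing EKU is exactly what the Certification Path tab does not tell you, and either one keeps the gateway from ever connecting.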

Now we have to approve the gateway to be able to communicate with the management server.

Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and the corresponding Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config file from the SupportTools directory on your installation media (use the AMD64 folder on a 64-bit server) to the installation path of your OpsMgr installation, in my case C:\Program Files\System Center 2012\Operations Manager\Setup

1. Approve the gateway server: at an elevated command prompt on the management server, run Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create. The gateway name must be the same name you put in the gateway's certificate.

If the approval is successful, you will see The approval of server <GatewayFQDN> completed successfully.

Now you can install the gateway software by clicking the Gateway Management Server link in the setup splash screen

Setup reminds you that the gateway must be approved before it is installed. We did that in the previous step, so we can continue.

Give the management group name - this can be found in the title bar of the console on the management server - and the management server name

The port number can be changed if desired; 5723 is the default. Only this one TCP port needs to be open between the gateway and the management server, and that's the big advantage of a gateway server: the agents behind it talk to the gateway only, so the firewall between the two networks carries a single connection instead of one per agent.

Copy the MOMCertImport.exe tool to the gateway server, into the gateway installation path.

In my case, this is C:\Program Files\System Center Operations Manager\Gateway

Now the certificates have to be handed to the Health Service, and this is done on both servers. From the Certificates MMC, export the certificate that was issued for the server, including its private key, to a .pfx file, and import that file with MOMCertImport.exe from an elevated command prompt (MOMCertImport.exe <file>.pfx). Delete the .pfx afterwards; it contains the private key.

You'll get a message that the action succeeded, and you can check the result in the Operations Manager event log.

Do the same on the gateway server with the gateway's own certificate:
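The MOMCertImport step, scripted and then checked, as an added example that is not part of the original post. It assumes the tool has been copied to the installation directory named above ($ToolDir) and that the certificate subject equals the computer name used in the request; the /SubjectName switch is the tool's alternative to passing a .pfx file, and the registry value it writes is what the Health Service reads at start-up.

```powershell
# Added example, not from the original post: run MOMCertImport.exe and verify
# what it changed. Run elevated on the management server, then again on the
# gateway (each with its own certificate). Assumptions, not from the page: the
# tool sits in $ToolDir, and the certificate subject equals the computer name.

$ToolDir = 'C:\Program Files\System Center 2012\Operations Manager\Setup'   # on the gateway: its Gateway folder
$Subject = $env:COMPUTERNAME

# Two ways to hand the certificate to the tool: a .pfx exported from the MMC
# (MOMCertImport.exe <file>.pfx), or /SubjectName to pick the certificate that
# is already in LocalMachine\My. The second never writes the private key to
# disk, so prefer it when the certificate is already in the machine store.
& (Join-Path $ToolDir 'MOMCertImport.exe') /SubjectName $Subject

function Get-OpsMgrChannelCertificate {
    # MOMCertImport records the chosen certificate's serial number, bytes in
    # reverse order, in this REG_BINARY value; the Health Service reads it when
    # it starts. Resolving it back to a certificate shows what will really be used.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw   = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
    $bytes = [byte[]]$raw
    [Array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) {
        throw "registry points at serial $serial, but no certificate with that serial is in LocalMachine\My"
    }
    if (-not $cert.HasPrivateKey) {
        throw "certificate $($cert.Subject) has no private key in the machine store; import the .pfx again"
    }
    return $cert
}

$cert = Get-OpsMgrChannelCertificate
"Health Service will use $($cert.Subject), serial $($cert.SerialNumber), valid until $($cert.NotAfter)"

# The value is only read at start-up. After the restart, event 20053 from the
# OpsMgr Connector source confirms the certificate loaded; an Error from the same
# source means it did not, and its text says why.
Restart-Service HealthService
Start-Sleep -Seconds 10
Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 10 |
    Select-Object TimeGenerated, EntryType, EventID, Message | Format-Table -AutoSize -Wrap
```

Run it on the management server first and on the gateway second, exactly as the text above says; the check at the end is the quickest way to answer the question that comes up in the comments below, namely which server a given certificate was imported on.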

Troubleshooting:

If you get event 21006 (the OpsMgr Connector could not connect to the other server), make sure the firewalls on the gateway and/or on the management server are not blocking the port chosen during setup (5723 by default), and that each server can resolve the other's name.
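The two checks that settle a 21006, as an added example that is not part of the original post: a TCP connect to the port from each side, and the recent OpsMgr Connector errors, whose text distinguishes a refused connection from a timed-out one. It assumes the default port 5723 and the host names of this lab (OM12MS and OM12GW).

```powershell
# Added example, not from the original post: what to run when event 21006 shows
# up. Run it on the gateway (it tests the management server) and on the
# management server (it tests the gateway); the connection must work both ways.
# Assumptions, not from the page: the default port 5723 and this lab's host names.

function Test-OpsMgrPort {
    param([string]$ComputerName, [int]$Port = 5723, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout (Test-NetConnection does not exist on 2008 R2).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: a firewall is dropping the packets, or no route.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        # "Refused" throws here: the host is reachable but nothing listens on that port.
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-OpsMgrConnectorErrors {
    param([int]$Hours = 1)
    # 21006: the OpsMgr Connector could not connect to the peer. The message carries
    # the name:port it tried and the Winsock error, which separates "refused" (wrong
    # port, service not running) from "timed out" (firewall) and from a name that
    # did not resolve at all.
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 21006 -or $_.EntryType -eq 'Error' } |
        Select-Object TimeGenerated, EventID, Message
}

foreach ($peer in 'OM12MS', 'OM12GW') {
    if ($peer -eq $env:COMPUTERNAME) { continue }
    '{0}:5723 reachable from {1}: {2}' -f $peer, $env:COMPUTERNAME, (Test-OpsMgrPort -ComputerName $peer)
}
Get-OpsMgrConnectorErrors | Format-Table -AutoSize -Wrap

# If the port test fails and Windows Firewall is on, this inbound rule on the
# listening side opens the port the gateway setup page asked about:
#   netsh advfirewall firewall add rule name="OpsMgr 5723" dir=in action=allow protocol=TCP localport=5723
```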

Don't forget to enable Agent Proxy for the gateway, since it acts as a proxy for the agents that connect through it.

To check that it's working, open the Operations Manager console: the gateway should show up there.

HTH and a big thank you to my colleague Ingo for double-checking the certificate part!

/Danny

Comments

  • Anonymous
    January 01, 2003
    Hi Sonia, Have you tried this? social.technet.microsoft.com/.../microsoftenterprisemanagementgatewayapprovaltool-want-work

  • Anonymous
    January 01, 2003
    Hi Pete, Thanks for using my article :-) I asked for help from my colleagues, and I will get back to you as soon as I have an answer. /Danny

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    @Filip: In OM12 there is no RMS anymore :-) All OM12 Management Servers are equals now, they are all running the SDK+config service. The only difference is that one of the servers has a RMS emulator role, for backwards compatibility.

  • Anonymous
    January 01, 2003
    Thanks! :-)

  • Anonymous
    January 01, 2003
    thank you

  • Anonymous
    January 01, 2003
    Hi Danny, I resolved my issue - it was pretty simple, but odd.  I went into Control Panel -> System on the server and saw the CPU type was Intel so I grabbed the i386 version of the ApprovalTool and that worked.  So based on that I grabbed the i386 version of the MOMCertImport tool but that didn't work.  So just for grins and giggles I tried the AMD version of the MOMCertImport tool and that worked. Like I said - odd, but it is now working.  Great blog!

  • Anonymous
    January 01, 2003
    @Pete: That configuration is not supported. We support installing OM in Azure to monitor VMs in Azure or OM on premise monitoring VMs in Azure but not OM in Azure monitoring resources outside of Azure.

  • Anonymous
    January 01, 2003
    thank you

  • Anonymous
    January 01, 2003
    Thanks Geert - or should I say bedankt ;-)

  • Anonymous
    March 31, 2013
    I used your walkthrough to deploy my Gateway, but I am having some issues.  Here is a link to my thread in the Technet forums: social.technet.microsoft.com/.../f6d5ab3f-558a-451c-81db-c2f789129cee If you have a moment, would you mind taking a look and offering some advice? Thanks.

  • Anonymous
    April 22, 2013
    Hi Danny, Thank you for this article. Shouldn't I however also import a certificate on my RMS as well to allow the GW to communicate with my RMS? In 2007 this was the case if I'm not mistaken.. Many thanks Filip

  • Anonymous
    May 16, 2013
    Can you clarify the following: After the "In my case, this is C:\Program Files\System Center Operations Manager\Gateway" you document the Certificate Export Wizard:  What servers are you exporting the certificate from? You do this twice it seems. Thanks, Clark

  • Anonymous
    May 28, 2013
    Hi Danny, I followed your guide and all went well until I got to the MOMCertImport.  No matter what I try I just cannot get the command to work.  I just keep getting the Help output.

  • Anonymous
    July 08, 2013
    Thanks for this tutorial. When trying to add some new Windows 2012 machines to SCOM 2012 SP1 however I came across a particularly strange error with eventids 20070, 20071, 21016 and 36888. Got it sorted out though and I made the following article about it: geertbaeten.wordpress.com/.../scom-agent-or-gateway-certificate-issue

  • Anonymous
    August 18, 2013
    Hi all, I am running into a "Management server does not exist" error while running the gateway approval tool. Any comment or suggestion? Environment: 1 DC, 1 MS, 1 GW (workgroup). Running the approval tool on the MS server.

  • Anonymous
    September 03, 2013
    It is a really great post. We are just looking for the RSS feed.

  • Anonymous
    November 07, 2013
    Thank you for this article. One additional step was needed for me for the gateway to run properly: to import the certificate into the management server too, using the MOMCertImport.exe tool.

  • Anonymous
    December 18, 2013
    Awesome post Danny....

  • Anonymous
    March 10, 2014
    Perfect thanks

  • Anonymous
    February 12, 2015
    This is a post I wrote in 2012, and since it has been helpful for a lot of people this is the link:

  • Anonymous
    October 26, 2016
    The comment has been removed