Pete Zerger
MVP Operations Manager AKOS Technology Services
Ian Jirka
Principal Software Design Engineer Microsoft Corporation
Session Overview
Concepts: Gateway Server Role, Key Use Scenarios, Mutual Authentication & PKI
Implementation: Configuration Walkthrough, High Availability
Troubleshooting Gateway Scenarios
Q&A
Key Takeaways
Function of the Gateway Server Role
When, where, why and how to use the Gateway
Quick intro to mutual authentication and PKI
High availability Gateway configuration
How to identify and troubleshoot the configuration of the Gateway scenario
Concepts
New Server Role in Operations Manager 2007
Designed for three (3) key scenarios:
Consolidate points of egress from the DMZ
Reduce the need for certificates across trust boundaries
Reduce bandwidth utilization across WAN links
Minimize points of egress
[Diagram: a Management Server in Domain A receives Kerberos-authenticated traffic from domain agents, while a Gateway in the Perimeter Network (Workgroup) authenticates to it with certificates over TCP 5723. The firewall rules need only a single egress point from the perimeter.]
Minimize use of certificates
[Diagram: Domain A and Domain B with no trust between them. Agents in Domain B use Kerberos authentication to a Gateway in their own domain; only the Gateway needs a certificate, authenticating to the Management Server in Domain A over TCP 5723. Fewer certificates to issue and maintain lowers TCO.]
Bandwidth optimization
50% reduction in bandwidth utilization in internal Microsoft testing
[Diagram: Domain A and Domain B joined by a two-way trust over a WAN connection. Agents in Domain B report to a local Gateway, which forwards to the Management Server in Domain A; Kerberos authentication is used on every hop.]
Scalability and Performance
Factors in Gateway Server scalability and performance:
Rate of operations data collection
Number of agents reporting: 200 in RTM, increased to 800 in SP1
Dedicated upstream Management Server
Follow hardware sizing guidelines
Gateway Functionality Summary
Essentially a specialized agent proxy
Reports to an upstream management server
Can function as an ACS Collector
Should not function as an AEM Server
Licensed as a management server
Don't exceed the 800-to-1 agent-to-gateway ratio
High Availability
Can be configured to fail over to a secondary MS
Redundant Gateways can be deployed
Mutual Authentication
Required in Operations Manager 2007. Two methods:
Kerberos (requires Active Directory)
Certificate Authentication
[Diagram: a downstream node sends a Request to Join; the upstream server rejects it (X) until the node is approved, then acknowledges (Ok) and both sides exchange Update Topology messages.]
Certificates and PKI
Microsoft Public Key Infrastructure (PKI)
Stand-alone or enterprise CA; an enterprise CA will require a certificate template
3rd party PKI: requires a certificate template
Certificate Requirements
FQDN of the host in the Friendly Name field; the host FQDN must match the FQDN on the certificate
Type: Other; Enhanced Key Usage OIDs: [Link].[Link].1, [Link].[Link].2 (Server Authentication and Client Authentication)
Certificates are registered on hosts with MOMCertImport
Certificate Authentication
Provides mutual authentication and encryption for environments where:
Agents and server are in separate forests / domains with no two-way trust
Agents are in workgroups
Managed by the [Link] tool
Mixed environment:
A management server can service a subset of agents with Certificate Authentication and the rest of the agents with Kerberos Authentication
Implementation
Implementation Outline
1. Install certificate services
2. Request, approve and install digital certificates
3. Approve the Gateway
4. Install the Gateway server role
5. Configure the Gateway for high availability (optional)
6. Install and configure agents
Install a Certification Authority
Request, approve and install certificates on the Management Server and Gateway
Prepare the Management Server for Gateway installation and communication
Run the Gateway installation and verify success
Configuring High Availability
Configure Agent and Gateway Failover
# Run in the Operations Manager Command Shell (OpsMgr 2007 cmdlets loaded).
# Replace the three placeholders with the FQDNs of your servers.
# Get the primary management server
$primaryMS = Get-ManagementServer | Where-Object { $_.Name -eq '<primary MS FQDN>' }
# Get the failover management server
$failoverMS = Get-ManagementServer | Where-Object { $_.Name -eq '<failover MS FQDN>' }
# Get the gateway management server
$gatewayMS = Get-ManagementServer | Where-Object { $_.Name -eq '<gateway FQDN>' }
# Set the primary and failover MS for the gateway
Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
Agent installation will vary based on the situation
Agent and GW in the same domain: use the wizard or AD integration
Agent and GW located across trust boundaries: install a certificate on the agent (and run MOMCertImport)
Remember, a Gateway is never required; an agent across a trust boundary can authenticate directly to the management server with a certificate
Troubleshooting
Events
Look for events in the Operations Manager event log
Common events:
20050 Enhanced key usage error (wrong OID)
21005 DNS resolution failed
21006 TCP connection failed (at the TCP level)
21007 Not in a trusted domain (the remote domain doesn't have full trust with this domain)
21008 Untrusted target (usually means an untrusted domain or failure to reach a DC)
21035 SPN registration failed; Kerberos authentication will not work
Events New in SP1
New events for SP1 in the Operations Manager event log
Common events:
20068 Certificate has an unusable or missing private key
20069 Wrong type of certificate (KEY_SPEC)
20072 Remote certificate not trusted
20075 Unable to obtain subject or issuer from certificate
20076 Unable to obtain subject or issuer from remote certificate
20077 Certificate cannot be queried for property info
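The event IDs on the two slides above are what you look for first. The following script is an added example (not part of the original session) that pulls the recent OpsMgr Connector events from the local Operations Manager event log on the MS, Gateway or agent being diagnosed and annotates each one with the meaning from the slides. The log and source names are the ones Operations Manager 2007 uses; the event list is limited to the IDs the slides mention.

```powershell
# Added example: annotate recent OpsMgr Connector channel events with their meaning.
# Run on the node being diagnosed (MS, Gateway or agent).
$knownEvents = @{
    20050 = 'Enhanced key usage error (certificate has the wrong EKU OID)'
    20068 = 'Certificate has an unusable or missing private key'
    20069 = 'Wrong type of certificate (KEY_SPEC)'
    20072 = 'Remote certificate not trusted (issuing CA missing from Trusted Root CAs?)'
    20075 = 'Unable to obtain subject or issuer from local certificate'
    20076 = 'Unable to obtain subject or issuer from remote certificate'
    20077 = 'Certificate cannot be queried for property information'
    21005 = 'DNS resolution failed (check FQDN resolution or HOSTS file)'
    21006 = 'TCP connection failed (check firewall rules for TCP 5723)'
    21007 = 'Not in a trusted domain (no full trust between the domains)'
    21008 = 'Untrusted target (untrusted domain or DC unreachable)'
    21035 = 'SPN registration failed; Kerberos authentication will not work'
}

function Get-OpsMgrChannelEvents {
    param([int]$Newest = 200)   # how many recent connector events to inspect

    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest $Newest |
        Where-Object { $knownEvents.ContainsKey($_.EventID) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Meaning = $knownEvents[$_.EventID]
                Message = $_.Message
            }
        }
}

# Most recent problems last, so the current state of the channel is at the bottom
Get-OpsMgrChannelEvents | Sort-Object Time | Format-Table Time, EventID, Meaning -AutoSize
```

Certificate-related IDs (200xx) point at the PKI checks later in the deck; 21005 and 21006 point at the name resolution and connectivity checks. Run it on both ends of a failing channel, because the remote-certificate events (20072, 20076) are logged by the peer that rejected the connection, not by the node presenting the certificate.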
Name Resolution and Connectivity
Name Resolution
The downstream node must resolve the upstream node by FQDN:
The Gateway must resolve the FQDN of the MS
The Agent must resolve the FQDN of the Gateway
The Agent must resolve the FQDN of the MS (if there is no GW)
Network Connectivity
Verify the Gateway Server can telnet to the management server on port 5723
Verify Agents can connect to the Gateway Server on port 5723
NOTE: If not using a Gateway Server, perform the same steps between agent and management server
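Telnet answers the question in the slide, but it is often not installed on hardened perimeter hosts. The function below is an added example (not from the original session) that performs the same two checks from the downstream node: resolve the upstream FQDN (through DNS or the HOSTS file) and open a TCP connection to port 5723 with a timeout. The hostname in the usage line is a placeholder; the event IDs in the messages are the ones from the troubleshooting slides.

```powershell
# Added example: check FQDN resolution and TCP 5723 reachability from the downstream node
# (agent -> gateway, gateway -> MS, or agent -> MS when no gateway is used).
function Test-OpsMgrUpstream {
    param(
        [Parameter(Mandatory = $true)][string]$UpstreamFqdn,  # FQDN of the gateway or MS
        [int]$Port      = 5723,                                # OpsMgr channel port
        [int]$TimeoutMs = 5000
    )

    # Step 1: name resolution. Uses the same resolver path as the OpsMgr agent
    # (DNS, then the local HOSTS file), so a HOSTS entry on the gateway is honoured.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($UpstreamFqdn)
        $addresses = $entry.AddressList | ForEach-Object { $_.IPAddressToString }
        Write-Host ("Resolved {0} -> {1}" -f $UpstreamFqdn, ($addresses -join ', '))
    } catch {
        Write-Host ("FAIL: cannot resolve {0} (expect event 21005 on this node)" -f $UpstreamFqdn)
        return $false
    }

    # Step 2: TCP connect with a timeout, so a silently dropping firewall does not hang the check
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($UpstreamFqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            Write-Host ("FAIL: connect to {0}:{1} timed out (expect event 21006)" -f $UpstreamFqdn, $Port)
            return $false
        }
        $client.EndConnect($async)
        Write-Host ("OK: TCP {0}:{1} reachable" -f $UpstreamFqdn, $Port)
        return $true
    } catch {
        Write-Host ("FAIL: TCP {0}:{1} refused or unreachable (expect event 21006): {2}" -f `
            $UpstreamFqdn, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

# Usage (placeholder hostname): run on the agent against the gateway, then on the gateway against the MS
Test-OpsMgrUpstream -UpstreamFqdn 'gateway.example.com'
```

A successful TCP connect only proves the firewall rule and listener are in place; authentication failures (20050, 20072, 21007, 21008) show up afterwards in the event log and need the certificate checks that follow.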
Namespace Issues
If using non-routable namespaces across the Internet:
Establish a site-to-site VPN tunnel, OR
Use a HOSTS file on the Gateway to resolve the Management Server
[Diagram: a Gateway and a Management Server in different private namespaces connected across the Internet; the Gateway's HOSTS file maps the MS FQDN to its reachable address.]
Certificates
Verify certificates are present on the Gateway, MS and Agent
Perform these steps on the MS, Gateway and Agent
Verify the certificates exist in the following stores:
Local Computer/Personal/Certificates (the host's own certificate, with private key)
Local Computer/Trusted Root Certification Authorities/Certificates (the certificate of the issuing CA, so the peer's certificate chains to a trusted root)
Certificates (cont.)
Verify MOMCertImport successfully wrote the certificate serial number to the registry
Stored in:
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
Compare to the certificate serial number on the certificate in the certificate store (the registry value is REG_BINARY with the serial number bytes in reverse order)
How to remove certificates imported with the MOMCertImport tool
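The store and registry checks above can be done by hand in the Certificates MMC and regedit, but they are tedious to repeat on every agent. The script below is an added example (not part of the original session) that runs them on the local MS, Gateway or agent: it lists the Local Computer/Personal certificates, checks each one against the slide's requirements (subject and friendly name match the host FQDN, private key present, both Enhanced Key Usages, chain to a trusted root) and compares the serial number with the value MOMCertImport wrote to the registry. The two EKU OIDs are the standard Server Authentication and Client Authentication OIDs. The reversal of the registry bytes assumes MOMCertImport's REG_BINARY, little-endian storage of the serial number.

```powershell
# Added example: verify OpsMgr certificate prerequisites on the local node and compare the
# store serial number with the value MOMCertImport registered.
$regPath       = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-RegisteredSerialNumber {
    # Returns the hex serial number recorded by MOMCertImport, or $null if none is registered
    $bytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber `
                -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $null }
    [array]::Reverse($bytes)   # MOMCertImport stores the serial number in reverse byte order
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-OpsMgrCertificate {
    $fqdn       = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $registered = Get-RegisteredSerialNumber

    # Local Computer / Personal store
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $certs = @($store.Certificates)
    $store.Close()

    foreach ($cert in $certs) {
        # Collect the Enhanced Key Usage OIDs (event 20050 means the wrong ones are present)
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # Build the chain without revocation checking: a failure here means the issuing CA is
        # not in Trusted Root Certification Authorities, which the peer reports as event 20072
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainTrusted = $chain.Build($cert)

        New-Object PSObject -Property @{
            Subject            = $cert.Subject
            SubjectMatchesFqdn = ($cert.GetNameInfo('SimpleName', $false) -ieq $fqdn)
            FriendlyNameIsFqdn = ($cert.FriendlyName -ieq $fqdn)
            HasPrivateKey      = $cert.HasPrivateKey                  # $false -> event 20068
            ServerAuthEku      = ($ekuOids -contains $serverAuthOid)
            ClientAuthEku      = ($ekuOids -contains $clientAuthOid)
            ChainTrusted       = $chainTrusted
            SerialNumber       = $cert.SerialNumber
            RegisteredSerial   = $registered
            MatchesRegistry    = ($registered -ne $null -and $cert.SerialNumber -ieq $registered)
        }
    }
}

Test-OpsMgrCertificate | Format-List
```

Exactly one certificate should report MatchesRegistry as true together with every other check passing. A certificate that matches the registry but has HasPrivateKey false is the classic cause of event 20068 after a certificate was imported without its private key; a RegisteredSerial of $null means MOMCertImport was never run (or was run against a different store) on this node.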
Q&A