Gateway Server and PKI Scenarios in Operations Manager 2007
FYI - Updated document hyperlink for RTM, as only .pfx format is accepted by the momcertimport tool. (5/1/2007)

The Gateway Server role in Ops Mgr 2007 brings a new flexibility in monitoring distributed and untrusted environments. At the same time, I see that the certificate-based mutual authentication requirements that are inherent in untrusted scenarios are confusing to many people. Neale and I put an informal document together in the course of our testing. Topics in this document include:

- Function of the Gateway Server role in Operations Manager 2007
- The role of Public Key Infrastructure (PKI) in mutual authentication of Ops Mgr components
- Common deployment scenarios for the Gateway Server and certificate-based authorization
- How to utilize certificate-based authorization when Gateway Server deployment is not feasible
- Configuring the Gateway Server for High Availability (failover)

Kind of a big doc, so I put a couple of download locations out there.

Updated for RTM: http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/7885/Default.aspxp

Feedback on your experience is appreciated!
Comments on "Gateway Server and PKI Scenarios in Operations Manager 2007"
-
Kraftwerx said ... (8:33 AM) :
Thanks for publishing this.
One clarification between this doc and Ondrej's similar article is about cert auth when a GW server is not feasible.
I want to confirm that I can use cert-based auth between an agent and a Mgmt Server, not only the RMS as Ondrej mentioned.
I am working on a solution that will potentially require this to support NT4 domains. Lots of domains, very few legacy servers (Win2k) per domain.
Thanks, Erik
-
Pete Zerger said ... (4:25 PM) :
Certificate-based auth between an agent and an MS is very much possible, and was tested in the creation of this guide. Remember, mutual authentication is required whether agent-to-MS, MS-to-RMS, etc. Either Kerberos or certificate authentication are your options.
-
Anonymous said ... (6:28 AM) :
Hi,
I have two domains located in different places and no connection between the two. I am planning to install the MOM 2007 server in one domain and want to monitor computers in the other domain, where I will install the Gateway server. The connection between the MOM server and the Gateway server should be through the Internet. Is it possible, or is there any other way in this scenario? Can anyone explain the process step by step?
Thanks
-
Christof Wegh said ... (7:12 AM) :
Very useful document, however somehow I cannot request an "Other ..." certificate using OIDs on our CA server (Server 2003 R2 Enterprise Edition).
Can anyone point me out here?
-
Pete Zerger said ... (7:19 AM) :
Are you selecting "Advanced Certificate Request" on the opening screen at http://yourcaname/certsrv ?
-
Anonymous said ... (8:14 AM) :
Having got the two machines authenticating to each other, why does the agent constantly say "not monitored" now in the Operations Manager console? Any ideas?
Thanks!
-
Anonymous said ... (7:17 AM) :
Nice document. Steps provided for a machine in an untrusted domain to be added, but it is listed as not-monitored.
One difference is during cert import, where *.cer files were not allowed. Importing the cert as type *.pfx only was allowed.
How did you get the *.cer imported? By importing the cert as *.pfx, is it causing the machine to be un-monitored?
-
Pete Zerger said ... (8:12 AM) :
Note that you are working off the RC2 version of the document. See the updated guide at the URL below, or just go to systemcenterforum.org and search on "gateway".
http://systemcenterforum.org/wp-content/uploads/OpsMgr2007_Gateway_Config_v1.01.zip
-
Anonymous said ... (9:13 AM) :
What happens if the connection between the gateway and the management server fails? Will the data from agents be lost, or will the gateway or agents store the data till the connection is restored?
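Several comments above concern getting a usable certificate into momcertimport (the "Other..." request with OIDs, the .cer-versus-.pfx import, and the agent showing as not monitored afterwards). The following PowerShell check is an added example, not code from the post or the linked guide; it assumes the certificate requirements documented for OpsMgr 2007 (subject equals the computer FQDN, Server Authentication and Client Authentication EKUs, Digital Signature plus Key Encipherment key usage, an exportable private key), and the output path and password are placeholders.

```powershell
# Added example, not from the post or the linked guide. Assumes the documented OpsMgr 2007
# certificate requirements: subject = computer FQDN, Server + Client Authentication EKUs,
# Digital Signature + Key Encipherment, exportable private key. Path/password are placeholders.
param(
    [string]$PfxPath     = "C:\Temp\opsmgr-cert.pfx",   # placeholder output path
    [string]$PfxPassword = "CHANGE-ME"                  # placeholder export password
)
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU
$Fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

function Test-OpsMgrCertificate($cert) {
    $ekus = @(); $kuText = ""
    foreach ($ext in $cert.Extensions) {
        # Collect EKU OIDs and the Key Usage flags; missing extensions simply fail the checks below
        if ($ext.GetType().Name -eq "X509EnhancedKeyUsageExtension") { $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ext.GetType().Name -eq "X509KeyUsageExtension")         { $kuText = $ext.KeyUsages.ToString() }
    }
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Thumbprint         = $cert.Thumbprint
        SubjectIsFqdn      = ($dns -eq $Fqdn)
        HasServerAuth      = ($ekus -contains $ServerAuthOid)
        HasClientAuth      = ($ekus -contains $ClientAuthOid)
        HasSignAndEncipher = ($kuText -match "DigitalSignature") -and ($kuText -match "KeyEncipherment")
        HasPrivateKey      = $cert.HasPrivateKey
        InValidityPeriod   = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $results = @($store.Certificates | ForEach-Object { Test-OpsMgrCertificate $_ })
    $results | Format-Table Thumbprint, SubjectIsFqdn, HasServerAuth, HasClientAuth, HasSignAndEncipher, HasPrivateKey, InValidityPeriod -AutoSize
    # Export the first certificate that passes every check; momcertimport accepts only .pfx
    $good = $results | Where-Object { $_.SubjectIsFqdn -and $_.HasServerAuth -and $_.HasClientAuth -and
                                      $_.HasSignAndEncipher -and $_.HasPrivateKey -and $_.InValidityPeriod } | Select-Object -First 1
    if ($good) {
        $cert  = $store.Certificates | Where-Object { $_.Thumbprint -eq $good.Thumbprint } | Select-Object -First 1
        # Export throws if the private key was not marked exportable when the certificate was requested
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
        Write-Host "Exported $($good.Thumbprint) to $PfxPath - run momcertimport against this file."
    } else {
        Write-Warning "No certificate in LocalMachine\My meets all the OpsMgr 2007 mutual-authentication checks."
    }
} finally { $store.Close() }
```

Run it on the agent, gateway or management server whose certificate you are about to import; a row with any $false column explains a "not monitored" agent more often than the import step itself.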