
Pete Zerger
MVP, Operations Manager; AKOS Technology Services

Ian Jirka
Principal Software Design Engineer, Microsoft Corporation

Session Overview

Concepts
- Gateway Server Role
- Key Use Scenarios
- Mutual Authentication & PKI

Implementation
- Configuration Walkthrough
- High Availability

Troubleshooting
- Gateway Scenarios

Q&A

Key Takeaways
- Function of the Gateway Server role
- When, where, why and how to use the Gateway
- Quick intro to mutual authentication and PKI
- High availability Gateway configuration
- How to identify and troubleshoot the configuration of the Gateway scenario

Concepts

New server role in Operations Manager 2007, designed for three (3) key scenarios:
- Consolidate points of egress from the DMZ
- Reduce the need for certificates across trust boundaries
- Reduce bandwidth utilization across WAN links

Minimize points of egress
[Diagram: agents in the perimeter network (workgroup) authenticate to the Gateway with certificates over TCP 5723; the Gateway authenticates to the management server in Domain A with Kerberos; fewer firewall rules are needed because the Gateway is the single point of egress]

Minimize use of certificates
[Diagram: Domain A and Domain B with no trust between them; agents in Domain B use Kerberos to their local Gateway, the Gateway uses certificate authentication over TCP 5723 to the management server in Domain A, which uses Kerberos internally; lower TCO because only the Gateway and management server need certificates, not every agent]

Bandwidth optimization
50% reduction in bandwidth utilization in internal Microsoft testing
[Diagram: Domain A and Domain B with a two-way trust, connected over a WAN link; Kerberos authentication is used end to end (agent to Gateway, Gateway to management server)]

Scalability and Performance
Factors in Gateway Server scalability and performance:
- Rate of operations data collection
- Number of agents reporting: 200 in RTM, increased to 800 in SP1
- Dedicated upstream Management Server
- Follow hardware sizing guidelines

Gateway Functionality Summary
- Essentially a specialized agent proxy
- Reports to an upstream management server
- Can function as an ACS Collector
- Should not function as the AEM server
- Licensed as a management server
- Don't exceed the 800-to-1 agent-to-Gateway ratio
- High Availability: can be configured to fail over to a secondary MS; redundant Gateways can be deployed

Mutual Authentication
Required in Operations Manager 2007. Two methods:
- Kerberos: requires Active Directory
- Certificate authentication
[Diagram: join handshake between downstream and upstream node: Update Topology, Request to Join (X = rejected), Ok, Update Topology]

Certificates and PKI
- Microsoft Public Key Infrastructure (PKI): stand-alone or enterprise CA; an enterprise CA will require a certificate template
- 3rd-party PKI: requires a certificate template


Certificate Requirements
- FQDN of the host in the Friendly Name field
- Host FQDN must match the FQDN on the certificate
- Enhanced Key Usage type: Other; OIDs 1.3.6.1.5.5.7.3.1 (Server Authentication) and 1.3.6.1.5.5.7.3.2 (Client Authentication)
- Certificates are registered on hosts with MOMCertImport
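Added example, not from the deck: a PowerShell check of every certificate in Local Computer\Personal against the requirements just listed (host FQDN in subject and friendly name, both EKU OIDs, a usable private key), with each finding mapped to the event IDs the deck lists under Troubleshooting. The function name is my own; it assumes PowerShell 2.0 or later and a CSP-based key, and the AT_KEYEXCHANGE (KeySpec 1) requirement is a known OpsMgr requirement that the slide only hints at via event 20069.

```powershell
function Test-OpsMgrCertificate {
    param(
        # FQDN the certificate must carry; defaults to this host's own FQDN
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    # Server Authentication and Client Authentication, the two EKU OIDs from the slide
    $requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Pull the CN out of the subject DN, e.g. "CN=gw.contoso.com, O=Contoso"
        $cn = (($cert.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } |
               Select-Object -First 1) -replace '^\s*CN=', ''
        # The Enhanced Key Usage extension (OID 2.5.29.37) lists the EKU OIDs
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $missingEku = @($requiredEku | Where-Object { $ekuOids -notcontains $_ })

        $problems = @()
        if ($cn -ne $ExpectedFqdn) { $problems += "subject CN '$cn' does not match host FQDN '$ExpectedFqdn'" }
        if ($cert.FriendlyName -ne $ExpectedFqdn) { $problems += 'friendly name is not the host FQDN' }
        if ($missingEku.Count -gt 0) { $problems += "missing EKU $($missingEku -join ', ') (see event 20050)" }
        if (-not $cert.HasPrivateKey) { $problems += 'no private key (see event 20068)' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
        try {
            # OpsMgr needs an AT_KEYEXCHANGE (KeySpec 1) key: KeyNumber 'Exchange' on a CSP key
            if ($cert.HasPrivateKey -and $cert.PrivateKey.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
                $problems += 'key is not AT_KEYEXCHANGE (see event 20069)'
            }
        } catch { $problems += "private key not readable: $($_.Exception.Message) (see event 20068)" }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            SubjectCN  = $cn
            Expires    = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Report for this host; pass -ExpectedFqdn to check a certificate issued for another host
Test-OpsMgrCertificate | Format-Table Usable, SubjectCN, Expires, Problems -AutoSize
```

Run it in an elevated PowerShell on the management server, Gateway and agent; a certificate with Usable set to False will not pass mutual authentication no matter what MOMCertImport reports.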

Certificate Authentication
Provides mutual authentication and encryption for environments where:
- Agents and server are in separate forests / domains with no two-way trust
- Agents are in workgroups

Managed with the MOMCertImport.exe tool

Mixed environment: a management server can service a subset of agents with certificate authentication and the rest of the agents with Kerberos authentication

Implementation

Implementation Outline
1. Install certificate services
2. Request, approve and install digital certificates
3. Approve the Gateway
4. Install the Gateway server role
5. Configure the Gateway for high availability (optional)
6. Install and configure agents

Install a Certification Authority

On Management Server and Gateway

Prepare Management Server for Gateway installation and communication

Run the Gateway installation and verify success

Configuring High Availability

Configure Agent and Gateway Failover (run in the Operations Manager Command Shell; the server names are the deck's examples)

# Get the primary management server
$primaryMS = Get-ManagementServer | where { $_.Name -eq 'mgmtsvr01.contoso.com' }

# Get the failover management server
$failoverMS = Get-ManagementServer | where { $_.Name -eq 'mgmtsvr02.contoso.com' }

# Get the Gateway management server
$gatewayMS = Get-ManagementServer | where { $_.Name -eq 'gwsv.remote.com' }

# Set the primary and failover MS for the Gateway
Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS

Agent installation will vary based on the situation
- Agent and Gateway in the same domain: use the wizard or AD integration
- Agent and Gateway located across trust boundaries: install a certificate (and run MOMCertImport)

Remember, a Gateway is never required

Troubleshooting

Events
Look for events in the Operations Manager event log
Common events:
- 20050: Enhanced key usage error (wrong OID)
- 21005: DNS resolution failed
- 21006: TCP connection failed (at the TCP level)
- 21007: Not in a trusted domain (means the remote domain doesn't have a full trust with this domain)
- 21008: Untrusted target (usually means an untrusted domain or failure to reach a DC)
- 21035: SPN registration failed; Kerberos authentication will not work

Events New in SP1
New events for SP1 in the Operations Manager event log
Common events:
- 20068: Certificate has an unusable private key or no private key
- 20069: Wrong type of certificate (KEY_SPEC)
- 20072: Remote certificate not trusted
- 20075: Unable to obtain subject or issuer from certificate
- 20076: Unable to obtain subject or issuer from remote certificate
- 20077: Certificate cannot be queried for property info

Name Resolution and Connectivity

Name Resolution
- Downstream node must resolve the upstream node by FQDN
- Gateway must resolve the FQDN of the MS
- Agent must resolve the FQDN of the Gateway
- Agent must resolve the FQDN of the MS (if no Gateway)

Network Connectivity
- Verify the Gateway Server can telnet to the management server on port 5723
- Verify agents can connect to the Gateway Server on port 5723

NOTE: If not using a Gateway Server, perform the same steps between the agent and the management server
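Added example, not from the deck, for the name resolution and connectivity checks above: run it on the downstream node to resolve the upstream FQDN and open TCP 5723 without depending on the telnet client. The function name is my own; it uses .NET classes so it runs on PowerShell 2.0, and the server names are the deck's example names.

```powershell
function Test-OpsMgrUpstream {
    param(
        [Parameter(Mandatory = $true)][string]$UpstreamFqdn,
        [int]$Port = 5723,        # OpsMgr agent/Gateway/MS channel port
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Upstream = $UpstreamFqdn; Resolved = $null; TcpOpen = $false; Detail = ''
    }
    # 1. Name resolution: the downstream node must resolve the upstream FQDN
    #    (DNS or a HOSTS entry; a failure here corresponds to event 21005)
    try {
        $entry = [System.Net.Dns]::GetHostEntry($UpstreamFqdn)
        $result.Resolved = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $result.Detail = "name resolution failed (compare event 21005): $($_.Exception.Message)"
        return $result
    }
    # 2. TCP connectivity on the channel port (a failure here corresponds to event 21006)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($UpstreamFqdn, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)      # throws if the connection was refused
            $result.TcpOpen = $true
            $result.Detail = "TCP $Port reachable"
        } else {
            $result.Detail = "TCP $Port timed out after ${TimeoutMs}ms; check firewall rules (compare event 21006)"
        }
    } catch {
        $result.Detail = "TCP $Port connection failed (compare event 21006): $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return $result
}

# Gateway -> management server, and agent -> Gateway (the deck's example names)
Test-OpsMgrUpstream -UpstreamFqdn 'mgmtsvr01.contoso.com'
Test-OpsMgrUpstream -UpstreamFqdn 'gwsv.remote.com'
```

A successful TCP connect only proves the path is open; certificate or Kerberos failures show up afterwards as the 200xx/210xx events listed above.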

Namespace Issues
If using non-routable namespaces across the Internet:
- Establish a site-to-site VPN tunnel, OR
- Use the HOSTS file on the Gateway to resolve the Management Server
[Diagram: ms.contoso.local and gtw.contoso.local reaching each other across the Internet]

Certificates
Verify certificates are present on the Gateway, MS and Agent. Perform these steps on the MS, Gateway and Agent:
- Verify the certificate exists in the following stores: Local Computer/Personal/Certificates (the host's own certificate) and Local Computer/Trusted Root Certification Authorities/Certificates (the issuing CA certificate)

Certificates (cont.)
- Verify MOMCertImport successfully wrote the certificate serial number to the registry. It is stored in:
  HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
- Compare it to the serial number on the certificate in the certificate store
- How to remove certificates imported with the MOMCertImport tool
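Added example, not part of the deck, for the registry check above: it reads ChannelCertificateSerialNumber and looks for a certificate in Local Computer\Personal with the same serial number. The value is REG_BINARY and MOMCertImport stores it in reverse byte order relative to the serial shown in the certificate UI, so both orders are compared; the function name is my own and PowerShell 2.0 or later is assumed.

```powershell
function Test-MomCertImportSerial {
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { return "registry key not found: $keyPath (OpsMgr agent/Gateway/MS not installed?)" }
    $bytes = $key.GetValue('ChannelCertificateSerialNumber')
    if (-not $bytes) { return 'ChannelCertificateSerialNumber not set: MOMCertImport has not been run here' }

    # Hex of the bytes as stored, plus the same bytes reversed (the order the
    # certificate UI and X509Certificate2.SerialNumber use)
    $asStored = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $copy = [byte[]]$bytes.Clone()
    [array]::Reverse($copy)
    $reversed = ($copy | ForEach-Object { $_.ToString('X2') }) -join ''

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $serial = $cert.SerialNumber.ToUpper()
        if ($serial -eq $asStored -or $serial -eq $reversed) {
            return New-Object PSObject -Property @{
                Match             = $true
                Thumbprint        = $cert.Thumbprint
                Subject           = $cert.Subject
                RegistrySerial    = $asStored
                CertificateSerial = $serial
                HasPrivateKey     = $cert.HasPrivateKey   # False here points at event 20068
            }
        }
    }
    # No certificate in Personal carries this serial: MOMCertImport was run against the
    # wrong certificate, or the certificate was removed or replaced after the import
    New-Object PSObject -Property @{ Match = $false; RegistrySerial = $asStored; CertificateSerial = $null }
}

Test-MomCertImportSerial | Format-List
```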

Q&A
