SCOM Agent install on DMZ workgroup Server

Robert Groux 176 Reputation points
2021-10-29T19:30:18.997+00:00

We are running SCOM 2019 UR2. We have a Gateway Server set up in our DMZ. Currently we are monitoring 2 other servers just fine. I'm trying to add new servers to monitor and keep hitting a roadblock. Unfortunately, the person that set this up before me never documented the process, so I'm trying my best to piece things together.

Here are the steps that I'm doing. I'm hoping someone can figure out what I'm doing wrong.

  1. First I generate the request file by logging into the Management server that is domain joined, going to MMC > Certificates > Local Computer > Personal.
  2. Going to all tasks > advanced > Create new Request
  3. Proceed without enrollment policy
  4. Use defaults on the next page
  5. Details > Properties
  6. Under General tab I change the friendly name to servername
  7. Under Subject tab I fill out subject name and alternative name (image 1 is what it looks like)
  8. Under Extensions tab I keep everything default
  9. Under Private Key tab I go to the key options section and change the key size to 2048 and make private key exportable
  10. Once done I give the .req file to our security team; they burn the certs using a template that was used for the 2 previous DMZ server setups that work fine, which means this template should work fine.
  11. Security team provides .cer which I import into the management server.
  12. Once imported, I export the file as a PFX (image 2 is the options I select)
  13. I transfer this PFX file along with all ROOT and CA certs, and the MOMCertImport.exe to the new DMZ server that I want to monitor
  14. I install the PFX using MMC, and confirm all ROOT and CA certs are listed in the Trusted Root Certification Authorities
  15. Then I run MOMCertImport on the PFX file that I generated. (image 3 shows the output)

After doing all this I get a few errors in the event log. They are listed below.

Event ID 20069 - The specified certificate could not be loaded because the KeySpec must be AT_KEYEXCHANGE
Event ID 21007 - The OpsMgr Connector cannot create a mutually authenticated connection to gatewayservername because it is not in a trusted domain.
Event ID 21016 - OpsMgr was unable to set up a communications channel to gatewayservername and there are no failover hosts. Communication will resume when gatewayservername is available and communication from this computer is allowed.

If you need any other info let me know!
Image 1: 145101-image1.png

Image 2: 145073-image2.png

Image 3: 145102-image3.png


Accepted answer
  1. Robert Groux 176 Reputation points
    2021-11-01T14:36:18.683+00:00

    UPDATE.

    I ended up opening a ticket with Microsoft. Turns out the PFX I was exporting was missing the KeySpec value of 1. You can check this by running `certutil -v -store my`. Find your certificate and look for "KeySpec".

    Mine was showing as: KeySpec = 0 -- XCN_AT_NONE

    To fix this I ran the following using openssl:

    openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes

    openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem

    I then ran the MOMCertImport tool using this new PFX and all worked as expected.

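The check and the re-export from the accepted answer, as an added PowerShell script that is not part of the thread: it looks up the agent certificate in LocalMachine\My, reads the KeySpec line from `certutil -v -store my`, and only if the value is not 1 (AT_KEYEXCHANGE) runs the two `openssl pkcs12` commands to repack the PFX. The parameter names, the `Get-CertKeySpec` helper and the `.fixed.pfx` output name are assumptions; it also assumes `openssl.exe` is on PATH on the machine where it runs.

```powershell
# Added example (not from the thread): verify the SCOM agent certificate's KeySpec
# and, if it is not AT_KEYEXCHANGE (1), re-export the PFX through OpenSSL as in the
# accepted answer. Assumes openssl.exe is on PATH. Parameter names are assumptions.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # PFX exported from the management server
    [Parameter(Mandatory)] [string] $Subject,   # e.g. "CN=dmzserver01.example.local" (placeholder)
    [string] $FixedPfxPath = [IO.Path]::ChangeExtension($PfxPath, '.fixed.pfx')
)

function Get-CertKeySpec {
    param([string] $Thumbprint)
    # certutil -v -store my prints "KeySpec = 1 -- AT_KEYEXCHANGE" for a legacy CSP key
    # and "KeySpec = 0 -- XCN_AT_NONE" (the value seen in the thread) for a CNG key.
    $out = certutil -v -store my $Thumbprint 2>&1 | Out-String
    if ($out -match 'KeySpec\s*=\s*(\d+)') { return [int] $Matches[1] }
    return $null   # no private key bound to this cert, or unexpected output
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; import the PFX first" }

$keySpec = Get-CertKeySpec -Thumbprint $cert.Thumbprint
Write-Host "Thumbprint $($cert.Thumbprint): KeySpec = $keySpec"

if ($keySpec -eq 1) {
    Write-Host 'KeySpec is AT_KEYEXCHANGE; MOMCertImport should accept this PFX as-is.'
    return
}

# Re-export: unpack to an unencrypted PEM, then repack. The PFX written by OpenSSL
# lands in a CSP key container with KeySpec = AT_KEYEXCHANGE when imported.
$pem = [IO.Path]::ChangeExtension($PfxPath, '.tmp.pem')
$env:PFXPW = Read-Host 'PFX password'   # passed via env: so it is not visible on the command line
try {
    & openssl pkcs12 -in $PfxPath -out $pem -nodes -passin env:PFXPW
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 extract failed' }
    & openssl pkcs12 -export -in $pem -out $FixedPfxPath -passout env:PFXPW
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }
    Write-Host "Wrote $FixedPfxPath; import it with MOMCertImport.exe and re-check KeySpec."
}
finally {
    # The intermediate PEM holds the private key in clear text (-nodes); remove it.
    if (Test-Path $pem) { Remove-Item $pem -Force }
    Remove-Item Env:\PFXPW -ErrorAction SilentlyContinue
}
```

Run it on the DMZ server after the PFX has been imported into the Local Computer Personal store, since `certutil -store my` reads the installed key, not the file. If the repacked PFX is produced by OpenSSL 3.x and Windows refuses to import it, add `-legacy` to the `-export` command so it uses the older PKCS#12 encryption that Windows accepts.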

1 additional answer

  1. XinGuo-MSFT 22,231 Reputation points
    2021-11-01T07:46:59.697+00:00

    Hi,

    You can have a look at the following guides:

    How to install a monitor agent on a server in workgroup/domain in DMZ

    Monitoring non-domain members with OM 2012

    Monitoring untrusted servers using SCOM, a step-by-step guide

    The steps are the same with newer SCOM versions.

    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

