Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway
To make this document, I installed 3 test servers; the evaluation image of Windows Server 2008 R2 can be downloaded from the Microsoft site here: https://technet.microsoft.com/en-us/evalcenter/dd459137.aspx
This installation was done on a generation 1 Core i7 portable with 1 SSD drive and 8GB of memory. The ISO image and the 3 Hyper-V VMs are on that 1 SSD drive. All three were installing at the same time while I had Microsoft OneNote and Microsoft Word open to write this document – it’s not slow at all!
Windows 8 is great!!!
And so is OneNote – Windows+S gives you a really nice integrated screenshotting tool!
The setup will be as follows:
- OM12DC: Active Directory, including AD CS (Certificate Services) to generate the certificates for the gateway server. AD CS will be installed as an online enterprise root CA.
- OM12MS: management server, including Operations Manager Reporting, the Operational database and the Data Warehouse database
- OM12GW: a separate server in a workgroup. This one is the reason we need to have AD CS.
This document is meant to further clarify the TechNet article "Deploying a gateway server" (https://technet.microsoft.com/en-us/library/hh456447.aspx), which links to a further explanation, "Authentication and Data Encryption for Windows Computers" (https://technet.microsoft.com/en-us/library/hh212810.aspx).
More about certificates can also be found here:
Win2008 Enterprise CA: https://technet.microsoft.com/en-us/library/dd362553.aspx
Win2008 Standalone CA: https://technet.microsoft.com/en-us/library/dd362655.aspx
After the Windows Update process is finished, you can start installing Active Directory on the DC.
When you have installed and configured AD DS, add the AD CS role + the web site to request certificates.
And the rest is NNF (Next-Next-Finish).
In the certificate template's Application Policies, remove the existing PKI policy and add Client Authentication and Server Authentication.
The GW server, the one that is not in the domain, does not trust the Enterprise CA by default.
That’s why you first have to get and install the Root CA certificate from the AD CS.
In the Certificates MMC snap-in, add both My user account and Computer account – you’ll need both anyway.
The certificate from the Root CA needs to be added to this list (the Trusted Root Certification Authorities store of the local computer).
Open a web browser on the gateway server, and go to the CA Web service: https://OM12DC1/certsrv
Add the certsrv website to the Trusted Sites by going to internet options and under security choose Trusted Sites, and click on Sites to add this site.
Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.
Here we need to request the CA chain
If you don’t see these 2 popups, you need to enable ActiveX first.
The certificate is in the list now, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA.
Now we need to request a certificate for our gateway server: choose Advanced request, then Create and submit.
Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.
Since mine is in a workgroup, the NetBIOS name is sufficient.
And now the certificate is generated and we can install it
Done
But wait a minute… Installed, where???
We need to authenticate the computer, but the web enrollment imported the certificate into the user's personal certificate store.
So we need to open the Certificates MMC and copy the certificate from the user's personal store to the local computer's personal store.
The certificate is now installed, and you can verify everything is installed correctly by opening the certificate and checking that the certification path is OK.
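The two steps above (moving the certificate into the local computer's Personal store, then checking that it is usable) can be done and verified from PowerShell. The script below is an added example and not part of the original post or of Operations Manager itself; it assumes the certificate's subject CN is the gateway's computer name, that the key was marked exportable at request time, and the PFX password is a constructed throwaway value used only for the in-memory export. The EKU checks use the Client Authentication and Server Authentication policies the template was given earlier.

```powershell
# Added example (not from the original post): copy the gateway certificate from the
# current user's Personal store to the local computer's Personal store, then check
# that it has what the Health Service needs: a private key, Client and Server
# Authentication EKUs, a subject that matches the host name, and a chain that
# builds up to the (now trusted) Enterprise Root CA. Run elevated on the gateway.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication

function Copy-CertToMachineStore {
    param([Parameter(Mandatory=$true)][string]$SubjectName)   # e.g. 'OM12GW' (assumed name)

    $user = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $user.Open('ReadOnly')
    $cert = $user.Certificates | Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } | Select-Object -First 1
    $user.Close()
    if (-not $cert) { throw "No certificate with a private key for CN=$SubjectName in CurrentUser\My" }

    # Export with the private key and re-import with MachineKeySet so the key
    # lands in the computer's key container instead of the user's profile.
    $tempPwd = 'temp-export-only'   # constructed throwaway value, never persisted
    try {
        $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $tempPwd)
    } catch {
        throw "Private key is not exportable; request the certificate again with 'Mark keys as exportable' selected. ($_)"
    }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $machineCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $tempPwd, $flags)

    $machine = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $machine.Open('ReadWrite')
    $machine.Add($machineCert)
    $machine.Close()
    return $machineCert.Thumbprint
}

function Test-OpsMgrCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in LocalMachine\My" }

    # Enhanced Key Usage: both OIDs must be present for mutual authentication.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject CN must match the name the gateway presents (NetBIOS name in a workgroup, FQDN otherwise).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $fqdn = $env:COMPUTERNAME
    try { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { }

    # Build the chain against the local trust stores; revocation is skipped so the
    # check also works before the CA's CRL location is reachable from the workgroup host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $result = New-Object PSObject -Property @{
        Thumbprint         = $cert.Thumbprint
        SubjectCN          = $cn
        HasPrivateKey      = $cert.HasPrivateKey
        HasClientAuth      = ($ekus -contains $ClientAuthOid)
        HasServerAuth      = ($ekus -contains $ServerAuthOid)
        SubjectMatchesHost = (($cn -ieq $env:COMPUTERNAME) -or ($cn -ieq $fqdn))
        ChainBuilds        = $chainOk
        ChainStatus        = $chainStatus
    }
    $passed = $result.HasPrivateKey -and $result.HasClientAuth -and $result.HasServerAuth -and $result.SubjectMatchesHost -and $result.ChainBuilds
    $result | Add-Member -MemberType NoteProperty -Name Passed -Value $passed -PassThru
}

# Usage (elevated, on the gateway server):
#   $tp = Copy-CertToMachineStore -SubjectName $env:COMPUTERNAME
#   Test-OpsMgrCertificate -Thumbprint $tp | Format-List
```

If ChainBuilds is false, ChainStatus names the reason (for instance UntrustedRoot means the Root CA certificate from the certsrv page was not imported into the local computer's trusted roots), which is quicker than reading the Certification Path tab by hand.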
On the Management Server, we also need to install a certificate. Since we have an Enterprise Root CA, integrated with AD, the root CA certificate is already trusted by our MS, which is a domain member.
We can also request certificates in another way: we can request a new certificate from our CA directly from the MMC.
Click next
Select the certificate template that we created earlier.
The extra information needed is the Common Name (OM12MS) in the Subject name box at the top, and the FQDN as a DNS entry in the Alternative name box at the bottom.
And click Enroll to finish this
NOW we’re done
Now we have to approve the gateway to be able to communicate with the management server.
Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and the corresponding Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG file from the support tools directory on your installation media to the installation path of your OpsMgr installation, in my case that’s C:\Program Files\System Center 2012\Operations Manager\Setup
Approve the gateway server: at the command prompt, run Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
If the approval is successful, you will see "The approval of server <GatewayFQDN> completed successfully."
Now you can install the gateway software by clicking the Gateway Management Server link in the setup splash screen
We did this, so we can continue the setup
Enter the management group name (this can be found in the title bar of the console on the management server) and the management server name.
The port number can be changed if desired. Only this one port needs to be open on the firewall; that’s the big advantage of using a gateway server!
Copy the MOMCertImport.exe tool to the gateway server, into the gateway installation path.
In my case, this is C:\Program Files\System Center Operations Manager\Gateway
Export
You’ll get a message that the action succeeded, and you can check progress in the Operations Manager event log.
Do the same for the gateway server:
Troubleshooting:
If you get event 21006, make sure the firewalls on the gateway and/or on the management server are not blocking communication
Don’t forget to enable Agent Proxy for the gateway, as it will act as a proxy for the other systems that connect through the gateway server!
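For the event 21006 case above, the two things to establish first are whether the gateway can reach the management server on the Health Service port at all, and whether the Operations Manager event log is still recording failures. The script below is an added example in PowerShell, not part of the original post or a Microsoft tool; it assumes 5723 as the default port (the walkthrough leaves the port at its default), uses OM12MS from the walkthrough as a placeholder for the management server's FQDN, and looks for 21006 from the troubleshooting note plus the 20070/20071/21016 certificate-related IDs that a reader reported in the comments. It uses a raw TCP connect rather than Test-NetConnection so it also runs on Windows Server 2008 R2.

```powershell
# Added example (not from the original post): first-line checks for a gateway that
# cannot talk to the management server. Run on the gateway server.

function Test-OpsMgrPort {
    param(
        [Parameter(Mandatory=$true)][string]$ManagementServer,   # FQDN of the management server
        [int]$Port = 5723,                                        # assumed default Health Service port
        [int]$TimeoutMs = 3000
    )
    # Plain TCP connect with a timeout; a failure here is a firewall, routing or
    # name resolution problem, not a certificate problem.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
        $connected = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($connected) { $client.EndConnect($async) }
        return [bool]($connected -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-OpsMgrConnectionEvents {
    param([int]$Hours = 24)
    # 21006: management server unreachable (from the troubleshooting note above).
    # 20070/20071/21016: certificate/authentication failures reported in the comments.
    $ids = 21006, 20070, 20071, 21016
    $since = (Get-Date).AddHours(-$Hours)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = $ids; StartTime = $since } -ErrorAction Stop |
            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r`n", ' ' } }
    } catch {
        # Get-WinEvent raises an error when nothing matches; for this check that is the healthy case.
        @()
    }
}

function Test-GatewayConnectivity {
    param(
        [Parameter(Mandatory=$true)][string]$ManagementServer,
        [int]$Port = 5723
    )
    $portOpen = Test-OpsMgrPort -ManagementServer $ManagementServer -Port $Port
    $events = @(Get-OpsMgrConnectionEvents)
    $hint = 'No recent failure events and the port is reachable.'
    if (-not $portOpen) {
        $hint = "TCP $Port to $ManagementServer is blocked or the name does not resolve; check the firewalls on both sides."
    } elseif ($events.Count -gt 0) {
        $hint = 'Port is reachable but the Health Service still logs failures; re-check the certificate import and the gateway approval.'
    }
    New-Object PSObject -Property @{
        ManagementServer    = $ManagementServer
        Port                = $Port
        PortReachable       = $portOpen
        RecentFailureEvents = $events.Count
        Hint                = $hint
    }
}

# Usage (replace OM12MS with the management server's FQDN from your environment):
#   Test-GatewayConnectivity -ManagementServer 'OM12MS' | Format-List
#   Get-OpsMgrConnectionEvents | Format-Table -AutoSize
```

Running the same Test-OpsMgrPort call from the management server against the gateway name is worth doing too, since the approval tool and the console both need to resolve and reach the gateway by the name used in the certificate.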
To check if it’s working, go to the Operations Manager Console – you should see something similar to this!!
HTH and a big thank you to my colleague Ingo for double-checking the certificate part!
/Danny
Comments
Anonymous
January 01, 2003
Hi Sonia, Have you tried this? social.technet.microsoft.com/.../microsoftenterprisemanagementgatewayapprovaltool-want-work

Anonymous
January 01, 2003
Hi Pete, Thanks for using my article :-) I asked for help from my colleagues, and I will get back to you as soon as I have an answer. /Danny

Anonymous
January 01, 2003
The comment has been removed

Anonymous
January 01, 2003
@Filip: In OM12 there is no RMS anymore :-) All OM12 Management Servers are equal now; they are all running the SDK+config service. The only difference is that one of the servers has an RMS emulator role, for backwards compatibility.

Anonymous
January 01, 2003
Thanks! :-)

Anonymous
January 01, 2003
thank you

Anonymous
January 01, 2003
Hi Danny, I resolved my issue - it was pretty simple, but odd. I went into Control Panel -> System on the server and saw the CPU type was Intel so I grabbed the i386 version of the ApprovalTool and that worked. So based on that I grabbed the i386 version of the MOMCertImport tool but that didn't work. So just for grins and giggles I tried the AMD version of the MOMCertImport tool and that worked. Like I said - odd, but it is now working. Great blog!

Anonymous
January 01, 2003
@Pete: That configuration is not supported. We support installing OM in Azure to monitor VMs in Azure or OM on premise monitoring VMs in Azure, but not OM in Azure monitoring resources outside of Azure.

Anonymous
January 01, 2003
thank you

Anonymous
January 01, 2003
Thanks Geert - or should I say bedankt ;-)

Anonymous
March 31, 2013
I used your walkthrough to deploy my Gateway, but I am having some issues. Here is a link to my thread in the Technet forums: social.technet.microsoft.com/.../f6d5ab3f-558a-451c-81db-c2f789129cee If you have a moment, would you mind taking a look and offering some advice? Thanks.

Anonymous
April 22, 2013
Hi Danny, Thank you for this article. Shouldn't I however also import a certificate on my RMS as well to allow the GW to communicate with my RMS? In 2007 this was the case if I'm not mistaken. Many thanks, Filip

Anonymous
May 16, 2013
Can you clarify the following: After the "In my case, this is C:\Program Files\System Center Operations Manager\Gateway" you document the Certificate Export Wizard: What servers are you exporting the certificate from? You do this twice it seems. Thanks, Clark

Anonymous
May 28, 2013
Hi Danny, I followed your guide and all went well until I got to the MOMCertImport. No matter what I try I just cannot get the command to work. I just keep getting the Help output.

Anonymous
July 08, 2013
Thanks for this tutorial. When trying to add some new Windows 2012 machines to SCOM 2012 SP1 however I came across a particularly strange error with event IDs 20070, 20071, 21016 and 36888. Got it sorted out though and I made the following article about it: geertbaeten.wordpress.com/.../scom-agent-or-gateway-certificate-issue

Anonymous
August 18, 2013
Hi all, I am running into a "Management server does not exist" error while running the gateway approval tool. Any comment or suggestion? Environment: 1 DC, 1 MS, 1 GW (Workgroup). Running the approval tool on the MS server.

Anonymous
September 03, 2013
It is a really great post. We are just looking for the RSS feed.

Anonymous
November 07, 2013
Thank you for this article. One additional step was needed for me for the gateway to run properly: importing the certificate into the Management Server too, using the MOMCertImport.exe tool.

Anonymous
December 18, 2013
Awesome post Danny....

Anonymous
March 10, 2014
Perfect thanks

Anonymous
February 12, 2015
This is a post I wrote in 2012, and since it has been helpful for a lot of people this is the link:

Anonymous
October 26, 2016
The comment has been removed