SCOM - GATEWAY Session

Post on 23-Feb-2015


Transcript of SCOM - GATEWAY Session

Pete Zerger, MVP – Operations Manager, AKOS Technology Services

Ian Jirka, Principal Software Design Engineer, Microsoft Corporation

Session Overview

Concepts: Gateway Server Role

Key Use Scenarios

Mutual Authentication & PKI

Implementation: Configuration Walkthrough

High Availability

Troubleshooting Gateway Scenarios

Q & A

Key Takeaways

Function of the Gateway Server Role

When, where and why and how to use the Gateway

Quick intro to mutual authentication and PKI

High availability Gateway configuration

How to ID and troubleshoot the configuration of the Gateway scenario

Concepts

New Server Role in Operations Manager 2007

Designed for three (3) key scenarios:

Consolidate points of egress from DMZ

Reduce need for certificates across trust boundaries

Reduce bandwidth utilization across WAN links

Minimize points of egress

Diagram: Domain A (Management Server, Kerberos authentication) on one side of the firewall and a Perimeter Network (workgroup agents, certificate authentication) on the other. Agents authenticate to the Gateway with certificates; the Gateway authenticates to the Management Server with Kerberos over TCP 5723, so the firewall rules (security) cover a single point of egress.

Minimize use of certificates

Diagram: Domain A and Domain B with no trust between them. The Gateway in Domain B authenticates to the Management Server in Domain A with a certificate over TCP 5723; the agents in Domain B authenticate to the Gateway with Kerberos. Only the Gateway link needs certificates (slide labels: Certificate Auth, No Trust, Kerberos Auth, TCO).

Bandwidth optimization

Diagram: Domain A and Domain B joined by a 2-way trust across a WAN connection; Kerberos authentication on every hop, with the Gateway in Domain B consolidating agent traffic over the WAN link.

50% reduction in bandwidth utilization in internal Microsoft testing

Scalability and Performance

Factors in Gateway Server scalability and performance:

Rate of operations data collection

Number of agents reporting: 200 in RTM, increased to 800 in SP1

Dedicated upstream Management Server

Follow hardware sizing guidelines

Gateway Functionality Summary

Essentially a specialized agent proxy

Reports to upstream management server

Can function as an ACS (Audit Collection Services) Collector

Should not function as an AEM (Agentless Exception Monitoring) Server

Licensed as a management server

Don’t exceed the 800-to-1 agent-to-gateway ratio

High Availability

Can be configured to failover to secondary MS

Redundant Gateways can be deployed

Mutual Authentication

Required in Operations Manager 2007

Two methods:

Kerberos – requires Active Directory

Certificate Authentication

Diagram: a Request to Join is either rejected (X) or accepted (Ok); an accepted join is followed by Update Topology.

Certificates and PKI

Microsoft Public Key Infrastructure (PKI): stand-alone or enterprise CA

Enterprise CA will require a certificate template

3rd-party PKI: requires a certificate template

Certificate requirements:

FQDN of host in Friendly Name field

Host FQDN must match FQDN on certificate

Type: Other

OID: 1.3.6.1.5.5.7.3.1 (Server Authentication), 1.3.6.1.5.5.7.3.2 (Client Authentication) – both Enhanced Key Usage values are required

Certificates registered on hosts with MOMCertImport

Certificate Authentication

Provides mutual authentication and encryption for environments where:

Agents and server are in separate forests / domains with no 2-way trust

Agents are in workgroups

Managed by the MOMCertImport.exe tool

Mixed environment: A management server can service a subset of agents with Certificate Authentication and the rest of the agents with Kerberos Authentication
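The following PowerShell is an added example, not code from the session deck: it checks a certificate in the Local Computer\Personal store against the requirements listed above before MOMCertImport is run, so that the 20050/20068/20069 class of failures is caught on the host rather than in the event log. It assumes the certificate carries the host FQDN in its Subject CN, that the host FQDN is taken from DNS, and that the private key is a CAPI (CSP) key so that KeySpec can be read; all names in the usage section are placeholders.

```powershell
# Added example (not part of the deck). Checks an OpsMgr certificate against the
# slide's requirements: FQDN match, both EKU OIDs, usable private key,
# KeySpec = AT_KEYEXCHANGE, chain to a trusted root, current validity.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ScomCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Assumption: the host FQDN is what DNS returns for this machine.
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The Subject CN must be the host FQDN (assumption: CN is the name the agent presents).
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedFqdn) { $findings.Add("Subject CN '$cn' does not match host FQDN '$ExpectedFqdn'") }

    # 2. Enhanced Key Usage must contain BOTH server and client authentication (event 20050 otherwise).
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in @($ServerAuthOid, $ClientAuthOid)) {
        if ($ekuOids -notcontains $oid) { $findings.Add("Missing Enhanced Key Usage OID $oid") }
    }

    # 3. A private key must exist and be readable by this account (event 20068 otherwise).
    if (-not $Certificate.HasPrivateKey) {
        $findings.Add('No private key is associated with the certificate')
    } else {
        try {
            $key = $Certificate.PrivateKey
            if ($key -eq $null) {
                $findings.Add('Private key exists but is not accessible (permissions or non-CSP key)')
            # 4. KeySpec must be AT_KEYEXCHANGE (event 20069 reports a KEY_SPEC mismatch).
            } elseif ($key.CspKeyContainerInfo.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $findings.Add("KeySpec is $($key.CspKeyContainerInfo.KeyNumber); expected Exchange (AT_KEYEXCHANGE)")
            }
        } catch { $findings.Add("Private key could not be opened: $($_.Exception.Message)") }
    }

    # 5. The chain must build to a root present in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Chain does not build to a trusted root: $status")
    }

    # 6. Validity window.
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $findings.Add("Not valid now (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Usable     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: test every Local Computer\Personal certificate issued to this host's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fqdn } |
    ForEach-Object { Test-ScomCertificate -Certificate $_ -ExpectedFqdn $fqdn } |
    Format-List
```

Run it on the Management Server, the Gateway and each certificate-authenticated agent; a certificate with an empty Findings list is the one to hand to MOMCertImport.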

Implementation

Implementation Outline

1. Install certificate services

2. Request, approve and install digital certificates

3. Approve the Gateway

4. Install the Gateway server role

5. Configure the Gateway for high availability (optional)

6. Install and configure agents

Configuration Walkthrough

Install a Certification Authority

Request, approve and install certificates on the Management Server and Gateway

Prepare the Management Server for Gateway installation and communication

Run the Gateway installation and verify success

Configuring High Availability

Configure Agent and Gateway Failover

# Get the primary Management Server
$primaryMS = Get-ManagementServer | where {$_.Name -eq 'mgmtsvr01.contoso.com'}

# Get the failover Management Server
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'mgmtsvr02.contoso.com'}

# Get the Gateway Management Server
$gatewayMS = Get-ManagementServer | where {$_.Name -eq 'gwsv.remote.com'}

# Set the primary and failover MS for the gateway
Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
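The deck's snippet covers the gateway's own failover to a second Management Server. The block below is an added example, not from the deck, for the other half of the slide title (agent failover): it assigns every agent in a remote namespace to a gateway with a redundant gateway as failover, then reads the assignment back. It assumes placeholder server names, that the Operations Manager 2007 Command Shell cmdlets (Get-ManagementServer, Get-Agent, Set-ManagementServer) are loaded, that -AgentManagedComputer is the Set-ManagementServer parameter for agent failover, and that GetPrimaryManagementServer() / GetFailoverManagementServers() are available on the agent object.

```powershell
# Added example (not part of the deck): agents behind a remote gateway get a
# second, redundant gateway as their failover.
# Assumed names; assumed parameter -AgentManagedComputer and the two SDK methods used below.
$primaryGw  = Get-ManagementServer | Where-Object { $_.Name -eq 'gwsv.remote.com' }
$failoverGw = Get-ManagementServer | Where-Object { $_.Name -eq 'gwsv02.remote.com' }
if (-not $primaryGw -or -not $failoverGw) {
    throw 'Both gateways must be approved and installed before agents can be assigned to them'
}

# Every agent in the remote namespace reports to the first gateway and fails over to the second.
$remoteAgents = @(Get-Agent | Where-Object { $_.Name -like '*.remote.com' })
foreach ($agent in $remoteAgents) {
    Set-ManagementServer -AgentManagedComputer: $agent -PrimaryManagementServer: $primaryGw -FailoverServer: $failoverGw
}

# Read the assignment back so a mistyped name surfaces now, not during an outage.
foreach ($agent in @(Get-Agent | Where-Object { $_.Name -like '*.remote.com' })) {
    $failovers = ($agent.GetFailoverManagementServers() | ForEach-Object { $_.Name }) -join ', '
    '{0}: primary={1} failover={2}' -f $agent.Name, $agent.GetPrimaryManagementServer().Name, $failovers
}
```

Keep the gateway-side failover (the deck's snippet) and the agent-side failover (this block) consistent: an agent that fails over to a gateway whose own failover MS is unset still loses connectivity when the primary MS goes down.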

Agent installation will vary based on the situation:

Agent and GW in the same domain: use the wizard, or AD integration

Agent and GW located across trust boundaries: install a certificate on the agent (and run MOMCertImport)

Remember, a Gateway is never required

Troubleshooting

Events

Look for events in OpsMgr Event Log

Common Events:

• 20050 – Enhanced key usage error (wrong OID)

• 21005 – DNS resolution failed

• 21006 – TCP connection failed (at the TCP level)

• 21007 – Not in a trusted domain (the remote domain does not have a full trust with this domain)

• 21008 – Untrusted target (usually an untrusted domain or a failure to reach a DC)

• 21035 – SPN registration failed; Kerberos authentication will not work

Events– New in SP1

New events for SP1 in OpsMgr Event Log

Common Events:

• 20068 – Certificate has an unusable private key, or no private key

• 20069 – Wrong type of certificate (KEY_SPEC)

• 20072 – Remote certificate not trusted

• 20075 – Unable to obtain subject or issuer from certificate

• 20076 – Unable to obtain subject or issuer from remote certificate

• 20077 – Certificate cannot be queried for property info
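As an added example (not part of the deck), the PowerShell below pulls exactly the event IDs listed on the two slides above out of the Operations Manager event log and maps each to the part of the troubleshooting checklist it points at (certificate, name resolution, TCP, Kerberos/trust). It assumes the log is named "Operations Manager", that the meanings are those on the slides, and that the caller can read the log on the local host or the host named with -ComputerName.

```powershell
# Added example (not part of the deck): triage gateway connector events by cause.
# Event IDs and meanings are the ones on the slides; log name assumed 'Operations Manager'.
$GatewayEventMeanings = @{
    20050 = 'Enhanced key usage error (wrong OID)'
    20068 = 'Certificate has an unusable private key, or no private key'
    20069 = 'Wrong type of certificate (KEY_SPEC)'
    20072 = 'Remote certificate not trusted'
    20075 = 'Unable to obtain subject or issuer from certificate'
    20076 = 'Unable to obtain subject or issuer from remote certificate'
    20077 = 'Certificate cannot be queried for property info'
    21005 = 'DNS resolution failed'
    21006 = 'TCP connection failed'
    21007 = 'Not in a trusted domain'
    21008 = 'Untrusted target (untrusted domain or failure to reach DC)'
    21035 = 'SPN registration failed; Kerberos authentication will not work'
}

# Which check on the "Name Resolution and Connectivity" / "Certificates" slides each ID sends you to.
function Get-GatewayEventCategory {
    param([int]$EventId)
    if (@(20050, 20068, 20069, 20075, 20077) -contains $EventId) { return 'Local certificate: re-check requirements and MOMCertImport' }
    if (@(20072, 20076) -contains $EventId)                      { return 'Remote certificate: trust chain on the peer' }
    if ($EventId -eq 21005)                                       { return 'Name resolution of the upstream FQDN' }
    if ($EventId -eq 21006)                                       { return 'TCP connectivity to port 5723' }
    if (@(21007, 21008, 21035) -contains $EventId)               { return 'Kerberos / domain trust (certificate auth may be needed)' }
    return 'Unknown'
}

function Get-ScomGatewayEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName 'Operations Manager' -ComputerName $ComputerName -After $since |
        Where-Object { $GatewayEventMeanings.ContainsKey([int]$_.EventID) } |
        Group-Object -Property EventID |
        ForEach-Object {
            $id     = [int]$_.Name
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            New-Object PSObject -Property @{
                EventID  = $id
                Count    = $_.Count
                LastSeen = $latest.TimeGenerated
                Category = Get-GatewayEventCategory -EventId $id
                Meaning  = $GatewayEventMeanings[$id]
                # First line of the latest message usually names the peer or certificate involved.
                Message  = ($latest.Message -split "`r?`n")[0]
            }
        } | Sort-Object LastSeen -Descending
}

# Usage: run on the Gateway (or on the MS for the other direction) after a failed join.
Get-ScomGatewayEvent -Hours 48 | Format-Table EventID, Count, LastSeen, Category, Meaning -AutoSize
```

Run it on both ends of the failing hop: a 20072 on the Management Server paired with a 20050 or 20069 on the Gateway localises the problem to the Gateway's certificate rather than to the network.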

Name Resolution and Connectivity

Name resolution: the downstream node must resolve the upstream node by FQDN

Gateway must resolve the FQDN of the MS

Agent must resolve the FQDN of the Gateway

Agent must resolve the FQDN of the MS (if no GW)

Network connectivity: verify the Gateway Server can telnet to the management server on port 5723

Verify agents can connect to the Gateway Server on port 5723

NOTE: If not using a Gateway Server, perform same steps for agent and management server

Namespace Issues

If using non-routable namespaces across the Internet:

Establish a site-to-site VPN tunnel, OR

Use a HOSTS file on the Gateway to resolve the Management Server

Diagram: gtw.contoso.local and ms.contoso.local connected across the Internet
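The PowerShell below is an added example, not from the deck, that automates the name-resolution and port-5723 checks above for one downstream-to-upstream hop, and also reports whether the upstream name is being supplied by the HOSTS file (the non-routable-namespace workaround on this slide). It assumes the hop is tested from the downstream node, that the Operations Manager port is 5723, and that gtw.contoso.local / ms.contoso.local style names are placeholders.

```powershell
# Added example (not part of the deck): test one OpsMgr hop (agent -> gateway,
# gateway -> MS, or agent -> MS when there is no gateway) from the downstream side.
function Test-ScomUpstream {
    param(
        [Parameter(Mandatory=$true)][string]$UpstreamFqdn,
        [int]$Port = 5723,          # OpsMgr agent/gateway/MS channel port
        [int]$TimeoutMs = 3000
    )
    $result = New-Object PSObject -Property @{
        Upstream    = $UpstreamFqdn
        InHostsFile = $false        # true when the name is pinned in the HOSTS file
        Resolves    = $false
        Addresses   = @()
        TcpConnect  = $false
        Detail      = ''
    }

    # HOSTS-file check: a non-comment line whose hostname column equals the FQDN.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsPath) {
        $pattern = '\s' + [regex]::Escape($UpstreamFqdn) + '(\s|$)'
        $result.InHostsFile = [bool](Get-Content $hostsPath |
            Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern })
    }

    # Name resolution (event 21005 when this fails on the real connector).
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($UpstreamFqdn)
        $result.Resolves  = $true
        $result.Addresses = @($addrs | ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return $result
    }

    # TCP connect with a timeout (event 21006 when this fails); a timeout usually means a firewall.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($UpstreamFqdn, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)
            $result.TcpConnect = $true
        } else {
            $result.Detail = "TCP: no connection to port $Port within $TimeoutMs ms (firewall?)"
        }
    } catch {
        $result.Detail = "TCP: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    $result
}

# Usage (placeholder names): on the gateway, test the MS; on an agent, test the gateway.
Test-ScomUpstream -UpstreamFqdn 'ms.contoso.local'  | Format-List
Test-ScomUpstream -UpstreamFqdn 'gtw.contoso.local' | Format-List
```

A result with Resolves true but InHostsFile true on a gateway is worth noting: the HOSTS entry will have to be maintained by hand whenever the Management Server's address changes.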

Certificates

Verify certificates are present on the Gateway, MS and Agent

Perform these steps on MS, Gateway and Agent

Verify the certificate exists in the following stores:

Local Computer\Personal\Certificates (the host's own certificate)

Local Computer\Trusted Root Certification Authorities\Certificates (the issuing CA's certificate)

Certificates (cont)

Verify MOMCertImport successfully wrote the certificate serial number to the registry

Stored in:

HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber

Compare it to the serial number of the certificate in the certificate store. MOMCertImport stores the serial number as a binary value with the bytes in reverse order relative to what the Certificates snap-in displays, so reverse the byte sequence before comparing.
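As an added example (not part of the deck), the PowerShell below performs that comparison: it reads ChannelCertificateSerialNumber, reverses the bytes, finds the matching certificate in Local Computer\Personal, and confirms the issuing CA is in Trusted Root Certification Authorities. It assumes it is run on the host being checked with rights to read HKLM, that the certificate was imported into the Local Computer\Personal store, and that the CA is single-tier (an intermediate CA's certificate would need to be in the Intermediate Certification Authorities store instead).

```powershell
# Added example (not part of the deck): confirm MOMCertImport registered the
# intended certificate and that its issuer is trusted on this host.
$MachineSettings = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function Test-MomCertImportRegistration {
    $props  = Get-ItemProperty -Path $MachineSettings -ErrorAction Stop
    $stored = $props.ChannelCertificateSerialNumber
    if (-not $stored) { throw 'ChannelCertificateSerialNumber is not set: MOMCertImport has not run, or failed' }

    # The registry holds the serial as REG_BINARY with the bytes reversed relative to
    # the hex string shown by the Certificates snap-in, so reverse before comparing.
    $asStored  = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
    $reversed  = [byte[]]$stored.Clone()
    [array]::Reverse($reversed)
    $serialHex = ($reversed | ForEach-Object { $_.ToString('X2') }) -join ''

    $personal = @(Get-ChildItem Cert:\LocalMachine\My)
    $cert = $personal | Where-Object { $_.SerialNumber -eq $serialHex } | Select-Object -First 1
    if (-not $cert) {
        # Diagnose a hand-edited value written in display order rather than just reporting "missing".
        $unreversed = $personal | Where-Object { $_.SerialNumber -eq $asStored } | Select-Object -First 1
        if ($unreversed) {
            throw "Registry holds serial $asStored in display order; MOMCertImport stores it reversed. Re-run MOMCertImport for '$($unreversed.Subject)'"
        }
        throw "No certificate in Local Computer\Personal has serial $serialHex (registry value $asStored)"
    }

    # Single-tier CA assumed: the issuer's certificate must sit in Trusted Root Certification Authorities.
    $issuerTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer })

    New-Object PSObject -Property @{
        RegistrySerial      = $asStored
        MatchedSerial       = $cert.SerialNumber
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        HasPrivateKey       = $cert.HasPrivateKey
        IssuerInTrustedRoot = $issuerTrusted
        ExpiresOn           = $cert.NotAfter
    }
}

# Usage: run on the MS, the Gateway and each certificate-authenticated agent.
Test-MomCertImportRegistration | Format-List
```

IssuerInTrustedRoot false on only one side of a hop is the registry-level counterpart of event 20072 on the other side: the peer's certificate chains to a CA this host does not trust.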

How to remove certificates imported with MOMCertImport Tool

Q & A