Certificate Template - SCOM Gateway Server

Hi
I am using AD Domain level 2003 in my organization. Is there any particular requirement for the certificate template to provide authentication between the SCOM Management server and the SCOM Gateway server?
I tried a lot but I am getting authentication issues.
Any solution would be really appreciated.
Thanks in advance.
Abhinav | MCTS-Server Virtualization

Hi,
Here is a similar thread, please also go through it for more helpful information:
SCOM 2012 Gateway Server Certificate
http://social.technet.microsoft.com/Forums/systemcenter/en-US/f499a9c5-1f52-464d-819d-7cbc8a96a845/scom-2012-gateway-server-certificate
Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway
http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
Regards,
Yan Li

Similar Messages

  • SNMP Monitoring behind SCOM Gateway Server

    Hi All
    Is it possible to monitor Network devices / SNMP that sit behind a SCOM Gateway server? If so, how do these get discovered?
    I have a need to monitor devices like HP printers, WAP, JetDirect cards, EPOS equipment etc. on a site that doesn't have SCOM on-premise.
    Are there any limitations to this?
    Thanks

    Hi,
    Yes, it is possible. When you create the discovery, you may specify that it should run from the gateway server.
    On the device you want to monitor, set your SNMP public community string to point to the IP address of the SCOM Gateway server. In the SCOM Administration console, choose Network Devices; in the Discovery Management Wizard, choose network device and click Next.
    In the next screen, enter the IP address of the network device you want to monitor, and under the management server drop-down choose the gateway server whose IP you entered in the SNMP string earlier.
    Here is a similar thread for your reference:
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/475cf4f5-c724-4c7c-808e-7265b304b0ba/snmp-monitoring-over-gatewayserver?forum=operationsmanagergeneral
    In addition, you may check whether there is any management pack for your devices and import it into your management group.
    Regards,
    Yan Li

  • SCOM gateway server configuration steps

    Can anybody share the SCOM gateway server configuration steps?

    In addition, I would like to share the following with you for your reference:
    Deploying Gateway Server in the Multiple Server, Single Management Group Scenario
    http://technet.microsoft.com/en-us/library/bb432149.aspx
    Deploying Gateway Server on Windows Server 2008
    http://technet.microsoft.com/en-us/library/dd789059.aspx
    Managing Gateway Servers in Operations Manager 2007
    http://technet.microsoft.com/en-us/library/cc540382.aspx
    Two items regarding the Gateway Server
    http://blogs.technet.com/b/momteam/archive/2007/08/09/two-items-regarding-the-gateway-server.aspx
    Powershell Commands to configure Gateway Server / Agent Failover
    http://blogs.technet.com/b/jimmyharper/archive/2010/07/23/powershell-commands-to-configure-gateway-server-agent-failover.aspx
    Hope this helps.
    Thanks.
    Nicholas Li - MSFT

  • SCOM Gateway Server Upgrade from 2012 SP1 to R2

    Hi,
    I am upgrading our SCOM environment from 2012 SP1 to R2, but I am unable to upgrade the Gateway Server. The installation of R2 setup stops with the error message: "The operation manager gateway can't be installed on a computer on which the Operation Manager management server, Operations Console, operational database, web console, agent, System Center Essentials, or System Center Service Manager is already installed."
    I checked that none of the above components is installed on the gateway server. Please suggest what the issue is.
    Regards,
    Daya Ram

    Hi,
    Have you followed the steps below to upgrade a gateway server:
    1. Log on to a computer that hosts the gateway server with an Operations Manager Administrators role account for your Operations Manager management group.
    2. On the Operations Manager media, run Setup.exe.
    3. In the Optional Installations area, click Gateway management server.
    4. On the Welcome to the System Center 2012 R2 Operations Manager Gateway Upgrade Wizard page, click Next.
    5. On the The wizard is ready to begin gateway upgrade page, click Upgrade.
    6. On the Completing the System Center 2012 - Operations Manager Gateway Setup wizard page, click Finish.
    You may check below directory:
    C:\Program Files\System Center 2012\Operations Manager
    Regards,
    Yan Li

  • Certificate template based on Server Authentication not showing in Web Enrollment

    Hi,
    I have a test lab with a certificate authority and web enrollment on the same servers. I have made a certificate template with all permissions (read, enroll, etc etc) set to "authenticated users".
    However, when I go to certificate enrollment and choose advanced deployment, I do not see this cert template (which is set to be published in AD).
    I've given the CA machine account full access to the cert template (read/enroll/auto-enroll, etc)
    I've started IE with "run as administrator" even though my logged on user is a domain admin and thus local admin on the server
    Selected Supply in the request in the certificate.
    Please advise

    After you created the template, did you add it to the CA? (right click Templates folder/New/Template to issue)
    You mentioned the template was "set to be published in AD". Hopefully you don't mean the checkbox on the template itself that says "Publish to Active Directory". This means the public key will be published to AD when a certificate based on this template is issued. This will bloat your AD database over time. All templates you create are automatically stored in AD. Be careful when using this checkbox.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • SCOM Gateway Server Issue

    Hi All
    I am having an issue related to my lab Gateway server with SCOM 2012 SP1.
    I have 2 Management servers and 3 gateway servers in my lab. Now I am trying to install a new Gateway server, but it's not showing in the Management server list. It's showing as a SCOM Client. Has anyone faced this issue, or does anyone have any idea?
    Your earlier response is appreciated.

    Hi,
    Check whether the gateway server is listed under pending management; if it is, try to remove it from there before running the approval.
    Please also go through the below similar thread for more details:
    SCOM 2012 R2 Gateway installation error and no System Center Management server after install
    http://social.technet.microsoft.com/Forums/en-US/ce6d0a73-c31d-4c26-85d4-d3cce35d48c3/scom-2012-r2-gateway-installation-error-and-no-system-center-management-server-after-install?forum=operationsmanagerdeployment
    Please follow the below steps:
    1) Validate that the gateway server can ping the Management Server that it will need to communicate with and can telnet to port 5723. Also validate that the OpsMgr Management Server can ping the Gateway server. If traffic doesn’t route between these systems, or they cannot resolve each other's names, or they cannot communicate on port 5723, the Gateway will not function.
    2) Install the gateway server from the OpsMgr media (Gateway management server).
    When installing, choose the Management Server that we have determined will be the primary Management Server for gateway servers in the environment and configure the gateway to run as local system.
    3) Next, if required, in the OpsMgr console we delete the agent from pending management if it appears in that view.
    4) Perform the approval of the gateway by transferring the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the appropriate path to run it from (c:\program files\System Center Operations Manager 2012\Server is the default location)
    Regards,
    Yan Li
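
The checks from step 1 of the reply above as a script, to be run on the gateway server and again on the management server with the peer name swapped. This is an added example, not part of the thread; `ms01.corp.example` is a placeholder name, and a plain TCP connect stands in for the telnet test.

```powershell
# Added example: name resolution, ping and TCP 5723 checks between a
# gateway server and its management server. Works on PowerShell 2.0+.
param(
    [string]$Peer = 'ms01.corp.example',   # placeholder: FQDN of the other server
    [int]$Port = 5723,                     # port named in the thread
    [int]$TimeoutMs = 3000
)

function Test-NameResolution {
    param([string]$HostName)
    # Returns the resolved addresses, or an empty array if resolution fails.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
        return @($addresses | ForEach-Object { $_.IPAddressToString })
    } catch {
        return @()
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # Attempts a TCP connect with a timeout; no data is sent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$ips = Test-NameResolution -HostName $Peer
$resolved = ($ips.Count -gt 0)

# Ping and port tests are only meaningful once the name resolves.
$ping = $false
$tcp = $false
if ($resolved) {
    $ping = [bool](Test-Connection -ComputerName $Peer -Count 2 -Quiet -ErrorAction SilentlyContinue)
    $tcp = Test-TcpPort -HostName $Peer -Port $Port -TimeoutMs $TimeoutMs
}

New-Object PSObject -Property @{
    Peer              = $Peer
    ResolvedAddresses = ($ips -join ', ')
    Ping              = $ping
    TcpPortOpen       = $tcp
} | Select-Object Peer, ResolvedAddresses, Ping, TcpPortOpen
```

A failed ping with an open port usually means ICMP is filtered between the two networks, which is a separate finding from the port 5723 result.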

  • SCOM Agents in DMZ via Gateway Server

    I need to monitor all the web servers in our DMZ by placing a Gateway Server between them and SCOM RMS.
    Just a simple question I have: do I need to install certificates on all my web servers in the DMZ to talk to the SCOM Gateway Server or not?
    If I need certificates on all my DMZ web servers, then what is the purpose of a gateway server?
    Thanks

    Hi There,
    The certificate installation depends on the scenario.
    Scenario 1# If the Gateway server is in the domain but the servers in the DMZ are not part of the domain, we need a certificate for each server to create trust with the Gateway server. Otherwise the Gateway may not authenticate agent servers due to domain mismatch. And AD authentication is a must while installing Agents.
    Scenario 2# If the Gateway Server and Agent Servers are in the same domain in the DMZ. In this scenario we need to have a certificate only for Agent Servers not for Agent Servers, as the agents will be authenticated using AD (due to same domain).
    Scenario 3# If neither the Gateway server nor the Agent Servers are in a domain. In this case we need to issue a certificate for each server, including the Gateway Server. In this scenario the Gateway server will work as a mediator for communication only (in a manner of speaking).
    Be aware that the Gateway server concept can be avoided with servers in the DMZ and not in a domain, but this will increase the security risk by authorizing multiple endpoint rules in the firewall.
    Below link will give you more info about Gateway servers and its uses.
    http://technet.microsoft.com/en-us/library/hh212823.aspx
    http://technet.microsoft.com/en-us/library/hh230684.aspx
    Thanks,
    Goutam Nepak

  • Gateway Server in SCOM

    Hi experts,
    I need your advice on the below point
    * It is recommended to keep the Management server in the same datacenter. But in case we have another datacenter with less network bandwidth, can we place a Gateway server there even though it's a trusted zone? Please clarify.
    Regards, Pratap

    Hello Pratap,
    If you need a gateway server, then it has to be in the other data center, and the agents in that same data center will point to the Gateway Server. The best part about this is that you do not need to install certificates on each server in that second data center. All you need to do is configure certificates on the Gateway Server and the Management Server that the Gateway Server will be pointing to.
    And since bandwidth is an issue, if the agents from a different data center point to the MS (in another DC) directly, then it will take up a lot of bandwidth for each agent; however, if the communication is only between the Gateway Server and the MS, then that should utilize less bandwidth.
    Hope this helps!
    Regards,
    Abdul Karim. (http://sites.google.com/site/scomblogs Twitter:@Abdul_SCOM)

  • Gateway server NICs question

    Hi,
    I want to deploy a SCOM gateway server, but I am not sure, would this server have multi homed NICs? IE a NIC in the LAN and a NIC in the DMZ/WAN.
    Thanks

    SCOM doesn't need 2 NICs; it works with 1 NIC. The SCOM Gateway is used to allow monitoring in another forest.
    Mai Ali

  • "No certificate templates could be found..." error using web enrollment on Win2k8 R2 Enterprise SubCA

    Hi Folks,
    I have installed an online issuing CA running on Win2k8 R2 Enterprise, and installed the web enrollment role service on it.
    I have duplicated two computer certificate templates (computer & web server) on our DCs, modified them as Win2k3 templates, made some changes and saved them, then published them on the CA by selecting New -> Certificate Template to issue. The templates have read and enroll permissions set for domain admins and domain computers (my account is a domain admin). I can successfully enroll for them using the certificates MMC.
    When connecting to https://myca.mydomain.com/certsrv however, the page loads. I click on 'Request a certificate', then 'Create and submit a request to this CA'. I see a warning indicating that this website is attempting to perform a digital certificate operation on my behalf, so I click yes. Immediately after doing so, I get the error:
    "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
    I have spent about 2 hours searching on this error and found at least 50 people complaining of this, but no real solutions. Here is what I have tried with no success:
    1) http://support.microsoft.com/kb/811418. Everyone references this solution, but it hasn't worked for anyone. The string values and cases are the same for me.
    2) Enabled SSL on the certsrv website.
    3) Set the authentication on the certsrv site to enable integrated authentication and disabled anonymous authentication.
    4) Created a separate application pool running under the Network Service then set the Certsrv application to run under it.
    I should note that this exact same condition occurred in my lab install, but rather than waste time trying to fix it in the lab, I just went ahead with the production install, only to experience the same problem, so apparently web enrollment is just broken out of the box on 2k8 R2 Enterprise.
    Does anyone have any idea how to get this working as advertised? Thanks for any help,
    Ian

    It appears to be an issue in Server 2012R2 as well.
    In our case, a new two-tier PKI setting is implemented on two Windows Server 2012 R2 servers. After the installations and configurations were completed, I was unable to load certificate templates when requesting a certificate on the Web interface.
    The issue was that the pass-through authentication did not work in IIS with the standard Application Pool Identity.
    The solution was as follows:
    1. Changed the NTFS permissions on the certsrv virtual directory in IIS (C:\Windows\System32\CertSrv\en-US), by adding a (domain) user account with read and list permissions.
    2. In IIS CertSrv > Basic Settings > Connect as - select "Specific user:" and set the newly created user with the username and password.
    3. Tested in Basic Settings with - "Test Settings" button and both Authentication and Authorization were successful.
    4. Request certificate from Web interface and the templates are available.
    Note: You must have a certificate in the Templates store which you have duplicated from the Templates available.

  • Gateway server and Management server in SCOM 2012

    What are the main differences between a Gateway server and a Management server in SCOM 2012?
    I have referred to this; is there anything?
    http://blogs.technet.com/b/momteam/archive/2008/02/19/10-reasons-to-use-a-gateway-server.aspx

    1) A Management server can write data, gathered from agents, directly into the Operations Manager database. A Gateway server should forward data collected from managed agents to a management server.
    2) In an untrusted environment, for example a workgroup or untrusted domain, where you do not want to deploy a certificate to every monitored agent, you should deploy a gateway server rather than a management server.
    Roger

  • Difference between Scom 2007 and Scom 2012 Gateway server setup.

    Hi All,
    Greetings!!
    I would like to know the differences for gateway server setup in Scom 2007 and 2012 versions..
    Are there any changes in the data collection or in the configuration? and also the prerequisites for it.
    Please let me know these info..
    Regards,
    Gokul

    There is no great difference in setting up a gateway server in SCOM 2007 R2 and SCOM 2012. In summary, it requires:
    1. Request certificates.
    2. Import those certificates into the target computers by using the MOMCertImport.exe tool.
    3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
    4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.
    5. Install the gateway server.
    However, the prerequisites differ between SCOM 2007 R2 and SCOM 2012.
    The SCOM 2007 R2 gateway server supports the following OS:
    Windows Server 2003 Standard Edition with Service Pack 1 (SP1)
    Windows Server 2003 Standard Edition with Service Pack 2 (SP2)
    Windows Server 2003 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 Enterprise Edition with SP1
    Windows Server 2003 Enterprise Edition with SP2
    Windows Server 2003 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Standard Edition with SP1 or SP2
    Windows Server 2003 R2 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2008 Standard 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Standard with SP1 or SP2
    Windows Server 2008 Enterprise 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Enterprise with SP1 or SP2
    Windows Server 2008 Datacenter 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Datacenter with SP1 or SP2
    Windows Server 2008 R2
    Windows Server 2008 R2 with SP1
    SCOM 2007 R2 gateway server
    CPU :2.8 GHz or faster
    Memory: 2 GB of RAM or more
    available Space: 20 GB of available hard disk space
    .NET Framework 2.0
    Microsoft Core XML Services (MSXML) 6.0
    SCOM 2012 Gateway server
    Disk space: %SYSTEMDRIVE% requires at least 1024 MB free hard disk space.
    Server Operating System: must be Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 Core Installation or Windows Server® 2012 R2.
    Processor Architecture: must be x64.
    Windows PowerShell version: Windows PowerShell version 2.0, or Windows PowerShell version 3.0.
    Microsoft Core XML Services (MSXML) version: Microsoft Core XML Services 6.0 is required for the management server.
    .NET Framework 4 is required if the Gateway server manages UNIX/Linux agents or network devices.
    Roger
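
A read-only check that fits between steps 1 and 2 of the reply above, before MOMCertImport.exe is run. This is an added example, not from the thread or from Microsoft's tooling; the criteria it tests (both Server Authentication and Client Authentication EKUs, a private key, a subject CN equal to the machine's name, a current validity period) are the usual Operations Manager certificate requirements and are not stated in the posts, and `$ExpectedName` is a hypothetical parameter.

```powershell
# Added example: list certificates in LocalMachine\My and show which ones
# meet the usual Operations Manager requirements. Changes nothing.
param(
    # Name the certificate subject is expected to carry. Defaults to this
    # machine's host name plus primary DNS suffix (assumption: that is the
    # name the peer server uses to reach it).
    [string]$ExpectedName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

if (-not $ExpectedName) {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $ExpectedName = if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collects the OID values from the Enhanced Key Usage extension, if any.
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ,$oids
}

$now = Get-Date
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = Get-EkuOids -Cert $cert
    $cn = $cert.GetNameInfo($nameType, $false)

    # A certificate without an EKU extension is reported as failing both EKU
    # checks; that is a deliberate simplification in this example.
    $row = New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        NameMatches   = ($cn -eq $ExpectedName)        # -eq ignores case
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $ServerAuthOid)
        ClientAuthEku = ($ekus -contains $ClientAuthOid)
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    }
    $usable = $row.NameMatches -and $row.HasPrivateKey -and
              $row.ServerAuthEku -and $row.ClientAuthEku -and $row.InValidity
    $row | Add-Member -MemberType NoteProperty -Name Usable -Value $usable
    $row
} | Select-Object SubjectCN, NameMatches, HasPrivateKey, ServerAuthEku,
                  ClientAuthEku, InValidity, Usable, Thumbprint |
    Format-Table -AutoSize
```

A certificate issued from a template that carries only one of the two EKUs shows `False` in the matching column, which is a frequent cause of authentication failures between a gateway and its management server.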

  • PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

    Hello everyone,
    I’m having issues with workgroup computers, not domain systems when I request a certificate.
    It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. On Server 2003 I can request a certificate manually with certutil and it sees the certificate template. I copy over the exact command on Windows 7 and it can’t see the certificate template.
    I have the following configuration:
    CA Enterprise
    I have created the SCCM Client Certificate
    I have created the SCCM Web Server Certificate
    I have created the SCCM Distribution Point Certificate
    GPO is configured
    SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
    Installed SCCM Client Certificate
    Installed SCCM Web Server Certificate
    Installed Distribution Point Certificate
    Deployed to a domain computer good on PKI
    Workgroup Computers:
    I’m having issues with deploying certificates
    Windows 7 –
    (ERROR) not successful
    Windows Server 2008 R2 –
    (ERROR) not successful
    Windows Server 2003 - successful
    Windows XP – successful
    How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
    http://www.ithierarchy.com/ITH/node/48
    I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
    Command line requesting the cert ---- CertReq -new -f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
    Error --- Template not found.
    SCCMClientCertificate (this is my template)

    Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
    Instead you must utilize two other additional roles on the CA to have this work. The caveat is, I’m down to the testing and it’s not working as in the document. I have MS Support working with me to resolve this issue since it was written by MSFT.
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
    http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

  • Gateway Server address and Certificate subject name do not match error on Vista client

    RD Gateway server is 2012, RD Server is 2008 R2. Client is (currently) Vista Gold (surprised me too).
    User was able to connect through the Gateway in the past, but seems to have broken around the time that we switched to a real wildcard SSL certificate. Prior to this, it was using a self issued cert.
    I'm stalling for time (and hoping this fixes it) by having the user install the Vista Service Packs. Can anyone verify if this is what's causing the issue, or if I need to look at something else?

    Hi,
    Yes, updating should fix the issue--the old client versions didn't work properly with wildcard.  I recommend you have them install the latest version of the Remote Desktop Client for Vista which is RDP 7.0 capable:
    Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2
    http://support.microsoft.com/kb/969084
    -TP
