Gateway Server Issue

Hello,
Following is the issue that I'm having.
I've 2 management servers and ADCS configured on Active Directory. I've a couple of servers in the workgroup that I need to monitor. I didn't configure gateway servers because there are only 2 workgroup servers. I've successfully imported the certificates using MOMImport.exe on the SCOM management servers and also on the WORKGROUP servers. However, I don't see the workgroup servers in the pending servers.
I checked the event ID on the workgroup servers and I got the following Event IDs.
Event ID 21006: The OpsMgr connector could not connect to SCOM:5723. The error code is 11001L(no such host is known)
Event ID 21023: OpsMgr has no configuration for management group SCOM and is requesting new configuration from the Configuration service.
The firewall is disabled on all the servers. I'm not sure what is going on.
I've followed a lot of blogs and TechNet answers, but I'm still having issues.
Any help will be appreciated.
Thanks

I've figured out the problem. I've resolved it by going through the following steps.
The 1st issue was the DNS entry. After entering the DNS of the workgroup machine I got Event ID 21007 on the workgroup computer.
That led me to check my certificate names, which were not correct, so I changed it to the FQDN of my SCOM server and on the workgroup computer I changed it to the computer name. Re-imported the certs and boom.
NOTE: make sure the certificate name and friendly name are the same as the FQDN, otherwise it will not work.
Kevin Greene's blog really explained it well. Below is the link:
http://kevingreeneitblog.blogspot.com/2011/09/using-internal-certificates-with-scom.html
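
The three things that resolved this thread (name resolution, port 5723, certificate names) can be checked in one pass. This is an added PowerShell example, not part of the original post; the function name `Test-OpsMgrChannelPrereq` and the server name in the usage comment are hypothetical.

```powershell
# Added example, not from the original thread. Requires PowerShell 3.0 or later.
# Run on the workgroup agent or gateway and pass the management server FQDN.
function Test-OpsMgrChannelPrereq {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementServer,
        [int]$Port = 5723
    )

    # 1. Name resolution. Event 21006 with error 11001 ("no such host") fails here.
    $resolved = $false
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($ManagementServer) |
            ForEach-Object { $_.IPAddressToString }
        $resolved = $true
        [pscustomobject]@{ Check = 'DNS'; Passed = $true; Detail = ($ips -join ', ') }
    } catch {
        [pscustomobject]@{ Check = 'DNS'; Passed = $false
            Detail = "$ManagementServer does not resolve; fix DNS or the hosts file" }
    }

    # 2. TCP reachability of the management server port (only if the name resolves).
    if ($resolved) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ManagementServer, $Port)
            [pscustomobject]@{ Check = 'TCP'; Passed = $true
                Detail = "${ManagementServer}:$Port accepted the connection" }
        } catch {
            [pscustomobject]@{ Check = 'TCP'; Passed = $false; Detail = $_.Exception.Message }
        } finally {
            $client.Close()
        }
    }

    # 3. Certificates in the local machine store. The subject CN must be this
    #    computer's own name (short name or FQDN), the private key must be
    #    present, and the certificate must be inside its validity period.
    #    The friendly-name comparison follows the note in the post above.
    $localNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry('').HostName)
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $certs = @(Get-ChildItem Cert:\LocalMachine\My)
    if ($certs.Count -eq 0) {
        [pscustomobject]@{ Check = 'Certificate'; Passed = $false
            Detail = 'No certificate found in LocalMachine\My' }
    }
    $now = Get-Date
    foreach ($cert in $certs) {
        $cn = $cert.GetNameInfo($simple, $false)
        $problems = @()
        if ($localNames -notcontains $cn) { $problems += "CN '$cn' is not this computer's name" }
        if ($cert.FriendlyName -and $cert.FriendlyName -ne $cn) {
            $problems += "friendly name '$($cert.FriendlyName)' differs from the CN"
        }
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'outside its validity period'
        }
        $detail = "CN '$cn' looks usable"
        if ($problems.Count -gt 0) { $detail = $problems -join '; ' }
        [pscustomobject]@{
            Check  = "Certificate $($cert.Thumbprint)"
            Passed = ($problems.Count -eq 0)
            Detail = $detail
        }
    }
}

# Usage (server name is a placeholder):
# Test-OpsMgrChannelPrereq -ManagementServer 'scom-ms01.example.local' | Format-Table -AutoSize -Wrap
```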

Similar Messages

  • SCOM Gateway Server Issue

    Hi All
    I am having an issue related to my LAB Gateway server with SCOM 2012 SP1.
    I have 2 management servers and 3 gateway servers in my LAB. Now I am trying to install a new gateway server, but it's not showing in the Management server list. It's showing as a SCOM client. Has anyone faced this issue or have any idea?
    Your early response is appreciated.

    Hi,
    Check whether the gateway server is listed under pending management; if it is, try to remove it from there before running the approval.
    Please also go through the below similar thread for more details:
    SCOM 2012 R2 Gateway installation error and no System Center Management server after install
    http://social.technet.microsoft.com/Forums/en-US/ce6d0a73-c31d-4c26-85d4-d3cce35d48c3/scom-2012-r2-gateway-installation-error-and-no-system-center-management-server-after-install?forum=operationsmanagerdeployment
    Please follow the below steps:
    1) Validate that the gateway server can ping the Management Server that it will need to communicate with and can telnet to port 5723. Also validate that the OpsMgr Management Server can ping the Gateway server. If traffic doesn’t route between these systems, or they cannot resolve each other's names, or they cannot communicate on port 5723, the Gateway will not function.
    2) Install the gateway server from the OpsMgr media (Gateway management server).
    When installing, choose the Management Server that we have determined will be the primary Management Server for gateway servers in the environment and configure the gateway to run as local system.
    3) Next if required in the OpsMgr console we delete the agent from pending management if it appears in that view.
    4) Perform the approval of the gateway by transferring the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the appropriate path to run it from (c:\program files\System Center Operations Manager 2012\Server is the default location)
    Regards,
    Yan Li

  • How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

    I have an RDG server named gw.domain.local with port 3389/tcp forwarded from gw.example.com.
    Using the RDGM snap-in I created a self-signed SSL certificate with FQDN gw.example.com.
    But when I connect over RDP from outside the local network I'm getting an error:
    Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
    Because the certificate subject name is gw.domain.local indeed.
    So the question is: how to issue a certificate properly, or how to assign an existing one the name to match?

    Hi,
    Thanks for your post in Windows Server Forum.
    The certificate error which you are facing seems like a certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway server. You can refer to the article below for more troubleshooting.
    TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
    And for creating an SSL certificate for RD Gateway, you can refer to the articles below.
    1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
    2.  Obtain a Certificate for the Remote Desktop Gateway Server
    Hope it helps!
    Thanks,
    Dharmesh

  • SCOM Gateway Server Upgrade from 2012 SP1 to R2

    Hi,
    I am upgrading our SCOM environment from 2012 SP1 to R2, but I am unable to upgrade the Gateway Server. The installation of the R2 setup stops with the error message: "The operation manager gateway can't be installed on a computer on which the Operation Manager management server, Operations Console, operational database, web console, agent, System Center Essentials, or System Center Service Manager is already installed."
    I checked that none of the above components is installed on the gateway server. Please suggest what is the issue?
    Regards,
    Daya Ram

    Hi,
    Have you followed the steps below to upgrade a gateway server:
    Log on to a computer that hosts the gateway server with an Operations Manager Administrators role account for your Operations Manager management group.
    On the Operations Manager media, run Setup.exe.
    In the Optional Installations area, click Gateway management server.
    On the Welcome to the System Center 2012 R2 Operations Manager Gateway Upgrade Wizard page, click Next.
    On the The wizard is ready to begin gateway upgrade page, click Upgrade.
    On the Completing the System Center 2012 - Operations Manager Gateway Setup wizard page, click Finish.
    You may check below directory:
    C:\Program Files\System Center 2012\Operations Manager
    Regards,
    Yan Li

  • Remote Desktop "Bypass RD gateway server for local addresses" no longer working in Windows 8

    Hi,
    After installing windows 8, it seems like the "Bypass RD gateway server for local addresses" is no longer working.
    In Windows 7, when the option is checked, I could have the server name set always and the client will automatically detect whether to use the RD gateway or not. For example, from my house, if I am connecting to a computer at my work, which requires the RD gateway, it will automatically pop up the dialog for the authentication method. However, if I connect to a computer in my home network, it will just automatically connect without asking for authentication for the RD gateway.
    However, after installing Windows 8, this does not seem to work as expected anymore. The option is checked but the Windows Security dialog pops up in both situations and so I have to either save the rdp file locally and pin it to the taskbar or switch between disabling and enabling the RD gateway whenever I need to connect to different machines.
    Is this a regression in Windows 8? Is anyone else experiencing the same issue?
    Thanks

    Another way to resolve this issue for me, besides configuring RDP to connect directly to the server also on an unmanaged network, would be to turn the "wifi" subnet into a managed network, as the "wired" subnet is.
    The differences between those two subnets, dynamically assigned by the same DHCP server, are:
    The "wifi" is in a private IP range, the "wired" is in a public IP range
    There's an ACL on the "wifi" subnet, not on the "wired"
    The next step is to compare frames sent/received when on the two networks. Something will likely tell for the network to be managed.
    Besides, I'm still searching for information about NLA, which is responsible for setting a network as managed or not.
    Here are some clues:
    http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx
    http://social.technet.microsoft.com/Forums/windows/en-US/49ea0a6b-9c03-407d-8e26-24a92849a282/network-location-awareness-signature?forum=w7itpronetworking
    If anybody has official MS information about NLA (A for Awareness and not Authentication), please share!

  • Gateway server is going to grey stage:

    Hi All,
    In my company one of the management servers goes down, the gateway server reporting to that management server becomes grey, unfortunately there was no failover server.
    I tried the steps below; it works for a while, but within minutes the gateway server again enters the grey stage.
    1. Stop the Health Service on the gateway server.
    2. Rename directory "C:\Program Files\System Center Operations Manager 2007\Health Service State\" to "C:\Program Files\System Center Operations Manager 2007\Health Service State.old".
    3. In the registry modify the following 2 keys: AuthenticationName and NetworkName. These are located in HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\MGName.
    4. Restart the Health Service on the gateway server.
    But after some time the gateway server again changes its state to grey. Can anybody give an answer for this?
    Regards,
    angs

    Hi,
    I will explain my scenario:
    Hi All,
    Thanks in advance.
    In my scenario we have 3 management servers, aa.com, bb.com and cc.com; for the Texas location we are using a gateway server (xyz.com).
    The gateway server is reporting to aa.com and there was no failover management server. Due to some issues we shut down the bb.com management server and the gateway server goes to the grey stage.
    So I want to make cc.com the primary management server for the gateway server (xyz.com). How can I make it possible without using PowerShell? For this I followed the above steps.
    Below is the list of events in Operations Manager, from the first event:
    21017
    OpsMgr has successfully failed over to cc.com
    EventId:103
    HealthService (12492) Health Service Store: The database engine stopped the instance (0).
    102
    HealthService (12492) Health Service Store: The database engine (6.01.7601.0000) started a new instance (0).
    2011
    The Health Service did not find any policy in Active Directory
    20063
    Active Directory Integration has been disabled for management group BGMCON
    202
    Management Group "BGMCON" was started
    21023
    OpsMgr has no configuration for management group BGMCON and is requesting new configuration from the Configuration Service.
    7006
    The Health Service has published the public key [1C 7D A0 5D 6F E2 C5 BC 4E 2B 45 BE 6F 7D F1 E5 ] used to send it secure messages to management group BGMCON.  
    This message only indicates that the key is scheduled for delivery, not that delivery has been confirmed.
    7019
    The Health Service has validated all RunAs accounts for management group BGMCON.
    21006
    The OpsMgr Connector could not connect to bb.com:5723.  The error code is 10061L(No connection could be made because the target machine actively refused it.). 
    Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.
    21016
    OpsMgr was unable to set up a communications channel to bb.com and there are no failover hosts.  Communication will resume when bb.com is available and communication from this computer is allowed.
    21023
    OpsMgr has no configuration for management group BGMCON and is requesting new configuration from the Configuration Service.
    21023
    OpsMgr has no configuration for management group BGMCON and is requesting new configuration from the Configuration Service.

  • Gateway server not able to authenticate

    Hello SCOMMers :)
    I have an issue with my SCOM 2012 R2 system that I just can't get my head around.
    We just purchased a brand new SCOM server that I have migrated our environment to, moved the databases and reporting server, and finally I got things up and running after some issues with the DB move.
    So I now have 2 SCOM management servers in my environment and four gateway servers; the gateway servers are communicating with the old SCOM server and I want to move them over to the new SCOM server.
    I ran the PowerShell commands from this TechNet article and thought everything was under control. But none of the GW servers started communicating with the new SCOM server.
    I have of course checked the certificates, hosts file, DNS and firewalls, and I reran the MOMCertImport.exe utility. I also checked that the certificate serial number was correctly inserted into the registry after MOMCertImport.exe was run. (HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings, binary value named ChannelCertificateSerialNumber, contains the serial number of the certificate in reverse order.)
    Still I was unable to get the GW server to communicate with the correct management server, so I decided to reinstall the GW server so I could set the name of the new SCOM management server during the GW setup. Before I did the reinstall I ran Microsoft.EnterpriseManagement.GatewayApprovalTool.exe with the /Delete parameter; the command ran successfully.
    When I do the install I still cannot get the communication up and running; the GW server gives me the following errors in the event log.
    The GW server appears in my Management Servers list but stays in the Not monitored state.
    Event ID: 20057
    Failed to initialize security context for target MSOMHSvc/<ServerFQDN> The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
    Event ID: 20071
    The OpsMgr Connector connected to tmg-app92.mg.local, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Event ID: 21001
    The OpsMgr Connector could not connect to MSOMHSvc/<ServerFQDN> because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    Event ID: 21016
    OpsMgr was unable to set up a communications channel to <ServerFQDN> and there are no failover hosts. Communication will resume when <ServerFQDN> is available and communication from this computer is allowed.
    I have installed new certificates on both the GW and the management server, and I did the SCOM GW installation multiple times, but the issue is the same and the event log errors are also the same.
    Does anyone have any clue to what might be wrong?
    Thanks!
    Bjørn

    Hi,
    After you delete the gateway with Microsoft.EnterpriseManagement.GatewayApprovalTool.exe, the gateway object is only marked as deleted in the databases. Therefore, try to use a different name for the newly installed gateway, so the old parameters will not be associated with the new gateway.
    For the communication\certificates problems check these links:
    http://blog.coretech.dk/msk/common-issues-when-working-with-certificates-in-opsmgr/
    http://www.assemblein.info/system-center/steps-to-resolve-scom-2012-gateway-server-error-unmonitored-state/
    http://www.eventid.net/display-eventid-21016-source-OpsMgr%20Connector-eventno-8983-phase-1.htm
    Natalya

  • RD Gateway Manager - Unable to read RD Gateway Server Settings

    I'm trying to install a Remote Desktop Gateway into my domain, but I am running into a serious road-block... when I load RD Gateway Manager to configure the service, there is nothing to configure because it won't load my server into the console. When I try to connect to it manually, it returns the following error:
    "Unable to read RD Gateway Server Settings"
    There are no errors or warnings in Event Viewer. I can verify that C:\Windows\System32\tsgateway\rap.xml exists and is readable. I can verify that Network Policy does have a TS_CAP_01 policy and it is enabled. A valid certificate was applied during setup (and I've also tried choosing ask me later).
    I have already tried uninstalling and reinstalling the role service (including manually verifying that the policies are removed). I also have this working on another domain server, so I'm at a loss for what to look for... How can I resolve this so that I can finish configuring the service?

    Hello,
    Thanks for your post.
    From your description, I understand that you’re trying to install the RD Gateway role on a Windows Server 2008 R2-based domain computer. However, after the role is installed, the RD Gateway Manager cannot be loaded into the RD Gateway Manager. The error prompts “Unable to read RD Gateway Server Settings”.
    Based on my experience, the issue may be caused by problematic installation or startup of the RD Gateway role. Before we troubleshoot the issue further, I recommend you enable the Audit level logging in the Event Viewer and double-check the related clues in the event viewer. To do that, please use the following steps:
    1. On the RD Gateway server open RD Gateway Manager. To open RD Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RD Gateway Manager.
    2. In the console tree, right-click the node that represents your RD Gateway server, which is named for the computer on which the RD Gateway server is running, and then click Properties.
    3. On the Auditing tab, select or clear the appropriate check boxes to specify the events that you want to monitor for RD Gateway, and then click OK.
    When these events occur, you can monitor the corresponding events by using Windows Event Viewer. RD Gateway Manager server events are stored in Event Viewer under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\.
    Let us know the result if possible. We’d like to help further based on the information you reply with. Thanks.
    Lionel Chen

  • Gateway server can't communicate with management server

    Hi all,
    I have some issues with a gateway server. So I've installed the new server following Microsoft documentation. I've added the new server in the OP console; I can see it but it is unmonitored. I've installed the same certificate on both servers in the Trusted store (computer).
    On the GW I've checked and 5723 is open. On the GW I have these errors:
    EV 20057, OpsMgr Connector
    Failed to initialize security context for target MSOMHSvc/computer The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    EV 20057, OpsMgr Connector
    Failed to initialize security context for target MSOMHSvc/computer The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    EV 21001, OpsMgr Connector
    The OpsMgr Connector could not connect to MSOMHSvc/copscomsvr01.corp.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    EV 20071, OpsMgr Connector
    The OpsMgr Connector connected to copscomsvr01.corp.local, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Any ideas?

    Hi,
    Please check the registry. Go to the OPS reg hive and check if the FQDN name is supplied for the Networkname and AuthenticationName. If this doesn’t match your certificate common name you will get the 20071 event.
    Just change it and restart the OpsMgr service.
    More details:
    https://michelkamp.wordpress.com/2012/01/05/solving-the-gateway-20071-event/
    Regards,
    Yan Li
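
The registry checks mentioned in this answer (NetworkName and AuthenticationName) and in the earlier "Gateway server not able to authenticate" thread (ChannelCertificateSerialNumber stored in reverse order) can be verified together. This is an added PowerShell example, not code from either thread; the function name `Test-OpsMgrCertBinding` and the `-ExpectedParentFqdn` parameter are hypothetical, and the expected name is assumed to be the CN of the certificate installed on the parent management server.

```powershell
# Added example, not from the original threads. Requires PowerShell 3.0 or later.
# Run on the gateway or agent. -ExpectedParentFqdn is an assumption of this
# example: the CN of the certificate installed on the parent management server.
function Test-OpsMgrCertBinding {
    param([Parameter(Mandatory = $true)][string]$ExpectedParentFqdn)

    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0'

    # MOMCertImport.exe records the selected certificate's serial number,
    # byte-reversed, in the binary value ChannelCertificateSerialNumber.
    $machine = Get-ItemProperty -Path "$base\Machine Settings" -ErrorAction SilentlyContinue
    $bytes = [byte[]]$machine.ChannelCertificateSerialNumber
    if ($null -eq $bytes -or $bytes.Length -eq 0) {
        [pscustomobject]@{ Check = 'ChannelCertificateSerialNumber'; Passed = $false
            Detail = 'Value is missing or empty; re-run MOMCertImport.exe' }
    } else {
        # Undo the reversal to get the serial number as the certificate store shows it.
        $reversed = $bytes.Clone()
        [array]::Reverse($reversed)
        $serial = -join ($reversed | ForEach-Object { $_.ToString('X2') })
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $serial } |
            Select-Object -First 1
        if ($cert) {
            [pscustomobject]@{ Check = 'ChannelCertificateSerialNumber'; Passed = $true
                Detail = "Serial $serial matches $($cert.Subject)" }
        } else {
            [pscustomobject]@{ Check = 'ChannelCertificateSerialNumber'; Passed = $false
                Detail = "No certificate in LocalMachine\My has serial $serial" }
        }
    }

    # NetworkName and AuthenticationName sit under each management group key.
    # The subtree is searched rather than assuming the exact subkey name.
    $groups = @(Get-ChildItem "$base\Agent Management Groups" -ErrorAction SilentlyContinue)
    foreach ($mg in $groups) {
        $keys = @($mg) + @(Get-ChildItem -LiteralPath $mg.PSPath -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in 'NetworkName', 'AuthenticationName') {
                $value = $key.GetValue($name)
                if ($null -eq $value) { continue }
                # A mismatch here is what the answer above ties to event 20071.
                [pscustomobject]@{
                    Check  = "$($mg.PSChildName) $name"
                    Passed = ($value -eq $ExpectedParentFqdn)
                    Detail = "registry has '$value', expected '$ExpectedParentFqdn'"
                }
            }
        }
    }
}

# Usage (server name is a placeholder):
# Test-OpsMgrCertBinding -ExpectedParentFqdn 'scom-ms01.example.local' | Format-Table -AutoSize -Wrap
```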

  • Can xendesktop mp monitor Xendesktop infrastructure in a remote forest where only a gateway server available?

    We have a SCOM2012R2 management group of which the management server(s) is/are in forestA, and there is a gateway server in forestB which has no two-way trust with forestA. We can monitor Windows servers in forestB with no problems with the Windows base OS Management Pack. Now, we want to manage the Xendesktop infrastructure in forestB using the ComTrade Xendesktop MP. The user guide that comes with the MP does not mention whether the Xendesktop infrastructure has to be in the same forest where the management server (not gateway server) resides. However, we are having issues in our scenario, at installing the Xendesktop management agent on DDCs, as well as being unable to discover the Xendesktop topology. Is there anything we did wrong, or does the MP not support the scenario?
    Thanks in advance

    Adding more info:
    ComTrade Management Pack for Citrix XenServer
    https://citrix.com/ready/en/comtrade/citrix-xenserver-mp

  • Certificate Template - SCOM Gateway Server

    Hi
    I am using AD Domain level 2003 in my organization. Is there any particular requirement for certificate template to provide authentication between SCOM Management server and SCOM Gateway server.
    I tried a lot but I am getting authentication issues.
    Any solution would be really appreciated.
    Thanks in advance.
    Abhinav | MCTS-Server Virtualization

    Hi,
    Here is a similar thread, please also go through it for more helpful information:
    SCOM 2012 Gateway Server Certificate
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/f499a9c5-1f52-464d-819d-7cbc8a96a845/scom-2012-gateway-server-certificate
    Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway
    http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
    Regards,
    Yan Li

  • Gateway Server in SCOM

    Hi experts,
    I need your advice on the below point
    * It is recommended to keep the Management server in the same datacenter. But in case we have another datacenter with less network bandwidth, can we place a GATEWAY server there though it's a trusted zone? Please clarify.
    Regards, Pratap

    Hello Pratap,
    If you need a gateway server, then it has to be in the other datacenter, and the agents in that same datacenter will point to the Gateway Server. The best part about this is that you do not need to install certificates on each server in that second datacenter. All you need to do is configure certificates on the Gateway Server and the Management Server that the Gateway Server will be pointing to.
    And since bandwidth is an issue, if the agents from a different datacenter point to the MS (in another DC) directly, then it will take up a lot of bandwidth for each agent; however, if the communication is only between the Gateway Server and the MS, then that should utilize less bandwidth.
    Hope this helps!
    Regards,
    Abdul Karim. (http://sites.google.com/site/scomblogs Twitter:@Abdul_SCOM)

  • Gateway Server address and Certificate subject name do not match error on Vista client

    RD Gateway server is 2012, RD Server is 2008 R2. Client is (currently) Vista Gold (surprised me too).
    User was able to connect through the Gateway in the past, but seems to have broken around the time that we switched to a real wildcard SSL certificate. Prior to this, it was using a self issued cert.
    I'm stalling for time (and hoping this fixes it) by having the user install the Vista Service Packs. Can anyone verify if this is what's causing the issue, or if I need to look at something else?

    Hi,
    Yes, updating should fix the issue--the old client versions didn't work properly with wildcard.  I recommend you have them install the latest version of the Remote Desktop Client for Vista which is RDP 7.0 capable:
    Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2
    http://support.microsoft.com/kb/969084
    -TP

  • SCOM Agents in DMZ via Gateway Server

    I need to monitor all the web servers in our DMZ by placing a Gateway Server between them and SCOM RMS.
    Just a simple question I have: do I need to install certificates on all my web servers in the DMZ to talk to the SCOM Gateway Server or not?
    If I need certificates on all my DMZ web servers then what is the purpose of a gateway server?
    Thanks

    Hi There,
    The certificate installation depends on the scenario.
    Scenario 1# If the Gateway server is in the domain but the servers in the DMZ are not part of the domain, we need a certificate for each server to create trust with the Gateway server. Otherwise the Gateway may not authenticate agent servers due to domain mismatch. And AD authentication is a must while installing agents.
    Scenario 2# If the Gateway Server and Agent Servers are in the same domain in the DMZ. In this scenario we need to have a certificate only for Agent Servers not for Agent Servers, as the agents will be authenticated using AD (due to same domain).
    Scenario 3# If neither the Gateway server nor the Agent Servers are in a domain. In this case we need to issue a certificate for each server, including the Gateway Server. In this scenario the Gateway server will work as a mediator for communication only (in a manner of speaking).
    Be sure that the Gateway server concept can be avoided with servers in the DMZ and not in a domain, but this will increase the security risk by authorizing multiple endpoint rules in the firewall.
    Below link will give you more info about Gateway servers and its uses.
    http://technet.microsoft.com/en-us/library/hh212823.aspx
    http://technet.microsoft.com/en-us/library/hh230684.aspx
    Thanks,
    Goutam Nepak

  • RD Gateway Server Credentials in SBS 2011, new prompt in RWA

    Hey All,
    I know this has been asked and answered in one way or another, but I am having difficulties finding the answer. I have several SBS 2011 Standard clients and most use RWA to remote connect to their desktops. Just recently, one of them, it started to prompt for the RD Gateway Server credentials. If the user puts in domain\user then password, they are then handed to the next sign in and then they have access. For the past 2 years it has never done that before. It is not so much of a problem, but an annoyance to have to login 3 times before having access to the computer. This happened to my SBS box and I fixed it when addressing another issue, but I don't know how I did it. Any help would be great.

    Did they check the box to save the password in the RD Gateway Credential prompt?
    Robert Pearman SBS MVP
