Installing System Center 2016 Operations Manager Step by Step – Part 5

Part 5 – Gateway Installation

Gateway servers are used to enable agent management of computers that are outside the Kerberos trust boundary of management groups, such as in a domain that is not trusted. The gateway server acts as a concentration point for agent-to-management server communication. Agents in domains that are not trusted communicate with the gateway server, and the gateway server communicates with one or more management servers. Because communication between the gateway server and the management servers occurs over only one port (TCP 5723), that port is the only one that has to be opened on any intervening firewalls to enable management of multiple agent-managed computers. Multiple gateway servers can be placed in a single domain so that the agents can fail over from one to the other if they lose communication with one of the gateway servers. Similarly, a single gateway server can be configured to fail over between management servers so that no single point of failure exists in the communication chain.

Because the gateway server resides in a domain that is not trusted by the domain that the management group is in, certificates must be used to establish the identity of each computer: agent, gateway server, and management server. This arrangement satisfies the requirement of Operations Manager for mutual authentication.

To monitor computers that lie outside the trust boundary of a management server without the use of a gateway server, you need to install and manually maintain certificates on the management servers and the computers to be monitored. When this configuration is used instead of using a gateway server, additional ports must be opened for agent-to-management server communication.

The procedure is:

  1. Request and Install Certificate.
  2. Approve Gateway on Management Server.
  3. Install Gateway Server.

Request and Install Certificate.

For agents connecting to gateway servers, a certificate must be installed on the agent, the gateway server, and the management server.

  1. First, request certificates for any computer in the agent, gateway server, management server chain.
  2. Import those certificates into the target computers by using the MOMCertImport.exe tool.

The MOMCertImport.exe tool can be found in the support folder of the SCOM installation folder.
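Before importing, it helps to confirm that the certificate can actually serve for mutual authentication. The following PowerShell check is an added example, not part of the original post; it assumes the certificate was placed in the LocalMachine\My store and that the subject name must match the computer's FQDN and carry both the Server Authentication and Client Authentication EKUs. The function name Test-ScomCertCandidate is hypothetical.

```powershell
# Added example (not from the original post): pre-flight check of candidate
# certificates before running MOMCertImport.exe.
# Assumptions: certificate is in LocalMachine\My; subject CN must equal the
# computer FQDN; both Server and Client Authentication EKUs are required.
function Test-ScomCertCandidate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    # Collect the EKU OIDs present on the certificate (empty if no EKU extension).
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build() validates against the Windows trust stores. Revocation is checked
    # online by default, so an unreachable CRL shows up in ChainStatus.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $cn      = $Certificate.GetNameInfo('SimpleName', $false)
    $now     = Get-Date

    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        SubjectCN          = $cn
        SubjectMatchesFqdn = $cn -ieq $ExpectedFqdn
        HasPrivateKey      = $Certificate.HasPrivateKey
        WithinValidity     = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        ServerAuthEku      = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        ClientAuthEku      = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# On a workgroup machine the resolved name may be short; pass the FQDN explicitly then.
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ScomCertCandidate -Certificate $_ -ExpectedFqdn $fqdn } |
    Format-List
```

A certificate is a reasonable candidate for import only when every boolean in its row is True. A ChainBuilds value of False usually means the issuing CA's root is not trusted on that computer or the CRL cannot be reached from it.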

Approve Gateway on Management Server.

You also need to approve the gateway server before installing it.

To do this you need Microsoft.EnterpriseManagement.GatewayApprovalTool.exe, which is found at %SCOMInstallDirectory%\Server\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe

If it is not found there, copy it from %SCOMInstallDirectory%\SupportTools\AMD64\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to %SCOMInstallDirectory%\Server\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe

At the command prompt, run:

 Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create

If the approval is successful, you will see: The approval of server <GatewayFQDN> completed successfully

Now that the certificates are installed on the gateway server and the gateway is approved on the management server, you can install the gateway server.

 Install Gateway Server.

 Install Gateway Server via command line

 msiexec.exe /i MOMGateway.msi /qn /l*v %TEMP%\GatewayInstall.log ADDLOCAL=MOMGateway MANAGEMENT_GROUP=%ManagementGroupName% IS_ROOT_HEALTH_SERVER=0 ROOT_MANAGEMENT_SERVER_AD=%FirstManagementServerFQDN% ROOT_MANAGEMENT_SERVER_DNS=%FirstManagementServerFQDN% ACTIONS_USE_COMPUTER_ACCOUNT=1 ROOT_MANAGEMENT_SERVER_PORT=5723 AcceptEndUserLicenseAgreement=1

 Install Gateway Server via GUI

In the Operations Manager installation media, start Setup.exe.
In the Install area, click the Gateway management server link.

On the Welcome screen, click Next.

On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next.

On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next. This port can be changed if you have enabled a different port for management server communication in the Operations console.

On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.

On the Microsoft Update page, optionally indicate if you want to use Microsoft Update, and then click Next.

On the Ready to Install page, click Install.
On the Completing page, click Finish.
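
Once setup finishes, the single-port design described at the top of this part can be verified from the gateway itself. The PowerShell below is an added example, not part of the original post; the function name Test-GatewayChannel and the FQDN ms01.corp.example are hypothetical, and it assumes agents also reach the gateway on the same port (5723 by default).

```powershell
# Added example (not from the original post): confirm the gateway's TCP 5723
# channel to the management server and its listener for agents.
# Assumption: agents connect to the gateway on the same port.
function Test-GatewayChannel {
    param(
        [Parameter(Mandatory)][string]$ManagementServer,
        [int]$Port = 5723
    )
    # Resolve the management server so established sessions can be matched by address.
    $msAddresses = @([System.Net.Dns]::GetHostAddresses($ManagementServer) |
        ForEach-Object { $_.IPAddressToString })

    # Outbound reachability through any intervening firewall.
    $probe = Test-NetConnection -ComputerName $ManagementServer -Port $Port `
        -WarningAction SilentlyContinue

    $established = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)
    $toMs        = @($established | Where-Object {
                        $_.RemotePort -eq $Port -and $msAddresses -contains $_.RemoteAddress })
    $fromAgents  = @($established | Where-Object { $_.LocalPort -eq $Port })
    $listener    = @(Get-NetTCPConnection -State Listen -LocalPort $Port `
                        -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ManagementServer       = $ManagementServer
        Port                   = $Port
        PortReachable          = $probe.TcpTestSucceeded
        SessionsToManagementSv = $toMs.Count
        ListeningForAgents     = $listener.Count -gt 0
        AgentSessions          = $fromAgents.Count
        AgentAddresses         = ($fromAgents.RemoteAddress | Sort-Object -Unique) -join ','
    }
}

# Hypothetical FQDN; replace with the management server used during setup.
Test-GatewayChannel -ManagementServer 'ms01.corp.example' | Format-List
```

PortReachable True with SessionsToManagementSv at 0 means the firewall path is open but the gateway has not established its channel, which typically sends you back to the certificate and approval steps.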

 References:

https://technet.microsoft.com/en-us/library/hh456447(v=sc.12).aspx

https://technet.microsoft.com/en-us/library/hh456445(v=sc.12).aspx

 

  1. Part 1
    1. Operations Manager Overview
    2. System Center Requirements
  2. Part 2
    1. SQL 2016 Installation
  3. Part 3
    1. First Management Server Installation
  4. Part 4
    1. Second Management Server Installation
  5. Part 5
    1. Gateway Installation
  6. Part 6
    1. Reporting Services Installation
  7. Part 7
    1. Installing Agents
  8. Part 8
    1. Conclusion
