Part 5 – Gateway Installation
Gateway servers are used to enable agent-management of computers that are outside the Kerberos trust boundary of management groups, such as in a domain that is not trusted. The gateway server acts as a concentration point for agent-to-management server communication. Agents in domains that are not trusted communicate with the gateway server and the gateway server communicates with one or more management servers. Because communication between the gateway server and the management servers occurs over only one port (TCP 5723), that port is the only one that has to be opened on any intervening firewalls to enable management of multiple agent-managed computers. Multiple gateway servers can be placed in a single domain so that the agents can failover from one to the other if they lose communication with one of the gateway servers. Similarly, a single gateway server can be configured to failover between management servers so that no single point of failure exists in the communication chain.
Because the gateway server resides in a domain that is not trusted by the domain that the management group is in, certificates must be used to establish each computer’s identity, agent, gateway server, and management server. This arrangement satisfies the requirement of Operations Manager for mutual authentication.
To monitor computers that lie outside the trust boundary of a management server without the use of a gateway server, you need to install and manually maintain certificates on the management servers and the computers to be monitored. When this configuration is used instead of using a gateway server, additional ports must be opened for agent-to-management server communication.
- Request and Install Certificate.
- Approve Gateway on Management Server.
- Install Gateway Server.
Request and Install Certificate.
For agents connecting to Gateway servers, a certificate must be installed on agent, Gateway Server and Management Server.
- First Request certificates for any computer in the agent, gateway server, management server chain.
- Import those certificates into the target computers by using the MOMCertImport.exe tool.
MOMCertImport.exe tool can be found in support folder for SCOM Installation folder.
Approve Gateway on Management Server.
Then you also need to approve the Gateway server, before installing the Gateway server.
To do this you will need Microsoft.EnterpriseManagement.GatewayApprovalTool.exe, which is again found in %SCOMInstallDirectory%\Server\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
If not found, copy it from %SCOMInstallDirectory\ SupportTools\AMD64\ Microsoft.EnterpriseManagement.GatewayApprovalTool.exe” to %SCOMInstallDirectory%\Server\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
At the command prompt, run Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
If the approval is successful, you will see The approval of server <GatewayFQDN> completed successfully
Now you have the Certificates installed on Gateway Server and approved on Management Server, you can install the Gateway server
Install Gateway Server.
Install Gateway Server via command line
msiexec.exe /i MOMGateway.msi /qn /l*v %TEMP%\GatewayInstall.log ADDLOCAL=MOMGateway MANAGEMENT_GROUP=%ManagementGroupName% IS_ROOT_HEALTH_SERVER=0 ROOT_MANAGEMENT_SERVER_AD=%FirstManagementServerFQDN% ROOT_MANAGEMENT_SERVER_DNS=%FirstManagementServerFQDN% ACTIONS_USE_COMPUTER_ACCOUNT=1 ROOT_MANAGEMENT_SERVER_PORT=5723 AcceptEndUserLicenseAgreement=1
Install Gateway Server via GUI
In the Operations Manager installation media, start Setup.exe.
In the Install area, click the Gateway management server link
On the Welcome screen, click Next.
On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next
On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next. This port can be changed if you have enabled a different port for management server communication in the Operations console
On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.
On the Microsoft Update page, optionally indicate if you want to use Microsoft Update, and then click Next.
On the Ready to Install page, click Install
On the Completing page, click Finish