Thursday, April 21, 2011

Using Public Certificates With SCOM Part 2

In Part 1 of this series, I explained the basic options for bringing untrusted servers and clients into your SCOM monitoring environment and outlined a High Level Overview of the process required to use a 3rd Party Public Certificate Authority for SCOM authentication.

In this blog post, I will go into deeper detail around the steps required to get this working. If you are reading this and feel that at times I am explaining some of the steps at too basic a level, then apologies, but believe me when I say this: 'It is VERY easy to make a mistake in this process!'

Initial SCOM Server Configuration

  • Ensure that TCP Port 5723 is allowed from the DMZ / Untrusted Domain to both the RMS and MS servers
  • From the 'Administration' tab in the SCOM Console Wunderbar, select 'Settings', then 'Security', then select 'Review new manual agent installations in pending management' and click 'OK' (See Below)

Manual SCOM Agent Installation

Run the SCOM installer on each untrusted server or client and select 'Install Operations Manager 2007 R2 Agent' from the startup splash screen

Click 'Next' from the first window that pops up

Accept the default installation path and click 'Next' again

Ensure 'Specify Management Group information' is selected, then click 'Next' again

In this next window, it is VERY important that you get the information correct. You must enter your SCOM Management Group Name, Management Server name and Management Server Port number. The key here is to ensure that you enter the FQDN of your Management Server and not just the NETBIOS name.

Leave 'Local System' selected in the next window, then click 'Next'

From the next window, verify that all of your settings are correct, and then select 'Install'

Finally, when the wizard is completed, click on 'Finish' to close the Agent installation.

This completes the manual SCOM agent installation onto your DMZ / untrusted based servers and clients.
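As an added example (not from the original post), the PowerShell script below runs the two checks the wizard depends on before the manual install, namely that the management server name given is an FQDN that resolves from the untrusted host and that TCP 5723 is reachable through the DMZ firewall, and then performs the same install unattended using the documented MOMAgent.msi command-line properties with the wizard's choices (manually specified management group, FQDN of the management server, port 5723, Local System as the action account). The management group name, the management server FQDN and the MSI path are placeholders; the post-install check simply lists any OpsMgr Connector events 20070 or 20016 from the agent's Operations Manager event log, the two IDs raised in the comments, since an agent that does not show up under Pending Management usually logs one of them.

```powershell
<#
  Added example (not from the original post): pre-flight checks for a manual
  SCOM 2007 R2 agent install on an untrusted / DMZ host, followed by an
  unattended install using the documented MOMAgent.msi command-line properties.
  Assumed placeholders: the management group name, the management server FQDN
  and the path to MOMAgent.msi. Run from an elevated PowerShell prompt on the agent host.
#>
param(
    [string]$ManagementGroup  = 'MG_PLACEHOLDER',           # assumed: your SCOM management group name
    [string]$ManagementServer = 'scom-ms01.corp.example',   # assumed: must be the FQDN, not the NetBIOS name
    [int]   $Port             = 5723,
    [string]$AgentMsi         = 'C:\Temp\MOMAgent.msi',     # assumed: local copy of the agent MSI
    [switch]$Install                                         # without -Install, only the checks run
)

function Test-ScomAgentPrereqs {
    param([string]$Server, [int]$TcpPort)
    $ok = $true

    # The post stresses FQDN over NetBIOS: with certificate authentication the name the
    # agent connects to has to match the name the management server's certificate was issued for.
    if ($Server -notmatch '\.') {
        Write-Warning "'$Server' has no domain suffix; enter the management server's FQDN."
        $ok = $false
    }

    # Name resolution: an untrusted host has no AD to fall back on, so DNS (or a hosts entry) must work.
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($Server) | Select-Object -First 1).IPAddressToString
        Write-Host "Resolved $Server to $ip"
    } catch {
        Write-Warning "Cannot resolve $Server from this host: $($_.Exception.Message)"
        return $false
    }

    # TCP 5723 from the DMZ to the RMS / MS is the only firewall rule the post requires.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Server, $TcpPort, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne(5000, $false)) {
            $client.EndConnect($handle)
            Write-Host "TCP ${Server}:$TcpPort is reachable."
        } else {
            Write-Warning "No TCP connection to ${Server}:$TcpPort within 5 s; check the DMZ firewall rule."
            $ok = $false
        }
    } catch {
        Write-Warning "Connection to ${Server}:$TcpPort failed: $($_.Exception.Message)"
        $ok = $false
    } finally {
        $client.Close()
    }
    return $ok
}

function Install-ScomAgentManually {
    param([string]$Msi, [string]$Group, [string]$Server, [int]$TcpPort)
    # Same choices as the wizard: manually specified settings, management group name,
    # FQDN of the management server, port 5723 and Local System as the action account.
    $log = Join-Path $env:TEMP 'MOMAgent-install.log'
    $msiArgs = @(
        '/i', "`"$Msi`"", '/qn', '/l*v', "`"$log`"",
        'USE_SETTINGS_FROM_AD=0',
        'USE_MANUALLY_SPECIFIED_SETTINGS=1',
        "MANAGEMENT_GROUP=$Group",
        "MANAGEMENT_SERVER_DNS=$Server",
        "SECURE_PORT=$TcpPort",
        'ACTIONS_USE_COMPUTER_ACCOUNT=1'
    )
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    Write-Host "msiexec exited with $($proc.ExitCode); verbose log at $log"
    return $proc.ExitCode
}

function Get-ScomConnectorProblems {
    # After install the agent should appear under Pending Management on the console
    # (because 'Review new manual agent installations' was enabled). If it does not,
    # the OpsMgr Connector events 20070 / 20016 mentioned in the comments are the first place to look.
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { 20070, 20016 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

if (Test-ScomAgentPrereqs -Server $ManagementServer -TcpPort $Port) {
    if ($Install) {
        $rc = Install-ScomAgentManually -Msi $AgentMsi -Group $ManagementGroup -Server $ManagementServer -TcpPort $Port
        if ($rc -eq 0) { Get-ScomConnectorProblems }
    }
} else {
    Write-Warning 'Fix the failed checks before running the agent installer.'
}
```

Running the script without `-Install` only performs the checks, which is the safer way to confirm the firewall rule and the FQDN before touching the host; once an agent has checked in, it still has to be approved in Pending Management on the console, exactly as the wizard-installed agents do.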

In part 3 of this series, I will demonstrate how to build a certificate template to create and approve the Public 3rd Party certificate using the 'CertReq.exe' utility and to then bring the new agent into your SCOM Management Console.


  1. Hi,

    When I am installing agents in an untrusted domain on these servers by using a gateway server, which information is necessary for the manual agent installation?
    When I am installing the agents, in the field 'Management Server' (Picture 6), which one is necessary here: the gateway server or the RMS?
    Thanks for an answer

  2. Hi Rob,

    Thanks for the comments!

    In relation to your query, in the 6th picture down on the above post, the entry for 'Management Server' refers to the SCOM Management server that you will have this manual agent installation pointing to.

    This can be the RMS, a standard Management Server or even a Gateway server.

    Hope this helps!


  3. Thanks ...
    I will try it next week when the certificates are implemented.
    By the way, after using GatewayApprovalTool I found a checkbox "using gateway server as proxy agent" --> so autodiscover in the untrusted domain is also possible like in the RMS domain??
    I can't try it in a test lab so the answer is very helpful.

  4. Hi again Rob,

    Autodiscover in the untrusted domain is the same as in the main domain / SCOM management group. When you install a Gateway server, it is effectively a SCOM management server that agents report to, so it has all of the functionality of another standard Management server (with the exception of the RMS of course!).


  5. Hi Kevin,

    I am new to SCOM, hope you would help me out. We have to do a SCOM gateway installation in an untrusted domain. We have two forests without any trust between them. So we have decided to install the SCOM gateway using an internal certificate authority. The SCOM gateway appears fine on the management server. We install the SCOM agent manually on servers in the untrusted domain. During installation we selected the Gateway server as Management server with default port 5723. We are getting event IDs 20070 and 20016 in the event viewer on the server which has the SCOM agent installed.
    I don't know where to look at it. I believe communication between the SCOM gateway and SCOM agent is Kerberos.

    1. Hi Vikas,

      Ensure that you are using the correct certificate between the SCOM management server and the SCOM gateway server firstly.

      You say that you install the SCOM agent manually in the untrusted domain and then select the Gateway server as their management server. If this is the case, then that's what your problem is.

      In situations where you have a Gateway server deployed, you shouldn't have to manually install the agents in the untrusted domain. Instead, once communication between the Gateway and the Management Server has been configured, you can simply use the Discovery Wizard from the Gateway server to automatically 'push' the agent installation out to your untrusted domain computers.

      Try this and I'm sure you will get up and running in no time :)