Here are the links to the other posts in this series:
Using Internal Certificates with SCOM on Windows Server 2008 Part 1
Using Internal Certificates with SCOM on Windows Server 2008 Part 2
Using Internal Certificates with SCOM on Windows Server 2008 Part 3
In this post I will detail how to manually install the SCOM agent, update it to the latest Cumulative Update 5 (CU5), and then how to import the certificate into SCOM for PKI authentication of your untrusted domain / DMZ or SCOM Gateway server.
To manually install the SCOM agent onto an untrusted domain / DMZ server
Firstly, you need to ensure that you can ping the SCOM Management Server by its FQDN from the untrusted domain / DMZ or SCOM Gateway server, and that you can also ping the untrusted domain / DMZ or SCOM Gateway server by FQDN from the SCOM Management Server. You may need to add static host entries on the local computers to achieve this, but it is imperative that this step is complete before moving on to the next steps.
You will also need to ensure that traffic is allowed over the relevant ports as per Microsoft Documentation (particularly TCP port 5723) - see link:
Once communication between the SCOM Management Servers and the untrusted domain / DMZ or SCOM Gateway server has been established, go to the ‘Administration’ tab on the SCOM Management Server and select ‘Settings’ on the left hand side of the screen. From here, double click the ‘Security’ option in the middle of the screen to open the ‘Global Management Server Settings – Security’ window shown below.
In the ‘Global Management Server Settings – Security’ window that opens, select ‘Review new manual agent installations in pending management’ and then decide whether or not you want SCOM to ‘Automatically approve new manually installed agents’.
If you leave the ‘Automatically approve new manually installed agents’ tick box unchecked, you will need to go to the ‘Pending Management’ queue after each agent is manually installed and approve it before it is monitored within your SCOM environment.
Once you have decided on your manual agent installation policy, log on to the computer in the untrusted domain / DMZ that you want SCOM to monitor with an account that is a member of the ‘Local Administrators’ group.
The SCOM agent needs to be manually installed on the server/computer that you wish to monitor before you can import the certificate into SCOM. To install the SCOM agent, create a folder on the C drive of the server to be monitored called something like ‘SCOM Agent Files’ and ensure you have copied the SCOM Agent installation folder from the original SCOM installation media here.
You will also need to copy the SCOM Agent update folder from the latest Cumulative Update version 5 (CU5) download to the server as the original SCOM agent installation will need to be upgraded to CU5 before you bring it into SCOM. Finally, you will need to copy the ‘Support Files’ folder from the original SCOM media to the ‘SCOM Agent Files’ folder that you created from the previous paragraph as this folder contains the ‘MOMCertImport.exe’ utility that is needed to import the certificate once the agent has been manually installed and updated to CU5.
See the screen below for an example of the folders needed to be copied:
Once the folders above have been copied to the local C:\ drive of the untrusted domain / DMZ server that you want to bring into SCOM, then open up a command prompt with Administrative privileges to continue.
Using the command line, browse to the AMD64 folder within the original SCOM installation ‘Agent’ folder (or the i386 folder if you are installing onto a 32-bit OS) and run the ‘MOMAgent.msi’ installer to begin the installation.
Click ‘Next’ from the screen below to start the Agent installation wizard
Leave the default install location as it is and click ‘Next’
Ensure ‘Specify Management Group Information’ is selected, then click ‘Next’
Fill out the fields in the following screen with information relevant to your SCOM installation
Leave ‘Local System’ selected and then click ‘Next’
Click on the ‘Install’ button from the final screen to install the SCOM agent from the original installation media.
When the agent installation is completed, you should see the screen below
Once the original SCOM media agent installation is complete, open up a command prompt again with Administrative privileges and browse to the location that contains the CU5 Agent installation files
Run the ‘KB2495674-x64-Agent.msp’ file to begin the upgrade of the agent to CU5
Once complete, you should see the following window again
That completes the installation of the SCOM agent and the upgrade of the original SCOM agent to CU5. All that's left to do now is to import the certificate that was issued by the internal Certificate Authority to the untrusted domain / DMZ or SCOM Gateway server into SCOM using the 'MOMCertImport.exe' utility.
Importing certificates using the 'MOMCertImport.exe' utility
If you have been following this blog series through to this point, you should now have the following implemented on your untrusted domain, DMZ or SCOM Gateway server:
- CA Root certificate imported into ‘Trusted Root Certification Authorities’
- Certificate requested from CA using SCOM Certificate Template
- Requested certificate imported into the ‘Certificates – Local Computer’ store
- SCOM agent manually installed and updated to CU5
On the Windows desktop, click Start, and then click Run.
In the Run dialog box, type mmc, and then click OK.
In the Console1 window, click File, and then click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
Expand the ‘Personal’ folder and then expand the ‘Certificates’ sub-folder under here to see the certificate that we requested and imported previously as below
Now open up a command prompt with Administrative privileges and browse to the location that you have copied the ‘Support Tools’ folder from the original SCOM media.
Browse to the ‘MomCertImport.exe’ utility in either the AMD64 or i386 subfolder (depending on whether you are installing to a 64-bit or 32-bit machine) of the ‘Support Tools’ folder, as below.
Now add the /subjectname switch to the end of the ‘MOMCertImport.exe’ command and specify the full subject name of your imported certificate exactly as it is displayed back in the ‘Certificates – Local Computer\Personal\Certificates’ store.
If all is successful, then you should get the following message back
This should be all you need to do to get the untrusted domain / DMZ or SCOM Gateway server communicating with your SCOM Management Server using internal certificates. If there are any issues with the agent not becoming active within the ‘SCOM Agents’ window, make sure you don’t have the ‘Reject New Manual Agent Installations’ option selected within the SCOM ‘Administration’ tab (this was described earlier in this blog series).
If you have allowed manual installation of the SCOM agents through the security settings and have followed everything in these posts correctly but the agent still doesn’t become active in SCOM, then it is worth restarting the Health Service, first on the untrusted domain / DMZ server and then on the SCOM Management Server. This can sometimes be the final step needed to start the monitoring of your untrusted servers.
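The certificate import and the Health Service restart from the two sections above, with the checks a practitioner wants before running MOMCertImport: that the certificate in the Local Computer\Personal store has this machine’s FQDN as its subject, carries a private key and both Server and Client Authentication EKUs, and chains to the imported CA root. This is an added example and not code from the original post; it assumes the ‘Support Tools’ folder was copied under ‘C:\SCOM Agent Files’ as described.

```powershell
# Added example, not from the original post: verifies the imported certificate
# satisfies what SCOM expects before its subject is handed to MOMCertImport.exe,
# then restarts the Health Service (the post's last troubleshooting step).
# Assumption: 'Support Tools' was copied under C:\SCOM Agent Files as described.
$Arch       = if ([IntPtr]::Size -eq 8) { 'AMD64' } else { 'i386' }
$CertImport = "C:\SCOM Agent Files\Support Tools\$Arch\MOMCertImport.exe"

# The subject must be this machine's FQDN, i.e. the name the management server resolves.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$fqdn in Certificates - Local Computer\Personal" }

# It must carry a private key and both Server and Client Authentication EKUs;
# a web-server template that has only Server Authentication is the classic mistake.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import it with the key' }
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { throw "Certificate lacks EKU $oid (Server/Client Authentication)" }
}

# The chain must build up to the CA root imported into Trusted Root Certification Authorities.
# Trust path only here; CRL reachability from the DMZ is a separate check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw "Chain does not validate: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; ')"
}

# Hand MOMCertImport the subject name exactly as the store shows it (the FQDN).
& $CertImport /SubjectName $fqdn

# MOMCertImport records the chosen certificate's serial number here; an empty value
# means the import did not take, whatever the console printed.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serial  = (Get-ItemProperty $regPath).ChannelCertificateSerialNumber
if (-not $serial) { throw 'ChannelCertificateSerialNumber was not written by MOMCertImport' }

# Restart the Health Service so it picks up the certificate; repeat on the Management
# Server if the agent still does not go green.
Restart-Service HealthService
"Imported $($cert.Thumbprint) for $fqdn; Health Service is $((Get-Service HealthService).Status)"
```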