When deploying SCOM agents in an environment, there is an 'Agent Proxy' setting that is disabled by default on all newly installed agents titled:
'Allow this agent to act as a proxy and discover managed objects on other computers'
If you install an agent onto for example, an Active Directory, SQL or Exchange server and leave this setting disabled, then SCOM will detect the agent as only being of the 'Windows Server' class and will not allow discovery of Active Directory, Exchange or SQL roles and attributes.
This setting is disabled by default as there is a potential risk associated by allowing an agent to discover external managed objects.
When installing a new SCOM solution, I tend to deploy agents to all of the servers that I know will need this setting switched on first (Exchange, AD, SQL, Hyper-V etc.). I then run a powershell command that turns this setting on for all of these agents in one quick swoop!!
Once all of the agents that I want to have this enabled on have it enabled, then I install the remaining Windows agents and leave the setting as its default of 'disabled'.
Here's how to do it:
Go to the 'Security' tab within the newly installed agent from the SCOM Administration console tab and check to see if the settings is disabled as below
Open up the 'Operations Manager' shell from a SCOM Management Server with administrative permissions as below:
When you have the Operations Manager Shell window opened as above, copy the script below into it and hit 'Enter'
## Enable Agent Proxy for all agents where it is disabled
$NoProxy = get-agent | where {$_.ProxyingEnabled -match "false"}
$NoProxy|foreach {$_.ProxyingEnabled = $true}
$NoProxy|foreach {$_.ApplyChanges()}Updated 5th May 2012: The script above will only work on SCOM 2007 R1/R2 and not SCOM 2012. See below for the SCOM 2012 equivalent:
## Enable Agent Proxy for all agents where it is disabled
$NoProxy = get-scomagent | where {$_.ProxyingEnabled -match "false"}
$NoProxy|foreach {$_.ProxyingEnabled = $true}
$NoProxy|foreach {$_.ApplyChanges()}
$NoProxy = get-scomagent | where {$_.ProxyingEnabled -match "false"}
$NoProxy|foreach {$_.ProxyingEnabled = $true}
$NoProxy|foreach {$_.ApplyChanges()}
Updated (again!) 24th August 2012 - My good buddy Bob Cornelissen (fellow co-author of Mastering System Center 2012 Operations Manager and SCOM/OpsMgr ninja warrior) has just posted an even easier one-liner PowerShell command to enable agent proxy for all of your machines. Check out his post here and see his script below:
Get-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy
Once you have run the script above in the Operations Manager Shell window, go back to the 'Agents' window and open up your agents 'Security' tab again. You should now see that all agents present when you ran the powershell command have changed their 'Agent Proxy' setting to enabled!!
Get-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy
Once you have run the script above in the Operations Manager Shell window, go back to the 'Agents' window and open up your agents 'Security' tab again. You should now see that all agents present when you ran the powershell command have changed their 'Agent Proxy' setting to enabled!!
Easy!!
Keep in mind that this is just a simple powershell script that will enable the setting for all agents so if you want to specifically enable just a small amount and not the whole lot of them, then this isn't the script for you!!
Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.
ReplyDeleteHi Kevin, for the 2012 version you could try:
ReplyDeleteGet-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy
described here:
http://www.bictt.com/blogs/bictt.php/2012/08/24/scom-2012-enable-agent-proxy
Good luck mate!
Even though the book's been finished, you're still editing my writing ;)
DeleteThanks mate, I've updated the post to include your (better) PoSh script!
Kev
Hello Kevin,
ReplyDeleteIn my side, I've play with the Management Group default settings ! This also set by default the agent proxying for all installed agents and also for all new agent ! :)
Do you have a reason to not use this way ?
you 'll find my explanation here : http://tetris38.blogspot.fr/2012/02/opsmgr-2007-play-with-defaults-settings.html
Once connected to your management group in Operation Manager shell
C:PS>set-defaultsetting '-name HealthServiceProxyingEnabled ' -value True
Regards
Tristan
I prefer the method from Tristan.
ReplyDeleteThat way you will never have to worry about enabling proxying again.
Any concerns about this method?
Might be a matter of context. I would not go for set-defaultsettings in, for example, a scaled-out Orchestrator environment.
ReplyDeleteThanks for this post Kevin,
ReplyDeleteWe have thousands of agents in our environment and we can’t enable all of them by default as it will pose a security risk. Would you know how to check if an agent needs proxy enabled? A script that checks if there’s 3rd party software is installed?
I would like to use your one liner to enable those agents.
Thanks
Hi there and thanks for the comment!
DeleteIf you want to control which agents get the Proxy setting and which ones don't in a nice easy manner, then check out the updated SCOM tools by Boris and Daniele here: http://blogs.msdn.com/b/dmuscett/archive/2012/02/19/boris-s-tools-updated.aspx
The Proxy Settings one is what you need.
Hope this helps,
Kevin.
I just had the thought to simplify this via powershell, and it appears I'm 2 years late. Thank you for saving me sometime!
ReplyDeleteThanks, the one-liner worked a treat :-)
ReplyDelete