Wednesday, January 4, 2012

SCOM - Enable Agent Proxy Setting for all Installed Agents

This is a quick post and mostly for my own reference but some people may find it interesting or useful.

When deploying SCOM agents in an environment, there is an 'Agent Proxy' setting that is disabled by default on all newly installed agents titled:


'Allow this agent to act as a proxy and discover managed objects on other computers'


If you install an agent onto for example, an Active Directory, SQL or Exchange server and leave this setting disabled, then SCOM will detect the agent as only being of the 'Windows Server' class and will not allow discovery of Active Directory, Exchange or SQL roles and attributes.

This setting is disabled by default as there is a potential risk associated by allowing an agent to discover external managed objects.

When installing a new SCOM solution, I tend to deploy agents to all of the servers that I know will need this setting switched on first (Exchange, AD, SQL, Hyper-V etc.). I then run a powershell command that turns this setting on for all of these agents in one quick swoop!!

Once all of the agents that I want to have this enabled on have it enabled, then I install the remaining Windows agents and leave the setting as its default of 'disabled'.

Here's how to do it:

Go to the 'Security' tab within the newly installed agent from the SCOM Administration console tab and check to see if the settings is disabled as below


Open up the 'Operations Manager' shell from a SCOM Management Server with administrative permissions as below:



When you have the Operations Manager Shell window opened as above, copy the script below into it and hit 'Enter'


## Enable Agent Proxy for all agents where it is disabled
$NoProxy = get-agent | where {$_.ProxyingEnabled -match "false"}
$NoProxy|foreach {$_.ProxyingEnabled = $true}
$NoProxy|foreach {$_.ApplyChanges()}

Updated 5th May 2012: The script above will only work on SCOM 2007 R1/R2 and not SCOM 2012. See below for the SCOM 2012 equivalent:


## Enable Agent Proxy for all agents where it is disabled
$NoProxy = get-scomagent | where {$_.ProxyingEnabled -match "false"}
$NoProxy|foreach {$_.ProxyingEnabled = $true}
$NoProxy|foreach {$_.ApplyChanges()}

Updated (again!) 24th August 2012 - My good buddy Bob Cornelissen (fellow co-author of Mastering System Center 2012 Operations Manager and SCOM/OpsMgr ninja warrior) has just posted an even easier one-liner PowerShell command to enable agent proxy for all of your machines. Check out his post here and see his script below:

Get-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy

Once you have run the script above in the Operations Manager Shell window, go back to the 'Agents' window and open up your agents 'Security' tab again. You should now see that all agents present when you ran the powershell command have changed their 'Agent Proxy' setting to enabled!!


Easy!!

Keep in mind that this is just a simple powershell script that will enable the setting for all agents so if you want to specifically enable just a small amount and not the whole lot of them, then this isn't the script for you!!

10 comments:

  1. Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

    ReplyDelete
  2. Hi Kevin, for the 2012 version you could try:
    Get-SCOMAgent | where {$_.ProxyingEnabled.Value -eq $False} | Enable-SCOMAgentProxy
    described here:
    http://www.bictt.com/blogs/bictt.php/2012/08/24/scom-2012-enable-agent-proxy
    Good luck mate!

    ReplyDelete
    Replies
    1. Even though the book's been finished, you're still editing my writing ;)

      Thanks mate, I've updated the post to include your (better) PoSh script!

      Kev

      Delete
  3. Hello Kevin,
    In my side, I've play with the Management Group default settings ! This also set by default the agent proxying for all installed agents and also for all new agent ! :)
    Do you have a reason to not use this way ?


    you 'll find my explanation here : http://tetris38.blogspot.fr/2012/02/opsmgr-2007-play-with-defaults-settings.html


    Once connected to your management group in Operation Manager shell
    C:PS>set-defaultsetting '-name HealthServiceProxyingEnabled ' -value True

    Regards
    Tristan

    ReplyDelete
  4. I prefer the method from Tristan.

    That way you will never have to worry about enabling proxying again.

    Any concerns about this method?

    ReplyDelete
  5. Might be a matter of context. I would not go for set-defaultsettings in, for example, a scaled-out Orchestrator environment.

    ReplyDelete
  6. Thanks for this post Kevin,

    We have thousands of agents in our environment and we can’t enable all of them by default as it will pose a security risk. Would you know how to check if an agent needs proxy enabled? A script that checks if there’s 3rd party software is installed?

    I would like to use your one liner to enable those agents.

    Thanks

    ReplyDelete
    Replies
    1. Hi there and thanks for the comment!

      If you want to control which agents get the Proxy setting and which ones don't in a nice easy manner, then check out the updated SCOM tools by Boris and Daniele here: http://blogs.msdn.com/b/dmuscett/archive/2012/02/19/boris-s-tools-updated.aspx

      The Proxy Settings one is what you need.

      Hope this helps,

      Kevin.

      Delete
  7. I just had the thought to simplify this via powershell, and it appears I'm 2 years late. Thank you for saving me sometime!

    ReplyDelete
  8. Thanks, the one-liner worked a treat :-)

    ReplyDelete