FCS dashboard not able to display non-domain computer

  • Question

  • Hi,

    I have followed the installation steps below for a non-domain computer, but I still can't see the computer details in the FCS dashboard.

    Steps:

    1. In the MOM Administrator console, expand the Administration node and select Global Settings.

    2. In the details pane, select Management Servers.

    3. Select the Agent Install tab, and then clear the Reject new manual agent installations check box.

    4. On the Administration pane, select Global Settings.

    5. On the Security tab, clear the Mutual Authentication Required field.

    6. Right-click the Management Pack folder, and click Commit Configuration Change.

    7. Stop and then start the MOM Service on all management servers in the management group.

    8. Install the FCS client with the /nomom parameter, i.e.: clientsetup.exe /NOMOM

    9. Create registry key.reg in the Forefront security server

    10. Deploy the policy (.reg) using fcslocalpolicytool.exe

        Command as below:

        fcslocalpolicytool.exe /i policyname.reg

    11. Restart the Forefront security services

     

    Your advice is highly appreciated.

     

    Regards,

    Jin

    Thursday, September 16, 2010 7:30 AM

Answers

  • Hi Jin,

     

    Thank you for the post.

     

    For the non-domain computer, you can deploy a policy to a file and apply that policy to the client using Fcslocalpolicytool. Since MOM uses Mutual Authentication to verify the client computer, this client cannot report event data back to the collection server. So you cannot get reporting data and manage data via the FCS Dashboard. If you disable Mutual Authentication, then an unauthenticated client can send data to the server as well as an unauthenticated server can communicate with clients.

     

    Regards,


    Nick Gu - MSFT
    • Marked as answer by Nick Gu - MSFT Tuesday, September 21, 2010 2:45 AM
    Tuesday, September 21, 2010 2:45 AM

All replies

  • Hi!

    First, let me say that turning off mutual authentication is not a supported configuration.

    You still need the MOM agent on the computer for it to report to the MOM server. By running clientsetup.exe /NOMOM, you are not installing the MOM agent.

    Run fcslocalpolicytool.exe /i policyname.reg first and then run clientsetup.exe (without /nomom).

    /Johan


    MCSE, forefront spec | www.msforefront.com
    • Proposed as answer by Nick Gu - MSFT Tuesday, September 21, 2010 2:32 AM
    Thursday, September 16, 2010 9:54 PM
  • Hi Johan,

    Thanks for your reply.

    I have followed your steps, which are:

    1) Run fcslocalpolicytool.exe /i policyname.reg

    2) Run clientsetup.exe (without /nomom)

    But I still can't see the agent reported to the FCS dashboard. Are there any steps which need to be done on the FCS dashboard server (MOM server)?

    ** FYI, I can ping the FCS and MOM server from the client machine; both the client machine and the FCS server sit on the same subnet, with no firewall in between. I have no problem getting the Forefront definition updates from the WSUS server.

    ** WSUS server, MOM server and FCS dashboard server all sit on the same set of servers.

     

     

    Thanks.


    Regards,

    Jin

    Friday, September 17, 2010 7:01 AM
  • Hello!

     

    Do you see any errors in the event log on the client?

    If you open the MOM admin console, do you have any computers under the "pending actions" node?

    /Johan 


    MCSE, forefront spec | www.msforefront.com
    Sunday, September 19, 2010 8:05 PM
  • Hi Johan,

     

    Thanks again for your reply.

     

    The error message I found on my client PC after the clientsetup.exe command is:

    "The agent is configured to require Mutual Authentication, but the MOM Server host/BACKUPSVR is not in a trusted domain.  Until the agent and/or server is reconfigured the agent will not be able to talk to the MOM Server.  To reconfigure the MOM Agent, re-run setup and disable mutual authentication.  To reconfigure the MOM Server, disable mutual authentication, commit configuration changes, and restart all MOM Servers in the management group."

    How do I configure the agent for "Do Not require Mutual Authentication"? I believe I have done all the necessary parts on the MOM server side.

     

    *** I don't see any computers under the "pending action" node.

    Thanks.

     

    Regards,

    Jin

    Monday, September 20, 2010 8:53 AM
  • Hi!

     

    I'm jetting off to a meeting but found this article... see if you can find anything useful.

    http://support.microsoft.com/kb/904866

    I'll check in later.

    /Johan


    MCSE, forefront spec | www.msforefront.com
    Monday, September 20, 2010 2:14 PM
  • Hi Johan,

     

    Thanks for your reply. Really appreciate your feedback on this.

     

    Regards,

    Jin

    Tuesday, September 21, 2010 2:58 AM