Cannot Connect Server in DMZ zone to Management Server via Gateway

  • Question

  • Hi All,

    For weeks I have been attempting to connect a server in my DMZ zone (untrusted) to our Operations Manager in our Datacenter.  I have an Operations Manager Gateway in the middle.  The Operations Manager Gateway and Operations Manager are connected fine.  The Gateway is shown in Management Servers as "Healthy".

    The server to be managed is running Windows Server 2016 Standard; the Operations Manager Gateway OS is Windows Server 2019 Standard; Operations Manager (2016) runs on Windows Server 2016.

    The Operations Manager Gateway is in the DMZ zone, which does not have a domain.  After creating certificates and opening ports accordingly, I got the Operations Manager Gateway and the Operations Manager Server to see each other as stated above.  I then created a certificate for another server (to be monitored) that resides in the DMZ zone (also untrusted).  I have implemented the certificate according to procedure.

    For RunAs Account, I have gone under the RunAs Profiles, modified "Default Action Account" and assured the Operations Manager Gateway server used "Local System Action" as Run As account.

    I first attempted discovery from the Operations Manager Server, pointing at the Operations Manager Gateway server and using "local system account".  I do see, via Wireshark, activity shortly afterwards while the Discovery Wizard is running.  After negotiation on port 445, the connection is ended with a [RST, ACK].  In the event viewer on the Operations Manager Gateway, I see Event ID 11551 "Computer verification failure for Machine Name: xxx is 0X800706BA.  The RPC server is unavailable."  On the server I want to connect to Operations Manager, I have Event ID 21007 "The OpsMgr Connector cannot create a mutually authenticated connection to xxxx because it is not in a trusted domain."

    I believe the certificate is fine as I created it the same way I have done with the Gateway and MS connection.  But, I now am not too sure.

    Other info - I have opened all ports between the two servers in the DMZ zone and also have temporarily disabled firewall.  I have been busy looking at most of the things on the internet relating to this matter and I am a little frustrated that I cannot figure it out.

    Any ideas/help/advice?

    Monday, July 1, 2019 12:31 PM

Answers

  • Hello,

    Here event ID 21007 on the workgroup server is showing it is using Kerberos authentication rather than certificates to communicate with the GTW server.

    I would suggest you manually install the SCOM agent on the workgroup server, providing the GTW server as the reporting management server. After that, run momcertimport on the workgroup server, then check that you get event ID 20053 in the Operations Manager event log on the workgroup server for a successful import of the certificate, and then restart the SCOM service on the workgroup server.

    Now your workgroup server should start talking to your GTW server.

    Check below link as well-

    https://support.microsoft.com/en-us/help/947691/when-you-try-to-install-a-system-center-operations-manager-agent-on-a


    • Marked as answer by Blue Crescent Friday, July 5, 2019 11:07 AM
    Tuesday, July 2, 2019 3:54 PM
  • I got it working!!!! :-).  I found out the issue was with the certificates and the order in which to import the certs, as well as assuring the right chain cert was imported.  Also, I had to assure that the FQDN was in the local certificate and not the NetBIOS name.  After that, voilà!!!  Connectivity :-).

    Thanks all for your help and guidance :-)


    Friday, July 5, 2019 9:18 AM
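    As an added check covering both the procedure in the accepted answer (manual install, MOMCertImport, event 20053, service restart) and the findings in the resolution (FQDN in the subject, correct chain), here is an example script that is not from the thread or from Microsoft's tooling; run it in an elevated PowerShell on the DMZ (workgroup) server after MOMCertImport. It assumes the agent certificate sits in LocalMachine\My with its issuing chain already imported, and that MOMCertImport records the certificate's serial number byte-reversed in the ChannelCertificateSerialNumber value under the Machine Settings key (its documented behaviour, but not stated on this page).

```powershell
# Added example for this thread, not the poster's or Microsoft's code.
# Run elevated on the workgroup (DMZ) server after installing the agent and
# running MOMCertImport. Assumes the agent cert is in LocalMachine\My and the
# root/intermediate chain has been imported on this host as well.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Subject must carry the FQDN (not the NetBIOS name) and the private key must be present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with CN=$fqdn and a private key in LocalMachine\My."
    return
}

# 2. Both EKUs are required on the agent/gateway channel certificate.
$required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$present = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
foreach ($oid in $required.Keys) {
    if ($present -notcontains $oid) { Write-Warning "Missing EKU: $($required[$oid]) ($oid)" }
}

# 3. The chain must build to a trusted root; a missing intermediate surfaces here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # DMZ hosts often cannot reach the CRL
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)" }
}

# 4. Assumed MOMCertImport behaviour: serial number stored byte-reversed under Machine Settings.
#    A mismatch means the agent is still presenting a different certificate.
$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$stored = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if ($stored) {
    $storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
    $pairs = @(for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) { $cert.SerialNumber.Substring($i, 2) })
    [array]::Reverse($pairs)
    if ($storedHex -ne (-join $pairs)) { Write-Warning "Registry serial $storedHex does not match cert serial $($cert.SerialNumber) (reversed)." }
} else {
    Write-Warning "ChannelCertificateSerialNumber not set: run MOMCertImport, then Restart-Service HealthService."
}

# 5. 20053 = certificate imported OK; 21007 = connector fell back to Kerberos, so the cert is not in use.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053, 21007 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(100, $_.Message.Length)) } }
```

    A warning from step 1 or 3 corresponds to the two causes the original poster reported (NetBIOS name in the subject, wrong or missing chain certificate), while a recent 21007 with no 20053 indicates the import or the HealthService restart has not happened yet.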

All replies

  • Hi

    Couple suggestions:

    Have you tried manual installation?

    Make sure that the certificates are issued by the same trusted CA at both ends (your DMZ server and GW in this case).

    For RPC, check this to see that helps:

    Fixing RPC server unavailable

    HTH

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) Blog: AnalyticOps Insights Twitter: Sameer Mhaisekar

    Monday, July 1, 2019 4:41 PM
  • Hi,

    Thank you for your post and the detailed information provided.

    It is correct to put the gateway server in the same domain as the agents.
    Based on the description above, it seems the mutual authentication fails. Here's a step-by-step guide to configure the certificates and approve the gateway, we may check to see if our deployment is correct.

    DEPLOY AND CONFIGURE SCOM GATEWAY SERVER
    https://myitworld.azurewebsites.net/2015/07/27/deploy-configure-scom-gateway-server/

    Hope the above information helps.

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Tuesday, July 2, 2019 2:26 AM
  • Hi Sameer,

    I created the CAs with the same root certificate (chain) as the GW.  Yet, it still doesn't seem to work.  I think it could be somewhere in the certificate.  Maybe something with how to name the CN?  I will try to do this again from scratch.  Maybe I will remove the chain cert and the certificate from the server that tries to connect to the Operations Manager.  As I said before, the connection between the GW and the management server is fine.

    Thanks for your idea.  I will try and then update my thread here.

    Tuesday, July 2, 2019 6:58 AM
  • Hi Alex,

    The issue is that the DMZ zone is not actually in its own domain.  All the servers in our DMZ are individual servers in their own (generic) workgroup.  I will look at the link you sent and walk through the steps again.  The thing is, though, that my GW can see and talk with the Management server.  Therefore, the certificates between the two trust each other.

    Thanks again and I will update my post to let you know how it goes.

    Tuesday, July 2, 2019 7:01 AM
  • 1. Check if there are incorrect DNS settings.
    2. Check if the time and time-zone settings of the machine are correct.
    3. Check if the "TCP/IP Helper" service is running.
    4. Check if the "Remote Registry" service is running.

    roger
    Tuesday, July 2, 2019 8:43 AM
  • Just to clarify one point :

    Agent push install doesn't rely at all on the certificates; they are only required afterwards, when the agent actually tries to communicate with the gateway.

    Actually you can't run momcertimport to validate the certificate if the agent is not previously installed, if I remember correctly.

    So if you are not able to push the agents, the issue is not with the certificates.

    • Edited by CyrAz Tuesday, July 2, 2019 1:22 PM
    Tuesday, July 2, 2019 1:21 PM