locked
Management Pack Download through Proxy Server RRS feed

  • Question

  • Hi.
    When trying to download management packs via the SCOM R2 console - I get an error (Operations Manager cannot connect to the Web Service). I have done a packet capture on our Proxy Server and it is showing outbound http requests to the Microsoft download sites from the console are being denied due to proxy authentication (our proxy only allows domain users access to the Internet). Is there a way to provide windows authentication credentials to the SCOM console to allow it to download management packs from the Internet?
    Monday, January 11, 2010 10:49 PM

Answers

  • Hi John.

    Thanks for your reply.
    As you suggested, I tried adding the computer account running the OpsMgr console  to the Domain Users group, but did not solve the problem. Unfortunately the packet captures dont seem to have the security context of the outbound traffic from the OpsMgr console machine. I'm no network expert, but it seems there is no authentication data in the packets.
    I can change the proxy server rules to allow outbound traffic to the multiple sites that the Management Pack download connects to for the IP address of the OpsMgr console machine.
    This works, but is not my ideal solution.
    I can also work around the issue by using another proxy server that doesn't expect domain user authentication, so I won't waste too much time on this issue, but would have preferred to be able to set the account OpsMgr console uses to access the proxy server somehere in the OpsMgr R2 configuration settings.

    Best Regards.

    GG



     
    Wednesday, January 13, 2010 11:42 PM

All replies

  • Hi GG_Aus:

    If I understand your situation, the proxy server does not see the outbound traffic as coming from an account that is a member of the Domain Users group?

    The simplest solution would be to have the proxy server rules modified to allow the desired traffic. I would recommend you make that request of your firewall team if that is practical.

    If the proxy rules cannot be modified, perhaps you can get information from the proxy logs on what security context the denied traffic is being received. For example, if the outbound traffic is seen as coming from the SYSTEM (computer) account where the download task is occuring, that account could be added to the Domain Users group if security permits.

    Also, depending on the proxy server you are using, there might be 'firewall client' software you can run on the computer running the download task that will pass domain user credentials on behalf of other applications.

    Another thing that comes to mind to try is to configure IE on the computer with the necessary proxy settings, then run one of these two commands (depending on OS):

    Windows 2003: proxycfg -u
    Windows 2008: netsh winhttp import proxy ie

    These settings essentially push the current user proxy settings into the system's proxy settings, and can sometimes allow system processes which are not otherwise proxy-aware to find the proxy server.

    John Joyner
    MVP-OM


    Tuesday, January 12, 2010 5:20 PM
  • Hi John.

    Thanks for your reply.
    As you suggested, I tried adding the computer account running the OpsMgr console  to the Domain Users group, but did not solve the problem. Unfortunately the packet captures dont seem to have the security context of the outbound traffic from the OpsMgr console machine. I'm no network expert, but it seems there is no authentication data in the packets.
    I can change the proxy server rules to allow outbound traffic to the multiple sites that the Management Pack download connects to for the IP address of the OpsMgr console machine.
    This works, but is not my ideal solution.
    I can also work around the issue by using another proxy server that doesn't expect domain user authentication, so I won't waste too much time on this issue, but would have preferred to be able to set the account OpsMgr console uses to access the proxy server somehere in the OpsMgr R2 configuration settings.

    Best Regards.

    GG



     
    Wednesday, January 13, 2010 11:42 PM