Forgot to include some detail:
- Enterprise CA is Server 2008 Std
- Unmanaged host is Server 2008 R2
- SCOM Management servers are 2012 R2
From: [email protected] [mailto:[email protected]] On Behalf Of Orlebeck, Geoffrey
Sent: Thursday, June 04, 2015 9:55 AM
To: '[email protected]'
Subject: [msmom] RE: Manual Agent Install Port Requirements (DMZ)

Turns out I was way off base on this anyway, as these servers are not domain joined, so we have to use certificate authentication. This is the first time I'm trying to set it up, but it's not working. I have tried following various guides:

Create Template: http://thoughtsonopsmgr.blogspot.com/2010/04/enterprise-ca-how-to-create-scom.html
Full Process: http://www.toolzz.com/?p=224

After the above didn't work (multiple tries, recreating templates and certs and all), I then found this and checked each of these bullet points (specifically cert S/N and registry entries): http://stefanroth.net/2012/12/13/scom-agent-in-dmz-not-monitored-event-id-20071/

Still no luck, even modified TLS settings in IE and registry per another link I cannot find at the moment. After everything, I'm no closer to getting this to work, or knowing where it is breaking. Is there something I am missing?

1. I can ping from the unmanaged host to my SCOM servers.
2. I can telnet on 5723 from unmanaged host to SCOM servers.
3. From our CA I created a SCOM certificate template. This was a duplicate of the "IPSec (Offline request)" template with changes made per the above links.
4. Downloaded/imported root CA onto unmanaged host (root CA already present on management server).
5. Used newly created template to create/download cert containing FQDN of unmanaged host.
6. Installed newly created cert into the "Personal" store in the Local Computer certificate store on the unmanaged host.
7. Installed cert from #5 into SCOM Management Server "Personal" local computer store.
8. Installed agent onto unmanaged host.
9. Ran MOMCertImport on unmanaged host and SCOM management server; both report successful results.
10. Verified unmanaged host has proper cert serial# (registry entry and cert S/N match).
11. Immediately after MOMCertImport on unmanaged host, two errors appear in the OpsMgr Event Log:
    a. ID 20071 - Agent connected to SCOM management server but connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
       i. **Checked the management server, there are no related errors appearing**
    b. ID 21016 - Unable to set up a communications channel with management server and there are no failover hosts.

I read someone mention using the "Computer" cert template instead of "IPSec (Offline request)", but every other guide I found (4 or 5 different guides) all use the "IPSec (Offline request)" template.

If anyone has any other helpful things to check, or a deeper dive to figure out exactly where the failure (root CA vs SCOM cert) is occurring or how to check, I would greatly appreciate a little help over this wall. Thank you!

Thanks,
Geoff

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Holman
Sent: Wednesday, June 03, 2015 12:18 PM
To: [email protected]
Subject: [msmom] RE: Manual Agent Install Port Requirements (DMZ)

Doh! That should say 5723 TCP

From: Kevin Holman
Sent: Wednesday, June 3, 2015 2:17 PM
To: '[email protected]'
Subject: RE: Manual Agent Install Port Requirements (DMZ)

Only 5732 TCP is required for minimum management. ICMP is required from MS to Agent if you want reliable "computer down" monitoring.

Connectivity direction is FROM agent TO MS initially. Check that name resolution works (ping) from agent to MS.

Check certificates to make sure they are both working - the SCOM event log on the agent is the BEST verbose log to look for errors/root cause.

From: [email protected] [mailto:[email protected]] On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, June 3, 2015 2:07 PM
To: '[email protected]'
Subject: [msmom] Manual Agent Install Port Requirements (DMZ)

All:

I am trying to manually install the SCOM 2012 agent on a couple of servers in our DMZ. We are allowing TCP 5723 inbound/outbound between the hosts and the SCOM management servers. However, after manually installing, they do not show up under Pending Management. I triple checked that the Management Group name is spelled correctly across the 3 servers, as well as their having the necessary info to discover the management servers (host records, etc.). However, the agents do not appear under Pending Management. I referenced Microsoft's TechNet article and found the following:

Scenario                                    Service                            Port(s)                             Firewall
Agent, manual installation of MOMAgent.msi  System Center Management service   5723/TCP                            Windows Firewall
Agent, push installation                    System Center Management service   5723/TCP                            Windows Firewall
                                            File and Print Sharing             137/UDP, 138/UDP, 139/TCP, 445/TCP  Windows Firewall
                                            Remote Administration              135/TCP, 445/TCP                    Windows Firewall

I just want 100% confirmation that only TCP 5723 is required for manual agent installation and management. If so, I can look at our network configuration to confirm each step has the necessary allowances, but I wanted to confirm on my end before roping other people into the issue.

Thank you.
-Geoff

Confidentiality Notice: This is a transmission from Community Hospital of the Monterey Peninsula. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
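An added check script, not part of the thread and not Microsoft tooling, that walks the certificate-side items from Geoff's list on one host: it reads the serial number MOMCertImport recorded, finds that certificate in the Local Computer Personal store, checks the properties the OpsMgr channel needs (CN = FQDN, private key, Server and Client Authentication EKUs, validity, chain to a trusted root) and tests 5723/TCP toward the management server. The registry path and value name are the ones MOMCertImport writes; the management server name is a placeholder to replace.

```powershell
# Added example, not from the thread. Assumes a SCOM 2012 R2 agent on Windows Server 2008 R2 or
# later with PowerShell 2.0+, run as Administrator on the unmanaged host (swap in the management
# server's own FQDN to run the same checks there). $ManagementServer is a placeholder.
param(
    [string]$AgentFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ManagementServer = 'scom-ms.example.test',
    [int]$Port = 5723
)

# 1. Serial number MOMCertImport recorded (REG_BINARY; stored byte-reversed relative to the cert UI)
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$regBytes = [byte[]](Get-ItemProperty -Path $regPath -ErrorAction Stop).ChannelCertificateSerialNumber
[array]::Reverse($regBytes)
$regSerial = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''

# 2. The certificate that serial points at must be in Local Computer > Personal
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $regSerial } | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My with serial $regSerial (registry/cert mismatch)" }

# 3. Properties the OpsMgr channel needs on that certificate
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$now = Get-Date
$checks = @(
    @{ Name = 'Subject CN matches host FQDN';   Pass = ($cert.Subject -match "CN=$([regex]::Escape($AgentFqdn))(,|$)") },
    @{ Name = 'Private key present';            Pass = $cert.HasPrivateKey },
    @{ Name = 'EKU Server Authentication';      Pass = ($ekuOids -contains '1.3.6.1.5.5.7.3.1') },
    @{ Name = 'EKU Client Authentication';      Pass = ($ekuOids -contains '1.3.6.1.5.5.7.3.2') },
    @{ Name = 'Within validity period';         Pass = ($cert.NotBefore -lt $now -and $cert.NotAfter -gt $now) },
    # Verify() builds the chain and checks revocation; a DMZ host that cannot reach the CRL fails here
    @{ Name = 'Chains to a trusted root (CRL)'; Pass = $cert.Verify() }
)

# 4. Agent-to-management-server direction on 5723/TCP, the only port a manual install needs
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($ManagementServer, $Port); $tcpOk = $tcp.Connected }
catch   { $tcpOk = $false }
finally { $tcp.Close() }
$checks += @{ Name = "TCP $Port reachable from agent to $ManagementServer"; Pass = $tcpOk }

foreach ($c in $checks) {
    $tag = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $tag, $c.Name
}
```

A FAIL on the serial lookup or either EKU line is the usual cause of the 20071/21016 pair on the agent; a FAIL only on the chain line points at the root CA or CRL reachability rather than the SCOM certificate itself.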
