From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of David St. Clair
Sent: Friday, January 30, 2009 11:30 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

You are correct, if we are talking about Workgroups then a cert needs to be on both the agent and the Gateway. If the DMZ is a domain then the cert only needs to be on the Gateway and the Mgt Server that Gateway will report to.

 

David

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Friday, January 30, 2009 8:09 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

David,

 

If what you are saying is true, then how is the authentication handled between the gateway and the agent in the workgroup environment in the DMZ? Thank you.

 

Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of David St. Clair
Sent: Friday, January 30, 2009 10:05 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

If the agents are going to use a Gateway then the Gateway and the Mgt Server need the certs, not the Agents. If the agents are in a DMZ setting and aren’t going to use a Gateway then they would need a cert.

 

David

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of George Maloy
Sent: Friday, January 30, 2009 7:54 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

Am I correct in understanding that ALL agents that use a gateway also have to have the certificate installed on them, after reading the MS docs?

I thought the certs were only required on the Gateway server and the management servers?

 

George Maloy

Sr. Systems Engineer | SMCE

601 108th Ave NE | Suite 900 |Bellevue, WA 98004

 

"Powering the Mobile Lifestyle"
www.motricity.com

(425) 638-8657 - Office
(206) 420-9334 - Mobile
(425) 957-6201 - Fax


 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Friday, January 30, 2009 7:34 AM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

I resolved the issue with the Gateway servers, but I am having a problem with agents communicating to those gateway servers. Certificates are loaded on those agents, but I am getting two different errors on two different DMZs. Has anyone seen this before? Thank you.

 

The OpsMgr Connector has loaded the specified authentication certificate successfully.

 

Event Type:      Error
Event Source:    OpsMgr Connector
Event Category:  None
Event ID:        21006
Date:            1/30/2009
Time:            8:50:48 AM
User:            N/A
Computer:        Agent in DMZ
Description:
The OpsMgr Connector could not connect to Managementserver in DMZ:5723.  The error code is 10061L(No connection could be made because the target machine actively refused it.).  Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.

 

The OpsMgr Connector could not connect to Management Server:5723.  The error code is 10060L(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.).  Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.

 

Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 4:23 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Hi Kevin,

 

I am not sure whether this is a bug or by design. On Server 2008 the registry key for the installation is different. When you run the momcertimporttool it is not writing to the correct registry key. I resolved our issue by copying the registry key to the correct place. Thanks.

 

Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Kevin Holman
Sent: Thursday, January 29, 2009 3:02 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Did you run the momcertimport tool on the GW?  The following event: “No certificate was specified.” means that the HealthService looks in the registry – and did not find a certificate to load.  The MOMcertimport tool loads the serial number of the correct certificate into the HealthService registry – and this appears to be missing.

 

 

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 2:51 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Yes, the Gateway is approved. When I go to the console under management server I see the GW server listed, but of course as not monitored.

 

I have another gateway server in another DMZ using the same root certificate which is communicating fine. If I restart the service on the gateway, the following messages come up in the event log.

 

Management Group "PROD" was started.

 

No certificate was specified.  This Health Service will not be able to communicate with other health services unless those health services are in a domain that has a trust relationship with this domain.  If this health service needs to communicate with health services in untrusted domains, please configure a certificate.

 

The Health Service successfully logged on the RunAs account SERVERA\Action_Account for management group PROD.

 

The Health Service has published the public key [F0 E1 5A 56 AC 5D E2 B8 48 74 EB 29 BA 75 32 FF ] used to send it secure messages to management group PROD.   This message only indicates that the key is scheduled for delivery, not that delivery has been confirmed.

 

The OpsMgr Connector cannot create a mutually authenticated connection to omaopsmgr01.csg.csgsystems.com because it is not in a trusted domain.

 

 

Yes, the Certificate Authority chain is listed on both servers under trusted roots. Under Operations Manager Certificates, both servers' certificates are listed as well. What am I missing? Thank you.

 

 

Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Kevin Holman
Sent: Thursday, January 29, 2009 2:13 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Is the GW approved?

 

Do you see an event on the GW and MS - when the HS restarts – about loading the cert?

 

Do the GW and MS have the cert authority chain in the trusted roots?

 

 

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 2:00 PM
To: msmom@lists.myitforum.com
Subject: [msmom] DMZ issue

I have a gateway installed in our DMZ. Installed certificates on both management server and gateway server. I can see the certificate serial number in the registry. We have open TCP ports 5723/5724 within our firewall. Communication isn’t happening. Any thoughts?

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          1/29/2009 10:20:01 AM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DMZserver.csgsystems.com
Description:

The OpsMgr Connector cannot create a mutually authenticated connection to management server SERVERA.csgsystems.com because it is not in a trusted domain.

 

 

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          1/29/2009 10:14:45 AM
Event ID:      21016
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DMZserver.csgsystems.com
Description:

OpsMgr was unable to set up a communications channel to SERVERA.csgsystems.com  and there are no failover hosts.  Communication will resume when SERVERA.csgsystems.com is both available and allows communication from this computer.

 

 

Regards,


Santosh Nepal
Technical Infrastructure Group
CSG Systems, Inc.
402.431.7892 (office) | 402.980.6925 (mobile)
www.csgsystems.com

THE BUSINESS OF CUSTOMER INTERACTION™


 


==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/momlist/
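
The events quoted in this thread fail at different layers (TCP connect, certificate load, mutual authentication), and sorting them by layer shows which check to make first. The following is an added example, not part of the original messages or of any Microsoft tooling; the function name Get-ConnectorTriage, the host names and the sample records are constructed for illustration.

```powershell
# Constructed sample records, shaped like Get-WinEvent output (Id + Message).
# Host names are placeholders. The thread gives no ID for the "No certificate"
# event, so it is matched on message text only.
$sample = @(
    [pscustomobject]@{ Id = 21006; Message = 'The OpsMgr Connector could not connect to gw01.example.test:5723.  The error code is 10061L(No connection could be made because the target machine actively refused it.).' }
    [pscustomobject]@{ Id = 21006; Message = 'The OpsMgr Connector could not connect to gw02.example.test:5723.  The error code is 10060L(A connection attempt failed because the connected party did not properly respond after a period of time.).' }
    [pscustomobject]@{ Id = 21007; Message = 'The OpsMgr Connector cannot create a mutually authenticated connection to ms01.example.test because it is not in a trusted domain.' }
    [pscustomobject]@{ Id = 21016; Message = 'OpsMgr was unable to set up a communications channel to ms01.example.test and there are no failover hosts.' }
    [pscustomobject]@{ Id = $null; Message = 'No certificate was specified.  This Health Service will not be able to communicate with other health services unless those health services are in a domain that has a trust relationship with this domain.' }
)

function Get-ConnectorTriage {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $msg   = [string]$Record.Message
        $layer = 'unclassified'
        $check = 'Not covered by this example.'
        if ($msg -match 'No certificate was specified') {
            $layer = 'certificate'
            $check = 'Health Service found no certificate serial number in its registry settings; re-run the cert import tool and confirm it wrote to the location this OS uses.'
        }
        elseif ($Record.Id -eq 21006 -and $msg -match 'error code is (\d+)L') {
            $layer = 'network'
            $check = switch ($Matches[1]) {
                '10061' { 'Refused: the target answered but nothing accepts on that port. Check the service is running and the target name/port.' }
                '10060' { 'Timed out: no answer at all. Check firewall rules and routing for TCP 5723 on the path.' }
                default { "Winsock error $_; look up the code before checking certificates." }
            }
        }
        elseif ($Record.Id -eq 21007) {
            $layer = 'authentication'
            $check = 'Mutual authentication failed. Confirm a certificate-loaded event after service restart and the CA chain in trusted roots on both ends.'
        }
        elseif ($Record.Id -eq 21016) {
            $layer = 'summary'
            $check = 'No channel and no failover host; resolve the accompanying 21006/21007 events first.'
        }
        [pscustomobject]@{ Id = $Record.Id; Layer = $layer; Check = $check }
    }
}

$sample | Get-ConnectorTriage | Format-List
# Live use (log and source names as shown in the thread):
# Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector' } | Get-ConnectorTriage
```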