From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Friday, January 30, 2009 2:56 PM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

Thank you all for replying about the DMZ issue. Anyone seen this error before? Thank you.

The OpsMgr Connector has loaded the specified authentication certificate successfully.

Event Type:       Error
Event Source:     OpsMgr Connector
Event Category:   None
Event ID:         21006
Date:             1/30/2009
Time:             8:50:48 AM
User:             N/A
Computer:         Agent in DMZ
Description:
The OpsMgr Connector could not connect to Managementserver in DMZ:5723.  The error code is 10061L(No connection could be made because the target machine actively refused it.).  Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.

The OpsMgr Connector could not connect to Management Server:5723.  The error code is 10060L(A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.).  Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.


Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of David St. Clair
Sent: Friday, January 30, 2009 10:54 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

I think what they mean by this line

It says “Perform this operation on each gateway server, management server, and computer that will be agent-managed and that is in a domain that is not trusted.”

is you need to install the Cert on the Gateway (if you are going to use one) or on the Agent (if you aren’t using a Gateway). Of course, because either the agent or the Gateway needs to report back to a management server, the Management Server needs a cert as well. You don’t have to use a Gateway. You can put certs on the agents you want to monitor, open the Firewall ports between those agents and the Mgt Server and monitor them directly. Personally I would use a Gateway, and that’s what we recommend to our customers (depending on the size of the env).

 

· Gateways can be used to throttle bandwidth, with no certs needed as long as all the agents and servers are in the same domain. So using the Gateway as a collector.
· Gateways need a cert to talk back to the Mgt Server it will report to.
· Mgt Servers need certs if they are going to talk to Gateways and/or Agents outside of the Mgt Server's domain.
· Agents need a cert to talk back to a mgt server outside of the agent's domain (this is if you aren’t going to use a Gateway Server).
· Agents also need a cert to talk to a gateway if the agent and Gateway are in a workgroup and not a Domain.

 

In the Unleashed book look in Chapters 10 and 11. Chapter 11 (Securing Operations Manager) is where they get into talking about this in detail.

David St. Clair

Sr. Technical Consultant

Infront Consulting Group

david.stclair@infrontconsulting.com

Interested in our training offerings, see http://infrontconsulting.com/

Proud Sponsor of MMS 2009 in Las Vegas


From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of George Maloy
Sent: Friday, January 30, 2009 8:19 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

Okay, because the Microsoft TechNet “Deploying Gateway Server in the Multiple Server, Single Management Group Scenario” is ambiguous the way it is written. If you go to that document via the link above, see:

 

High-Level Procedure Overview (This is first time cert with agent is mentioned but does not say anything about only if the agent is in an untrusted domain separate from the gateway server.)

High-level gateway server installation overview

1. Request certificates for any computer in the agent, gateway server, management server chain.
2. Import those certificates into the target computers by using the Operations Manager 2007 MOMCertImport.exe tool.

 

Then down under “Installing Operations Manager 2007 Gateway Server”, in the section “Importing Certificates with the MOMCertImport.exe Tool”, it says “Perform this operation on each gateway server, management server, and computer that will be agent-managed and that is in a domain that is not trusted.”

 

So I guess when it says “and computer that will be agent-managed and that is in a domain that is not trusted” it means ONLY install the CERT on the agent IF the computer will be agent-managed AND that agent is in an untrusted domain.


George Maloy

Sr. Systems Engineer | SMCE

601 108th Ave NE | Suite 900 |Bellevue, WA 98004

"Powering the Mobile Lifestyle"
www.motricity.com

(425) 638-8657 - Office
(206) 420-9334 - Mobile
(425) 957-6201 - Fax

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of David St. Clair
Sent: Friday, January 30, 2009 8:05 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

If the agents are going to use a Gateway then the Gateway and the Mgt Server need the certs, not the Agents. If the agents are in a DMZ setting and aren’t going to use a Gateway then they would need a cert.

 

David

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of George Maloy
Sent: Friday, January 30, 2009 7:54 AM
To: msmom@lists.myitforum.com
Subject: RE: [msmom] RE: DMZ issue

Am I correct in understanding, after reading the MS docs, that ALL agents that use a gateway also have to have the certificate installed on them?

I thought the certs were only required on the Gateway server and the management servers?

 

George Maloy


 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Friday, January 30, 2009 7:34 AM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

I resolved the issue with the Gateway servers but I am having a problem with agents communicating to those gateway servers. Certificates are loaded on those agents but I am getting two different errors in two different DMZs. Anyone seen this before? Thank you.


Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 4:23 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Hi Kevin,

 

I am not sure whether this is a bug or by design. On Server 2008 the registry key for the installation is different. When you run the MOMCertImport tool it is not writing to the correct registry key. I resolved our issue by copying the registry key to the correct place. Thanks.

 

Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Kevin Holman
Sent: Thursday, January 29, 2009 3:02 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Did you run the MOMCertImport tool on the GW?  The following event, “No certificate was specified.”, means that the HealthService looks in the registry – and did not find a certificate to load.  The MOMCertImport tool loads the serial number of the correct certificate into the HealthService registry – and this appears to be missing.
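An added check (not part of this thread, and not Microsoft's tooling) for the condition Kevin describes: it reads the certificate serial that MOMCertImport wrote to the HealthService registry, confirms a matching certificate with a private key sits in the LocalMachine\My store, and builds its chain so a missing trusted root shows up before the HealthService is restarted. It assumes the OpsMgr 2007 location HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and the REG_BINARY value ChannelCertificateSerialNumber (stored byte-reversed); if your install writes somewhere else, as Santosh reports for Server 2008, change $regPath.

```powershell
# Added example, not from the thread: verify the HealthService certificate registration.
# Assumption: OpsMgr 2007 stores the chosen cert serial (byte-reversed REG_BINARY) here.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$valueName = 'ChannelCertificateSerialNumber'

$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Host "No $valueName under $regPath."
    Write-Host "The HealthService will log 'No certificate was specified'; re-run MOMCertImport.exe and confirm where it writes."
    return
}

# The registry holds the serial with its bytes reversed; flip it to match X509Certificate2.SerialNumber.
$bytes = [byte[]]$item.$valueName
[array]::Reverse($bytes)
$regSerial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
Write-Host "Registry serial: $regSerial"

# The HealthService loads the cert from the machine personal store, so it must be there with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $regSerial }
if (-not $cert) {
    Write-Host "No certificate with serial $regSerial in LocalMachine\My; import the .pfx and re-run MOMCertImport."
    return
}
Write-Host "Found: $($cert.Subject), valid until $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) {
    Write-Host "Certificate has no private key: the .pfx (not just the .cer) must be imported into LocalMachine\My."
}

# Build the chain as the machine sees it; it must end in a root present in LocalMachine\Root.
# Revocation checking is skipped here so the output focuses on the trust chain itself.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK, anchored at: $($root.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) $($_.StatusInformation)" }
    Write-Host "Import the issuing CA chain into Trusted Root Certification Authorities on this machine and on the peer."
}

# Show the Enhanced Key Usage (OID 2.5.29.37) so Server and Client Authentication can be confirmed by eye.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) { Write-Host "EKU: $($eku.Format($false))" } else { Write-Host "No EKU extension on this certificate." }
```

Run it elevated on the gateway, management server and agent in turn; the same serial should appear in the registry and the store on each box, and the chain should build on both ends of every link.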


From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 2:51 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Yes, the Gateway is approved. When I go to the console under management server I see the GW server listed but of course as not monitored.

I have another gateway server in another DMZ using the same root certificate which is communicating fine. If I restart the service on the gateway, the following messages come up in the event log.

Management Group "PROD" was started.

No certificate was specified.  This Health Service will not be able to communicate with other health services unless those health services are in a domain that has a trust relationship with this domain.  If this health service needs to communicate with health services in untrusted domains, please configure a certificate.

The Health Service successfully logged on the RunAs account SERVERA\Action_Account for management group PROD.

The Health Service has published the public key [F0 E1 5A 56 AC 5D E2 B8 48 74 EB 29 BA 75 32 FF ] used to send it secure messages to management group PROD.   This message only indicates that the key is scheduled for delivery, not that delivery has been confirmed.

The OpsMgr Connector cannot create a mutually authenticated connection to omaopsmgr01.csg.csgsystems.com because it is not in a trusted domain.

Yes, the Certificate Authority chain is listed on both servers under trusted roots. Under Operations Manager Certificates both servers' certificates are listed as well. What am I missing? Thank you.


Regards,

 

Santosh Nepal

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Kevin Holman
Sent: Thursday, January 29, 2009 2:13 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: DMZ issue

Is the GW approved?

 

Do you see an event on the GW and MS - when the HS restarts – about loading the cert?

Do the GW and MS have the cert authority chain in the trusted roots?


From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nepal, Santosh
Sent: Thursday, January 29, 2009 2:00 PM
To: msmom@lists.myitforum.com
Subject: [msmom] DMZ issue

I have a gateway installed in our DMZ. Installed certificates on both the management server and the gateway server. I can see the certificate serial number in the registry. We have opened TCP ports 5723/5724 on our firewall. Communication isn’t happening. Any thoughts?

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          1/29/2009 10:20:01 AM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DMZserver.csgsystems.com
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to management server SERVERA.csgsystems.com because it is not in a trusted domain.

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          1/29/2009 10:14:45 AM
Event ID:      21016
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DMZserver.csgsystems.com
Description:
OpsMgr was unable to set up a communications channel to SERVERA.csgsystems.com  and there are no failover hosts.  Communication will resume when SERVERA.csgsystems.com is both available and allows communication from this computer.


Regards,


Santosh Nepal
Technical Infrastructure Group
CSG Systems, Inc.
402.431.7892 (office) | 402.980.6925 (mobile)
www.csgsystems.com

THE BUSINESS OF CUSTOMER INTERACTION™

This e-mail message and any attachments may contain confidential, proprietary or non-public information. This information is intended solely for the designated recipient(s). If an addressing or transmission error has misdirected this e-mail, please notify the sender immediately and destroy this e-mail. Any review, dissemination, use or reliance upon this information by unintended recipients is prohibited. Any opinions expressed in this e-mail are those of the author personally. Thank you.

 


==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/momlist/
