SCOM: Monitoring DMZ servers
SCOM requires mutual authentication to trust and communicate with its agents for monitoring and reporting. It first tries Kerberos authentication with each agent, which works for all internal agents that are joined to the domain.
For workgroup machines in the DMZ network, SCOM falls back to certificate-based authentication to secure the communication, and only then monitors them.
High level steps
Below are the high-level steps:
- Configure your firewall to pass traffic from the DMZ agents (DMZ servers) to the SCOM management server's ports 5723 and 5724.
- Request a certificate for every DMZ machine (the certificate must carry both the Server Authentication and Client Authentication usages).
- Request a certificate for the SCOM machine (again with both Server Authentication and Client Authentication).
- Import the Server Authentication and Client Authentication certificates on the DMZ machines.
- Import the Server Authentication and Client Authentication certificates on the SCOM 2012 server.
- Run MOMCERTIMPORT on all machines and assign the certificate.
- Approve the DMZ agents in the SCOM server.
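The first step above only says to pass traffic to ports 5723 and 5724. The following added example (not part of the original post) shows one way to do that on the management server with a rule that admits only the DMZ address range, and a reachability check to run from a DMZ host so that a blocked port is not mistaken for a certificate problem later. The subnet and server name are constructed placeholders.

```powershell
# Added example, not from the original post: scope the inbound SCOM ports on
# the management server to the DMZ subnet, then test reachability from the DMZ.
$DmzSubnet  = '192.0.2.0/24'          # placeholder: your DMZ address range
$ScomServer = 'scom01.corp.example'   # placeholder: management server FQDN

# --- On the SCOM management server ---
# Allow only DMZ sources to reach 5723 (agent channel) and 5724 (SDK/console).
New-NetFirewallRule -DisplayName 'SCOM agent traffic from DMZ' `
    -Direction Inbound -Protocol TCP -LocalPort 5723, 5724 `
    -RemoteAddress $DmzSubnet -Action Allow -Profile Any

# --- On each DMZ server ---
# Confirm the TCP handshake succeeds before starting certificate enrollment.
foreach ($port in 5723, 5724) {
    $result = Test-NetConnection -ComputerName $ScomServer -Port $port
    if ($result.TcpTestSucceeded) {
        "Port $port on $ScomServer is reachable"
    } else {
        "Port $port on $ScomServer is BLOCKED - check the firewall path"
    }
}
```

Port 5723 is the channel the agents actually use; 5724 is the SDK port used by the Operations console and SDK clients, so it only needs to be opened from the DMZ if something there connects to the SDK.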
Publish Certificate request for SCOM
How the certificate request for SCOM is published depends on which type of CA we have:
- Enterprise CA
- StandAlone CA
1) Enterprise CA
If we are going to request the certificate from an Enterprise CA, we need to publish a certificate template for SCOM through the enterprise CA.
To perform the task through the enterprise CA, do the following:
Open the Certification Authority console – navigate to Certificate Templates – select Manage
https://exchangequery.files.wordpress.com/2016/11/sc1.png?w=600
Right-click the Computer certificate template and click Duplicate
https://exchangequery.files.wordpress.com/2016/11/dmzsc.png?w=600
Make sure the option "Allow private key to be exported" is selected
https://exchangequery.files.wordpress.com/2016/11/dmzsc1.png?w=600
The most important point is that the template's extensions must have both Server Authentication and Client Authentication enabled. This applies to both the SCOM and the DMZ host certificates throughout the configuration, regardless of whether they are requested from an Enterprise CA or a Stand Alone CA.
https://exchangequery.files.wordpress.com/2016/11/dmzsc2.png?w=600
Once the above is completed, we can request a certificate from this duplicated template and import it on the SCOM server.
2) StandAlone CA
Below are the steps to request the SCOM certificate from a Stand Alone CA:
Go to the SCOM 2012 server
Connect to the computer hosting Certificate Services:
https://ca.exchangequery.com/certsrv
https://exchangequery.files.wordpress.com/2016/11/dmzsc3.png?w=600
Click "Request a certificate", then "Submit an advanced certificate request"
https://exchangequery.files.wordpress.com/2016/11/dmzsc4.png?w=600
Click "Create and submit a request to this CA"
After that we get a web access confirmation prompt as shown below; click Yes
https://exchangequery.files.wordpress.com/2016/11/dmzsc5.png?w=600
Below is the information that needs to be filled in:
- Name – name of the server requesting the certificate.
- Type of Certificate – choose Other
- In OID enter – 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (these two OIDs define the Enhanced Key Usage: Server Authentication and Client Authentication)
https://exchangequery.files.wordpress.com/2016/11/dmzsc6.png?w=600
- Key Options – select Create new key set
- CSP – select Microsoft Enhanced Cryptographic Provider v1.0
- Key Usage – select Both
- Key Size – 1024
- Select – Mark keys as exportable.
- Request Format – CMC
- Hash Algorithm – SHA1; give it a friendly name and click Submit.
https://exchangequery.files.wordpress.com/2016/11/dmzsc7.png?w=600
Once the request has been issued by the CA, we can go ahead and import the certificate on the SCOM server.
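Whether the certificate came from the Enterprise CA template or the Stand Alone CA web request, it must end up in the local machine Personal store with both Enhanced Key Usage OIDs listed above and a usable private key, and its subject must match the machine's FQDN for SCOM to accept it. The following added example (not part of the original post) checks those properties before MOMCERTIMPORT is run; the function name and its parameter are this example's own.

```powershell
# Added example, not from the original post: list certificates in the local
# machine Personal store that satisfy the SCOM requirements described above.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (from the post)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (from the post)

function Test-ScomCertificate {
    param(
        # FQDN the certificate subject is expected to name; defaults to this host.
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            SubjectMatches = $cert.Subject -like "CN=$HostName*"
            ServerAuth     = $ekus -contains $ServerAuthOid
            ClientAuth     = $ekus -contains $ClientAuthOid
            HasPrivateKey  = $cert.HasPrivateKey
            KeyBits        = $cert.PublicKey.Key.KeySize
            SigAlgorithm   = $cert.SignatureAlgorithm.FriendlyName
            NotAfter       = $cert.NotAfter
        }
    } |
    # Only certificates that carry both EKUs and a private key are candidates.
    Where-Object { $_.ServerAuth -and $_.ClientAuth -and $_.HasPrivateKey }
}

# Run on the SCOM server and on each DMZ server after importing the certificate.
Test-ScomCertificate | Format-List
```

A certificate requested exactly as the post describes reports KeyBits 1024 and SigAlgorithm sha1RSA. Both values are below what current CA and client policies accept (SHA-1 signatures are deprecated and 1024-bit RSA is considered weak), so if your CA allows it, requesting a 2048-bit key with SHA256 gives the same SCOM result with a stronger certificate. A candidate whose SubjectMatches field is False will be rejected by MOMCERTIMPORT, so re-request it with the correct host name rather than forcing it.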
Request certificate for DMZ Servers to be Monitored
First and foremost, we request the certificates from an internal domain server, since most of the time the DMZ servers will not have access to the certificate web enrollment service on port 443 of the internal certificate authority.
What we do instead is generate the certificate requests from one machine in the domain and then import the issued certificates on the DMZ servers.
Perform the same request-submission process for every DMZ server.
Below is the information that needs to be filled in:
- Name – name of the DMZ server that requires the certificate.
- Type of Certificate – choose Other
- In OID enter – 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (This plays a major role in enhanced key usage)
- Key Options – select Create new key set
- CSP – select Microsoft Enhanced Cryptographic Provider v1.0
- Key Usage – select Both
- Key Size – 1024
- Select – Mark Keys as exportable.
- Request Format – CMC
- Hash Algorithm – SHA1
Give it a friendly name and click Submit.
Once the above is done, we need to approve the requests on the CA and then import the issued certificates on the server from which we requested them for the DMZ machines.
Now we need to export each certificate from that requesting machine and import it on the DMZ server that needs to be monitored.
There are multiple ways of doing this including the Digicert Windows Utility Tool.
Download the DigiCert Windows Utility Tool from the below URL on the certificate requested machine.
https://www.digicert.com/util/
On opening it, we can see all the issued SSL certificates whose private key is held on that machine.
Select the certificate requested for the DMZ server and click Export
https://exchangequery.files.wordpress.com/2016/11/dmzsc8.png?w=600
Select the option to export the private key and protect the export with a password.
https://exchangequery.files.wordpress.com/2016/11/dmzsc9.png?w=600
Once the above steps are completed, we need to import these certificates into the computer Personal store on the DMZ servers.
We can use the Certificate Import Wizard as shown below to import the exported certificate on each DMZ server
https://exchangequery.files.wordpress.com/2016/11/dmzsc11.png?w=600
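The export-with-private-key and import steps described above can also be done with the built-in PKI cmdlets instead of the DigiCert utility. The following added example (not part of the original post) exports the DMZ server's certificate as a password-protected PFX on the domain machine where it was requested and imports it into the Personal store on the DMZ server. Host name and paths are constructed placeholders.

```powershell
# Added example, not from the original post: PFX export on the requesting
# domain machine and import on the DMZ server using Export-/Import-PfxCertificate.
$DmzHost  = 'dmzweb01.example.com'    # placeholder: DMZ server FQDN (certificate subject)
$PfxPath  = 'C:\certs\dmzweb01.pfx'   # placeholder: path of the exported file
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

# --- On the domain machine where the request was made ---
# Pick the newest certificate issued for the DMZ host that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$DmzHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $DmzHost" }

Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password
# Copy the .pfx to the DMZ server over an authenticated channel, then delete
# the local copy; the private key should exist only on the DMZ host afterwards.

# --- On the DMZ server, after the .pfx has been copied there ---
# Import into the computer Personal store. The key is imported non-exportable
# unless -Exportable is given, which is what you want on a DMZ host.
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password

# The DMZ host must also trust the issuing CA for the chain to validate; the CA
# certificate (downloadable from the certsrv page) goes into the Root store.
# Import-Certificate -FilePath 'C:\certs\ca.cer' -CertStoreLocation Cert:\LocalMachine\Root
```

After the import, the verification function from the earlier section (or a quick `Get-ChildItem Cert:\LocalMachine\My`) should show the certificate with HasPrivateKey set to True before MOMCERTIMPORT is run.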
Now the final step is to run MOMCERTIMPORT on all machines and select this certificate, and we are done.
The MOMCERTIMPORT GUI tool can be found on the SCOM 2012 installation media in the following directory:
E:\supporttools\AMD64\MOMCERTIMPORT
Make sure the same version of the tool from the setup media is copied to all machines.
Run this tool on all machines; a pop-up window appears asking which certificate to use. Confirm by choosing the certificate requested for that server on each machine.
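MOMCertImport.exe also accepts the certificate on the command line, which avoids the pop-up and lets the step be scripted across all the DMZ servers. The following added example (not part of the original post) selects the certificate by subject name, checks the registry value the tool writes, and restarts the agent so it picks up the new channel certificate. The tool path is the one given above; the registry path is from the SCOM documentation rather than from the post.

```powershell
# Added example, not from the original post: non-interactive MOMCertImport run
# followed by a check that a channel certificate is now registered.
$ToolPath = 'E:\supporttools\AMD64\MOMCERTIMPORT\MOMCertImport.exe'   # path from the post
$Subject  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName # FQDN in the cert subject

# Select the certificate by its subject name (the /SubjectName switch of MOMCertImport).
& $ToolPath /SubjectName $Subject

# MOMCertImport records the chosen certificate's serial number, byte-reversed,
# under the Operations Manager machine settings key (path not on the post).
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serial  = (Get-ItemProperty -Path $RegPath -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
'Registered channel certificate serial (byte-reversed): ' +
    (($serial | ForEach-Object { $_.ToString('x2') }) -join '')

# The agent (service name HealthService) reads the setting at start-up.
Restart-Service -Name HealthService
```

If the registry value is missing after the run, the tool did not find a certificate whose subject matches the host name; re-check the certificate with the verification function from the earlier section rather than retrying the import.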
After the above is completed, wait a little while and the DMZ servers will appear under Administration – Pending Management in the SCOM console; we just need to approve them and we are done.