Sunday, November 18, 2007

Monitoring servers in DMZ or Untrusted domains or Workgroups

In a recent POC, I encountered a scenario where the customer did not allow us to join the Ops Manager server into the domain. This was the challenge put forth as we would have issues with mutual authentication.

Due to limitation of resources as well, we could not set up a Gateway Server.

After much hair loss, we performed the following solution.

The Concept
Create a certificate services environment to achieve mutual authentication between the trusted and untrusted domain, then install agents to get it monitored.

The Grind
We installed and set up Certificate Services on the Windows 2000 Active Directory Domain Controller (yes, the customer was using this so we had to simulate their environment). We then requested the server certificate and client certificate.

After which we used the MOMCertImport Tool to import the server certificate into the Management Server and the Client certificate into the monitored servers.

We then proceeded to install the Agents. DONE! Hooray!... wait... why isn't anything showing up on the Management Server?

After much more hair loss and loss of brain cells, we finally figured it out. What was missing was the Root Certificate.

So the following are the correct steps:

  1. Use MOMCertImport tool to import the Root Certificate and Server Certificate into the MS
  2. Use MOMCertImport tool to import the Root Certificate and Client Certificate into the Monitored server in the untrusted domain
  3. Install the Agent

Pooof!!! Monitored server appears in the Pending view.

Hope this helps you guys out there who are posed with the situation of monitoring in untrusted domains.
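The failure described above (agent installed, nothing appearing on the Management Server) comes from a certificate that does not chain to a root the machine trusts. The following check is an added example, not part of the original post or of Operations Manager: it assumes the server or client certificate sits in the Local Machine personal store (`Cert:\LocalMachine\My`) and that a current Windows PowerShell is available; the function name `Test-CertChain` is hypothetical.

```powershell
# Added example: confirm each certificate in the machine store chains to a
# trusted root before installing the agent. Run on both the Management Server
# and the monitored server in the untrusted domain.
$StorePath = 'Cert:\LocalMachine\My'   # assumption: where the certificate was imported

function Test-CertChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not checked here so the result isolates the root-trust
    # question; an isolated host may be unable to reach the CA's CRL (assumption).
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $built  = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $last   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        HasPrivateKey = $Cert.HasPrivateKey          # needed for mutual authentication
        Expires       = $Cert.NotAfter
        ChainTrusted  = $built
        # UntrustedRoot or PartialChain here means the root certificate is
        # missing from this machine's trusted roots.
        ChainStatus   = if ($status.Count) { $status -join ', ' } else { 'OK' }
        ChainEndsAt   = $last.Subject
    }
}

Get-ChildItem -Path $StorePath |
    ForEach-Object { Test-CertChain -Cert $_ } |
    Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` on either machine matches the missing-root symptom in the post; `HasPrivateKey = False` means the certificate was imported without its key and cannot be used to authenticate.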

Friday, November 9, 2007

OM 2007 Cleanup

I found this utility quite useful. Even though going through Add/Remove Programs can achieve the removal of OpsMgr, this tool does a better and CLEAN method of it. I encourage everyone to download and use it.