Managing Gateway Servers in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

Microsoft System Center Operations Manager 2007 requires that mutual authentication be performed between agents and management servers before any monitoring data is exchanged, and the authentication exchange itself is encrypted. When the agent and the management server reside in the same Active Directory domain, or in Active Directory domains that have established trust relationships, they use the Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, another mechanism must be used to satisfy the secure mutual authentication requirement.

In Operations Manager 2007, this is accomplished through the use of X.509 certificates issued to each computer. If there are many agent-monitored computers, this results in high administrative overhead for issuing, installing, and renewing all those certificates. In addition, if there is a firewall between the agents and the management servers, an authorized endpoint must be defined and maintained in the firewall rules for every agent that communicates through it.

To reduce this administrative overhead, Operations Manager 2007 has a new server role called the gateway server. Gateway servers are located within the trust boundary of the agents and can participate in the mandatory mutual authentication. Because they lie within the same trust boundary as the agents, the Kerberos V5 protocol for Active Directory is used. Each agent then communicates only with the gateway servers that it is aware of. The gateway servers communicate with the management servers.

To support the mandatory secure mutual authentication between the gateway servers and the management servers, certificates must be issued and installed, but only for the gateway and management servers. This reduces the number of certificates required, and in the case of an intervening firewall it also reduces the number of authorized endpoints to be defined in the firewall rules.

As your IT environment or monitoring requirements change, you might need to add or remove gateway servers from an Operations Manager 2007 management group and perform tasks on the gateway servers.

Determining the Health of Gateway Servers

To determine the health of a gateway server, you must examine it from two perspectives. The first, most direct method is to examine the health status in the Operations console and in Health Explorer. This examination will tell you the status of the monitored components, indicate whether or not there are any open alerts, and show you performance data. The second, indirect method is to be sure that data from the agents that are being monitored through the gateway server is being reported in a timely fashion.

Direct Method

Gateway servers are a type of management server, and therefore they are included in the Management Servers container under Device Management in the Administration view of the Operations console. In the details pane of this view, you can immediately see the Health State of any of the management servers in the management group. By selecting any gateway server (or any other server) and opening the context menu, you can view the properties of the server or any of the views that are available for it. Typically, you can directly access the Event View, Alert View, Performance View, Diagram View, and State View for the selected object.

For a more comprehensive understanding of the health of a gateway server, open the Monitoring view, navigate to the Operations Manager, Management Server folder, and select the Management Server State view in the navigation pane. This displays the state of all management servers in the management group, with gateway servers displayed near the bottom by default. In the Gateway Management Server State pane, select the health status icon under the Gateway column for the server you are interested in to bring up the health state of that gateway server's component monitors in the details pane. Typically, you will get details on Health Service Availability, Audit Collection Availability, Configuration, Performance, and Security.

Indirect Method

Gateway servers relay monitoring data from agents to collection management servers in the management group across trust boundaries. They also relay configuration information from the collection management server to the agents that they serve. Therefore, if agents that have a gateway server as their primary management server are reporting their data and are showing a heartbeat, you can be sure that their gateway server is performing satisfactorily.

Viewing Agents by Gateway

Use the following procedure to view the primary management server for an agent.

How to view an agent’s primary management server

  1. Open the Operations console, and then click the Administration button.

  2. In the Administration pane, expand Administration, expand Device Management, and then click Agent Managed.

  3. Displayed in the results pane are all the agent-managed devices grouped by their Primary Management Server.

  4. Look for the gateway server of interest. Grouped under it are all the agents that are currently using the gateway server.
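The same grouping can be produced from the Operations Manager command shell, which is useful for the indirect health check described earlier and for finding gateways that no longer serve any agents before decommissioning them. The following is an added example, not code from the original page; it assumes the Get-ManagementServer and Get-Agent cmdlets of the Operations Manager 2007 command shell and the IsGateway, PrincipalName, and PrimaryManagementServerName properties of the objects they return.

```powershell
# Added example: list agent-managed computers grouped by the gateway server
# that is their primary management server, flagging gateways with no agents.
# Assumes the OpsMgr 2007 command shell cmdlets Get-ManagementServer and
# Get-Agent, and the IsGateway / PrincipalName / PrimaryManagementServerName
# properties on the returned objects.
function Get-AgentsByGateway {
    $gateways = Get-ManagementServer | Where-Object { $_.IsGateway }

    # Group every agent once by its primary management server name
    $byPrimary = Get-Agent | Group-Object -Property PrimaryManagementServerName

    foreach ($gw in $gateways) {
        $group = $byPrimary | Where-Object { $_.Name -eq $gw.Name }
        $count = 0
        $names = ''
        if ($group) {
            $count = $group.Count
            $names = ($group.Group | ForEach-Object { $_.PrincipalName }) -join ', '
        }
        # A gateway with no agents is either not yet in use or a decommission candidate
        $note = ''
        if ($count -eq 0) { $note = 'NO AGENTS' }

        '' | Select-Object @{ n = 'Gateway';    e = { $gw.Name } },
                           @{ n = 'AgentCount'; e = { $count } },
                           @{ n = 'Note';       e = { $note } },
                           @{ n = 'Agents';     e = { $names } }
    }
}

Get-AgentsByGateway | Format-Table Gateway, AgentCount, Note, Agents -AutoSize
```

Run it from any command shell connected to the management group; agents whose primary server is a gateway but that show no recent heartbeat in the console are the ones to investigate, since the gateway, not the agent, may be the failing component.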

Using Multiple Gateway Servers

Multiple gateway servers can be deployed across a trust boundary to provide redundant pathways for agents that lie across that trust boundary. Just as agents can fail over between a primary management server and one or more secondary management servers, they can also fail over between gateway servers. In addition, multiple gateway servers can be used to distribute the workload of managing agentless-managed computers and managed network devices.

In addition to providing redundancy through agent-gateway failover, gateway servers can be configured to fail over between collection management servers in a management group if multiple collection management servers are available.

Configuring Agent Failover Between Multiple Gateway Servers

If you have deployed multiple gateway servers into a domain that does not have a trust relationship established with the domain that the rest of the management group is in, you can configure agents to utilize those gateway servers as necessary. To do this, you must use the Operations Manager 2007 command shell.

Use the Set-ManagementServer -AgentManagedComputer command in the command shell as shown in the following example to configure an agent to fail over to multiple gateway servers. The commands can be run from any command shell in the management group.

Important

When changing the primary management server of an agent, allow the agent to connect to its new primary management server before making changes to its failover server. Allowing the agent to get current topology information from the new primary management server prevents the agent from losing communication with all management servers.

To configure agent failover to multiple gateway servers

  1. Log on to the computer with an account that is a member of the Administrators group.

  2. On the Windows desktop, click Start, point to Programs, point to System Center Operations Manager, and then click Command Shell.

  3. In the command shell, run the following command:

    $primaryMS = Get-ManagementServer | where {your filter here}
    $failoverMS = Get-ManagementServer | where {your filter here}
    $agent = Get-Agent | where {your filter here}
    # The trailing backtick continues the command on the next line
    Set-ManagementServer -AgentManagedComputer: $agent `
        -PrimaryManagementServer: $primaryMS `
        -FailoverServer: $failoverMS
    

    In the code example, you need to create a filter statement for each of the first three commands. The following is an example of a filter written to find the management server named contoso.com and assign it to the $failoverMS variable (compare against the server's name exactly as it appears in the Management Servers view):

    $failoverMS = Get-ManagementServer | where {$_.Name -eq 'contoso.com' }
    

    Run Set-ManagementServer twice: first with only -AgentManagedComputer and -PrimaryManagementServer, so that the agent connects to its new primary management server and receives its configuration, and then again with -FailoverServer added, as shown above, once the agent has reconnected.

    For help with the Set-ManagementServer command, type the following in the command shell window:

    Get-Help Set-ManagementServer -full
    

Configure a Gateway Server to Failover Between Multiple Management Servers

Use the Set-ManagementServer -GatewayManagementServer command in the command shell as shown in the following example to configure a gateway server to fail over to multiple management servers. The commands can be run from any command shell in the management group.

To configure gateway server failover to multiple management servers

  1. Log on to the gateway server with an account that is a member of the Administrators role for the management group.

  2. On the Windows desktop, click Start, point to Programs, point to System Center Operations Manager, and then click Command Shell.

  3. In the command shell, run the following command:

    $primaryMS = Get-ManagementServer | where {your filter here}
    $failoverMS = Get-ManagementServer | where {your filter here}
    $gatewayMS = Get-ManagementServer | where {your filter here}
    # The trailing backtick continues the command on the next line
    Set-ManagementServer -GatewayManagementServer: $gatewayMS `
        -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
    

    In the code example, you need to create a filter statement for each of the first three commands. The following is an example of a filter written to find the management server named contoso.com and assign it to the $failoverMS variable:

    $failoverMS = Get-ManagementServer | where {$_.Name -eq 'contoso.com' }
    

    For help with the Set-ManagementServer command, type the following in the command shell window:

    Get-Help Set-ManagementServer -full
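The two procedures above (agent failover between gateway servers, and gateway failover between management servers) can be put together into one script that applies the two-step ordering the Important note requires and refuses obviously wrong topologies. This is an added example, not code from the original page or the product: the server and agent names and the wait interval are placeholders, the cmdlets and parameters are those of the Operations Manager 2007 command shell, and IsGateway, PrincipalName, and PrimaryManagementServerName are assumed properties of the objects those cmdlets return.

```powershell
# Added example: configure agent failover between gateway servers and gateway
# failover between management servers from the OpsMgr 2007 command shell.
# Assumptions: Get-ManagementServer / Get-Agent / Set-ManagementServer cmdlets,
# the IsGateway, PrincipalName and PrimaryManagementServerName properties, and
# placeholder server names that must be replaced with real ones.

function Get-MSByName {
    param([string]$Name)
    $ms = Get-ManagementServer | Where-Object { $_.Name -eq $Name }
    if (-not $ms) { throw "Management server '$Name' not found in this management group" }
    return $ms
}

function Set-AgentFailover {
    param(
        [string]$AgentName,         # principal (FQDN) name of the agent
        [string]$PrimaryName,       # gateway that becomes the agent's primary server
        [string[]]$FailoverNames,   # other gateway(s) inside the same trust boundary
        [int]$WaitSeconds = 300     # time allowed for the agent to fetch new topology
    )
    $agent = Get-Agent | Where-Object { $_.PrincipalName -eq $AgentName }
    if (-not $agent) { throw "Agent '$AgentName' not found" }
    $primary  = Get-MSByName $PrimaryName
    $failover = @($FailoverNames | ForEach-Object { Get-MSByName $_ })

    # An agent across a trust boundary can only authenticate to gateways (Kerberos),
    # so every server it is pointed at must be a gateway.
    foreach ($ms in @($primary) + $failover) {
        if (-not $ms.IsGateway) { throw "$($ms.Name) is not a gateway server" }
    }

    # Step 1: change only the primary server. Changing primary and failover in one
    # command can leave the agent with no server it knows how to reach.
    if ($agent.PrimaryManagementServerName -ne $primary.Name) {
        Set-ManagementServer -AgentManagedComputer: $agent -PrimaryManagementServer: $primary
        Write-Host "Primary set to $PrimaryName; waiting $WaitSeconds s for the agent to reconnect"
        Start-Sleep -Seconds $WaitSeconds
    }

    # Step 2: add the failover gateway(s) now that the agent has current topology.
    Set-ManagementServer -AgentManagedComputer: $agent `
        -PrimaryManagementServer: $primary -FailoverServer: $failover
}

function Set-GatewayFailover {
    param([string]$GatewayName, [string]$PrimaryName, [string[]]$FailoverNames)
    $gateway = Get-MSByName $GatewayName
    if (-not $gateway.IsGateway) { throw "$GatewayName is not a gateway server" }
    $primary  = Get-MSByName $PrimaryName
    $failover = @($FailoverNames | ForEach-Object { Get-MSByName $_ })

    # Gateways fail over between collection management servers, not other gateways.
    foreach ($ms in @($primary) + $failover) {
        if ($ms.IsGateway) { throw "$($ms.Name) is a gateway; failover targets must be management servers" }
    }
    Set-ManagementServer -GatewayManagementServer: $gateway `
        -PrimaryManagementServer: $primary -FailoverServer: $failover
}

# Placeholder names: replace with servers from your own management group.
Set-AgentFailover -AgentName 'srv01.untrusted.example' -PrimaryName 'gw01.untrusted.example' `
    -FailoverNames 'gw02.untrusted.example'
Set-GatewayFailover -GatewayName 'gw01.untrusted.example' -PrimaryName 'ms01.corp.example' `
    -FailoverNames 'ms02.corp.example'
```

The wait is the conservative part: a fixed sleep is only a stand-in for confirming in the Operations console that the agent now shows a heartbeat through its new primary gateway. Shorten it if you confirm by hand, but do not remove the ordering.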
    

Managing Certificate Renewal for Gateway Servers and Management Servers

Eventually, the certificates that were obtained and installed on the gateway server and collection management servers will expire and will need to be replaced with new ones. You might also need to replace an existing certificate if, for security reasons, the certificate has been revoked.

To do this, follow the procedures that were used to obtain and import the certificates in the first place. See “Deploying Gateway Servers” in the “Multiple Server, Single Management Group Scenario” section of the Operations Manager 2007 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=95133). It is not necessary to rerun the Gateway Approval Tool.
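Because an expired or revoked certificate silently breaks the gateway-to-management-server channel, it helps to check the installed certificates before they lapse. The following is an added example, not code from the original page or the product: run on a gateway server or management server, it lists the computer certificates that carry both Enhanced Key Usages the Operations Manager certificate request requires (Server Authentication 1.3.6.1.5.5.7.3.1 and Client Authentication 1.3.6.1.5.5.7.3.2), shows whether the private key is present, whether the chain still verifies (which includes the revocation check when the CRL is reachable), and how many days remain. The 30-day warning threshold is a placeholder choice.

```powershell
# Added example: report OpsMgr-usable computer certificates in the local machine
# store with days to expiry and chain/revocation status. Assumes the standard
# Server Authentication and Client Authentication EKU OIDs; the warning
# threshold is a placeholder.
function Get-OpsMgrCertStatus {
    param([int]$WarnDays = 30)

    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')

    foreach ($cert in $store.Certificates) {
        # Collect the EKU OIDs the certificate carries
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        # Mutual authentication needs both usages on the same certificate
        if (-not (($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth))) { continue }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $status = 'OK'
        if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'RENEW SOON' }

        # Verify() builds the chain with online revocation checking; false means
        # untrusted, expired, or revoked (or CRL unreachable), so treat it as a failure
        $chainOk = $cert.Verify()

        $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
            @{ n = 'DaysLeft'; e = { $daysLeft } },
            @{ n = 'ChainOk';  e = { $chainOk } },
            @{ n = 'Status';   e = { $status } }
    }
    $store.Close()
}

Get-OpsMgrCertStatus | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey false or ChainOk false will not work for the gateway even if it has not expired; import the new certificate with its private key and re-run the check on both ends of the channel.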

Removing a Gateway Server from a Management Group

Throughout the life cycle of your Operations Manager 2007 implementation, you might need to modify the structure and configuration of your deployment. In the case of gateway servers, these types of changes can stem from the decommissioning of an untrusted domain so that monitoring is no longer required or from the old server hardware being replaced with new hardware. To remove a gateway server from service, complete the following steps.

Overview of Decommissioning a Gateway Server

  1. Configure all objects that are being managed by the gateway server to use a different primary management server. For an agent-managed computer, this means using either another gateway server or a management server.

  2. Uninstall the gateway server software from the server.

  3. Delete the gateway server from the management group.

Configure Managed Objects to Use an Alternate Primary Management Server

Gateway servers can manage three different types of objects: agent-managed computers, agentless-managed computers, and network devices. For the last two, the gateway server acts as the proxy agent.

To configure agent-managed computers to use a different primary management server using the Operations console

  1. Log on to a management server with an account that is a member of the Administrators role for the Operations Manager 2007 management group.

  2. In the Operations console, click the Administration button.

  3. In the Administration pane, expand Administration, expand Device Management, and then click Agent Managed.

  4. In the Agent Managed pane, select the computers for which you want to change the primary management server, right-click them, and then select Change Primary Management Server.

    Note

    The Change Primary Management Server option will be unavailable if Active Directory Domain Services was used to assign any of the selected computers to the management group.

  5. In the Change Management Server dialog box, select the new management server from the list, and then click OK. The change takes effect on the agent after its next update interval.

Alternatively, this configuration can be changed on the agent-managed computer itself using either of the following two procedures.

To change the primary management server for agent-managed computers by using the MOMAgent.msi setup wizard

  1. Log on to the agent-managed computer with an account that is a member of the Administrators security group for the computer.

  2. In Add or Remove Programs, click Change for System Center Operations Manager 2007 Agent.

    Note

    The Agent Setup Wizard can also be run by double-clicking MOMAgent.msi, which is located on the Operations Manager 2007 installation media.

  3. In the Agent Setup Wizard, click Next.

  4. On the Program Maintenance page, select Modify, and then click Next.

  5. On the Management Group Configuration page, leave Specify Management Group information selected, and then click Next.

  6. In the next Management Group Configuration page, do the following:

    1. Type the name of the Management Server.

    2. Type in a value for Management Server Port, or leave the default 5723.

    3. Click Next.

  7. On the Ready to Install page, review the settings, and then click Install to display the Installing System Center Operations Manager Agent page.

  8. When the Completing the System Center Operations Manager Agent Setup Wizard page displays, click Finish.

To change the primary management server for agent-managed computers using MOMAgent.msi from the command line

  1. Log on to the agent-managed computer with an account that is a member of the Administrators security group for the computer.

  2. Open the command window.

  3. At the prompt, run the following command:

    %WinDir%\System32\msiexec.exe /i \\path\Directory\MOMAgent.msi /qn USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=MG1 MANAGEMENT_SERVER_DNS=MS2.Domain1.net
    

    This command reconfigures the agent to use MS2.Domain1.net as its primary management server for management group MG1.

    Note

    Microsoft Windows Installer public properties must be uppercase, such as PROPERTY=value. For more information about Windows Installer, see Windows Installer in the Microsoft Developer Network library (https://go.microsoft.com/fwlink/?LinkId=70004).

    If the Domain Name System (DNS) and Active Directory names for the management server differ, the MANAGEMENT_SERVER_AD_NAME property also needs to be set to the fully qualified Active Directory Domain Services name.
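The msiexec command above can be wrapped so that the optional MANAGEMENT_SERVER_AD_NAME property is only supplied when the Active Directory name really differs from the DNS name, and so that the Windows Installer exit code is checked rather than ignored. This is an added example, not code from the original page or the product: it assumes PowerShell 2.0 or later on the agent-managed computer (for Start-Process), the MOMAgent.msi public properties shown on this page plus MANAGEMENT_SERVER_PORT, and placeholder path, management group, and server names.

```powershell
# Added example: reconfigure an agent's primary management server by running
# MOMAgent.msi with the same public properties as the msiexec command above.
# Assumes PowerShell 2.0+ on the agent, the MOMAgent.msi properties
# USE_SETTINGS_FROM_AD, MANAGEMENT_GROUP, MANAGEMENT_SERVER_DNS,
# MANAGEMENT_SERVER_AD_NAME and MANAGEMENT_SERVER_PORT; names are placeholders.
function Set-AgentPrimaryServer {
    param(
        [string]$MsiPath,               # e.g. \\server\share\MOMAgent.msi
        [string]$ManagementGroup,
        [string]$ServerDnsName,
        [string]$ServerAdName = '',     # only when the AD DS name differs from DNS
        [int]$Port = 5723
    )
    # Windows Installer public properties must be uppercase
    $props = "USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=$ManagementGroup " +
             "MANAGEMENT_SERVER_DNS=$ServerDnsName MANAGEMENT_SERVER_PORT=$Port"
    if ($ServerAdName -and ($ServerAdName -ne $ServerDnsName)) {
        $props += " MANAGEMENT_SERVER_AD_NAME=$ServerAdName"
    }

    $log = Join-Path $env:TEMP 'MOMAgent-reconfigure.log'
    $msiArgs = "/i `"$MsiPath`" /qn /l*v `"$log`" $props"

    # msiexec is a GUI-subsystem program; Start-Process -Wait is what actually
    # blocks until it finishes so the exit code is meaningful
    $p = Start-Process -FilePath "$env:WINDIR\System32\msiexec.exe" `
                       -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Agent reconfigured' }
        3010    { 'Agent reconfigured; reboot required' }
        default { throw "msiexec exited with $($p.ExitCode); see $log" }
    }
}

# Placeholder values: replace with your share, management group and server
Set-AgentPrimaryServer -MsiPath '\\path\Directory\MOMAgent.msi' `
    -ManagementGroup 'MG1' -ServerDnsName 'MS2.Domain1.net'
```

After the change, confirm in the Operations console that the agent appears under MS2.Domain1.net in the Agent Managed view and shows a heartbeat before removing the old gateway.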

Redirecting Agentless-Managed Computers and Network Devices

To change the proxy agent for agentless-managed computers and network devices

  1. Log on to a management server computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.

  2. In the Operations console, click the Administration button.

  3. In the Administration pane, expand Administration, expand Device Management, and then click Agentless Managed. If you are working with a network device, select Device Management and then Network Devices.

  4. In the Agentless Managed pane, select the agentless-managed computers for which you want to change the proxy agent, right-click them, and then select Change Proxy Agent. Or if you are working with a network device, in the Network Devices pane, select the network devices for which you want to change the proxy agent, right-click them, and then select Change Proxy Agent.

  5. In the Change Proxy Agent dialog box, select the computer you want to be the new proxy agent, and then click OK.

The final steps in removing a gateway server from a management group are straightforward:

  • Log on to the gateway server with an account that has administrative rights.

  • In Add or Remove Programs, select System Center Operations Manager 2007 Gateway, and then click Remove.

  • In the Operations console, in the Administration view, under Device Management, Management Servers, select the gateway server, right-click it, and then click Delete.