Monitoring Exchange 2007 with System Center Operations Manager 2007 - Part 2

See also: Monitoring Exchange 2007 with System Center Operations Manager 2007 - Part 1

Rui Silva

In this article we show how to set up certificate-based authentication so that Operations Manager can monitor Exchange Edge Transport servers that are not members of the domain.

Install Agent on the Edge Server

The Edge Transport server can be deployed either as a stand-alone server or as a member of the Active Directory domain (for the advantages and disadvantages of each configuration, refer to the Edge Transport server deployment options in the Exchange documentation).

In the topology from Part 1, we decided to install the Edge server as a stand-alone (workgroup) server. That means authentication with the Operations Manager servers must be done with certificates, because an agent in a workgroup cannot authenticate to the domain-joined Management Server with the Kerberos protocol.

Figure 1: Certificate authentication

In this scenario the agent must be installed manually. Although the agent setup is also available on the Operations Manager installation media, we will use the binaries from the Management Server, because the required hotfixes are already there.

  1. From the Edge server, open the folder on the Management Server where the OpsMgr binaries were installed. In our case that is \\OpsMgr\D$\Program Files\System Center Operations Manager 2007\AgentManagement\AMD64 (Figure 2). Double-click MOMAgent.msi to start the installation (Figure 3). Click Next .

Figure 2: Agent binaries

Figure 3: Operations Manager Agent Setup

  2. On the Destination Folder window (Figure 4), keep the default installation path and click Next . On the next window (Figure 5), click Next to specify the Management Group information.

Figure 4: Agent Setup: Destination Folder

Figure 5: Agent Setup: Management Group Configuration
  3. In the Management Group Configuration window (Figure 6), specify the Management Group Name , the Management Server and the Management Server Port . Click Next .

Figure 6: Agent Setup: Management Group Configuration (cont.)

  4. In the Agent Action Account window (Figure 7), select Local System and click Next . Review the summary (Figure 8), click Install and then Finish (Figure 9).

Figure 7: Agent Setup: Agent Action Account

Figure 8: Agent Setup: Ready to Install

Figure 9: Agent Setup: Finish

  5. Go back to the folder on the Management Server where the OpsMgr binaries were installed ( \\OpsMgr\D$\Program Files\System Center Operations Manager 2007\AgentManagement\AMD64 ) and run every hotfix that is there.

After these steps the agent is installed, but it cannot communicate with the Management Server because no certificate has been assigned to it yet.
Perform the following steps on both computers, the agent machine and the Management Server, using the same CA for each machine:

  1. Request certificates from CA
  2. Allow certificate requests on CA
  3. Install authorized certificates in the computer certificate store
  4. Use the MOMCertImport tool to configure Operations Manager 2007

You can use a private CA; there is no need to purchase public certificates. Depending on the type of internal CA you have, Enterprise or Stand-Alone, the procedure for issuing the required certificates differs slightly. The difference is in the template: a Stand-Alone CA lets you specify the OIDs for the required certificate type directly in the request, whereas an Enterprise CA only issues certificates from the well-defined templates it has available. That is why, with an Enterprise CA, you must first create and enable a new certificate template.

Note: To create and enable a custom template, Certificate Services must be running on Windows Server Enterprise Edition. If you do not have Enterprise Edition, our advice is to install a new Stand-Alone CA.

Since we already have a Stand-Alone CA installed on the DC, we describe the steps for this type of CA.

Perform these steps on the Edge server and on the OpsMgr server (both need a certificate):

  1. Start Internet Explorer and connect to the computer running Certificate Services ( http://<servername>/certsrv ). On the Microsoft Certificate Services Welcome page , click Request a certificate . On the Request a Certificate page, click Or, submit an advanced certificate request . Under Advanced Certificate Request, click Create and submit a request to this CA .
  2. On the Advanced Certificate Request page (Figure 10), do the following:

    a) Under Identifying Information , in the Name field, enter the fully qualified domain name (FQDN) of the computer for which you are requesting the certificate. (The agent logs Event ID 20052 if the name entered here does not match the computer's host name.)

    b) Under Type of Certificate Needed , open the list and select Other . In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication; both are required because the agent and the Management Server each authenticate to the other over the same channel).

    c) Under Key Options , click Create new key set ; in the CSP field select Microsoft Enhanced Cryptographic Provider v1.0 ; keep the defaults ( Key Usage: Both , Key Size: 1024 , Automatic key container name selected). Select Mark keys as exportable , clear Export keys to file , clear Enable strong private key protection , and select Store certificate in the local computer certificate store . Note that 1024-bit RSA is now considered too weak; choose 2048 if your CA and CSP allow it.

    d) Under Additional Options , in the Friendly Name field, enter the FQDN of the computer for which you are requesting the certificate and click Submit . If the Potential Scripting Violation dialog box appears, click Yes .

    e) When the Certificate Pending page is displayed, close the browser.

Figure 10: Online certificate request

  3. To issue the pending certificate request, log on to the computer running Certificate Services as an administrator and open the Certification Authority console. Expand the node for your CA name, then click Pending Requests . In the results pane, right-click the pending request from the previous procedure, point to All Tasks and click Issue .
  4. To retrieve the certificate, log on to the computer on which you want to install it (the one from which you submitted the request). Start Internet Explorer and connect to the computer running Certificate Services ( http://<servername>/certsrv ).

    a) On the Microsoft Certificate Services Welcome page , click View the status of a pending certificate request .

    b) On the View the Status of a Pending Certificate Request page, click the certificate you requested

    c) On the Certificate Issued page, click Install this certificate . In the Potential Scripting Violation dialog box, click Yes .

    d) On the Certificate Installed page, after you see the message that your new certificate has been successfully installed , close the browser.
  5. Because both servers must trust the CA that issued the certificates, the CA certificate must be imported on both machines (Edge and OpsMgr). Start Internet Explorer and connect to the computer running Certificate Services ( http://<servername>/certsrv ).

    a) On the Welcome page, click Download a CA Certificate, certificate chain, or CRL .

    b) On the Download a CA Certificate, Certificate Chain, or CRL page , click Download CA certificate chain .

    c) In the File Download dialog box, click Save , specify the file name (.P7B), and then click Save again. Close the browser.
  6. Run MMC and add the Certificates snap-in (in the Certificates snap-in dialog box, select Computer account and click Next ; make sure Local computer is selected, then click Finish ). Expand Certificates (Local Computer) , expand Trusted Root Certification Authorities , right-click Certificates , select All Tasks and then Import . Browse to the saved .P7B file and import it.
  7. To bind the certificate to Operations Manager with MOMCertImport, browse to the folder containing the Operations Manager 2007 installation binaries. The MOMCertImport utility is located in SupportTools\i386 (SupportTools\amd64 for 64-bit computers). Run the following command, where the subject name is the FQDN used in the request:

    MOMCertImport /SubjectName <FQDN of this computer>

(Alternatively, export the issued certificate together with its private key to a .PFX file and run MOMCertImport <file>.pfx .)

Figure 11: Running MOMCertImport
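The same enrollment can be scripted with certreq and certutil instead of the certsrv web pages. The following is an added example, not part of the original article, and uses hypothetical names: the CA is DC01\Contoso-CA, the installation media is mounted as D: on the machine being enrolled, and the RequestId 42 stands for the number certreq prints when the request is taken under submission. Run it in an elevated PowerShell on the Edge server and again on the Management Server.

```powershell
# Added example: scripted equivalent of the certsrv request/issue/retrieve/trust/MOMCertImport steps.
# Hypothetical values: DC01\Contoso-CA, D:\SupportTools\amd64, RequestId 42.
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # Subject CN must equal this (event 20052 otherwise)
$CaConfig = "DC01\Contoso-CA"                                            # assumed: <CA host>\<CA name>
$Work     = "C:\OpsMgrCert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request. Same parameters as the web form, except a 2048-bit key. Both EKUs are needed
#    because agent and Management Server authenticate each other over the same channel.
@"
[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"
KeyLength = 2048
KeySpec = 1                      ; AT_KEYEXCHANGE, the "Key Usage: Both" option on the web form
KeyUsage = 0xA0                  ; Digital Signature + Key Encipherment
Exportable = TRUE
MachineKeySet = TRUE             ; local computer store, not the user's
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2          ; Client Authentication
"@ | Set-Content -Path "$Work\agent.inf" -Encoding ASCII

certreq -new "$Work\agent.inf" "$Work\agent.req"

# 2. Submit. A Stand-Alone CA leaves the request pending and prints its RequestId.
certreq -submit -config $CaConfig "$Work\agent.req" "$Work\agent.cer"

# --- On the CA, as a CA administrator, issue the pending request (42 is the RequestId from step 2):
#     certutil -config "DC01\Contoso-CA" -resubmit 42

# 3. Retrieve the issued certificate and install it into LocalMachine\My, bound to the key from step 1.
certreq -retrieve -config $CaConfig 42 "$Work\agent.cer"
certreq -accept "$Work\agent.cer"

# 4. Trust the issuing CA (equivalent to importing the .p7b chain into Trusted Root Certification Authorities).
certutil -config $CaConfig -ca.cert "$Work\ca.cer"
certutil -addstore Root "$Work\ca.cer"

# 5. Tell Operations Manager which certificate to use for the channel.
$MomCertImport = "D:\SupportTools\amd64\MOMCertImport.exe"   # assumed media path; use i386 on 32-bit hosts
& $MomCertImport /SubjectName $Fqdn
```

The INF keeps the keys exportable only because the article's procedure does; if you never intend to move the certificate as a .PFX, set Exportable = FALSE so the private key cannot be lifted from the Edge server in the DMZ.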

If you need to remove a certificate that was imported with the MOMCertImport tool, run MOMCertImport /Remove .
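Before approving the agent it is worth confirming that the certificate MOMCertImport selected actually meets the requirements the steps above rely on. This check is an added example, not from the article; it assumes (from the OpsMgr 2007 documentation) that MOMCertImport records the chosen certificate's serial number, byte-reversed, in the ChannelCertificateSerialNumber value under the Machine Settings key. Run it elevated on both the Edge server and the Management Server.

```powershell
# Added check: verify the certificate bound to the OpsMgr channel on this machine.
$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuth = "1.3.6.1.5.5.7.3.1"
$ClientAuth = "1.3.6.1.5.5.7.3.2"

# Registry location and byte order are assumptions taken from the OpsMgr 2007 documentation.
$Reg = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
$SerialBytes = (Get-ItemProperty -Path $Reg -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
[array]::Reverse($SerialBytes)
$Serial = ($SerialBytes | ForEach-Object { $_.ToString("X2") }) -join ""

$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
if (-not $Cert) { throw "No certificate with serial $Serial in LocalMachine\My; rerun MOMCertImport." }

$Findings = @()
# Subject must match the host name exactly, otherwise the agent logs event 20052 and the channel never opens.
if ($Cert.Subject -ne "CN=$Fqdn") { $Findings += "Subject '$($Cert.Subject)' does not match 'CN=$Fqdn'" }
if (-not $Cert.HasPrivateKey)     { $Findings += "No private key in the machine store (was 'Store certificate in the local computer certificate store' selected?)" }

# Both EKUs must be present: the channel is mutually authenticated.
$EkuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$Ekus   = @()
if ($EkuExt) { $Ekus = $EkuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
foreach ($Oid in $ServerAuth, $ClientAuth) {
    if ($Ekus -notcontains $Oid) { $Findings += "EKU $Oid missing" }
}
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $Findings += "Certificate expires $($Cert.NotAfter)" }

# The chain must build to a CA in LocalMachine\Root on THIS machine (the .p7b import above).
# Revocation is set to NoCheck so the result does not depend on CRL reachability from the DMZ;
# change it to Online to test revocation as well.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $Chain.Build($Cert)) {
    $Findings += "Chain does not build: " + (($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
}

# Any 20052 events logged since the import point at a subject/host-name mismatch.
$Mismatch = Get-EventLog -LogName "Operations Manager" -Newest 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 20052 }
if ($Mismatch) { $Findings += "$($Mismatch.Count) event(s) 20052 present in the Operations Manager log" }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else           { "OK: certificate $($Cert.Thumbprint) is bound for $Fqdn" }
```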

Allow manually installed agents

Before a manually installed agent can be approved, the global setting in the OpsMgr 2007 console must be changed from 'Reject new manual agent installations' to 'Review new manual agent installations in pending management view'.
Open the console and, in the Administration pane, select Settings . In the right pane, under Server , open Security (Figure 12). Click Properties , and on the General tab select Review new manual agent installations in pending management view (Figure 13). Click OK to finish.

Figure 12: Allow to install the agent yourself

Figure 13: Global Management Server Settings - Security

After each manual agent installation, the new agent must be approved in the System Center Operations Manager console:

Open the console, and in the Administration pane expand Device Management and select Pending Management . In the right pane, right-click the server that is requesting approval and select Approve (Figure 14).

To confirm that the agent was approved, open the Agent Managed view and check that the agent is now listed there.
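The review setting exists so that an unknown host cannot join the management group just by installing an agent with the right certificate, so approve by name rather than approving everything in Pending Management. The following is an added example, not from the article, using the Operations Manager 2007 Command Shell; the host name is hypothetical and the AgentName and AgentPendingActionType property names are assumed.

```powershell
# Added example: approve only the Edge server(s) we installed, reject anything else that shows up.
# Run in the Operations Manager 2007 Command Shell on the Management Server.
$Expected = @("edge01.contoso.com")   # hypothetical FQDN(s) of the hosts where we ran MOMAgent.msi

$Pending = Get-AgentPendingAction | Where-Object { $_.AgentPendingActionType -eq "ManualApproval" }
foreach ($Action in $Pending) {
    if ($Expected -contains $Action.AgentName) {
        $Action | Approve-AgentPendingAction
        "Approved $($Action.AgentName)"
    } else {
        # An agent we did not install has a valid certificate from our CA and is asking to join:
        # reject it and find out who enrolled it.
        $Action | Reject-AgentPendingAction
        Write-Warning "Rejected unexpected manual agent: $($Action.AgentName)"
    }
}

# Equivalent of checking the Agent Managed view.
Get-Agent | Where-Object { $Expected -contains $_.Name } | Select-Object Name, HealthState
```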

Figure 14: Allow Agent installation

Conclusion

This concludes Part 2. In the next part we will walk through the configuration in the Operations Console that is required to monitor Exchange 2007 servers with Operations Manager 2007.