
My SCOM cannot monitor a Gateway Server


adsukhai

Jan 12, 2009, 4:06:00 AM
Hello,

I installed my SCOM 2007 successfully and that works fine. Now I want to
monitor via SCOM 2007 servers and workgroups in un-trusted domains. But I see
the gateway server is not monitored in SCOM 2007.

I followed the guide of System Center Forum (Gateway Server and
Certificate-based Authorization Scenarios in Operations Manager 2007) and I
don't understand why I am seeing issues. I tried many different things to
solve those issues by following the website of Wolzak
(http://www2.wolzak.com/index.php?option=com_content&task=view&id=15&Itemid=9) and other websites.

Firewall Rules:
SYM-SCOM - 5723 tested via telnet and works fine.
SCOM-SYM - 5723 tested via telnet and works fine.


I get 2 errors, 2 warnings and 1 information (this is not good) on the Sym side:

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20070
Date: 9-1-2009
Time: 14:24:23
User: N/A
Computer: SYMBSXXXX
Description:
The OpsMgr Connector connected to opsmgr.oe.local, but the connection was
closed immediately after authentication occured. The most likely cause of
this error is that the agent is not authorized to communicate with the
server, or the server has not received configuration. Check the event log on
the server for the presence of 20000 events, indicating that agents which are
not approved are attempting to connect.

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21016
Date: 9-1-2009
Time: 14:24:26
User: N/A
Computer: SYMBSXXXX
Description:
OpsMgr was unable to set up a communications channel to opsmgr.oe.local and
there are no failover hosts. Communication will resume when opsmgr.oe.local
is both available and allows communication from this computer.

 
Event Type: Information
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21023
Date: 9-1-2009
Time: 14:26:06
User: N/A
Computer: SYMBSXXXX
Description:
OpsMgr has no configuration for management group OE-MG and is requesting new
configuration from the Configuration Service.

Event Type: Warning
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20067
Date: 9-1-2009
Time: 14:06:01
User: N/A
Computer: SYMBSXXXX
Description:
A device at IP 84.81.84.15:5723 attempted to connect but the certificate
presented by the device was invalid. The connection from the device has been
rejected. The failure code on the certificate was 0x800B010A (A certificate
chain could not be built to a trusted root authority.

Event Type: Warning
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21002
Date: 9-1-2009
Time: 14:06:01
User: N/A
Computer: SYMBSXXXX
Description:
The OpsMgr Connector could not accept a connection from 84.81.84.15:5723
because mutual authentication failed.


How can I solve the above problems? Hopefully you can help me by solving
this difficult problem.

In advance thanks!

With regards,

A. Sukhai


Pete Zerger

Jan 12, 2009, 8:14:23 AM
Hello adsukhai,

The 20070 and 21016 are generic errors you see in every failure and will not
help you much. The error of interest in your case is this one:

20067 - The failure code on the certificate was 0x800B010A (A certificate
chain could not be built to a trusted root authority).

Make sure the CA chain that issued the certificates for both parties (even
if these are different CAs) is listed in the "Trusted Root Certificate Authorities"
store on the Gateway server. Mutual authentication will fail for any computer
that does not trust the issuer of the certificates.


Regards,

Pete Zerger, MCSE(Messaging) | MCTS(SQL 2005) | MCTS(Opsmgr) | MVP - Opsmgr
URL:http://www.systemcenterforum.org
User Group: http://www.systemcenterusergroup.com
MP Catalog: http://www.systemcenterforum.org/mps
Tools: http://www.systemcenterforum.org/tools/
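
One way to run the check described in the reply above, as an added example that is not part of the original thread: build the chain for each certificate in the computer's personal store and report where it stops. It assumes the certificate used by OpsMgr is in `Cert:\LocalMachine\My`; the function name `Test-MachineCertChain` and the `.cer` path in the comment are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on
# the gateway server, then again on the management server.
# Assumption: the certificate used by OpsMgr is in Cert:\LocalMachine\My.

function Test-MachineCertChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # $true = build in the machine context, so a root that was imported only
    # into the logged-on user's store does not count as trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

    # Skip revocation checking so that a CRL that cannot be reached from the
    # DMZ does not mask the trust question being tested here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    $builds = $chain.Build($Certificate)

    # Last element = highest certificate the chain engine could find.
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        ChainBuilds = $builds
        ChainStatus = $flags
        TopOfChain  = $top.Subject
        TopIssuer   = $top.Issuer
    }
}

# Check every certificate with a private key in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-MachineCertChain -Certificate $_ } |
    Format-List Subject, Thumbprint, ChainBuilds, ChainStatus, TopOfChain, TopIssuer

# To check the other party's certificate from this computer, export it without
# the private key and load the file (hypothetical path):
# $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\peer.cer'
# Test-MachineCertChain -Certificate $peer
```

When `ChainBuilds` is `False` with a `PartialChain` status, `TopIssuer` names the CA whose certificate is missing on this computer; with `UntrustedRoot`, `TopOfChain` is a root that is present in the chain but not in the computer's Trusted Root store.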

michaelspencer

Dec 17, 2009, 11:29:13 AM
I have installed my Gateway server and it is saying 'not monitored' in the Operations Console. The only error I have is the 20070 error which you say is generic on the gateway server.

I only have ports open from the Gateway in the DMZ on 5723 to the RMS on the internal LAN, as per the documentation on MS Technet, however I have seen a number of posts and blogs that say I need to open access in both directions.

Can someone confirm this please?

Regards,
Michael


Kobile

Dec 19, 2009, 6:18:01 AM
Hi Michael,

the direction is from GW to RMS or MS.

you can find the answer here:
http://technet.microsoft.com/en-us/library/bb309428.aspx

kobile

shahar nus

Aug 19, 2010, 4:20:47 AM
try this guide http://www.systemcentercentral.com/tabid/147/IndexId/77779/Default.aspx

you need to download it