In the first part of this article, I introduced the concept of monitoring Azure IaaS VMs with OpsMgr, and briefly reviewed the prerequisite steps for setting up connectivity from your corpnet to the Azure network. In this part of the article, I will demonstrate the necessary configuration steps for monitoring the Azure VMs with OpsMgr.
Recall that my lab consists of an AD domain, an OpsMgr management group and a Microsoft PKI, and that I have configured cross-premises connectivity to the Azure virtual network that contains my Azure VMs. We also confirmed that the test Azure VM, AppSrv2, can connect to the OpsMgr management server in my lab. The Azure VM sits outside the trust boundary of the OpsMgr management group (it is not in a domain that the management group's forest trusts), so we have to use certificates for mutual authentication with the on-premises management server. If the server were inside that trusted environment, Kerberos would be used instead.
Configuring certificates so that OpsMgr can agent-manage Azure IaaS VMs is fairly straightforward. We will use a PKI to support Operations Manager; if you use certificates from a third-party CA, the same concept applies. You have to install the root certificate and an individual client certificate into the appropriate certificate stores on both the Azure side and in your OpsMgr management group, and then register each client certificate with the OpsMgr agent or management server that will present it.
In this article, and for the purpose of this demo, I'll use a standalone Certificate Authority (CA) in my lab. The agent-managed virtual machine in the Azure virtual network needs the trusted root certificate as well as an individual client certificate issued to its FQDN, and the OpsMgr agent must be configured to use that individual certificate.
If you'll be managing more than a handful of VMs in Azure, deploy an OpsMgr Gateway server in Azure instead. The certificates are then deployed to the Gateway server, which uses them for mutual authentication with your on-premises management group, and the Gateway server manages all of the downstream servers that are outside the OpsMgr trust boundary. Provided those VMs are in a domain the Gateway trusts, they authenticate to the Gateway with Kerberos, so only the Gateway needs a certificate.
The high-level steps for deploying the agent to the untrusted VM in Azure are:
- Ensure that you can connect to the Management Server from the Azure VM over port 5723
- Import the root certificate on the Azure VM(s)
- Generate and Install the individual client certificate(s) on the Azure VM(s)
- Manually Install the OpsMgr agents on the Azure VM
- Run the MOMCertImport approval tool on the Azure VM
- Approve the Pending Agents in the OpsMgr Console
Note that your OpsMgr management servers also need certificates from the same CA, so steps 2 and 3 (and the MOMCertImport step) must also be performed once on each corpnet management server that the Azure agents will talk to. Let us walk through each of the steps listed above:
Test the Connection to the OpsMgr Management Server over TCP 5723
From the VM in Azure, confirm communication with the OpsMgr management server over TCP port 5723. I'll use the PortQry utility here, but you can test this with any other tool you prefer.
Install the Root Certificate in the Trusted Root Certification Authorities Certificate Store of the Azure VM
We’ll request a certificate for our Azure VM from any server that has the CA Web Enrollment Pages installed on it.
Start IE and navigate to the CA web enrollment site (https://<ServerName>/certsrv). If you have not configured the CA's website for HTTPS (which should be standard practice in a production PKI deployment, since the enrollment pages carry your certificate requests and credentials), the default site uses HTTP, for instance http://<ServerName>/certsrv.
- Click on Download a CA certificate, certificate chain, or CRL
- Click on Download CA certificate chain, and save the certificate
- Load the Certificates snap-in on the Azure VM: from a command prompt, type mmc. In the resulting window, open the File menu and select Add/Remove Snap-in.
- In the resulting window, select Certificates from the Available snap-ins and click Add to move it to your Selected snap-ins. Select the Computer account radio button and click Next, select Local computer as the computer to be managed by the snap-in, and click Finish. Click OK to return to the console.
- Expand Certificates (Local Computer), right-click the Trusted Root Certification Authorities folder, and select All Tasks > Import. Click through the Certificate Import Wizard and import the root CA certificate into the Trusted Root Certification Authorities store.
Install the Individual certificate(s) in the Azure VM(s)
- Start IE and navigate to the CA web enrollment site (https://[ServerName]/certsrv)
- Click on Request a certificate
- Under Advanced Certificate Request, choose Create and submit a request to this CA
- On the resulting page, select an appropriate template (or, on a standalone CA, certificate type) from the drop-down. Whatever you pick must meet the OpsMgr agent's certificate requirements: Enhanced Key Usage for both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2), and Key Usage of Digital Signature and Key Encipherment
- Enter the FQDN of the Azure VM in the Name box and the same name in the Friendly Name box. Leave the default key options and additional options unchanged, with one exception: Mark keys as exportable must be selected, because the private key has to be exported in a later step. (If your enrollment page offers Store certificate in the local computer certificate store, selecting it issues the certificate straight into the computer store and lets you skip the export/import below.) Click Submit
- Once the certificate has been issued, click Install this certificate. The certificate is installed in the current user's Personal store. The OpsMgr agent runs as Local System and looks for its authentication certificate in the Local Computer's Personal store, so the certificate must be moved there before the agent can use it for mutual authentication with the management group
- Export the certificate from the user's Personal store (choose Yes, export the private key, and set a password), then import the resulting .pfx into the Local Computer's Personal store. Delete the .pfx afterwards; it contains the VM's private key
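The same certificate staging, done with PowerShell instead of the IE/MMC clicks above, as an added example that is not part of the original article. It imports the downloaded CA chain into the right machine stores, moves the enrolled client certificate from the user's Personal store to the Local Computer's Personal store, and then checks the properties the OpsMgr agent needs before you run MOMCertImport. It assumes Windows Server 2012/Windows 8 or later (for Export-PfxCertificate and Import-PfxCertificate); the FQDN, file paths and PFX password are placeholders. The Test-OpsMgrCertificate check can be run unchanged on the on-premises management server against its own certificate.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the Azure VM.
#Requires -RunAsAdministrator
$VmFqdn    = 'appsrv2.contoso.local'   # assumption: the VM's FQDN, as entered in the request's Name box
$ChainFile = 'C:\Temp\certnew.p7b'     # assumption: CA chain downloaded from the certsrv site
$PfxFile   = 'C:\Temp\appsrv2.pfx'     # temporary file; deleted once the key is in the machine store
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the temporary PFX'

# 1. Import the CA chain. Self-signed certificates are roots and go to Trusted Root;
#    anything else is an issuing/intermediate CA and goes to the Intermediate CA store.
$chainCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chainCerts.Import($ChainFile)
foreach ($ca in $chainCerts) {
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($ca)          # no-op if the same certificate is already present
    $store.Close()
    "Imported '$($ca.Subject)' into LocalMachine\$storeName"
}

# 2. Move the client certificate from CurrentUser\My (where "Install this certificate" put it)
#    to LocalMachine\My, where the agent, running as Local System, looks for it.
$userCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$VmFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $userCert) { throw "No certificate with subject CN=$VmFqdn and a private key in CurrentUser\My" }
Export-PfxCertificate -Cert $userCert -FilePath $PfxFile -Password $PfxPassword | Out-Null   # fails if the key was not marked exportable
$machineCert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
Remove-Item $PfxFile     # do not leave a copy of the private key on disk

# 3. Verify the OpsMgr requirements: private key, subject = FQDN, Server + Client Authentication EKUs,
#    Digital Signature + Key Encipherment key usage, and a chain that builds to a trusted root.
function Test-OpsMgrCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedFqdn
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    if ($Cert.GetNameInfo('SimpleName', $false) -ne $ExpectedFqdn) { $problems += "subject is not CN=$ExpectedFqdn" }

    $eku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)' }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'missing Client Authentication EKU (1.3.6.1.5.5.7.3.2)' }

    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (-not $ku -or -not ($ku.KeyUsages -band $flags::DigitalSignature) -or -not ($ku.KeyUsages -band $flags::KeyEncipherment)) {
        $problems += 'key usage must include Digital Signature and Key Encipherment'
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build to a trusted root: $status"
    }
    return $problems
}

$issues = Test-OpsMgrCertificate -Cert $machineCert -ExpectedFqdn $VmFqdn
if ($issues) { Write-Warning ('Certificate is not usable by the agent: ' + ($issues -join '; ')) }
else { "Certificate $($machineCert.Thumbprint) in LocalMachine\My is ready for MOMCertImport" }
```

The chain check is what catches the most common mistake at this point: a client certificate that was issued correctly but whose root (or intermediate) never made it into the Local Computer stores, which the agent later reports as an authentication failure rather than a missing certificate.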
Manually Install the OpsMgr agent(s) on the Azure VM(s)
- Run setup from the OpsMgr install media
- In the OpsMgr install window, click Local agent under Optional Installations. If you get an error about a trusted domains enumeration failure (expected, since the Azure VM is not in a domain the lab forest trusts), click OK and continue through the wizard to the Management Group Configuration page
- Enter the management group name and management server name in the respective fields. Ensure that the management server name you enter can be resolved from the Azure VM; use the VM's hosts file if you must. Click Next, leave the default Local System radio button selected, and click Install to install the Microsoft Monitoring Agent on the Azure VM
- Upon completion of the agent installation, click the finish button
Run the MOMCertImport Approval Tool on the Azure VM
- Open an elevated command prompt on the Azure VM
- Navigate to the SupportTools\AMD64 folder on the install media and run MOMCertImport.exe. Select the correct certificate if you are presented with a list, and click OK. (MOMCertImport also accepts the subject name on the command line, MOMCertImport.exe /SubjectName <FQDN>, which avoids the picker and picks the certificate from the Local Computer's Personal store.)
Confirm that the certificate was successfully installed: restart the Microsoft Monitoring Agent (Health Service) and look in the Operations Manager event log for event 20053 from the OpsMgr Connector source, which reports that the authentication certificate was loaded.
Depending on your manual agent installation security settings in OpsMgr, you will then see events 21016 and 20070, indicating that the agent can reach the management server but is not yet authorized to communicate with it. This takes us to the final part of the configuration.
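The agent install, certificate import and the two verification checks above, scripted end to end on the Azure VM, as an added example that is not part of the original article. It repeats the port 5723 test with a plain TCP connect, installs MOMAgent.msi unattended with the MSI properties Microsoft documents for the agent, registers the certificate with MOMCertImport /SubjectName, confirms the serial number was written to the registry, and then prints the OpsMgr Connector events with what each one means. The media drive, management group name, management server FQDN and VM FQDN are placeholders.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the Azure VM
# after the certificates are in place in the Local Computer stores.
#Requires -RunAsAdministrator
$Media      = 'D:\'                      # assumption: mounted OpsMgr install media
$MgmtGroup  = 'LABMG'                    # assumption: management group name
$MgmtServer = 'opsmgr01.contoso.local'   # assumption: management server FQDN, resolvable from the VM
$VmFqdn     = 'appsrv2.contoso.local'    # assumption: subject name of the VM's certificate

# 1. Same check as PortQry: can the VM open TCP 5723 to the management server?
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($MgmtServer, 5723); "TCP 5723 to $MgmtServer is open" }
catch   { throw "Cannot reach $MgmtServer on TCP 5723: $($_.Exception.Message). Check the VNet gateway, NSG rules and name resolution (DNS or hosts file)." }
finally { $tcp.Close() }

# 2. Unattended agent install; these are the documented MOMAgent.msi properties and match the wizard fields.
$log = Join-Path $env:TEMP 'MOMAgent.log'
$msiArgs = @(
    '/i', ('"{0}"' -f (Join-Path $Media 'agent\AMD64\MOMAgent.msi')), '/qn', '/l*v', ('"{0}"' -f $log),
    'USE_SETTINGS_FROM_AD=0', 'USE_MANUALLY_SPECIFIED_SETTINGS=1',
    "MANAGEMENT_GROUP=$MgmtGroup", "MANAGEMENT_SERVER_DNS=$MgmtServer", "MANAGEMENT_SERVER_AD_NAME=$MgmtServer",
    'SECURE_PORT=5723', 'ACTIONS_USE_COMPUTER_ACCOUNT=1',   # Local System, as in the wizard
    'AcceptEndUserLicenseAgreement=1'
)
$p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "MOMAgent.msi failed with exit code $($p.ExitCode); see $log" }

# 3. Tell the agent which certificate to use. /SubjectName selects it from LocalMachine\My
#    without the GUI picker, so the script is deterministic.
$momCertImport = Join-Path $Media 'SupportTools\AMD64\MOMCertImport.exe'
& $momCertImport /SubjectName $VmFqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe returned $LASTEXITCODE" }

# 4. MOMCertImport stores the chosen certificate's serial number in the registry; the Health
#    Service reads it at startup, so restart the service and then read the connector events.
$settings = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
if (-not $settings.ChannelCertificateSerialNumber) { throw 'ChannelCertificateSerialNumber was not written; MOMCertImport did not register a certificate' }
Restart-Service HealthService
Start-Sleep -Seconds 60   # give the agent time to load the certificate and attempt a connection

Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector'; Id = 20053, 20070, 21016 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        $e = $_
        $meaning = switch ($e.Id) {
            20053 { 'authentication certificate loaded successfully' }
            20070 { 'connected, but the management server closed the channel after authentication: agent not yet approved in the console' }
            21016 { 'could not set up a communications channel to the management server' }
        }
        '{0:u}  {1}  {2}' -f $e.TimeCreated, $e.Id, $meaning
    }
```

A 20053 followed by 20070 is the healthy state at this point: the TLS handshake with your certificate worked and only the console approval is missing. A 20053 followed by 21016 with no 20070 usually means the management server rejected the certificate itself (wrong root, wrong subject, or no certificate registered on the management server side), so go back to the certificate checks before touching the approval settings.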
Approve the Pending Agent in the OpsMgr Console
Open the OpsMgr console, select Administration and, under Device Management, select Pending Management. The Azure VM should be visible in this pane. If it is not, make sure your security settings are not set to reject new manual agent installations: under Administration > Settings, right-click Security (under Type: Server) and select Review new manual agent installations in pending management view. Leave Automatically approve new manually installed agents unchecked; with auto-approval on, any host that obtains a certificate chaining to your root CA and can reach port 5723 joins the management group without anyone looking at it.
Click the Azure VM and select Approve in the Tasks pane on the right side of the screen to approve this agent. Once approved, the agent appears under Agent Managed, as seen below.
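The same approval from the Operations Manager Shell on a management server, as an added example that is not part of the original article. It puts the manual-install setting into review mode (never auto-approve), approves only the expected agent by name, and confirms it has moved to Agent Managed. The VM's FQDN is a placeholder.

```powershell
# Added example, not from the original article. Run in the Operations Manager Shell
# (or any PowerShell with the OperationsManager module) on a management server.
Import-Module OperationsManager
$VmFqdn = 'appsrv2.contoso.local'   # assumption: the Azure VM's FQDN as shown in Pending Management

# 1. Manually installed agents must land in Pending Management, not be rejected and not be
#    auto-approved; -Pending is the "Review new manual agent installations" console setting.
Set-SCOMAgentApprovalSetting -Pending
Get-SCOMAgentApprovalSetting

# 2. Approve only the agent we expect, matched by its FQDN, rather than everything pending.
$pending = Get-SCOMPendingManagement | Where-Object { $_.AgentName -eq $VmFqdn }
if (-not $pending) {
    throw "$VmFqdn is not in Pending Management. Check for 20070/21016 events on the VM and that its certificate chains to the root the management server trusts."
}
$pending | Approve-SCOMPendingManagement

# 3. Confirm the agent is now managed and which management server owns it.
Get-SCOMAgent -DNSHostName $VmFqdn | Select-Object DisplayName, PrimaryManagementServerName, HealthState
```

Keep the approval scoped to a name (or a list of names you expect) so that a second, unexpected host appearing in Pending Management is noticed rather than approved along with the one you meant.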
You can now monitor this Azure VM and any application(s) that reside on it, just as you would any other on-premises server in your corpnet. Cheers!
Author: Chiyo Odika