SCOM: DMZ or workgroup machines refusing to connect to SCOM

By Bob Cornelissen

Ran into a customer issue today whereby there was a nice clean SCOM 2012 R2 installation with URs. Certificates were arranged and momcertimport had been run. On the agent machines in the DMZ we had the agent installed, the UR applied, the certificate root imported and the certificate meant for the computer imported. momcertimport was run to get the correct certificate active. Yet there was no communication at all between agent and server. This is what I found:

So the first checks are:

Does the agent machine have the certificate for the name of the server (which in a workgroup can be the short name and in a DMZ domain a fully qualified name)? Yes
Does the agent machine trust the CA which issued the certificate? (In this case a customer's own CA, so the root chain certificate was imported.) Yes
Can the agent resolve the SCOM server name you used while configuring the agent? Yes
Is the management group name we used in configuring the agent correct (case sensitive!)? Yes
Is there a firewall blocking TCP 5723 from agent to SCOM server? Yes! OK, this was fixed quickly and verified with telnet. Still no communication! Moving on.
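The checks above can be run in one go on the agent machine. The script below is an added example and not part of the original post or of any Microsoft tooling; the server name and management group name are placeholders you replace with your own values. It reads the agent's own registry entries (the management group list under Agent Management Groups, and the ChannelCertificateSerialNumber value that momcertimport writes under Machine Settings, stored byte-reversed), looks up that certificate in the computer store, verifies its chain against the trusted roots on the box, and tests name resolution and TCP 5723. It also checks that the certificate carries both the Server Authentication and Client Authentication EKUs, which SCOM requires on agent certificates; that check goes slightly beyond the post's list.

```powershell
# Added example (not from the original post): read-only connectivity checklist
# for a DMZ or workgroup SCOM agent. Run in an elevated PowerShell on the agent.
param(
    [string]$ManagementServer = 'scomms01.example.local',  # assumed; use the name typed into agent setup
    [string]$ManagementGroup  = 'MG_EXAMPLE',              # assumed; case sensitive
    [int]   $Port             = 5723
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}: {2}' -f $tag, $Name, $Detail)
}

# 1. Name resolution of the server name as configured on the agent.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ManagementServer)
    Write-Check 'DNS' $true (($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')
} catch {
    Write-Check 'DNS' $false $_.Exception.Message
}

# 2. Firewall: plain TCP connect to 5723 (same thing the telnet test does).
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ManagementServer, $Port)
    Write-Check ('TCP {0}' -f $Port) $client.Connected 'connected'
} catch {
    Write-Check ('TCP {0}' -f $Port) $false $_.Exception.Message
} finally {
    $client.Close()
}

# 3. Management group name, compared case sensitively (-ccontains).
$mgRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
$mgKeys = @(Get-ChildItem -Path $mgRoot -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName)
Write-Check 'Management group' ($mgKeys -ccontains $ManagementGroup) ('configured: ' + ($mgKeys -join ', '))

# 4. Certificate selected by momcertimport: serial is stored byte-reversed as REG_BINARY.
$msPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$ms = Get-ItemProperty -Path $msPath -ErrorAction SilentlyContinue
if ($ms -and $ms.ChannelCertificateSerialNumber) {
    $bytes = [byte[]]$ms.ChannelCertificateSerialNumber
    [array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    if ($cert) {
        Write-Check 'Certificate present' $true ('{0} (serial {1})' -f $cert.Subject, $serial)
        # Verify() builds the chain against this machine's trusted roots and checks validity dates.
        Write-Check 'Certificate chain trusted' $cert.Verify() ('issuer {0}, expires {1}' -f $cert.Issuer, $cert.NotAfter)
        # Both Server Authentication and Client Authentication EKUs are needed for SCOM channel auth.
        $ekuExt = $cert.Extensions |
                  Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $ekuOk = ($ekus -contains '1.3.6.1.5.5.7.3.1') -and ($ekus -contains '1.3.6.1.5.5.7.3.2')
        Write-Check 'Certificate EKU (server+client auth)' $ekuOk ($ekus -join ', ')
    } else {
        Write-Check 'Certificate present' $false ('no certificate with serial {0} in LocalMachine\My' -f $serial)
    }
} else {
    Write-Check 'momcertimport' $false 'ChannelCertificateSerialNumber not set; momcertimport has not registered a certificate'
}
```

A FAIL on the certificate subject line is worth a second look even when the chain verifies: the subject (or a SAN) must match the name the server uses, and on the server side the same check applies in reverse against the agent's name.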
