Monitoring Exchange Server 2007 using MOM 2005 (Part 2)

Published on 5 July 2007 / Last Updated on 5 July 2007

In the second part of this article we will install the MOM Agent on an Edge Transport server located in the DMZ network, so that it can be monitored by MOM 2005.

Introduction

I assume that you have already read the first part of this article and now you have an environment with the Exchange Server 2007 Management Pack installed, and the internal Exchange Server 2007 box has a MOM Agent installed as well. The last section of Part I dealt with the creation of a test mailbox account so as to test some cmdlets using MOM. We are now going to see how to install a MOM Agent in the Edge Transport Server role. To accomplish this task we will use three Microsoft products: Exchange 2007, MOM and ISA Server.

Installing the MOM Agent in the Edge Transport Server

Now, we are going to install the MOM Agent on the Edge Transport Server. By design, this Exchange 2007 box is outside the domain and should be placed in a DMZ. This means that three different products are involved in the task: the Exchange Server Edge Transport Server, which needs a manual MOM Agent installation; ISA Server, which will allow the MOM Agent to communicate with the MOM Server in the internal network; and finally the MOM Server itself, which needs to be configured differently to accept this MOM Agent in the DMZ.

So, let us start to implement our MOM Agent in the DMZ; the order of the tasks will be as follows:

  1. Disable Mutual authentication in the MOM Server
  2. Allow Manual Agent Installation in the MOM Server
  3. Enable the ISA Server to allow the traffic between DMZ and internal network
  4. Install the MOM Agent in the Edge Transport Server
  5. Go back to the MOM Server to finalize the deployment of the MOM Agent

Now let us go into further detail on each of the above-mentioned steps:

Disable Mutual Authentication

First of all, we have to disable Mutual Authentication on the MOM Server. The Edge Transport Server is not a domain member, so a MOM Agent installed in the DMZ cannot mutually authenticate with the Management Server.

Open the MOM Administration Console, expand Global Settings, double-click Security, click the Security tab, uncheck the Mutual authentication required option and click OK, as shown in Figure 01.


Figure 01: Disabling Mutual Authentication

A message box will appear warning us that communication between the Management Servers and agents will be broken. We can click OK to continue, as shown in Figure 02.


Figure 02: Warning message displayed when we disable Mutual Authentication

Allowing manual agent installations

Still in the MOM Administrator Console, expand Global Settings, and double click on Agent Install. Then, go to the Agent Install tab and uncheck the option “Reject new manual agent installations”, click OK to finish, as shown in Figure 03.


Figure 03: Allowing manual agents

Next, we have to apply the changes (Figure 04) through the MOM Administrator Console.


Figure 04: Applying the configuration changes after disabling mutual authentication and allowing manual Agent installation

Then, we have to restart the MOM Service on each Management Server. To do that, open the Services console (click Start, Run, type services.msc and click OK), find the MOM service and click Restart.

Setting up ISA Server 2006

Let us configure ISA Server 2006 to allow traffic from the MOM Agent located in the DMZ to the MOM Server.

If you do not have ISA Server installed, make sure that port 1270 (UDP/TCP) is open from the DMZ to the internal network on whatever firewall separates them.

Open ISA Server Management, expand <server name>, right-click Firewall, click New, and then click New Access Rule. In the Welcome to the New Access Rule Wizard page, fill out the rule name and click Next. In Rule Action, select Allow and click Next. In Protocols, select Microsoft Operations Manager Agent, as shown in Figure 05.


Figure 05: Adding the Microsoft Operations Manager Agent Protocol in the Access Rule

In the Access Rule Sources section, create a Computer Object for the Edge Transport Server, add this new object to the list and click Next. In Access Rule Destinations, specify the internal MOM Server using a Computer Object and click Next. In User Sets, just click Next.

Installing the MOM Agent in the Edge Transport Server

We can use the MOM Remote Pre-requisite Checker (MOMNetChk.exe) tool to validate whether the server located in the DMZ is able to receive a MOM Agent installation (Figure 06). The tool scans the computer and reports the status of the ports that are used by the MOM service and related services.


Figure 06: Running the MOM Network Check to validate if the server located in the DMZ can communicate with the MOM Server.

Now, we have to insert the MOM media in the Edge Transport Server to start the manual installation.

The MOM 2005 media autoplay shows a welcome screen for installing the product. Click on the Manual Agent Install tab, then click on Install MOM 2005 Agent Install, as shown in Figure 07.


Figure 07: Starting the Manual MOM Agent installation

In the Welcome Screen click Next. In the Destination Folder section, choose the path to install the agent and click Next. In the Agent Configuration fill out the information using the MOM settings, such as Management Group Name, Management Server and Server Port. Select None and then click Next. (Figure 08)

Note:
When we use the server name, we have to ensure that this name can be resolved from the DMZ server; we can accomplish that using the hosts file on the server or by configuring the correct DNS server.


Figure 08: Specifying the MOM configuration manually in the Agent
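The name-resolution requirement from the note above and the port 1270 requirement from the ISA Server section can both be checked from the Edge Transport Server before the wizard is completed. The following script is an added example, not part of the original article or of MOM: the function name `Test-MomAgentPath` and the server name `mom01.corp.example` are placeholders, PowerShell 2.0 or later is assumed, and only TCP 1270 is tested (UDP is not).

```powershell
# Added example: run on the Edge Transport Server in the DMZ.
# 'mom01.corp.example' is a placeholder for the Management Server name
# entered in the Agent Configuration page; 1270 is the port named in the article.
function Test-MomAgentPath {
    param(
        [string]$ManagementServer = 'mom01.corp.example',
        [int]$Port = 1270,
        [int]$TimeoutMs = 3000
    )
    $result = New-Object PSObject -Property @{
        Server = $ManagementServer; Addresses = @()
        Resolved = $false; TcpOpen = $false; Detail = ''
    }
    # Step 1: the name must resolve from the DMZ (DNS server or hosts file).
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($ManagementServer) |
            ForEach-Object { $_.IPAddressToString })
        $result.Resolved = ($result.Addresses.Count -gt 0)
    } catch {
        $result.Detail = "Name resolution failed: $($_.Exception.Message)"
        return $result
    }
    # Step 2: TCP connect with a timeout, so a silently dropped packet
    # (no firewall rule) is reported instead of hanging the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws if the connection was refused
            $result.TcpOpen = $true
            $result.Detail = "TCP $Port reachable"
        } else {
            $result.Detail = "TCP $Port timed out after $TimeoutMs ms (check the firewall access rule)"
        }
    } catch {
        $result.Detail = "TCP $Port refused or blocked: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    $result
}

Test-MomAgentPath | Format-List Server, Addresses, Resolved, TcpOpen, Detail
```

A timeout usually points at the access rule between the DMZ and the internal network, while a refused connection means the packet arrived but nothing is listening on that port.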

From here, we can accept the default values on the remaining screens, clicking Next on each one to complete the installation.

We can now go back to the MOM Server, where we will see our Edge Transport Server in Pending Actions under Computers. We now have to approve this new manual MOM Agent. To do that, just right-click on the server and click on Approve Manual Agent Installation Now, as shown in Figure 09.


Figure 09: Approving the Manual Agent

We will receive a message box asking if we are sure about the approval; just click Yes. Now we can view the properties of the Edge Transport Server in the MOM Administrator Console, and on the Computer Groups tab we will see the Exchange roles that it belongs to, as shown in Figure 10.


Figure 10: The Computer Groups that the Edge Transport Server belongs to

After the approval, we have to set three values in the OnePoint database for the new MOM Agent installed on the Edge Transport Server, as follows:

  1. Start SQL Server Enterprise Manager
  2. Expand Microsoft SQL Servers\SQL Server Group\(local)(Windows NT)\Databases.
  3. Expand OnePoint, and then click Tables.
  4. Right-click the Computer table, point to Open Table, and then click Return all rows.
  5. Find the computer name of the manually installed Agent in the Edge Transport Server
  6. Change the <NULL> value in the DNSName column to the internal domain name, because the Edge Transport Server uses the same domain name
  7. Change the <NULL> value in the HostName column to the FQDN of the Edge Transport Server
  8. Change the <NULL> value in the FQDN column to the FQDN of the Edge Transport Server

Now we can monitor the Edge Transport Server located in the DMZ through the MOM Operator Console, as shown in Figure 11.


Figure 11: Edge Transport Server belonging to a DMZ network in the MOM Operator Console

Conclusion

In this second article we have seen how to install the MOM Agent on the Edge Transport Server. Even though we do not have an Exchange 2007 box in a DMZ, this tutorial is useful if you want to install MOM Agents in a DMZ environment. In the next article we will uncover more details about Exchange Server 2007 and MOM 2005.

More Information

Implementing MOM Agents beyond the firewall

Installing a MOM Agent in the DMZ