Monitoring Untrusted Servers over the Internet

As most people know, OpsMgr is uniquely suited to monitor a server over the public Internet. I wanted to quickly write a short post addressing one of the biggest pitfalls implementers experience: FQDN resolution and the gateway server. When communicating over a network that requires DNS, such as the Internet, it is critical that the gateway server's FQDN matches the FQDN the agent initiates communication with, and of course that is also the name on the corresponding certificate. I recently discovered that the agent resolves the gateway server's actual host name, regardless of what DNS it's assigned.

During the agent installation on the untrusted server, a management server (the gateway) has to be specified in FQDN format. Let's say it is gateway.corp.com. The actual server hosting the gateway server role must be named gateway.corp.com. If it is named anything else, it will not work, even if DNS is modified to reflect gateway.corp.com, because the agent resolves the server's host name and its corresponding DNS suffix. Hosts files play a huge role in helping out if the servers are not configured correctly. If, for example, the gateway server is part of a workgroup and is named gateway01, then the untrusted agent has to communicate with gateway01. This is possible with a hosts file entry pointing gateway01 to the IP address of the actual gateway server. Not optimal, but a fix just in case the gateway was not configured correctly.
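One way to check this on the gateway before installing agents, as an added example that is not part of the original post: it compares the machine's real host name plus primary DNS suffix with the name given to the agent, and looks for an unexpired certificate issued to that real name. The default `gateway.corp.com` is the post's example; the LocalMachine\My store location and the 203.0.113.10 address are assumptions (the address is a constructed placeholder).

```powershell
# Run on the server hosting the gateway role.
# $ExpectedFqdn is the name that will be typed into the agent installer.
param(
    [string]$ExpectedFqdn = 'gateway.corp.com'
)

# Actual host name and primary DNS suffix of this machine, independent of any DNS record.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$actualFqdn = if ($ipProps.DomainName) {
    '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName
} else {
    $ipProps.HostName   # workgroup machine with no suffix, e.g. gateway01
}

# Unexpired certificates in the computer's personal store (assumed location)
# whose subject name equals the machine's actual name.
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$matchingCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo($simpleName, $false) -ieq $actualFqdn -and $_.NotAfter -gt (Get-Date)
})

[pscustomobject]@{
    ExpectedFqdn      = $ExpectedFqdn
    ActualFqdn        = $actualFqdn
    NamesMatch        = ($ExpectedFqdn -ieq $actualFqdn)
    MatchingCertCount = $matchingCerts.Count
} | Format-List

if ($ExpectedFqdn -ine $actualFqdn) {
    Write-Warning "Agents must be pointed at '$actualFqdn', not '$ExpectedFqdn'."
    # Constructed placeholder IP (documentation range); use the gateway's reachable address.
    Write-Output "Fallback hosts entry for the agent: 203.0.113.10  $actualFqdn"
}
if ($matchingCerts.Count -eq 0) {
    Write-Warning "No unexpired certificate in LocalMachine\My is issued to '$actualFqdn'."
}
```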

 
