Here are some great examples of these articles explaining how to deploy a DMZ agent:
There are even some homemade scripts to deploy the agents like this one: http://systemscentre.blogspot.com.es/2012/03/scom-dmzworkgroup-agent-deployment.html
We are going to revise a check list to avoid some typical problems.
- Have MOMcertImport from support tools of SCOM CD
- Have a C.A with capacity to issue certificates with property Enhanced Key Usage Server Authentication (22.214.171.124.126.96.36.199.1) and Client Authentication (188.8.131.52.184.108.40.206.2), you can use IPsec client template and Ipsec server templates
- Open TCP 5723 port between agent and RMS , from agent to RMS
- Check that client and server had root certificates from C.A on machine account
- Check that the name resolution is OK from RMS and from Agent (you can use host file)
- Agent "must" be installed on the RMS management group, default management group appears on system center console title.
- Run MomCertImport to install the issued certificate in the agent and in the RMS
- Verify if certficate is installed on this resgister key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
We wrote this check list long time ago in the MSDN wiki: http://social.technet.microsoft.com/wiki/contents/articles/12170.some-tipschecks-to-install-scom-20072012-agent-on-untrusted-domains.aspx
Recently we have experienced some problems in DMZ agents because the name of the SCOM RMS registered in the DMZ agent configuration is different form the name of the certificate, to solve this you have to follow the steps in this url: