Publish SCOM Gateway, TMG DMZ

  • Wednesday, 15 September 2010 02:33

    Hello.

    I am trying to publish a SCOM gateway server, port 5723 (TCP). The gateway server is in a DMZ, hanging off a TMG 2010 server.

    I have this working with ISA 2006, the config is the same but it doesn't work.

    There is a published SMTP server in the TMG DMZ, that works fine.

    I even installed IIS on the SCOM gateway and published HTTP, that worked fine too.


    Any ideas why TMG doesn't like publishing 5723?

    thanks.

All Replies

  • Wednesday, 15 September 2010 22:15

    Some more information, from the diagnostic logging feature. I had used this before, but today I noticed something interesting. The log shows the network rule being found, then moves on to the protocol. This is from the log: "Forefront TMG will check only rules that are associated with the protocol System Center Operation Manager Agent." It does find some rules with "System Center Operation Manager Agent", but they are not the publishing rule, so it goes on to the default rule and gets dropped. The interesting thing is that the definition for "System Center Operation Manager Agent" is port 5723 OUTBOUND. I am publishing using "System Center Operation Manager Agent Server", as this is port 5723 INBOUND. Perhaps TMG is a bit confused, or is this nothing?
  • Wednesday, 15 September 2010 22:22

    Are you using a server publishing rule or an access rule for this?

    What network relationship exists between the two networks involved?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
  • Wednesday, 15 September 2010 22:33

    Server publishing & NAT. I'm sure this is correct, as the SMTP server is published the same way and the SMTP server lives in the same DMZ. I have also published a web server on the SCOM gateway, and that works. What do you think about the diagnostic log info?
  • Wednesday, 15 September 2010 23:29

    A server publishing rule requires the protocol to be defined as inbound.

    Have you tried disabling the system policy rule for MOM/SCOM?

    I assume the SCOM gateway has the correct default gateway defined? Can you connect using telnet on port 5723?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
  • Thursday, 16 September 2010 00:03

    As you say, "A server publishing rule requires the protocol to be defined as inbound." The server publishing rule does publish 5723 inbound; however, the diagnostic log seems to indicate it is an outbound protocol. Is this something, or a non-event?


    Disabling the SCOM/MOM system rule did not make any difference.

    Yes, can telnet to the SCOM gateway 5723 from another server in the DMZ.


    The default gateway has been set to the TMG DMZ interface.


  • Thursday, 16 September 2010 12:28

    So, if you telnet to SCOM gateway from outside the DMZ, what do you get in the TMG realtime monitor?

    How have you defined your server publishing rule? I'm sure it is correct, but worth asking ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
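    The suggestion above is to telnet to 5723 from inside the DMZ and from outside it and compare what each attempt gets. The script below is an added example, not code from this thread, from Microsoft or from Forefront TMG: it performs the same TCP connect test and classifies the outcome (open, refused, timeout, unreachable), then compares the two vantage points to say whether the problem sits on the gateway itself or on the firewall rule path. The only value taken from the thread is port 5723; the loopback listener used for the demonstration and the diagnosis strings are constructed here.

```python
"""Scripted equivalent of "can you telnet to the SCOM gateway on 5723?".

A silently dropped SYN (what a firewall default deny rule produces) looks
different from a host that answers: the former times out, the latter either
completes the handshake or sends a RST. Recording which one each vantage
point sees narrows the fault to the server or to the rule path.
"""
import errno
import socket

SCOM_AGENT_PORT = 5723  # SCOM agent/gateway channel, TCP (port named in the thread)


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and classify what came back.

    'open'        handshake completed: something is listening
    'refused'     RST received: host reached, but nothing listens there
    'timeout'     no answer at all: typical of a firewall dropping the SYN
    'unreachable' the local stack or an intermediate router reported no route
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def diagnose(inside_result, outside_result):
    """Combine the probe taken inside the DMZ with the one taken outside.

    The pair tells you roughly where the traffic stops (wording constructed
    for this example):
      inside not open           -> the gateway itself is not listening
      inside open, outside open -> the publishing rule passes traffic
      inside open, outside timeout -> dropped on the way in: rule/protocol
    """
    if inside_result != "open":
        return "server-side: the gateway does not accept the port even from its own network"
    if outside_result == "open":
        return "publishing works end to end"
    if outside_result == "timeout":
        return ("firewall: SYN dropped between outside and the DMZ; "
                "check the publishing rule and the protocol's direction")
    return ("firewall/routing: outside sees '%s'; check the NAT relationship "
            "and the gateway's default gateway" % outside_result)


def _local_listener():
    """Constructed fixture: a throwaway loopback listener standing in for the gateway."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def _free_port():
    """Constructed fixture: pick a loopback port with no listener on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against loopback; in use you would run probe_tcp
    # against the gateway's DMZ address from inside, and against the published
    # external address from outside, then feed both results to diagnose().
    srv = _local_listener()
    inside = probe_tcp("127.0.0.1", srv.getsockname()[1], 1.0)
    srv.close()
    outside = "timeout"  # constructed: what a silently dropped SYN yields
    print("inside:", inside, "| outside:", outside)
    print(diagnose(inside, outside))
```

    In the thread the OP can connect from another server in the DMZ (inside: open) while the TMG monitor logs the outside attempt as denied by the Default rule (outside: timeout from the client's point of view), which is the combination that points at the rule path rather than the gateway.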
  • Thursday, 16 September 2010 21:28

    We get this.

    Status: The policy rules do not allow the user request.

    Rule: Default rule


  • Wednesday, 22 September 2010 15:27
    Answerer
     Answered

    How is your TMG Server set up? Is it an Edge device with another firewall as back end or is it in a 3 leg perimeter scenario?

    Did you use the already defined protocol "System Center Operation Manager Agent Server" that is TCP Inbound 5723?

    To simulate this I used "Publish Non-Web Server Protocols" Wizard and used the above protocol. After I set it up I went to Troubleshooting and ran the Traffic Simulator.

    The result was "Allowed Traffic"

    Rule Name: SCOM Gateway Server Publishing

    From: External

    To: Internal

    Network Rule Name: Internet Access

    Network Relationship: NAT

    Protocol: System Center Operation Manager Agent Server

    Can you run the "Traffic Simulator" and let me know your results?


  • Monday, 27 September 2010 18:09
    Answerer
    Is there any update on this?