Ports required for SCOM agent push from SCOM server?

    Question

  • Dear All,

    I have reviewed the SCOM Security Guide and Deployment Guide. They say only port 5723 is required for agent installation. Please provide me the details below.

    1. All ports required for SCOM agent push from the SCOM server in a firewall scenario.

    2. Protocol used by the ports: TCP, UDP, or both.

    3. Port direction between the SCOM server and the agent: is it unidirectional or bidirectional?

    I have checked the link below, but the port range is high. Also, the port direction is not specified. Waiting for your valuable answer.

    http://blogs.technet.com/b/kevinholman/archive/2007/12/12/agent-discovery-and-push-troubleshooting-in-opsmgr-2007.aspx

    Mahesh Kumar-MCTS Microsoft Management services
    Monday, July 12, 2010 6:06 AM

Answers

  • Hi,
     
    I am pretty sure that these ports need to be open on the client side to perform the agent push. Then I think 5723 needs to be open from the agent to the server on an ongoing basis. This may also be of some help,
     
    http://technet.microsoft.com/en-us/library/cc540431.aspx
     

    -- Mike Burr
    • Proposed as answer by Vivian Xing Tuesday, July 13, 2010 7:37 AM
    • Marked as answer by Vivian Xing Thursday, July 15, 2010 9:24 AM
    Monday, July 12, 2010 4:56 PM
  • Communication is established by Agent.  You need inbound port 5723 open on MS for regular monitoring after installation.  This means you’ll need 5723 one-way from Agent to MS on firewall (two-way works, but not required).

    All those other ports you have listed are granular port settings, but this can all be accomplished simply by enabling remote administration and file & print sharing on agent.  These are only required for setup to push installation files and run the setup package.


    HTH, Jonathan Almquist - MSFT
    Wednesday, July 14, 2010 7:07 PM

All replies

  • Hi Mike,

    Did you mean that the SCOM agent push from the SCOM console requires only the ports below, and that these ports need to be open from the client side to the SCOM management server?

    Please confirm.

  • RPC endpoint mapper: port 135, protocol TCP/UDP
  • *RPC/DCOM high ports (2000/2003 OS): ports 1024-5000, protocol TCP/UDP
  • *RPC/DCOM high ports (2008 OS): ports 49152-65535, protocol TCP/UDP
  • NetBIOS name service: port 137, protocol TCP/UDP
  • NetBIOS session service: port 139, protocol TCP/UDP
  • SMB over IP: port 445, protocol TCP
  • MOM Channel: port 5723, protocol TCP/UDP

    Mahesh Kumar-MCTS Microsoft Management services
    Tuesday, July 13, 2010 8:19 AM
  • SCOM uses RPC in order to copy the agent installation files to the agent. So, as I think, you need to open the RPC ports (445, 135, etc.) from the SCOM server to the agent. You can close the ports after the installation (you will need to open them again if you perform a SCOM update like a service pack). Port 5723 is from the agent to the SCOM server, since the SCOM server is listening on this port.
    Tuesday, July 13, 2010 9:09 AM
  • Yep, to confirm, those should be set to be open from the server to the client to successfully perform the push on the client.
    -- Mike Burr
    Tuesday, July 13, 2010 1:31 PM
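As an added example (not from any poster in this thread), the PowerShell below turns the push-time port list and the one-way 5723 direction discussed above into Windows Firewall rules scoped to the management server, plus a reachability check. The management server IP 192.0.2.10, the agent name AGENT01 and the rule group name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: 192.0.2.10 (management
# server IP), AGENT01 (agent candidate), rule group "SCOM Agent Push".
$ManagementServerIP = "192.0.2.10"
$AgentHost          = "AGENT01"

# --- Run on the agent candidate: push-time ports, inbound from the MS only ---
# Ports/protocols as listed in the thread; the dynamic RPC range shown is the
# 2008+ range (use 1024-5000 for 2000/2003). Scoping -RemoteAddress to the
# management server keeps SMB/RPC from being reachable from anywhere else.
$pushRules = @(
    @{ Name = "RPC endpoint mapper (TCP)"; Protocol = "TCP"; Port = 135 },
    @{ Name = "RPC endpoint mapper (UDP)"; Protocol = "UDP"; Port = 135 },
    @{ Name = "NetBIOS name service";     Protocol = "UDP"; Port = 137 },
    @{ Name = "NetBIOS session service";  Protocol = "TCP"; Port = 139 },
    @{ Name = "SMB over IP";              Protocol = "TCP"; Port = 445 },
    @{ Name = "RPC/DCOM dynamic range";   Protocol = "TCP"; Port = "49152-65535" }
)
foreach ($r in $pushRules) {
    New-NetFirewallRule -DisplayName "SCOM Push - $($r.Name)" -Group "SCOM Agent Push" `
        -Direction Inbound -Action Allow -Protocol $r.Protocol `
        -LocalPort $r.Port -RemoteAddress $ManagementServerIP | Out-Null
}
# After the agent is installed only 5723 (agent -> MS) is needed, so the
# push-time rules can be turned off until the next push or upgrade:
# Disable-NetFirewallRule -Group "SCOM Agent Push"

# --- Run on the management server: is the agent reachable for the push? ---
# Test-NetConnection only exercises TCP, so UDP 135/137 are not covered here.
function Test-ScomPushReachability {
    param([string]$Agent)
    $report = @{}
    foreach ($port in 135, 139, 445) {
        $ok = (Test-NetConnection -ComputerName $Agent -Port $port `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
        $report["MS -> $Agent TCP/$port"] = $ok
    }
    return $report
}
Test-ScomPushReachability -Agent $AgentHost | Format-Table -AutoSize

# --- Run on the agent after install: the only steady-state requirement ---
# (Test-NetConnection -ComputerName $ManagementServerIP -Port 5723).TcpTestSucceeded
```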
  • Hi,

    Thanks to all of you for your valuable support.

    Now, my query is related to the gateway server. I want to manage remote SCOM clients. These clients are in the DMZ, and some are domain clients which are not part of the DMZ.

    So, it is mandatory for a gateway server to be a domain member. Can I install the gateway in a workgroup for managing the above clients? Please clarify.


    Mahesh Kumar-MCTS Microsoft Management services
    Thursday, July 15, 2010 5:19 AM
  • You need to have authentication, either by Kerberos (same forest or forest trust) or by using a certificate.

    When you use a gateway, you install the gateway in the "DMZ" domain and use a certificate to authenticate the gateway with the management servers. The agent-managed computer can authenticate with the gateway by using Kerberos, and this way you only need 1 certificate (and 1 port open in the firewall).

    However, when all your DMZ servers are in a workgroup, Kerberos won't work for authentication with the gateway and you need a certificate on all agents anyway to authenticate with the gateway. In that scenario you can opt to skip a gateway server and use certificates to directly authenticate to the management servers.


    Rob Korving
    http://jama00.wordpress.com/
    Thursday, July 15, 2010 8:22 AM
  • Hi Jonathan,

    I have a few servers in an untrusted domain and want to open port 5723 on the agents to communicate with the MS and RMS.

    Do I need to raise a bi-directional request or a one-way request from the agent side?

    Please clarify this for me.

    I will be downloading certificates after opening port.

    Thanks,

    Suresh

    Wednesday, January 18, 2012 6:22 PM
  • Hi Jonathan, is it not required to have the inbound open from the MS to the agent over 5723, to get the config/management packs downloaded? It would be of great help if you could clarify this.
    Regards, Suresh
    Wednesday, January 18, 2012 7:53 PM
  • I've reviewed many threads regarding this specific request. Of the many responses I've seen, none have all the requested details, including the Microsoft SCOM port detail document. Please confirm the following IN DETAIL to enable centralized agent deployment:

    Agent > Management Server  - Source Name (RPC Endpoint Mapper, etc), Port number(s)? TCP? UDP?

    Agent > Gateway Server  - Source Name (RPC Endpoint Mapper, etc), Port number(s)? TCP? UDP?

    Agent > Root Management Server (2007 R1/R2)  - Source Name (RPC Endpoint Mapper, etc),

    Root Management Server (2007 R1/R2) > Agent  - Source Name (RPC Endpoint Mapper, etc), Port number(s)? TCP? UDP?

    Management Server > Agent  - Source Name (RPC Endpoint Mapper, etc), Port number(s)? TCP? UDP?

    Gateway > Agent  - Source Name (RPC Endpoint Mapper, etc), Port number(s)? TCP? UDP?


    dsloyer

    Wednesday, April 25, 2012 8:02 PM