Monitoring UAG 2010

  • Question

  • Hello All,

    We are using a product called IPMonitor to alert our server group of issues with the servers we run.  However, I can't seem to find the UAG server on the network most likely because of the TMG firewall.

    My question is, what are others doing to monitor their UAG 2010 servers?  In the end, do I have to poke holes in the TMG firewall so I can get at the SNMP service?

    Wednesday, February 1, 2012 7:16 PM

Answers

  • Please follow these steps.

    1. Install the OpsMgr agent manually by transferring the installation files. (See this video: http://www.youtube.com/watch?v=55WAYXLMW6M)

    2. Open the TMG Management Console.

    3. Navigate to the "Firewall Policy" > Click "Edit System Policy Rules" (See this picture: http://www.freeimagehosting.net/4i5bh)

    4. Click "Add" > Click "New" > Click "Computer"

    5. Enter the name of your OpsMgr server and also the IP address. Click "Ok"

    6. Select the computer object you added and then click "Add"

    7. When the computer object is added to the list of "To" objects click "OK"

    If you would like to deploy the OpsMgr agent from the OpsMgr console you will need to create an access rule that contains all the requirements for pushing the agent onto a computer with a firewall. You will see all the exceptions below.

     

    Microsoft OpsMgr port requirements and explanation can be found here: http://blogs.technet.com/b/kevinholman/archive/2007/12/12/agent-discovery-and-push-troubleshooting-in-opsmgr-2007.aspx

     


    Peter Selch Dahl - www.peterdahl.net - Blog: http://blog.peterdahl.net - Twitter @PeterSelchDahl
    • Marked as answer by MRMO Friday, February 17, 2012 6:21 PM
    Thursday, February 2, 2012 6:49 PM

All replies

  • UAG/TMG won't answer to anything unless you permit it. So if you need to monitor your server over SNMP, then you need to allow that; if you use SCOM, then you need to allow that traffic, etc.

    Quite a few use SCOM to monitor TMG and UAG as there's a management pack available. If anyone else has some insight on what to use, feel free...

    Configuring products for SCOM management pack:

    UAG

    http://technet.microsoft.com/en-us/library/ff404160.aspx

    TMG

    http://technet.microsoft.com/en-us/library/ee958141.aspx


    Hth, Anders Janson Enfo Zipper
    Thursday, February 2, 2012 9:23 AM
  • If you add your monitoring server to the default Remote Management Computers computer set, it will then be able to ping the TMG server.

    If you want to use SNMP, yes, you will need to define a custom TMG rule (outside of the TMG system policy) for SNMP, but I believe this is not 100% supported as discussed here: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Ping is a pretty poor level of monitoring, and something like SCOM will give you mountains of more detail as well as "is it up or is it down".

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 11:18 AM
    Moderator
  • Hi,

    Like both Anders and Jason mentioned, Microsoft Operations Manager is the best possible choice if you wish to monitor all aspects of the UAG 2010 installation. If you only want to use your SolarWinds IPMonitor for basic Windows monitoring like memory, CPU and availability (PING), then I'm pretty sure you need to create a custom access rule instead of using the system policies. IPMonitor uses WMI and thereby also RPC communication.

    Most companies choose a combination of a network monitoring product and then a specific monitoring product for monitoring the OS and applications.

    You should consider implementing OpsMgr if you would like to monitor all aspects of your UAG 2010 installation. If you only want basic monitoring consider making the correct firewall rules in the TMG server. I would recommend that you make your monitoring server a member of the Remote Management Servers like Jason said. This will include the server in some of the System Policies for remote access like Computer Management (Using RPC/WMI) allowing Ping.

    If this doesn't work create a custom rule.


    Peter Selch Dahl - www.peterdahl.net - Blog: http://blog.peterdahl.net - Twitter @PeterSelchDahl
    Thursday, February 2, 2012 11:50 AM
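    A scripted form of the recommendation above (adding the monitoring server to TMG's built-in "Remote Management Computers" computer set instead of writing a custom access rule), as an added example that is not from this thread or from Microsoft. It assumes the TMG COM object model as documented in the ISA/TMG SDK (FPC.Root, FPCArray.RuleElements.ComputerSets, FPCComputers.Add) and uses placeholder values for the server name and IP.

```powershell
# Added example: enrol a monitoring server (SCOM/OpsMgr or IPMonitor) in the
# "Remote Management Computers" computer set on the UAG/TMG host, so the
# built-in system policy rules for remote management apply to it.
# Run in an elevated PowerShell session on the TMG server itself.
# Assumption: the FPC.Root COM object model (ISA/TMG SDK) is available locally.
param(
    [string]$Name      = "SCOM01",      # placeholder: your monitoring server name
    [string]$IPAddress = "10.0.0.50"    # placeholder: its IP address
)

$root  = New-Object -ComObject "FPC.Root"
$array = $root.GetContainingArray()

# The set is pre-defined by TMG; look it up by its display name.
$set = $array.RuleElements.ComputerSets.Item("Remote Management Computers")

# Idempotent: do not add a second entry for an IP that is already a member.
$existing = @($set.Computers | Where-Object { $_.IPAddress -eq $IPAddress })
if ($existing.Count -eq 0) {
    $set.Computers.Add($Name, $IPAddress) | Out-Null
    # Persist the change; TMG applies it on the next policy refresh.
    $array.Save()
    Write-Host "Added $Name ($IPAddress) to 'Remote Management Computers'."
} else {
    Write-Host "$IPAddress is already in the set; nothing changed."
}

# Print the resulting membership so the change can be reviewed and audited.
$set.Computers | ForEach-Object { "{0,-20} {1}" -f $_.Name, $_.IPAddress }
```

    Keep the set limited to the monitoring hosts that genuinely need it, since membership grants the remote-management access the system policy rules describe (including ping and RPC/WMI-based computer management), not only the OpsMgr agent channel.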
  • I have a SCOM server running, but my concern is poking holes in the TMG firewall.  I have read that tampering with TMG can cause issues with UAG.
    Thursday, February 2, 2012 12:50 PM
  • I have a SCOM server running, but my concern is poking holes in the TMG firewall.  I have read that tampering with TMG can cause issues with UAG.


    SCOM is included in the TMG system policies and this statement is in the Support Boundaries document:

    You can use Forefront TMG running on the Forefront UAG server, as follows:

    • Limiting users, groups, sources and destinations on Forefront TMG system policy rules, with the purpose of enabling access to corporate servers and remote management to and from the Forefront UAG local host server.

    Source: http://technet.microsoft.com/en-us/library/ee522953.aspx


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 12:55 PM
    Moderator
  • Use the system policies as Jason says.

    You will find them on this list http://technet.microsoft.com/en-us/library/cc441740.aspx nr. 25 and 26.

    If you want to deploy the agent using the OpsMgr console you should enable rule nr. 26 temporarily. Normally only port TCP 5723 is needed outgoing, but depending on the level of functionality you would like to have using OpsMgr you need to open other ports as well.

    One example is agent failure. If the agent fails, the OpsMgr will try to ping the server to check if it is still running. PING (ICMP ECHO) is not allowed by TMG and for that reason the OpsMgr server can't verify the server health state.

    There are also some security considerations you should consider before making any exception. If the OpsMgr server gets infected with a virus it might infect the TMG/UAG server as well.

    I would recommend that you only make exceptions for PING and OpsMgr Agent communication, not for RPC or CIFS.


    Peter Selch Dahl - www.peterdahl.net - Blog: http://blog.peterdahl.net - Twitter @PeterSelchDahl
    Thursday, February 2, 2012 1:17 PM
  • I have added the SCOM and IPMonitor servers to the Remote Management Computers group in TMG, but I'm not sure what the proper procedure is to open the correct ports in TMG so I can keep an eye on UAG using SCOM.

    Any ideas, or links to blogs that explain?

     

    Thursday, February 2, 2012 6:03 PM