Clients in DMZ

  • Question

  • Hi,

    I have some Windows 2003 servers and XP clients in the DMZ. I would like them be managed by the FCS management server inside our network (on the other side of the firewall), and pick up the updates from the wsus server inside our domain.

    Which ports do I need open on the firewall to achieve this?


    Thanks

    Friday, February 6, 2009 1:40 PM

All replies

  • Are the clients (Windows 2003 servers and XP clients) in the DMZ joined to a DC in the inside network, or not?

    If you just want to update, just open port TCP 80 to the internal WSUS server or internal network.

    And if you want to manage them, you also open ports 1433 (TCP, UDP), 445 (TCP, UDP), 443 (TCP).

    But I'm sorry, I could not test it.

    Good luck.

    [Reference]

    http://technet.microsoft.com/en-us/library/bb404251.aspx

    | Component | Connection | Topologies | Port (protocols) | Notes |
    |---|---|---|---|---|
    | Collection server | To collection database | Five-server and six-server | 1433 (TCP and UDP) | None. |
    | Management server | To collection server | Four-server, five-server, and six-server | 445 (TCP and UDP), 135 (TCP), and DCOM port range | Using a firewall between these two servers is not supported. The Microsoft Operations Manager (MOM) Administrator and Operator consoles on the management server require a connection to the collection server. |
    | Management server | To collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
    | Management server | To reporting server | Three-server, four-server, five-server, and six-server | 80 (TCP) or 443 (TCP) | Port 80 is used for HTTP and port 443 is used for HTTPS. |
    | Reporting database | To collection database | Three-server, four-server, and six-server | 1433 (TCP) and 1434 (UDP) | Using a firewall between these two databases is not supported. |
    | Reporting server | Collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
    | Reporting server | Reporting database | Three-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None. |
    | Distribution server | To Microsoft Update or upstream WSUS server | All | 80 (TCP) or 443 (TCP) | To obtain updates from Microsoft Update, the distribution server uses port 80 for HTTP and port 443 for HTTPS. |


    Urikiri
    Saturday, February 7, 2009 3:25 PM
  • The clients are not joined to the internal domain.

    I will open these ports and give it a go. I guess I need to open the ports both ways?

    Thanks


    Monday, February 9, 2009 8:30 AM
  • Hi

    If the clients are not joined to the domain you will not be able to install the MOM component automatically to manage the clients.

    The above answer also assumed that you use TCP port 80 for your WSUS server. However it could also be 443, 8530 and 8531 (SSL).

    You would also need to open up port 1270 between the DMZ and internal network for MOM communication.

    To achieve what you want to do I can recommend the following:

    1. Turn off Mutual authentication on the Forefront MOM server. (Lowers overall security of the Forefront environment but is the only option to manage non-domain joined clients.)
    2. Create a registry file policy from the Forefront Client Security console. Import this policy on the non-domain joined machines using the FCSLOCALPOLICYTOOL.
    3. Create a manual local group policy on the non-domain joined machines that points them to your internal WSUS server.
    4. Run a gpupdate /force to update the policies immediately if required.
    5. Install the Forefront client.
    6. Install the MOM agent on these machines manually using the following switches: msiexec /i momagent.msi CONFIG_GROUP_OPERATION="AddConfigGroup" CONFIG_GROUP="your group name" MANAGEMENT_SERVER="your server name" AM_CONTROL="Full" REQUIRE_AUTH_COMMN="0" /q

    You will now be able to manage the non-domain joined machines from your forefront console.

    Kind Regards

    Robert Lourenco

    Monday, February 9, 2009 11:17 AM
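
An added example, not from the thread, that turns the port list discussed above (WSUS on 80/443 or 8530/8531, MOM agent traffic on 1270) into a minimal DMZ-to-internal allow-list and a reachability check to run from a DMZ host. Host addresses are constructed; the check assumes all traffic is client-initiated TCP, so no rule from the internal side into the DMZ is planned.

```python
import socket

# Ports named in the thread for managing non-domain-joined DMZ hosts:
# WSUS listens on 80/443 (default site) or 8530/8531 (custom site, 8531 = SSL);
# the MOM agent talks to the management server on 1270.
WSUS_PORTS = {80, 443, 8530, 8531}
MOM_PORT = 1270
CANDIDATES = WSUS_PORTS | {MOM_PORT}


def plan_rules(dmz_hosts, wsus_server, wsus_port, mom_server):
    """Minimal allow-list: each DMZ host may initiate TCP to exactly the WSUS
    port actually in use and to the MOM management server on 1270 (assumption:
    client-initiated traffic only, so nothing is opened from inside to the DMZ)."""
    if wsus_port not in WSUS_PORTS:
        raise ValueError(f"{wsus_port} is not a WSUS port")
    rules = []
    for host in dmz_hosts:
        rules.append((host, wsus_server, wsus_port))   # (src, dst, dst_port)
        rules.append((host, mom_server, MOM_PORT))
    return rules


def reachable(host, port, timeout=2.0, connect=socket.create_connection):
    """TCP connect test; 'connect' is injectable so the logic runs offline in tests."""
    try:
        connect((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def verify(rules, probe=reachable):
    """Run from a DMZ host (the rule's src). Returns (missing, extra): planned
    destination ports that are not reachable, and candidate ports that were not
    planned but are reachable anyway, i.e. the firewall opens more than needed."""
    planned = {}
    for _src, dst, port in rules:
        planned.setdefault(dst, set()).add(port)
    missing, extra = [], []
    for dst, ports in planned.items():
        missing += [(dst, p) for p in ports if not probe(dst, p)]
        extra += [(dst, p) for p in CANDIDATES - ports if probe(dst, p)]
    return sorted(missing), sorted(extra)


if __name__ == "__main__":
    # Constructed sample: one DMZ host, WSUS on a custom site (8530), MOM server.
    rules = plan_rules(["10.0.5.10"], "192.168.1.20", 8530, "192.168.1.30")
    print(verify(rules))
```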
  • Hi!

    You should also know that turning off Mutual authentication is not supported by Microsoft.

    Good Luck

    /Johan
    MCSE, forefront spec | www.msforefront.com
    Monday, February 9, 2009 3:59 PM