Jaa


Configure a Firewall for Operations Manager

This section describes how to configure your firewall to allow communication between the different Operations Manager features on your network.

Note

Operations Manager does not support LDAP over SSL (LDAPS) at this time.

Port assignments

The following table shows Operations Manager feature interaction across a firewall, including information about the ports used for communication between the features, which direction to open the inbound port, and whether the port number can be changed.

Operations Manager Feature A Port Number and Direction Operations Manager Feature B Configurable Note
Management server 1433/TCP ---> 
1434/UDP ---> 
135/TCP (DCOM/RPC) ---> 
137/UDP ---> 
445/TCP ---> 
49152-65535 --->
Operations Manager database Yes (Setup) WMI Port 135 (DCOM/RPC) for the initial connection and then a dynamically assigned port above 1024. For more information, see Special considerations for Port 135

Ports 135,137,445,49152-65535 are only required to be open during the initial Management Server installation to allow the setup process to validate the state of the SQL services on the target machine. 2
Management server 5723/TCP, 5724/TCP ---> Management server No Port 5724/TCP must be open to install this feature and can be closed after installation.
Management server, Gateway Server 53 (DNS) --->
88 (Kerberos) --->
389 (LDAP) --->
Domain Controllers No Port 88 is used for Kerberos authentication, and isn't required if only using certificate authentication.3
Management server 161,162 <---> Network device No All firewalls between the management server and the network devices need to allow SNMP (UDP) and ICMP bi-directionally.
Gateway server 5723/TCP ---> Management server No
Management server 1433/TCP --->
1434/UDP ---> 
135/TCP (DCOM/RPC) ---> 
137/UDP ---> 
445/TCP ---> 
49152-65535 --->
Reporting data warehouse No Ports 135,137,445,49152-65535 are only required to be open during the initial Management Server installation to allow the setup process to validate the state of the SQL services on the target machine. 2
Reporting server 5723/TCP, 5724/TCP ---> Management server No Port 5724/TCP must be open to install this feature and can be closed after installation.
Operations console 5724/TCP ---> Management server No
Operations console 80, 443 --->
49152-65535 TCP <--->
Management Pack Catalog web service No Supports downloading management packs directly in the console from the catalog.1
Connector framework source 51905 ---> Management server No
Web console server 5724/TCP ---> Management server No
Web console browser 80, 443 ---> Web console server Yes (IIS Admin) Default ports for HTTP or SSL enabled.
Web console for Application Diagnostics 1433/TCP --->
 1434 --->
Operations Manager database Yes (Setup) 2
Web console for Application Advisor 1433/TCP --->
 1434 --->
Reporting data warehouse Yes (Setup) 2
Connected management server (Local) 5724/TCP ---> Connected management server (Connected) No
Windows agent installed using MOMAgent.msi 5723/TCP ---> Management server Yes (Setup)
Windows agent installed using MOMAgent.msi 5723/TCP ---> Gateway server Yes (Setup)
Windows agent push installation, pending repair, pending update 5723/TCP
135/TCP
137/UDP
138/UDP
139/TCP
445/TCP

*RPC/DCOM High ports (2008 OS and later)
Ports 49152-65535 TCP
No Communication is initiated from MS/GW to an Active Directory domain controller and the target computer.
UNIX/Linux agent discovery and monitoring of agent TCP 1270 <--- Management server or Gateway server No
UNIX/Linux agent for installing, upgrading, and removing agent using SSH TCP 22 <--- Management server or Gateway server Yes
OMED Service TCP 8886 <--- Management server or Gateway server Yes
Gateway server 5723/TCP ---> Management server Yes (Setup)
Agent (Audit Collection Services forwarder) 51909 ---> Management server Audit Collection Services collector Yes (Registry)
Agentless Exception Monitoring data from client 51906 ---> Management server Agentless Exception Monitoring file share Yes (Client Monitoring Wizard)
Customer Experience Improvement Program data from client 51907 ---> Management server (Customer Experience Improvement Program End) Point Yes (Client Monitoring Wizard)
Operations console (reports) 80 ---> SQL Reporting Services No The Operations console uses Port 80 to connect to the SQL Reporting Services web site.
Reporting server 1433/TCP --->
1434/UDP --->
Reporting data warehouse Yes 2
Management server (Audit Collection Services collector) 1433/TCP <---
1434/UDP <---
Audit Collection Services database Yes 2

Management Pack Catalog web service 1

To access the Management Pack Catalog web service, your firewall and/or proxy server must allow the following URL and wildcard (*):

  • https://www.microsoft.com/mpdownload/ManagementPackCatalogWebService.asmx
  • http://go.microsoft.com/fwlink/*

Identify SQL port 2

  • The default SQL port is 1433, however this port number can be customized based on organizational requirements. To identify the configured port, follow these steps:

    1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <instance name>, and then double-click TCP/IP.
    2. In the TCP/IP Properties dialog, on the IP Addresses tab, note the port value for IPAll.
  • If using a SQL Server configured with an Always On Availability Group or after migrating an installation, do the following to identify the port:

    1. In Object Explorer, connect to a server instance that hosts any availability replica of the availability group whose listener you want to view. Select the server name to expand the server tree.
    2. Expand the Always On High Availability node and the Availability Groups node.
    3. Expand the node of the availability group, and expand the Availability Groups Listeners node.
    4. Right-click the listener that you want to view, and select the Properties command, opening the Availability Group Listener Properties dialog window, where the configured port should be available.

Kerberos authentication 3

For Windows clients using Kerberos authentication, and reside in a different domain from where the management servers are located, there are extra requirements that that must be met:

  1. A two-way transitive trust must be established between domains.
  2. The following ports must be open between the domains:
    1. TCP/UDP port 389 for LDAP.
    2. TCP/UDP port 88 for Kerberos.
    3. TCP/UDP port 53 for Domain Name Service (DNS).

See also