Export (0) Print
Expand All
7 out of 19 rated this helpful - Rate this topic

Using a Firewall with Operations Manager 2007

Updated: May 22, 2009

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

Security Hardening Guide

The Microsoft Operations Manager 2007 Security Hardening Guide provides you with essential information about how to further protect, or harden, your Operations Manager 2007 environment by using the Security Configuration Wizard (SCW). SCW is an attack-surface reduction tool for products that are running the Windows Server 2003 Service Pack 1 (SP1) operating systems, the Windows Server 2003 Service Pack 2 (SP2) operating systems, and the Windows Server 2003 R2 operating systems.

In addition to practical, hands-on configuration recommendations, this guide includes information about how to upgrade an agent that has been locked down, how to customize port numbers that have been changed from their default settings, and some examples for hardening a server and an agent. Although most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators who are responsible for Operations Manager 2007 security. For more information, see the System Center Operations Manager 2007 SCW Roles and Security Hardening Guide for Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=120136).

Connecting to the Reporting Data Warehouse Across a Firewall

This section describes how to configure your environment to support the placing of a Report data warehouse behind a firewall.

noteNote
Separating the Operations console, root management server, management server, or Reporting Server by either a firewall or across a trust boundary is not supported.

In an environment where the Reporting data warehouse is separated from the root management server and Reporting Server by a firewall, Windows Integrated Authentication cannot be used. You need to take steps to configure SQL Server Authentication. The following sections explain how to enable SQL Server Authentication between the root management server (or management server), the Reporting Server, and the Reporting data warehouse, as shown in the following illustration.

9a8933b5-b4cf-4700-92b5-f935f6971b96

Management Server and Reporting Data Warehouse

The following steps are necessary to enable SQL Server Authentication:

  1. On the computer hosting the Reporting data warehouse, create a SQL Login in the proper role for reader and writer. The credentials you supply for this account must be made a member of the following roles in the OperationsManagerDW database on the computer running SQL Server:

    1. OpsMgrWriter

    2. db_owner (only for the owning management group in the database)

  2. On the computer hosting the root management server, create a Run As Account (of type Simple) with the credentials from the previous step.

  3. Associate this Run As Account with the Run As Profile called Data Warehouse SQL Server Authentication Account, targeting this Run As Profile to each management server. For more information, see How to Change the Run As Account Associated with a Run As Profile in this guide.

If there is a firewall between the management server and the Reporting data warehouse, you will need to open port 1433.

Reporting Server and Reporting Data Warehouse

If there is a firewall or trust boundary between the Reporting Server and the Reporting data warehouse, point-to-point communications will need to be established.

The account that was specified as the Data Reader Account during setup of Reporting becomes the Execution Account on Reporting Server, and it is this account that will be used to connect to the Reporting data warehouse.

You will need to determine what port number the computer running SQL Server on the Reporting data warehouse is using and enter this number into the dbo.MT_DataWarehouse table in the Operations Manager database. See How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port in this guide.

Reporting Server and Root Management Server Separated by a Firewall

A "Could not verify if current user is in sysadmin Role" error message might display when installing Reporting if the reporting server and the root management server are separated by a firewall. This error message might display even if the proper firewall ports have been opened. This error occurs after entering the computer name for the root management server and clicking Next. This error might also display because Reporting Setup was unable to connect to the Operations Manager database on the root management server. In this environment you will need to determine what port number is being used by the computer running SQL Server and configure the Operations Manager database to use the port number. See the topic How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port in this guide.

Port Assignments

The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.

 

Operations Manager 2007 SP1 Component A Port Number and Direction Operations Manager 2007 SP1 Component B Configurable Note

root management server

1433 --->

Operations Manager database

Yes (Setup)

 

management server

1433 --->

Operations Manager database

Yes (Setup)

 

management server

5723, 5724 --->

root management server

No

Port 5724 must be open to install this component and can be closed after this component has been installed.

gateway server

5723 --->

root management server

No

 

root management server

1433 --->

Reporting data warehouse

No

 

Reporting server

5723, 5724 --->

root management server

No

Port 5724 must be open to install this component and can be closed after this component has been installed.

Operations console

5724 --->

root management server

No

 

Connector framework source

51905 --->

root management server

No

 

Web console server

5724 --->

root management server

No

 

Web console browser

51908 --->

Web console server

Yes (IIS Admin)

Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 WebConsole Web site.

connected root management server (Local)

5724 --->

connected root management server (Connected)

No

 

Agent installed using MOMAgent.msi

5723 --->

root management server

Yes (Setup)

 

Agent installed using MOMAgent.msi

5723 --->

management server

Yes (Setup)

 

Agent installed using MOMAgent.msi

5723 --->

gateway server

Yes (Setup)

 

gateway server

5723 --->

management server

Yes (Setup)

 

Agent (Audit Collection Services forwarder)

51909 --->

management server Audit Collection Services collector

Yes (Registry)

 

Agentless Exception Monitoring data from client

51906 --->

management server Agentless Exception Monitoring file share

Yes (Client Monitoring Wizard)

 

Customer Experience Improvement Program data from client

51907 --->

management server (Customer Experience Improvement Program End) Point

Yes (Client Monitoring Wizard)

 

Operations console (reports)

80 --->

SQL Reporting Services

No

The Operations console uses Port 80 to connect to the SQL Reporting Services Web site.

Reporting server

1433 --->

Reporting data warehouse

Yes

 

management server (Audit Collection Services collector)

1433 --->

Audit Collection Services database

Yes

 

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.