Using a Firewall with Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

Security Hardening Guide

The Microsoft Operations Manager 2007 Security Hardening Guide provides essential information about how to further protect, or harden, your Operations Manager 2007 environment by using the Security Configuration Wizard (SCW). SCW is an attack-surface reduction tool for servers running Windows Server 2003 Service Pack 1 (SP1), Windows Server 2003 Service Pack 2 (SP2), or Windows Server 2003 R2.

In addition to practical, hands-on configuration recommendations, this guide includes information about how to upgrade an agent that has been locked down, how to customize port numbers that have been changed from their default settings, and some examples for hardening a server and an agent. Although most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators who are responsible for Operations Manager 2007 security. For more information, see the System Center Operations Manager 2007 SCW Roles and Security Hardening Guide for Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=120136).

Connecting to the Reporting Data Warehouse Across a Firewall

This section describes how to configure your environment to support placing the Reporting data warehouse behind a firewall.

Note

Separating the Operations console, root management server, management server, or Reporting Server by either a firewall or across a trust boundary is not supported.

In an environment where the Reporting data warehouse is separated from the root management server and the Reporting Server by a firewall, Windows Integrated Authentication cannot be used, so you must configure SQL Server Authentication instead. The following sections explain how to enable SQL Server Authentication between the root management server (or a management server), the Reporting Server, and the Reporting data warehouse, as shown in the following illustration.

[Illustration: root management server, Reporting Server, and Reporting data warehouse separated by a firewall, connected by using SQL Server Authentication]

Management Server and Reporting Data Warehouse

The following steps are necessary to enable SQL Server Authentication:

  1. On the computer hosting the Reporting data warehouse, create a SQL Server login that the management servers will use to read from and write to the warehouse. This login must be made a member of the following roles in the OperationsManagerDW database on the computer running SQL Server:

    1. OpsMgrWriter

    2. db_owner (only for the owning management group in the database)

  2. On the computer hosting the root management server, create a Run As Account (of type Simple) with the credentials from the previous step.

  3. Associate this Run As Account with the Run As Profile called Data Warehouse SQL Server Authentication Account, targeting this Run As Profile to each management server. For more information, see How to Change the Run As Account Associated with a Run As Profile in this guide.

If there is a firewall between the management server and the Reporting data warehouse, you will need to open port 1433 (the default SQL Server port) inbound to the data warehouse.
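The following Transact-SQL is added here as a worked example of step 1 and is not taken from the Operations Manager documentation. It runs on the SQL Server instance that hosts the Reporting data warehouse, checks that the instance accepts SQL Server logins at all, creates the login, maps it into the data warehouse database, and adds it to exactly the two roles listed above. The login name OpsMgrDWSqlAuth and the password placeholder are assumptions; the database name OperationsManagerDW is the setup default and should be changed if yours differs. The GO batch separators assume you run the script from sqlcmd or SQL Server Management Studio.

```sql
-- Added example (not from the Operations Manager documentation).
-- Run on the SQL Server instance that hosts the Reporting data warehouse.
-- Assumed names: login OpsMgrDWSqlAuth, database OperationsManagerDW.
USE [master];
GO

-- 1. A SQL Server login only works when the instance is in mixed mode.
--    1 = Windows Authentication only (SQL logins rejected), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
GO

-- 2. Create the login. Password policy stays enforced; expiration is off
--    because an expired password silently breaks the Run As Account on the
--    root management server. Rotate it deliberately and update the Run As
--    Account in the same change.
CREATE LOGIN [OpsMgrDWSqlAuth]
    WITH PASSWORD        = N'<strong password here>',
         CHECK_POLICY     = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = [OperationsManagerDW];
GO

-- 3. Map the login into the data warehouse and grant only the roles the
--    guide requires (no sysadmin, no server-level roles).
USE [OperationsManagerDW];
GO
CREATE USER [OpsMgrDWSqlAuth] FOR LOGIN [OpsMgrDWSqlAuth];
GO
EXEC sp_addrolemember N'OpsMgrWriter', N'OpsMgrDWSqlAuth';
EXEC sp_addrolemember N'db_owner',     N'OpsMgrDWSqlAuth';
GO

-- 4. Verify the role membership before creating the Run As Account.
--    Expected: two rows, OpsMgrWriter and db_owner.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'OpsMgrDWSqlAuth';
GO
```

If the first query returns 1, switch the instance to mixed-mode authentication and restart the SQL Server service before continuing; otherwise the Run As Account created in step 2 will never be able to authenticate, regardless of the firewall configuration.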

Reporting Server and Reporting Data Warehouse

If there is a firewall or trust boundary between the Reporting Server and the Reporting data warehouse, point-to-point communications will need to be established.

The account that was specified as the Data Reader Account during setup of Reporting becomes the Execution Account on Reporting Server, and it is this account that will be used to connect to the Reporting data warehouse.

You will need to determine what TCP port the computer running SQL Server for the Reporting data warehouse is listening on and enter this port number in the dbo.MT_DataWarehouse table in the Operations Manager database. See How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port in this guide.
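The following Transact-SQL is added here as an example of determining the port and recording it, and is not taken from the Operations Manager documentation. Part A runs on the data warehouse instance; Part B runs on the Operations Manager database. Part B assumes that the server-name column of dbo.MT_DataWarehouse begins with MainDatabaseServerName and that the value uses the standard SQL Server client form server,port; the column name is looked up at run time rather than typed, and the script refuses to update if that lookup does not find exactly one column and one row. The database name OperationsManager, the server name DWSQL01, and the port 1433 are constructed sample values.

```sql
-- Added example (not from the Operations Manager documentation).

-- Part A: run on the Reporting data warehouse instance, connected over TCP
-- (for example sqlcmd -S tcp:DWSQL01). local_tcp_port is NULL when the
-- connection came in over shared memory or named pipes, so a NULL here
-- means you are not looking at the port the management servers will use.
SELECT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
GO

-- Part B: run on the Operations Manager database. Back up the database
-- before changing this row.
USE [OperationsManager];   -- assumed database name
GO

-- Inspect the current row first; the server-name column carries a GUID
-- suffix, which is why it is looked up below instead of hard-coded.
SELECT * FROM dbo.MT_DataWarehouse;
GO

DECLARE @col sysname, @sql nvarchar(max);

SELECT @col = COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = N'dbo'
  AND TABLE_NAME   = N'MT_DataWarehouse'
  AND COLUMN_NAME LIKE N'MainDatabaseServerName%';   -- assumed prefix

-- Fail closed if the table does not look the way this script expects.
IF @col IS NULL
   OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS
       WHERE TABLE_SCHEMA = N'dbo' AND TABLE_NAME = N'MT_DataWarehouse'
         AND COLUMN_NAME LIKE N'MainDatabaseServerName%') <> 1
   OR (SELECT COUNT(*) FROM dbo.MT_DataWarehouse) <> 1
    RAISERROR(N'Unexpected dbo.MT_DataWarehouse layout; edit the row by hand after inspecting it.', 16, 1);
ELSE
BEGIN
    -- Write "server,port" so the management servers connect to the
    -- explicit TCP port instead of asking the SQL Browser service.
    SET @sql = N'UPDATE dbo.MT_DataWarehouse SET ' + QUOTENAME(@col) + N' = @value;';
    EXEC sp_executesql @sql,
                       N'@value nvarchar(256)',
                       @value = N'DWSQL01,1433';   -- constructed sample value
END
GO

-- Confirm the change took effect.
SELECT * FROM dbo.MT_DataWarehouse;
GO
```

Using the explicit server,port form also removes the dependency on UDP 1434 (SQL Browser) crossing the firewall, so only the one TCP port you recorded needs to be opened inbound to the data warehouse.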

Reporting Server and Root Management Server Separated by a Firewall

A "Could not verify if current user is in sysadmin Role" error message might be displayed when installing Reporting if the Reporting Server and the root management server are separated by a firewall. This error can appear even if the proper firewall ports have been opened; it occurs after you enter the computer name for the root management server and click Next. It can also be displayed because Reporting Setup was unable to connect to the Operations Manager database on the root management server. In this environment you will need to determine what TCP port the computer running SQL Server is listening on and configure the Operations Manager database to use that port number. See the topic How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port in this guide.

Port Assignments

The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.

Operations Manager 2007 SP1 Component A | Port number and direction | Operations Manager 2007 SP1 Component B | Configurable | Note

root management server | 1433 ---> | Operations Manager database | Yes (Setup) |

management server | 1433 ---> | Operations Manager database | Yes (Setup) |

management server | 5723, 5724 ---> | root management server | No | Port 5724 must be open to install this component and can be closed after this component has been installed.

gateway server | 5723 ---> | root management server | No |

root management server | 1433 ---> | Reporting data warehouse | No |

Reporting server | 5723, 5724 ---> | root management server | No | Port 5724 must be open to install this component and can be closed after this component has been installed.

Operations console | 5724 ---> | root management server | No |

Connector framework source | 51905 ---> | root management server | No |

Web console server | 5724 ---> | root management server | No |

Web console browser | 51908 ---> | Web console server | Yes (IIS Admin) | Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 WebConsole Web site.

connected root management server (Local) | 5724 ---> | connected root management server (Connected) | No |

Agent installed using MOMAgent.msi | 5723 ---> | root management server | Yes (Setup) |

Agent installed using MOMAgent.msi | 5723 ---> | management server | Yes (Setup) |

Agent installed using MOMAgent.msi | 5723 ---> | gateway server | Yes (Setup) |

gateway server | 5723 ---> | management server | Yes (Setup) |

Agent (Audit Collection Services forwarder) | 51909 ---> | management server Audit Collection Services collector | Yes (Registry) |

Agentless Exception Monitoring data from client | 51906 ---> | management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) |

Customer Experience Improvement Program data from client | 51907 ---> | management server (Customer Experience Improvement Program endpoint) | Yes (Client Monitoring Wizard) |

Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses port 80 to connect to the SQL Reporting Services Web site.

Reporting server | 1433 ---> | Reporting data warehouse | Yes |

management server (Audit Collection Services collector) | 1433 ---> | Audit Collection Services database | Yes |