SCOM 2012: Firewall rules connectivity between agents to the Gateway servers

Forum: Operations Manager
#230495
kapildham (Participant)

Hello fellow SCOM enthusiasts, I need some clarity regarding how firewall rules work between agents in the DMZ/secured network, gateway servers, and onwards to the management server.

It's available in multiple places that you would need uni-directional connectivity from the agent to the gateway server on port 5723, then on the firewall uni-directional to the management servers in your trusted network.

The million $ question is: if the traffic is permitted uni-directionally, how come the MPs get sent to the gateway and onwards to the SCOM agents in the DMZ? The firewall should not be permitting traffic inbound through the firewall, as no rule is specified except 5723 outbound… so how come the agents get the MPs and are able to update the rules and monitors specified?

    Any help would be highly appreciated.

#230521
curtmcgirt (Participant)

    agent1 lives on the dmz

    gateway1 lives on the dmz

    ___FIREWALL___

    management1 lives inside

    agent1 reaches out to gateway1 (or management1, depending on your setup) on 5723.

    gateway1 reaches out to management1 on 5724 (or maybe it’s also 5723).

    I wouldn’t say MPs get “sent to” gateway1 or agent1. gateway1 and/or agent1 *pull* the MPs from management1.


#230534
Wilson W. (Participant)

    My understanding is that once a connection is established in one direction, traffic can be initiated over that existing connection from *either direction*.

    #230588

    Hi,
    I think I can answer this by confirming what Wilson said.

    “The million $ question is if the traffic is permitted uni-directional how come the MPs get sent to the Gateway and onwards to the SCOM agents in the DMZ? Firewall should not be permitting traffic inbound through the Firewall as no rule is specified except 5723 outbound… then how come the agents get the MPs and are able to update the rules and monitors specified?”

The agent (or the GW) is actually initiating the TCP connection in the “outbound” direction, which, like you said, is allowed on the FW. The agent requests updates to the config or management packs. The reply of the management server is considered part of the same TCP “conversation” and is allowed through the firewall. This applies both to agent-to-management-server TCP sessions and to agent-to-GW sessions.
The only exception would be if you set up your GW with the following switch:
/ManagementServerInitiatesConnection=True
Please see the following article for more information:

    Initiates Connection between Management Server and Gateway Server
    Hope I could help.
    Regards,
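
As an added example that is not part of this thread or of any SCOM documentation, the following PowerShell check makes the point of the last two replies visible on a live host: an established session whose local port is 5723 was accepted from a peer that initiated it, while one whose remote port is 5723 was initiated locally, so only the initiating side needs a firewall rule. It assumes the default agent/gateway port 5723 named in the thread, the built-in NetTCPIP cmdlets (Windows Server 2012 and later), and the hypothetical host name gateway1 from curtmcgirt's reply.

```powershell
# Added example (not from the thread). Run on an agent, gateway or management
# server to see which side initiated each established SCOM channel session.
function Get-ScomChannelSessions {
    [CmdletBinding()]
    param(
        [int]$Port = 5723   # default agent/gateway port, as stated in the thread
    )
    # Local port 5723 => this host accepted the session (peer initiated it).
    # Remote port 5723 => this host initiated the session towards its upstream.
    $accepted  = Get-NetTCPConnection -State Established -LocalPort  $Port -ErrorAction SilentlyContinue
    $initiated = Get-NetTCPConnection -State Established -RemotePort $Port -ErrorAction SilentlyContinue

    foreach ($c in $accepted) {
        [pscustomobject]@{
            Direction  = 'Accepted (peer initiated)'
            Peer       = $c.RemoteAddress
            LocalPort  = $c.LocalPort
            RemotePort = $c.RemotePort
        }
    }
    foreach ($c in $initiated) {
        [pscustomobject]@{
            Direction  = 'Initiated here (only this side needs an outbound rule)'
            Peer       = $c.RemoteAddress
            LocalPort  = $c.LocalPort
            RemotePort = $c.RemotePort
        }
    }
}

# Pre-flight check from the initiating side: can this host complete the TCP
# handshake to its upstream (gateway or management server) on the port?
# If the gateway was installed with /ManagementServerInitiatesConnection=True,
# the direction is reversed and this test must be run from the management
# server towards the gateway instead.
function Test-ScomChannel {
    param(
        [Parameter(Mandatory)][string]$Upstream,
        [int]$Port = 5723
    )
    $r = Test-NetConnection -ComputerName $Upstream -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Upstream         = $Upstream
        Port             = $Port
        TcpTestSucceeded = $r.TcpTestSucceeded
    }
}

# Usage (gateway1 is a hypothetical host name taken from the thread):
# Get-ScomChannelSessions | Format-Table
# Test-ScomChannel -Upstream 'gateway1'
```

On a gateway you would expect agent sessions under "Accepted" and exactly one "Initiated here" session towards the management server; a reply from the management server travelling back over that same session is what the firewall's state table allows without an inbound rule.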
