Configure a Firewall for Operations Manager
This section describes how to configure your firewall to allow communication between the different Operations Manager features on your network.
Note
Operations Manager does not support LDAP over SSL (LDAPS) at this time.
Port assignments
The following table shows Operations Manager feature interaction across a firewall, including information about the ports used for communication between the features, which direction to open the inbound port, and whether the port number can be changed.
| Operations Manager Feature A | Port Number and Direction | Operations Manager Feature B | Configurable | Note |
|---|---|---|---|---|
| Management server | 1433/TCP ---> 1434/UDP ---> 135/TCP (DCOM/RPC) ---> 137/UDP ---> 445/TCP ---> 49152-65535 ---> |
Operations Manager database | Yes (Setup) | WMI Port 135 (DCOM/RPC) for the initial connection and then a dynamically assigned port above 1024. For more information, see Special considerations for Port 135 Ports 135,137,445,49152-65535 are only required to be open during the initial Management Server installation to allow the setup process to validate the state of the SQL services on the target machine. 2 |
| Management server | 5723/TCP, 5724/TCP ---> | Management server | No | Port 5724/TCP must be open to install this feature and can be closed after installation. |
| Management server, Gateway Server | 53 (DNS) ---> 88 (Kerberos) ---> 389 (LDAP) ---> |
Domain Controllers | No | Port 88 is used for Kerberos authentication, and isn't required if only using certificate authentication.3 |
| Management server | 161,162 <---> | Network device | No | All firewalls between the management server and the network devices need to allow SNMP (UDP) and ICMP bi-directionally. |
| Gateway server | 5723/TCP ---> | Management server | No | |
| Management server | 1433/TCP ---> 1434/UDP ---> 135/TCP (DCOM/RPC) ---> 137/UDP ---> 445/TCP ---> 49152-65535 ---> |
Reporting data warehouse | No | Ports 135,137,445,49152-65535 are only required to be open during the initial Management Server installation to allow the setup process to validate the state of the SQL services on the target machine. 2 |
| Reporting server | 5723/TCP, 5724/TCP ---> | Management server | No | Port 5724/TCP must be open to install this feature and can be closed after installation. |
| Operations console | 5724/TCP ---> | Management server | No | |
| Operations console | 80, 443 ---> 49152-65535 TCP <---> |
Management Pack Catalog web service | No | Supports downloading management packs directly in the console from the catalog.1 |
| Connector framework source | 51905 ---> | Management server | No | |
| Web console server | 5724/TCP ---> | Management server | No | |
| Web console browser | 80, 443 ---> | Web console server | Yes (IIS Admin) | Default ports for HTTP or SSL enabled. |
| Web console for Application Diagnostics | 1433/TCP ---> 1434 ---> |
Operations Manager database | Yes (Setup) 2 | |
| Web console for Application Advisor | 1433/TCP ---> 1434 ---> |
Reporting data warehouse | Yes (Setup) 2 | |
| Connected management server (Local) | 5724/TCP ---> | Connected management server (Connected) | No | |
| Windows agent installed using MOMAgent.msi | 5723/TCP ---> | Management server | Yes (Setup) | |
| Windows agent installed using MOMAgent.msi | 5723/TCP ---> | Gateway server | Yes (Setup) | |
| Windows agent push installation, pending repair, pending update | 5723/TCP 135/TCP 137/UDP 138/UDP 139/TCP 445/TCP *RPC/DCOM High ports (2008 OS and later) Ports 49152-65535 TCP |
No | Communication is initiated from MS/GW to an Active Directory domain controller and the target computer. | |
| UNIX/Linux agent discovery and monitoring of agent | TCP 1270 <--- | Management server or Gateway server | No | |
| UNIX/Linux agent for installing, upgrading, and removing agent using SSH | TCP 22 <--- | Management server or Gateway server | Yes | |
| OMED Service | TCP 8886 <--- | Management server or Gateway server | Yes | |
| Gateway server | 5723/TCP ---> | Management server | Yes (Setup) | |
| Agent (Audit Collection Services forwarder) | 51909 ---> | Management server Audit Collection Services collector | Yes (Registry) | |
| Agentless Exception Monitoring data from client | 51906 ---> | Management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) | |
| Customer Experience Improvement Program data from client | 51907 ---> | Management server (Customer Experience Improvement Program End) Point | Yes (Client Monitoring Wizard) | |
| Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses Port 80 to connect to the SQL Reporting Services web site. |
| Reporting server | 1433/TCP ---> 1434/UDP ---> |
Reporting data warehouse | Yes 2 | |
| Management server (Audit Collection Services collector) | 1433/TCP <--- 1434/UDP <--- |
Audit Collection Services database | Yes 2 |
Management Pack Catalog web service 1
To access the Management Pack Catalog web service, your firewall and/or proxy server must allow the following URL and wildcard (*):
https://www.microsoft.com/mpdownload/ManagementPackCatalogWebService.asmxhttp://go.microsoft.com/fwlink/*
Identify SQL port 2
The default SQL port is 1433, however this port number can be customized based on organizational requirements. To identify the configured port, follow these steps:
- In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <instance name>, and then double-click TCP/IP.
- In the TCP/IP Properties dialog, on the IP Addresses tab, note the port value for IPAll.
If using a SQL Server configured with an Always On Availability Group or after migrating an installation, do the following to identify the port:
- In Object Explorer, connect to a server instance that hosts any availability replica of the availability group whose listener you want to view. Select the server name to expand the server tree.
- Expand the Always On High Availability node and the Availability Groups node.
- Expand the node of the availability group, and expand the Availability Groups Listeners node.
- Right-click the listener that you want to view, and select the Properties command, opening the Availability Group Listener Properties dialog window, where the configured port should be available.
Kerberos authentication 3
For Windows clients using Kerberos authentication, and reside in a different domain from where the management servers are located, there are extra requirements that that must be met:
- A two-way transitive trust must be established between domains.
- The following ports must be open between the domains:
- TCP/UDP port 389 for LDAP.
- TCP/UDP port 88 for Kerberos.
- TCP/UDP port 53 for Domain Name Service (DNS).