Port 5723 for monitroing DMZ servers in SCOM

Fadil Ck 381 Reputation points
2022-11-07T10:19:38.717+00:00

Hi All,

We have setup DMZ servers in SCOM by enabling port 5723 and certificate trust. But the client has informed us that the port has not been hit and asked whether it is required?

Kindly confirm whether the port 5723-5724 is still required after adding using certificate trust? I have seen the port is required as a pre-requisite. Please let us know, why the port is not hitting?

Thanks in advance
Fadil

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,445 questions
0 comments No comments
{count} votes

Accepted answer
  1. CyrAz 5,181 Reputation points
    2022-11-07T10:40:37.007+00:00

    5723 is required from DMZ agent to scom server only, not the other way around.
    5724 is not required.
    If there is no traffic, you should verify that the agent is properly configured (fqdn of scom server especially), that name it's able to resolve that dns name, that it has a network route to scom server etc

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. SChalakov 10,371 Reputation points MVP
    2022-11-07T10:37:12.553+00:00

    Hi Fadil,

    the ports must be opened in order for the agent to communicate with its Management or Gateway Server.
    The certificate based authentication is completely different thing.
    If you don't open the port, there can be no communication and no monitoring, so the port is a very important requirement. This is the official confirmation from Microspoft Learn...From:

    Configuring a Firewall for Operations Manager
    https://learn.microsoft.com/en-us/system-center/scom/plan-security-config-firewall?view=sc-om-2022&WT.mc_id=EM-MVP-5002219#port-assignments

    257882-image.png

    You don't need 5724 from the agents to their Management or Gateway Servers, you only need 5723.

    In order to assure your customer that this port is safe, you can forward him/her this article, which explains how the communication is being encrypted and priovides some security insights into the SCOM communication:

    Authentication and Data Encryption in Operations Manager
    https://learn.microsoft.com/en-us/system-center/scom/plan-security-authentication-data-encryption?view=sc-om-2022&WT.mc_id=EM-MVP-5002219#setting-up-communication-between-agents-and-management-servers-across-trust-boundaries

    I hope I was able to help!

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
    Regards
    Stoyan Chalakov

    2 people found this answer helpful.
    0 comments No comments