SCOM Management Server initiating connection towards Gateway - permanent solution?

Marko Todorovic 61 Reputation points
2021-12-28T14:30:22.633+00:00

Hi all, I have a concern regarding setting up SCOM Gateway and initialization of connection.

Here's the situation:

  • Our domain has SCOM Management Server (we will call it MS), SCOM2016
  • In Customer's DMZ, we installed a Gateway on a dedicated server with appropriate certificates as it is an untrusted domain (we will call it GW)
  • Both Firewalls are configured with open 5723 ports between these two domains (including modified hosts file)
  • All prerequisites listed in Microsoft's installation of gateway guide are checked and confirmed

By default, when the MS approved the new Gateway (using the ApprovalTool), the GW appeared in the Operations Console, but MS and GW could not communicate with each other. When checking with "netstat -an", the session was neither established nor visible.
I urged the Customer's network admin to check their Firewall, but he claims that everything is good on their side, and on our side all the rules are correct as well.

When I deleted the Gateway and pushed the approval again from the MS, this time adding the parameter for the MS to be the connection initiator (/ManagementServerInitiatesConnection=True), which was added in SCOM 2012, everything went well. The Gateway was visible and healthy in the SCOM Console, and "netstat -an" showed an established session between the two (local address, foreign address and state: ESTABLISHED).

My question is: since it is not the default for the MS to be the initiator of the connection, is this setup something that should only be done as a workaround, or can it stay (like, forever) with no concern that it may cause problems in the future?
I'm asking because, given all the struggle with the Customer's network admin and his claims that their Firewall is set up correctly, we would like to keep this setting and avoid conflict. Will it keep working, or is there a chance of issues in the future, so that we should only keep it as a temporary solution / workaround?

Thanks a lot for all the help!
Regards,
Marko


Answer accepted by question author
  1. Crystal-MSFT 54,201 Reputation points Microsoft External Staff
    2021-12-29T08:25:41.913+00:00

    @Marko Todorovic , Thanks for posting in our Q&A.

    In general, when we add "/ManagementServerInitiatesConnection=True", the Management Server will try to reach the Gateway Server when it initiates the connection, like:
    MS > 5723 > GTW
    https://learn.microsoft.com/en-us/archive/blogs/predrag_oparnica/initiates-connection-between-management-server-and-gateway-server

    If we don't add this parameter, the Gateway Server will try to reach the Management Server. It will be:
    GTW > 5723 > MS

    For our issue, we can check the outbound rule on the Gateway firewall to see if 5723 is opened. On our organization's firewall, make sure port 5723 is open in the direction from the Gateway to the management server. And on the management server, make sure 5723 is open in the inbound rule.

    As far as I know, there was a known issue before SCOM 2016 UR4, and it is fixed in SCOM 2016 UR4. If our version is above it, we can use either method. If your organization doesn't want the connection to be established from outside (GTW), but rather initiated by the MS, we can choose that by adding "/ManagementServerInitiatesConnection=True":
    https://support.microsoft.com/en-us/topic/update-rollup-4-for-system-center-2016-operations-manager-4857e9a6-43f7-243f-a06b-2b998cdb97fa

    Hope the above information can help.


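The checks the accepted answer describes (is 5723 reachable in the direction the setup actually uses, is something listening on the accepting side, are the Windows Firewall rules in place) and the established-session check Marko did with "netstat -an" can be collected in one PowerShell script. The script below is an added example written for this page, not code from the thread or from Microsoft; the host name is a placeholder parameter, the port default is the 5723 from the thread, and it uses only the built-in NetTCPIP and NetSecurity cmdlets. Run it on the side that should initiate the connection (the GW by default, the MS when /ManagementServerInitiatesConnection=True) and pass the peer's name as it appears in the hosts file.

```powershell
# Added example (not from the original thread). Checks the SCOM 5723 path from the
# host it runs on. Host name below is a placeholder; replace it with the MS FQDN when
# run on the GW, or the GW FQDN when run on the MS.
param(
    [string]$Peer = 'peer.example.invalid',   # placeholder peer name from the hosts file
    [int]$Port    = 5723                      # SCOM MS/GW channel port from the thread
)

# 1. Local listener on 5723. Expected on the side that ACCEPTS the connection:
#    the MS by default, the GW when /ManagementServerInitiatesConnection=True.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

# 2. Established 5723 sessions, i.e. the same view as "netstat -an", plus the owning
#    process so you can confirm it is the SCOM HealthService and not something else.
$established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        }
    }

# 3. Can this host reach the peer on 5723? This exercises name resolution (hosts file)
#    and every firewall between the two domains in THIS direction only. A failure here
#    on the initiating side is the firewall/path problem the thread is about; a success
#    from the other side proves nothing about the direction SCOM actually uses.
$reach = Test-NetConnection -ComputerName $Peer -Port $Port -WarningAction SilentlyContinue

# 4. Local Windows Firewall rules whose port filter references 5723, with direction and
#    action, so a missing inbound (accepting side) or outbound (initiating side) rule
#    is visible without opening the firewall console.
$rules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile

[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    ListeningOn5723      = [bool]$listener
    EstablishedSessions  = @($established)
    PeerResolvedAddress  = $reach.RemoteAddress
    PeerReachableOn5723  = $reach.TcpTestSucceeded
    FirewallRulesFor5723 = @($rules)
} | Format-List
```

Interpreting the output against the thread: with the default direction, the GW should report PeerReachableOn5723 = True and the MS should report ListeningOn5723 = True; with the parameter set, the roles swap. If the initiating side cannot reach the peer while the accepting side is listening and has an enabled inbound Allow rule, the block is on the path between the two domains, which is the evidence to bring to the network admin. An ESTABLISHED entry owned by HealthService on both sides is the healthy state Marko saw after switching the initiator.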


1 additional answer
  1. CyrAz 5,181 Reputation points
    2021-12-29T10:40:53.587+00:00

    Initiating the connection from the MS is indeed not the default config, but it shouldn't be anything to worry about; it works just as well this way. You absolutely can keep it running like this; some would even consider this setup more secure.
