Getting a SCOM 2007 R2 SCOM agent on TMG is a useful way of monitoring TMG, especially with the SCOM TMG Management Pack – it’s not exactly “out-of-the-box” functionality though, with many sources I’ve read simply stating that it can’t be done. There are some half-working solutions I’ve seen, but nothing that worked for me.
The process involves simply opening the correct ports and protocols between the TMG servers and the SCOM management servers, which after a few attempts watching the live logs, I found.
Creating the SCOM 2007 R2 Agent Push Install Rule
From the Threat Management Gateway Server, Launch the New Access Rule Wizard
Obviously we need to allow protocols
This is where it gets specific – add the following “standard” protocols from the Add Protocols dialogue (the port, protocol and direction are here for reference only, you can’t edit them):
|NetBios Name Service||UDP||137||Send Recieve|
|RPC (all interfaces)||TCP||135||Outbound|
Now add in some custom rules – these can be named what you like. The “NLB (DCOM Dynamic)” rule already existed for the NLB TMG cluster – it allows WMI querying for the SCOM agent install.
|RPC (Server 2008 High Ports)||TCP||40000-65535||Outbound|
|NLB (DCOM Dynamic)||TCP||10002||Outbound|
|SMB over IP||TCP||445||Outbound|
The protocol rules should look something like this:
In the Access Rule Sources page of the wizard, add a Network Entity and create a new Computer Set that contains all your SCOM management servers for this site – in my case I called the group “SCOM 2007 R2 Servers”
For the Access Rule Destinations, add “Local Host” from the “Networks” group (this will allow to all servers in the TMG array):
Keep the default user set “All Users”
Create and apply the rule.
Creating a SCOM 2007 R2 Agent Communications Rule
To allow the Agent to communicate back to the management server, start another Access Rule wizard from the TMG console to allow “System Center Operation Manager Agent” and “System Manager Operation Manager Agent Installation” from “Local Host” to your “SCOM 2007 R2 Servers” computer set, applicable to “All Users”.
Create and apply the rule, and you should have something like this:
Pushing the SCOM 2007 R2 Agent to Threat Management Gateway Servers
You should now be able to “Discover” your TMG servers in the normal way from the SCOM console – if you have issues I would highly recommend setting a filter on the IP addresses for your SCOM and TMG servers while you do the discovery and installation of the agent – investigate any blocked connections that you might see.
Don’t forget to install the SCOM 2007 R2 Management Pack for TMG. Another useful page is Troubleshooting Issues When You Use the Discovery Wizard to Install an Agent, as is Agent discovery and push troubleshooting in OpsMgr 2007.