DefinIT

Remote Installation of SCOM 2007 R2 Agent on Threat Management Gateway Servers

Getting a SCOM 2007 R2 agent on TMG is a useful way of monitoring TMG, especially with the SCOM TMG Management Pack – it’s not exactly “out-of-the-box” functionality though, with many sources I’ve read simply stating that it can’t be done. There are some half-working solutions I’ve seen, but nothing that worked for me.

The process simply involves opening the correct ports and protocols between the TMG servers and the SCOM management servers, which I found after a few attempts while watching the live logs.

Creating the SCOM 2007 R2 Agent Push Install Rule

From the Threat Management Gateway Server, launch the New Access Rule Wizard.


Obviously we need to allow protocols.


This is where it gets specific – add the following “standard” protocols from the Add Protocols dialog (the transport, port and direction are listed here for reference only; you can’t edit them):

Name                   Transport  Port(s)  Direction
NetBios Datagram       UDP        138      Send
NetBios Name Service   UDP        137      Send Receive
NetBios Session        TCP        139      Outbound
Ping                   ICMP       0/8      Send Receive
RPC (all interfaces)   TCP        135      Outbound

Now add in some custom protocols – these can be named whatever you like. The “NLB (DCOM Dynamic)” protocol already existed for the NLB TMG cluster – it allows the WMI querying needed for the SCOM agent install.

Name                           Transport  Port(s)      Direction
RPC (Server 2008 High Ports)   TCP        40000-65535  Outbound
NLB (DCOM Dynamic)             TCP        10002        Outbound
SMB over IP                    TCP        445          Outbound

The protocol rules should look something like this:


In the Access Rule Sources page of the wizard, add a Network Entity and create a new Computer Set that contains all your SCOM management servers for this site – in my case I called the group “SCOM 2007 R2 Servers”.


For the Access Rule Destinations, add “Local Host” from the “Networks” group (this applies the rule to all servers in the TMG array):


Keep the default user set, “All Users”.


Create and apply the rule.

Creating a SCOM 2007 R2 Agent Communications Rule

To allow the agent to communicate back to the management server, start another Access Rule wizard from the TMG console and allow the “System Center Operations Manager Agent” and “System Center Operations Manager Agent Installation” protocols from “Local Host” to your “SCOM 2007 R2 Servers” computer set, applicable to “All Users”.

Create and apply the rule, and you should have something like this:

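The same two rules, built through the TMG administration COM object instead of the wizard, as an added example that is not part of the original post. It assumes placeholder names and addresses for the computer set members, that the “NLB (DCOM Dynamic)” protocol already exists as described above, and that the outbound direction value is 1 (verify against FpcConnectionDirectionType in the TMG SDK); run it in an elevated PowerShell session on a TMG array member.

```powershell
# Added example, not from the original post. Creates the SCOM push-install and
# agent-communication access rules through the TMG administration COM object.
# Review the resulting rules in the TMG console before applying them to production.
$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

$fpcInclude = 0; $fpcAllow = 0; $fpcSpecifiedProtocols = 1
$fpcOutbound = 1   # ASSUMPTION: confirm against FpcConnectionDirectionType in the TMG SDK

# Computer set of SCOM management servers. Names and addresses are placeholders.
$set = $array.RuleElements.ComputerSets.Add("SCOM 2007 R2 Servers")
$set.Computers.Add("SCOM-MS01-PLACEHOLDER", "192.0.2.11") | Out-Null
$set.Computers.Add("SCOM-MS02-PLACEHOLDER", "192.0.2.12") | Out-Null
$set.Save()

# Custom TCP protocols from the post. "NLB (DCOM Dynamic)" (TCP 10002) is assumed
# to exist already, as it did on the author's NLB cluster, so it is not recreated.
foreach ($p in @(@{ Name = "RPC (Server 2008 High Ports)"; Low = 40000; High = 65535 },
                 @{ Name = "SMB over IP";                  Low = 445;   High = 445 })) {
    $def = $array.RuleElements.ProtocolDefinitions.Add($p.Name)
    $def.PrimaryConnections.AddTCP($fpcOutbound, $p.Low, $p.High) | Out-Null
    $def.Save()
}

function Add-TmgAllowRule {
    param($Name, [string[]]$Protocols, $SourceSet, $SourceNetwork, $DestSet, $DestNetwork)
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($Name)
    $rule.Action = $fpcAllow                      # allow; user set stays the default "All Users"
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    foreach ($proto in $Protocols) { $rule.AccessProperties.SpecifiedProtocols.Add($proto, $fpcInclude) | Out-Null }
    if ($SourceSet)     { $rule.SourceSelectionIPs.ComputerSets.Add($SourceSet, $fpcInclude) | Out-Null }
    if ($SourceNetwork) { $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude) | Out-Null }
    $dest = $rule.AccessProperties.DestinationSelectionIPs
    if ($DestSet)       { $dest.ComputerSets.Add($DestSet, $fpcInclude) | Out-Null }
    if ($DestNetwork)   { $dest.Networks.Add($DestNetwork, $fpcInclude) | Out-Null }
    $rule.Save()
}

# Rule 1: push install, SCOM servers -> Local Host (every server in the TMG array)
Add-TmgAllowRule -Name "SCOM 2007 R2 Agent Push Install" -SourceSet "SCOM 2007 R2 Servers" -DestNetwork "Local Host" `
    -Protocols @("NetBios Datagram", "NetBios Name Service", "NetBios Session", "Ping", "RPC (all interfaces)",
                 "RPC (Server 2008 High Ports)", "NLB (DCOM Dynamic)", "SMB over IP")

# Rule 2: agent communication, Local Host -> SCOM servers
Add-TmgAllowRule -Name "SCOM 2007 R2 Agent Communications" -SourceNetwork "Local Host" -DestSet "SCOM 2007 R2 Servers" `
    -Protocols @("System Center Operations Manager Agent", "System Center Operations Manager Agent Installation")

$array.Save()   # commits the pending configuration so it can be applied
```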

Pushing the SCOM 2007 R2 Agent to Threat Management Gateway Servers

You should now be able to “Discover” your TMG servers in the normal way from the SCOM console. If you have issues, I would highly recommend setting a filter in the TMG live logging on the IP addresses of your SCOM and TMG servers while you run the discovery and agent installation, and investigating any blocked connections you see.

Don’t forget to install the SCOM 2007 R2 Management Pack for TMG. Other useful pages are Troubleshooting Issues When You Use the Discovery Wizard to Install an Agent and Agent discovery and push troubleshooting in OpsMgr 2007.