This article discusses how to install and manage Microsoft
Operations Manager (MOM) 2005 agent computers that are behind a firewall or in
an untrusted domain. You may want to install the MOM 2005 agent on a computer
that is beyond your corporate firewall. In some instances, you may want to
install the MOM 2005 agent on a server that is in a perimeter network. A
perimeter network is a network that exists between two other networks.
Typically, the two other networks do not trust each other. A perimeter network
is also known as a DMZ, a demilitarized zone, or a screened
subnet.
By default, the MOM 2005 agent uses TCP port 1270 to send
data, such as alerts and events, to the MOM Management Server. The
MOM agent uses UDP port 1270 to send heartbeat information to the MOM
Management Server. The MOM agent and the MOM Management Server negotiate an
open port to use on the MOM agent computer. The MOM Management Server uses the
negotiated port to send rules to the agent.
Requirements for MOM agents that are behind a firewall
MOM agents can communicate with the MOM Management Server if the
MOM agent computer is behind a firewall. However, you must open TCP port 1270
and UDP port 1270. Additionally, you must manually install and update MOM
agents that are behind a firewall.
If you cannot enable access to port
1270 through the firewall, you must install a MOM management group inside the
perimeter network. You can separately monitor the perimeter network management
group. Or, you can enable alert forwarding from the perimeter network
management group to the internal MOM management group by using port
1271.
You can use the MOM Remote Prerequisite Checker (MOMNetChk.exe)
utility in the Microsoft Operations Manager Resource Kit to scan a computer for
the status of the ports that are used by the MOM service and related services.
To obtain the MOM Resource Kit, visit the following Microsoft Web site:
The MOM Remote Prerequisite Checker conducts a series of
connectivity tests. These tests include a ping test and test for DNS
connectivity. The utility also provides information about the status of
services that the MOM service depends on. This information can appear in a
report window or be saved in the Momscan.log file. To use the MOM Remote
Prerequisite Checker, start MOMNetChk.exe, enter the computer name, and then
click
Run Scan. If you want to save the results to a log file, click
Save to Log File, and then specify the location of the file.
To view the results of the tests that were run, expand the nodes in the left
pane of the utility window.
Note The MOMNetChk.exe utility tests the status of required network
and service components. It does not report specific errors.
If the managed computers belong to the internal domain, the following conditions are true:
- Mutual authentication is available.
- Signed and encrypted communications are available.
- The following ports are open so that the managed computer can authenticate the MOM management domain and communicate with the domain:
  - UDP port 53 to support Domain Name System (DNS) queries and dynamic registrations
  - UDP port 88 to support Kerberos
  - UDP port 123 to support Network Time Protocol (NTP)
  - TCP port 135 to support remote procedure calls (RPC)
  - UDP port 389 and TCP port 389 to support Lightweight Directory Access Protocol (LDAP)
  - TCP port 445 to support server message block (SMB)
  - All ports over 1024 for RPC communication and for response to dynamic source ports on the MOM agent computer.
If the managed computers belong to a perimeter network domain, the following conditions are true:
- If a full Active Directory directory service trust relationship exists between the Management Server domain and the agent domain, the following options are available:
  - Mutual authentication
  - Signed and encrypted communications
- If a full Active Directory trust relationship does not exist, only signed and encrypted communications are available. Mutual authentication is not available.
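The port lists above (TCP/UDP 1270 for every agent, plus the domain ports for agents in the internal domain) are easy to get partially wrong in a firewall policy, and the heartbeat port in particular is often forgotten because a TCP-only test still looks healthy. The following script, added here as an example and not part of this article or of MOM, audits a rule set against those requirements. The port numbers are the ones the article lists; the (proto, low_port, high_port) rule format, the interpretation of "all ports over 1024" as 1025-65535, and the sample rule sets are constructed for the demo.

```python
"""Audit a firewall rule set against the MOM 2005 agent port requirements.

Added example; not Microsoft code. The port numbers are the ones listed in
this article. The rule-set format (proto, low_port, high_port) and the sample
rule sets at the bottom are constructed for the demo.
"""

# (proto, low, high, purpose). Ports the agent needs in every scenario.
AGENT_PORTS = [
    ("tcp", 1270, 1270, "agent data (alerts, events) to the Management Server"),
    ("udp", 1270, 1270, "agent heartbeat to the Management Server"),
]

# Extra ports listed for agents that belong to the internal domain.
# "All ports over 1024" is expressed here as the range 1025-65535 (assumption).
INTERNAL_DOMAIN_PORTS = [
    ("udp", 53, 53, "DNS queries and dynamic registrations"),
    ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("udp", 389, 389, "LDAP"),
    ("tcp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 1025, 65535, "RPC dynamic ports"),
]


def required_ports(internal_domain):
    """Required entries for an agent in the internal domain or in a perimeter network."""
    return AGENT_PORTS + (INTERNAL_DOMAIN_PORTS if internal_domain else [])


def _covered(proto, low, high, rules):
    """True if the union of the allowed rules for proto spans every port in low..high."""
    spans = sorted((r_low, r_high) for r_proto, r_low, r_high in rules if r_proto == proto)
    cursor = low  # first port not yet known to be allowed
    for s_low, s_high in spans:
        if s_high < cursor:
            continue      # this rule ends before the part we still need
        if s_low > cursor:
            return False  # a hole between cursor and the start of this rule
        cursor = s_high + 1
        if cursor > high:
            return True
    return cursor > high


def missing_ports(rules, internal_domain):
    """Return the required (proto, low, high, purpose) entries the rules do not allow."""
    return [entry for entry in required_ports(internal_domain)
            if not _covered(entry[0], entry[1], entry[2], rules)]


def report(rules, internal_domain):
    """Human-readable summary, one line per gap."""
    gaps = missing_ports(rules, internal_domain)
    if not gaps:
        return "all required ports allowed"
    lines = []
    for proto, low, high, purpose in gaps:
        span = f"{low}" if low == high else f"{low}-{high}"
        lines.append(f"MISSING {proto.upper()} {span}: {purpose}")
    return "\n".join(lines)


# Constructed sample rule sets.
PERIMETER_RULES = [("tcp", 1270, 1270)]  # common slip: the UDP heartbeat port is left out
INTERNAL_RULES = [
    ("tcp", 1270, 1270), ("udp", 1270, 1270),
    ("udp", 53, 53), ("udp", 88, 88), ("udp", 123, 123),
    ("tcp", 135, 135), ("udp", 389, 389), ("tcp", 389, 389), ("tcp", 445, 445),
    ("tcp", 1025, 5000), ("tcp", 5001, 65535),  # dynamic RPC range split across two rules
]

if __name__ == "__main__":
    print("perimeter:", report(PERIMETER_RULES, internal_domain=False))
    print("internal: ", report(INTERNAL_RULES, internal_domain=True))
```

The coverage check merges adjacent rules, so a dynamic-port range that an administrator has split across several rules is still recognised as allowed, while a single missing port inside the range is reported as a gap.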
How to install the MOM agent
You must disable mutual authentication on the MOM server so that
the MOM agent can connect to the MOM Management Server. To disable mutual
authentication, follow these steps:
- Start the MOM 2005 Administrator console.
- Expand Administration, and then click
Global Settings.
- Double-click Security.
- On the Security tab, click to clear the
Mutual authentication required check box, and then click
OK.
You must manually install the MOM agent. By default, MOM 2005 is
configured to reject new manually installed agents to prevent the automatic
installation of unauthorized agents. This configuration helps to prevent
harmful or malicious data from being submitted to the MOM Management Server.
Rejecting manually installed agents is a global setting that you can turn off
while you perform the manual agent installation. After you manually install the
agents that you want, we strongly recommend that you enable this setting again
to help safeguard the MOM environment.
To change the global setting to allow
manually installed agents for all MOM Management Servers, follow these steps:
- In the MOM Administrator console, expand
Administration, and then click Global
Settings.
- In the details pane, right-click Management
Servers, and then click Properties.
- On the Agent Install tab, click to clear
the Reject new manual agent installations check box, and then
click OK.
To change the setting to allow manually installed agents on a
single MOM Management Server, follow these steps:
- In the MOM Administrator console, expand
Administration, expand Computers, and then
click Management Servers.
- In the details pane, right-click the MOM Management Server
that you want to configure, and then click
Properties.
- On the Agent Install tab, click to clear
the Use global settings check box.
- Click to clear the Reject new manual agent
installations check box, and then click OK.
After you reconfigure the MOM Management Server to allow
manually installed agents, you must commit the configuration change, and then
restart the MOM service on all MOM Management Servers. To commit the change and
then restart the MOM service, follow these steps:
- In the MOM Administrator console, right-click
Management Packs, and then click Commit Configuration
Change.
- On the MOM Management Servers, click
Start, click Run, type
services.msc, and then click
OK.
- Right-click the MOM service, and then click
Restart.
To manually install the MOM agent, follow these steps:
- On the destination computer, insert the MOM 2005 source CD
in the CD drive. If the Microsoft Operations Manager 2005 Setup
Resources dialog box does not automatically appear, run the Setup.exe
program from the MOM 2005 source CD.
- On the Manual Agent Install tab, click
Install Microsoft Operations Manager 2005 Agent to start the
Microsoft Operations Manager 2005 Agent Setup Wizard.
- Click Next two times to open the
Agent Configuration dialog box.
- In the Management Server text box,
specify the IP address of the MOM Management Server. If you use the DNS name or
the NetBIOS name, you must open additional ports that may decrease network
security. We do not recommend that you open ports that are not listed in this
article.
- Under Agent Control Level, click
None. By setting the Agent Control Level to
None, the MOM Management Server cannot upgrade the agent or
perform agent configuration updates. However, the agent can perform attribute
scans, download rules, and perform other tasks.
- If you receive a "The Management Server Could Not Be
Contacted" message, click Continue.
- In the MOM Agent Action Account dialog
box, click Local System, and then click
Next.
- On the Active Directory Configuration
dialog box, click No, my environment fits one of the following
conditions, click Next, and then click
Install.
After the MOM agent is installed, you must approve the MOM agent
for manual installation. To do this, follow these steps on the MOM Management
Server computer:
- In the MOM Administrator console, expand
Administration, expand Computers, and then
click Pending Actions.
- Right-click the computer, and then click Approve
Manual Agent Installation Now.
For each agent that you manually install, you must modify the
DNS name, host name, and fully qualified domain name (FQDN) values in the
Computer table in the OnePoint database. To modify these
values, follow these steps on the computer that is running Microsoft SQL Server
and that manages the OnePoint database:
- Start SQL Server Enterprise Manager.
- Expand Microsoft SQL Servers\SQL
Server Group\(local)(Windows
NT)\Databases.
- Expand OnePoint, and then click
Tables.
- Right-click the Computer table, point to
Open Table, and then click Return all
rows.
- Find the computer name of the manually installed agent
computer.
- Click the <NULL> value in the
DNSName column, and then type the DNS name of the perimeter
network domain that contains the manually installed agent computer. For
example, type DMZDOMAIN.COM.
- Click the <NULL> value in the
HostName column, and then type the FQDN of the MOM agent
computer. For example, type
Computer1.DMZ.DOMAIN.COM.
- Click the <NULL> value in the
FQDN column, and then type the FQDN of the MOM agent computer.
For example, type Computer1.DMZ.DOMAIN.COM.
Note The DNS name is the Active Directory name, not the NetBIOS domain
name that contains the MOM agent computer. The host name and the FQDN will have
the same entry. If a disjointed DNS namespace configuration is used, the entry
could contain a different DNS domain suffix that depends on the IP
configuration of the MOM agent computer but not on the AD domain membership of
the entry. A disjointed DNS namespace is a DNS infrastructure that includes two
or more top-level DNS domain names. For more information about how to configure
name resolution for disjointed namespaces, visit the following Microsoft
Technet Web site:
Important If the DNSName, HostName, and FQDN entries in the Computer table are not
correctly configured, many rules that use scripts in various management packs,
such as the Active Directory Management Pack, will not run correctly. Agents
that are installed automatically already have these fields populated. You can
use the existing data as an example.
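Because a wrong value in those three columns silently breaks script-based rules, it is worth validating the values before editing the row, and worth making sure an edit cannot touch the already-populated rows of automatically installed agents. The script below is an added example, not code from this article or from MOM: it applies the rules stated in the note (DNSName is the Active Directory DNS domain name, HostName and FQDN carry the same entry, the FQDN suffix matches the AD DNS name unless a disjointed namespace is in use) and emits a parameterised UPDATE. The column names DNSName, HostName and FQDN come from the article; the Name column used to locate the row and the `?` placeholders (pyodbc style) are assumptions, and the sample values are constructed.

```python
"""Prepare and sanity-check the DNSName, HostName and FQDN values for a
manually installed agent's row in the OnePoint Computer table.

Added example; not Microsoft code. The column names DNSName, HostName and
FQDN come from this article. The Name column used to locate the row and the
'?' parameter placeholders (pyodbc style) are assumptions for this demo; the
sample values at the bottom are constructed.
"""
import re

# One DNS label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_dns_name(value):
    """True if value is a syntactically valid dotted DNS name."""
    return bool(value) and all(_LABEL.match(label) for label in value.split("."))


def row_value_problems(computer_name, ad_dns_domain, agent_fqdn, disjoint_namespace=False):
    """Return a list of problems (empty when the values satisfy the article's rules)."""
    problems = []
    if not is_dns_name(ad_dns_domain):
        problems.append(f"invalid DNS name for the agent domain: {ad_dns_domain!r}")
    if not is_dns_name(agent_fqdn):
        problems.append(f"invalid FQDN for the agent: {agent_fqdn!r}")
        return problems
    host, _, suffix = agent_fqdn.partition(".")
    if not suffix:
        problems.append("FQDN must carry a DNS domain suffix, not just a host name")
    if host.lower() != computer_name.lower():
        problems.append(f"FQDN host label {host!r} does not match computer name {computer_name!r}")
    # Disjointed namespace: the IP configuration's DNS suffix may differ from
    # the AD domain the computer belongs to; only then is a mismatch acceptable.
    if suffix and suffix.lower() != ad_dns_domain.lower() and not disjoint_namespace:
        problems.append("FQDN suffix differs from the AD DNS name; pass "
                        "disjoint_namespace=True only if that is the intended DNS configuration")
    return problems


def computer_row_values(computer_name, ad_dns_domain, agent_fqdn, disjoint_namespace=False):
    """Build the three column values; DNSName is the AD DNS domain name,
    HostName and FQDN both hold the agent's FQDN. Raises ValueError on bad input."""
    problems = row_value_problems(computer_name, ad_dns_domain, agent_fqdn, disjoint_namespace)
    if problems:
        raise ValueError("; ".join(problems))
    return {"DNSName": ad_dns_domain, "HostName": agent_fqdn, "FQDN": agent_fqdn}


def computer_row_update(computer_name, values):
    """Return (sql, params) for the row, located by the assumed Name column.

    The 'DNSName IS NULL' guard keeps the statement from touching rows of
    agents that were installed automatically, whose fields are already populated.
    """
    sql = ("UPDATE Computer SET DNSName = ?, HostName = ?, FQDN = ? "
           "WHERE Name = ? AND DNSName IS NULL")
    params = (values["DNSName"], values["HostName"], values["FQDN"], computer_name)
    return sql, params


if __name__ == "__main__":
    # Constructed values. Run the statement with your SQL client, for example
    # cursor.execute(sql, params) on a pyodbc connection to the OnePoint database.
    vals = computer_row_values("Computer1", "dmz.example.com", "Computer1.dmz.example.com")
    sql, params = computer_row_update("Computer1", vals)
    print(sql)
    print(params)
```

Run the SELECT in step 4 of the procedure again after the UPDATE; the statement's `DNSName IS NULL` guard means it affects zero rows if the row was already populated, which is the signal to stop and look at the existing data rather than overwrite it.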
How to troubleshoot connectivity issues
To troubleshoot connection issues between the MOM agent and the
MOM Management Server behind the firewall, follow these steps on the MOM agent
computer:
- Try to ping the IP address of the MOM Management Server. If
you cannot ping the MOM Management Server, make sure that the MOM Management
Server is available and that you can access resources behind the firewall. If
you can successfully ping the MOM Management Server behind the firewall, go to
step 2.
- Try to ping the MOM Management Server by using the computer
name. If you can ping the computer name of the MOM Management Server, go to
step 3. If you cannot ping the computer name, consider the following
possibilities:
- Is the MOM agent computer configured to use DNS or
Windows Internet Name Service (WINS) for name resolution?
- Are the DNS and WINS servers available to the MOM agent
computer?
- Is name resolution of the internal computers that are
behind the firewall allowed through the firewall?
In the perimeter network domain, consider installing a DNS or WINS server that contains static entries for the MOM agent computers to reference. Do not let the DNS or WINS server in the perimeter network replicate information with the name servers that are inside the firewall. You may want to use an Lmhosts file on the MOM agent computer to preload the host name of the MOM Management Server.
- Try to use the Telnet.exe program to connect from the MOM agent computer to port 1270 on the MOM Management Server. A successful telnet session proves that the MOM agent can send data to the MOM Management Server. However, a telnet connection proves only TCP connectivity. A telnet connection cannot verify UDP connectivity.
- If the MOM Management Server states that no heartbeat
information has been received from the client, UDP port 1270 is not open. Open
UDP port 1270 in the firewall.
- If the MOM Management Server tries to ping the MOM agent
and does not receive a response, even though the computer is available, the
firewall may be blocking Internet Control Message Protocol (ICMP) traffic. Make
sure that the firewall is not configured to block ICMP traffic.
To troubleshoot connectivity issues on the MOM Management
Server, follow these steps:
- Make sure that you can successfully ping the IP address of
the MOM agent computer.
- Make sure that you can ping the MOM agent computer by using
the host name and the DNS name. If you cannot successfully ping the MOM agent
computer name, scripts that rely on name resolution will fail, even though you
have successfully installed the agent.
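The telnet step in the troubleshooting list above proves only that a TCP handshake completes; it says nothing about UDP port 1270, which is why a missing heartbeat on the Management Server is the only reliable sign that the UDP port is blocked. The script below is an added example, not code from this article or from MOM: `check_tcp` is the programmatic equivalent of the telnet test, `send_udp` shows that a UDP send reports success whether or not anything is listening, and `resolve` covers the ping-by-name step. The loopback listener, the probe payload and the `demo` function are constructed so the behaviour can be seen without a real Management Server.

```python
"""Show what the telnet test from the troubleshooting steps does and does not
prove for the MOM agent ports.

Added example; not Microsoft code. check_tcp is the programmatic equivalent
of telnetting to TCP port 1270; send_udp shows that a UDP send succeeds whether
or not anything listens, which is why UDP 1270 has to be confirmed from the
heartbeat status on the Management Server. The loopback listener and the probe
payload are constructed for the demo.
"""
import socket

MOM_PORT = 1270  # default agent port from the article; the demo uses a loopback port instead


def resolve(name):
    """Name-resolution check (the 'ping by computer name' step): IPv4 string or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes. This is all telnet proves."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_udp(host, port, payload=b"constructed-heartbeat-probe"):
    """Send one datagram. True means the send call succeeded, which says nothing
    about whether a firewall dropped it or whether anything received it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.sendto(payload, (host, port))
            return True
        except OSError:
            return False


def start_loopback_listener():
    """Constructed stand-in for the Management Server's TCP listener.

    A listening socket completes handshakes into its backlog without accept()
    being called, so no thread is needed. Returns (server_socket, port); close
    the socket to take the 'server' down.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    return server, server.getsockname()[1]


def demo():
    """Run the checks against a loopback listener and return the outcomes."""
    server, port = start_loopback_listener()
    results = {"tcp_while_listening": check_tcp("127.0.0.1", port)}
    server.close()
    results["tcp_after_close"] = check_tcp("127.0.0.1", port)
    # The UDP 'test' still passes even though nothing listens on that port now.
    results["udp_to_closed_port"] = send_udp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against a real Management Server you would call `check_tcp(server_ip, MOM_PORT)` from the agent computer; a `True` there combined with "no heartbeat received" on the server side points at UDP 1270 being blocked, exactly the case the troubleshooting steps describe.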
If the Windows firewall is enabled on the MOM agent computer,
see the following article in the Microsoft Knowledge Base:
885726 (http://support.microsoft.com/kb/885726/) The Microsoft Operations Manager 2005 agent does not install on computers that are running Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1)
Microsoft Knowledge Base article 885726 describes
how to modify the firewall settings of the Windows firewall to allow port
traffic. The article also describes how to include the MOM agent executable. By
default, the Windows firewall settings do not allow successful push
installation of the MOM 2005 agent on computers that are running Microsoft
Windows XP with Service Pack 2 and Microsoft Windows Server 2003 with Service
Pack 1.
For more information, see "Chapter 7: Deploying MOM 2005 in
Advanced Environments" in the
MOM 2005 Deployment Guide. To view the
MOM 2005 Deployment Guide online, visit the following Microsoft Web site:
For more information
about how to open firewall ports for different programs, click the following
article number to view the article in the Microsoft Knowledge Base:
832017 (http://support.microsoft.com/kb/832017/) Service overview and network port requirements for the Windows Server system