(System Center Operations Manager logo) http://www.Oostdam.info
System Center Operations Manager 2007 R2 is a great product. It has some difficulties, but which product doesn't have a problem here and there? This article exists for several reasons. First of all, I collected all these errors, installs and warnings for my own personal reference. But it is always better to share knowledge, so I decided to publish these articles on this site, with a little extra explanation. I hope this article will help you with your problem as well. This article is not about a specific error or warning; it wants to give you a direction on how to install a SCOM 2007 R2 Agent on a Forefront TMG 2010 server. It is a little different from the normal way you discover and install agents, as TMG runs its own firewall and refuses every discovery attempt. But why would there be a standard Management Pack for Forefront TMG if we could not use it? Below I try to explain how this works in a step-by-step guide. Because most visitors of this page come from many different countries, this article is in English.


How to install a Operations Manager 2007 R2 Agent on Forefront TMG:
(picture 01) We start by logging on to the TMG machine that holds the actual firewall and the management console, with an account that has administrative permissions. In most situations the TMG databases reside on a separate server, and you will have no problem discovering and installing agents on that one. Open the Forefront Threat Management Gateway 2010 console and browse to the Firewall Policy. Right-click it and choose "New" and then "Access Rule". You can see an example of these actions in the picture on the right.


The Access rules wizard will come up and you have to provide a name for the new rule, for instance "SCOM Monitoring Rule". Click the "Next" button and set the "Rule Action" to "Allow".
Hit the "Next" button again.

(picture 02)
The wizard will now go to the Protocols dialog.

You can check the currently installed protocols, but we are interested in the "Add" button.

You get a new screen in which you can create a custom protocol, or choose pre-installed protocols for common programs, tools and so on. As Forefront TMG is also a member of the Microsoft product family, it is to be expected that a set of protocol definitions for Operations Manager 2007 is present, and indeed there is! Expand the "Infrastructure" folder (as shown in the picture on the left) and look for the four pre-defined System Center Operations Manager protocols (as shown in the picture on the right). (picture 03)


Select these protocols and they will appear in the Protocols dialog. You can select a protocol and choose the "Edit" button to check that TCP ports 5723 and 5724 are present. There is no need to change anything in these definitions.

I would advise, though, to split this into two rules: one for the agent traffic (TCP 5723) and one for the installation traffic (TCP 5724). That way you can disable the installation rule after the agent is installed, so that port is only open while you actually need it, and enable it again quickly for future use, for instance when you roll out a service pack or cumulative update for Operations Manager.

So we go along with the wizard and click the "Next" button.

The wizard continues with the "Access Rule Sources". This is the part of the rule that says which traffic from which computer will be allowed.
(picture 04)
Hit the "Add" button and a set of pre-defined "Rule Elements" will come up. As the source and destination are individual member servers of our domain, they are not present as rule elements yet. So expand/select the "Computers" folder, click "New" in the bar above and choose "Computer". This presents the "New Computer Rule Element" box, which you can also see in the picture on the right.

Fill in the Fully Qualified Domain Name (FQDN) and the IP address of that server. You can use the browse button to find the machine in Active Directory and, very nice, there is a button that resolves the IP address for you. But as a good administrator you will have documented everything well and probably know the FQDN and IP address by heart. Still, it is a nice extra feature. A description is optional, as usual.

Note 1: Add your Forefront TMG server itself to this rule as well. Otherwise the traffic falls through to TMG's last default rule, which denies all traffic, including communication from the local host.

Note 2: If you are using an Enterprise array firewall policy, for example on a separate server that may also host a load-balancing function, you should add the FQDNs of the managed TMG servers as well. The enterprise policy pushes this rule to the other TMG servers. You need to do this because an enterprise policy rule is evaluated before any individual TMG array firewall policy.

Note 3: Never use this setup for a TMG server in a DMZ. There are other designs for that purpose, which use certificate-based authentication between agent and management server or a SCOM gateway server.
 
Now that you have created the computer rule elements, select the machines, click the "Add" button and they will appear in the Access Rule Sources screen. With this you told the rule that these computers are trusted as a source for this traffic, the "From" part. Repeat the same steps on the next wizard page, the Access Rule Destinations, which is the "To" part. As you created the computer rule elements before, they are present this time and you only have to select them.

The next step in the wizard is to select a user set for this access rule.
(picture 05) This means that, besides the protocol (port) and the server names, there is an extra check on the users that may use this rule. Now this is rather strange for a great product like TMG, but the default setting in this wizard is the built-in group "All Users". I took a picture of it, which you can see on the left side of this text. This is a potential security hole, keep that in mind! It is possible that an administrator, or someone with delegated rights, leaves a screen open in the server room.
It does not have to be you! Therefore I strongly advise to always create a separate global security group in Active Directory, in a protected container, and select that group as the user set that may use this SCOM agent rule. Do not forget to add the security groups of your co-administrators and SCOM operators to this group as well. As they most likely have more rights in Operations Manager, they probably should have rights on the TMG server as well. Test, and try to find a good compromise in this matter.

So, select a Security Group here, and remove the "All Users" group!

The usual summary screen follows and with one more click you have created your SCOM agent/installation rule. Remember my recommendation above to split this into two rules. Your rule shows up in the console, but it is not active yet. At the top of the Forefront TMG console there is now an "Apply Changes" button. Click it and provide a change description. Make this a habit: it saves other administrators work and it is always clear who did what. A confirmation appears, and only after this is the rule in place and active.
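As an added example, not from the original article: the same two rules, built with PowerShell against the Forefront TMG COM object model (FPC.Root) instead of the wizard, with the installation rule saved disabled and the user set restricted to a dedicated group. The object, method and enumeration names follow the ISA/TMG SDK as I remember them and must be checked against the TMG SDK before use; the host names, IP addresses, protocol names and the user set name are placeholders, and the user set itself is assumed to exist already (created in the console from your AD global security group).

```powershell
# Added example (not part of the original article): build the two TMG access
# rules the article recommends via the Forefront TMG COM object model.
# ASSUMPTIONS: method/property names and enum values follow the ISA/TMG SDK as
# remembered here; verify them against the TMG SDK. Names/IPs are placeholders,
# and the user set $UserSetName is assumed to exist already (Toolbox > Users).

$Tmg        = @{ Name = "tmg01.contoso.local";  Ip = "10.0.0.10" }   # the TMG server itself (Note 1)
$ScomServer = @{ Name = "scom01.contoso.local"; Ip = "10.0.0.20" }   # primary management server
$UserSetName     = "SCOM-TMG-Admins"                            # mapped to an AD group, never "All Users"
$AgentProtocol   = "System Center Operations Manager Agent"     # assumed predefined name (TCP 5723)
$InstallProtocol = "System Center Operations Manager Server"    # assumed predefined name (TCP 5724)

# Enum values from the SDK: FpcPolicyRuleActions, FpcProtocolSelectionType, FpcIncludeStatus
$fpcPolicyRuleActionAllow = 0
$fpcSpecifiedProtocols    = 1
$fpcInclude               = 0

$root  = New-Object -ComObject "FPC.Root"
$array = $root.GetContainingArray()

# 1. Computer rule elements for both servers (skip the ones that already exist)
foreach ($c in @($Tmg, $ScomServer)) {
    $found = @($array.RuleElements.Computers | Where-Object { $_.Name -eq $c.Name })
    if ($found.Count -eq 0) { [void]$array.RuleElements.Computers.Add($c.Name, $c.Ip) }
}

# 2. One allow rule per protocol: From/To both servers, restricted to the user set
function New-ScomAccessRule {
    param([string]$Name, [string]$Protocol, [bool]$Enabled)
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    [void]$rule.AccessProperties.SpecifiedProtocols.Add($Protocol, $fpcInclude)
    foreach ($c in @($Tmg, $ScomServer)) {
        [void]$rule.SourceSelectionIPs.Computers.Add($c.Name, $fpcInclude)                       # "From"
        [void]$rule.AccessProperties.DestinationSelectionIPs.Computers.Add($c.Name, $fpcInclude)  # "To"
    }
    [void]$rule.AccessProperties.UserSets.Add($UserSetName, $fpcInclude)   # instead of the wizard's "All Users"
    $rule.Enabled = $Enabled
    $rule.Save()
    return $rule
}

$agentRule   = New-ScomAccessRule -Name "SCOM Agent (TCP 5723)" -Protocol $AgentProtocol -Enabled $true
$installRule = New-ScomAccessRule -Name "SCOM Agent Install/Update (TCP 5724)" -Protocol $InstallProtocol -Enabled $false

# 3. Audit: no rule that allows either SCOM protocol may still be open to "All Users"
foreach ($r in $array.ArrayPolicy.PolicyRules) {
    try {
        $protos = @($r.AccessProperties.SpecifiedProtocols | ForEach-Object { $_.Name })
        if ($protos -contains $AgentProtocol -or $protos -contains $InstallProtocol) {
            $users = @($r.AccessProperties.UserSets | ForEach-Object { $_.Name })
            if ($users -contains "All Users") { Write-Warning "Rule '$($r.Name)' still allows All Users" }
        }
    } catch { continue }   # non-access rules (publishing rules) have no AccessProperties
}
```

When you need TCP 5724 again for an update, set `$installRule.Enabled = $true` and call `$installRule.Save()`, then disable it the same way afterwards. After `Save()` check in the console that the change has been applied; if an "Apply Changes" button is shown, the apply step with a change description is still required, exactly as with the wizard.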

But we are not done yet....

  • Go to the Operations Manager management server and make sure that the Forefront TMG Management Pack has been imported with all its dependencies satisfied. Make sure you are working with the latest version, to make use of all the default monitoring functionality that SCOM can offer you.
  • Forefront TMG does not support remote (push) installation of the SCOM agent yet, so until this is fixed we have to install the SCOM agent manually on the Forefront TMG server and type in the SCOM Management Group name and the FQDN of the primary management server by hand. Do not forget to apply the correct patches for CU2 (MS KB979257) or CU3 (MS KB2251525).
  • Open services.msc on the Forefront TMG server and stop/start the Forefront TMG Firewall service. This is crucial! It disconnects all current sessions for a brief moment, so pay attention and always do this in a maintenance window. When the service restarts, even your own session will be disconnected.

After these actions data will start to flow. This can take a couple of minutes, by the way. Check the Operations Manager event log on the TMG server and look for the usual confirmation events.
Log on to the management server involved and approve the SCOM agent for the TMG server.

(picture 06)
If the agent does not show up in your Pending Management view or in your Agent Managed view, consider adjusting your security settings for a brief moment. By default, the security setting for manually installed agents is to reject them. I personally always change this setting to "Review new manual agent installations in pending management view", as you can see in the picture on the right. Never use the "Automatically approve new manually installed agents" setting here: any machine with the agent installed that can authenticate to a management server would then become managed without anyone looking at it, which is also a potential security hole. Keep that in mind.
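The manual steps above (port check, manual agent install, firewall service restart, event log check) and the approval on the management server, as an added PowerShell example that is not from the original article. Part A runs in an elevated prompt on the TMG server; Part B runs in the Operations Manager Shell on the management server. The MSI path, management group name, host names and the firewall service name fwsrv are assumptions to adjust, and the pending-action property names should be verified with `Get-AgentPendingAction | Get-Member`.

```powershell
# Added example (not part of the original article). Placeholders: adjust to your
# environment. Written for PowerShell 2.0 as shipped with Windows Server 2008 R2.

# ---------- Part A: on the Forefront TMG server (elevated prompt) ----------
$ManagementGroup  = "MG_CONTOSO"                                # placeholder
$ManagementServer = "scom01.contoso.local"                      # placeholder: primary MS FQDN
$AgentMsi         = "D:\SCOM2007R2\agent\AMD64\MOMAgent.msi"    # placeholder path

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TcpClient connect with a timeout (Test-NetConnection does not exist on 2008 R2)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# If this fails, the TMG access rule or the missing "Apply Changes" step is the first suspect.
if (-not (Test-TcpPort -Server $ManagementServer -Port 5723)) {
    throw "TCP 5723 to $ManagementServer is blocked; fix the TMG access rule before installing."
}

# Manual install: explicit management group and server, no AD integration,
# agent action account = Local System, verbose log for troubleshooting.
$msiArgs = @(
    "/i", "`"$AgentMsi`"", "/qn", "/l*v", "`"$env:TEMP\MOMAgent-install.log`"",
    "USE_SETTINGS_FROM_AD=0",
    "MANAGEMENT_GROUP=$ManagementGroup",
    "MANAGEMENT_SERVER_DNS=$ManagementServer",
    "MANAGEMENT_SERVER_AD_NAME=$ManagementServer",
    "SECURE_PORT=5723",
    "ACTIONS_USE_COMPUTER_ACCOUNT=1",
    "AcceptEndUserLicenseAgreement=1"
)
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "MOMAgent.msi failed with exit code $($p.ExitCode); see the log in $env:TEMP." }

# Apply the cumulative update patch for the agent here (the article names the
# CU2/CU3 KB articles), then restart the firewall service in a maintenance
# window: this drops all current sessions, including your own if it passes TMG.
Restart-Service -Name fwsrv -Force   # service name assumed; verify with Get-Service -DisplayName "*TMG Firewall*"

# Connector events from the agent in the Operations Manager log (source "OpsMgr Connector")
Get-EventLog -LogName "Operations Manager" -Source "OpsMgr Connector" -Newest 10 |
    Select-Object TimeGenerated, EventID, Message | Format-List

# ---------- Part B: Operations Manager Shell on the management server ----------
$ManagementServer = "scom01.contoso.local"   # placeholder (repeated: Part B runs on another host)
$TmgAgent         = "tmg01.contoso.local"    # placeholder: the TMG server's FQDN

Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client -ErrorAction SilentlyContinue
Set-Location "OperationsManagerMonitoring::"
New-ManagementGroupConnection -ConnectionString $ManagementServer | Out-Null
Set-Location $ManagementServer

# Approve only the one server you expect; leave automatic approval switched off.
$pending = Get-AgentPendingAction | Where-Object {
    $_.AgentName -eq $TmgAgent -and $_.AgentPendingActionType -eq "ManualApproval"
}
if ($pending) {
    $pending | Approve-AgentPendingAction
    "Approved manual agent install from $TmgAgent"
} else {
    "No pending manual-install request from $TmgAgent; check the Security setting and the agent's event log."
}
```

The port check runs before the install on purpose: with the TMG rule missing or not yet applied, the MSI still succeeds and the agent simply never shows up, which is the situation the article describes at the end. Filtering on AgentName in Part B is what keeps the approval narrow; approving everything Get-AgentPendingAction returns is automatic approval by another name.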

That's all! This should do the trick. Now you control your Forefront TMG server in your monitored environment as well.
Still no TMG server in your managed servers? Examine your event logs and be so kind to email me the event and your solution; I will add it to this article after verification.


Hope that this article will have helped you a bit further............
Have fun, using System Center Operation Manager!




-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ben Oostdam has been working with Windows systems since 1993. He worked for several companies as a system administrator and is currently a Senior Support Engineer for a large company in the Netherlands specialized in System Center solutions.

Disclaimer: The information contained in this website/article is for general information purposes only. The information is provided as is, by Ben Oostdam and others, and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website you are sometimes able to link to other websites which are not under my control. I have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, I take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control. All entries in these articles, are my individual opinion, or from co-writers, and they don't necessary reflect the opinion of my employer.



 

Wednesday the 16th, October 2019. All rights reserved.. // Oostdam WebDesign