Firewall required ports for SCOM 2016

This section describes how to configure your firewall to allow communication between the different Operations Manager features on your network.

Port assignments

The following table shows Operations Manager feature interaction across a firewall, including information about the ports used for communication between the features, which direction to open the inbound port, and whether the port number can be changed.

Operations Manager Feature A | Port Number and Direction | Operations Manager Feature B | Configurable | Note
management server | 1433 ---> | Operations Manager database | Yes (Setup) |
management server | 5723, 5724 ---> | management server | No | Port 5724 must be open to install this feature and can be closed after this feature has been installed.
management server | 161, 162 <---> | network device | No | All firewalls between the management server and the network devices need to allow SNMP (UDP) and ICMP bi-directionally.
gateway server | 5723 ---> | management server | No |
management server | 1433 ---> | Reporting data warehouse | No |
Reporting server | 5723, 5724 ---> | management server | No | Port 5724 must be open to install this feature and can be closed after this feature has been installed.
Operations console | 5724 ---> | management server | No |
Connector framework source | 51905 ---> | management server | No |
web console server | Web site port ---> | management server | No |
web console browser | 51908 ---> | web console server | Yes (IIS Admin) | Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager web console web site.
connected management server (Local) | 5724 ---> | connected management server (Connected) | No |
Windows agent installed using MOMAgent.msi | 5723 ---> | management server | Yes (Setup) |
Windows agent installed using MOMAgent.msi | 5723 ---> | gateway server | Yes (Setup) |
Windows agent push installation, pending repair, pending update | 5723/TCP, 135/TCP, 137/UDP, 138/UDP, 139/TCP, 445/TCP, *RPC/DCOM High ports (2008 OS and later) Ports 49152-65535 | | |
UNIX/Linux agent discovery and monitoring of agent | TCP 1270 <--- | management server or gateway server | No |
UNIX/Linux agent for installing, upgrading, and removing agent using SSH | TCP 22 <--- | management server or gateway server | Yes |
gateway server | 5723 ---> | management server | Yes (Setup) |
Agent (Audit Collection Services forwarder) | 51909 ---> | management server Audit Collection Services collector | Yes (Registry) |
Agentless Exception Monitoring data from client | 51906 ---> | management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) |
Customer Experience Improvement Program data from client | 51907 ---> | management server (Customer Experience Improvement Program End Point) | Yes (Client Monitoring Wizard) |
Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses Port 80 to connect to the SQL Reporting Services web site.
Reporting server | 1433 ---> | Reporting data warehouse | Yes |
management server (Audit Collection Services collector) | 1433 ---> | Audit Collection Services database | Yes |
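
One way to apply the management server rows of the table on the host firewall with source scoping, as an added example that is not part of the original article or of Microsoft's documentation. It assumes Windows Defender Firewall on the management server is the enforcement point; the rule names, the group name, the helper function names and every address are constructed placeholders.

```powershell
# Added example. Run elevated on the management server.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).
$Group          = 'SCOM 2016 (example)'
$AgentSources   = @('192.0.2.0/24', '198.51.100.20')  # agents, gateways, reporting server
$ConsoleSources = @('198.51.100.10')                  # Operations console workstations
$SetupSources   = @('198.51.100.20')                  # reporting/management server being installed

$rules = @(
    @{ Name = 'SCOM 5723 from agents and servers'; Port = 5723; Remote = $AgentSources }
    @{ Name = 'SCOM 5724 from Operations consoles'; Port = 5724; Remote = $ConsoleSources }
    @{ Name = 'SCOM 5724 setup only';               Port = 5724; Remote = $SetupSources }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist from a previous run.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $r.Remote -Profile Domain | Out-Null
}

# The table says 5724 is needed between servers only while the feature is
# being installed, so that rule is disabled once setup has completed.
function Close-ScomSetupRule {
    Disable-NetFirewallRule -DisplayName 'SCOM 5724 setup only'
}

# Review what is actually open, and from where.
function Get-ScomRuleSummary {
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

Get-ScomRuleSummary | Format-Table -AutoSize
```

Any broader allow rule that already exists for the same ports still applies, so check the summary against the full rule set before relying on the scoping. Perimeter firewalls between the features need the equivalent rules.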

If SQL Server 2014 Service Pack 2 or SQL Server 2016 is installed with a default instance, the port number is 1433. If SQL Server is installed with a named instance, by default it is configured with a dynamic port. To identify the port, do the following:

  1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <instance name>, and then double-click TCP/IP.
  2. In the TCP/IP Properties dialog box, on the IP Addresses tab, note the port value for IPAll.
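
The same IPAll value can be read from the registry on the SQL Server host, which is useful when checking many instances against the firewall rules. This is an added example, not part of the original article; the function name and the instance name in the usage line are hypothetical.

```powershell
# Added example. Run on the SQL Server host.
function Get-SqlInstanceTcpPort {
    param(
        [Parameter(Mandatory)]
        [string]$InstanceName   # e.g. 'MSSQLSERVER' for a default instance
    )

    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # Map the instance name to its instance ID (for example MSSQL13.<name>).
    $map = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop
    $id  = $map.$InstanceName
    if (-not $id) {
        throw "SQL Server instance '$InstanceName' was not found on this host."
    }

    # IPAll holds the values shown on the IP Addresses tab of TCP/IP Properties.
    $ipAll = Get-ItemProperty -Path "$root\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"

    [pscustomobject]@{
        Instance      = $InstanceName
        StaticPort    = $ipAll.TcpPort
        DynamicPort   = $ipAll.TcpDynamicPorts
        # A configured static port takes precedence over the dynamic one.
        EffectivePort = if ($ipAll.TcpPort) { $ipAll.TcpPort } else { $ipAll.TcpDynamicPorts }
        IsDynamic     = -not [bool]$ipAll.TcpPort
    }
}

# 'SCOMDB' is a hypothetical named instance.
Get-SqlInstanceTcpPort -InstanceName 'SCOMDB'
```

When IsDynamic is true the port can change after a service restart, so a firewall rule written for today's value can go stale; assigning a static port to the instance avoids that.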

If you plan on deploying the Operations Manager databases on a SQL Server configured with an Always On Availability Group or migrate after installation, do the following to identify the port:

  1. In Object Explorer, connect to a server instance that hosts any availability replica of the availability group whose listener you want to view. Click the server name to expand the server tree.
  2. Expand the Always On High Availability node and the Availability Groups node.
  3. Expand the node of the availability group, and expand the Availability Groups Listeners node.
  4. Right-click the listener that you want to view, and select the Properties command. This opens the Availability Group Listener Properties dialog box.

Install SCOM agent to monitor servers

Learn how to install SCOM agent to monitor servers 

So we have the SCOM 2016 environment ready and the MPs (management packs) imported and tuned; the next step is to add the pilot servers to be monitored.

To install the agent on remote servers using the push option from the console, we need a user with AD rights for discovery and rights on the target server to install the agent, and of course the firewall ports must be open :) See this article: Firewall required ports for SCOM 2016
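
A pre-flight check for the push-install ports before starting the Discovery Wizard, as an added example that is not part of the original post. It assumes it is run on the management server that performs the push; the function name and the target host name are hypothetical.

```powershell
# Added example. Run on the management server that will push the agent.
function Test-ScomPushPorts {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # TCP ports from the push-installation row of the port table.
        [int[]]$TcpPort = @(135, 139, 445)
    )

    foreach ($computer in $ComputerName) {
        foreach ($port in $TcpPort) {
            $result = Test-NetConnection -ComputerName $computer -Port $port `
                -WarningAction SilentlyContinue

            [pscustomobject]@{
                Target        = $computer
                RemoteAddress = $result.RemoteAddress
                Port          = $port
                Reachable     = $result.TcpTestSucceeded
            }
        }
    }
}

# 'pilot01.example.test' is a constructed placeholder for a pilot server.
$report = Test-ScomPushPorts -ComputerName 'pilot01.example.test'
$report | Format-Table -AutoSize

# Blocked ports to raise with the firewall team before the push.
$report | Where-Object { -not $_.Reachable }
```

A TCP connect test cannot confirm UDP 137/138 or the RPC/DCOM high port range (49152-65535); those need to be checked against the firewall rule set. Port 5723 is used in the other direction, from the installed agent to the management server, so test it from the target.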

1. Go to console Administration --> Device Management --> Discovery Wizard

SCOM_Discovery_wizard

2. Discover Windows computers

SCOM_Discovery_windows_computers

3. Select Advanced discovery; I don't want to see hundreds of servers at this stage

SCOM_Discovery_advanced

4. Select specific servers

SCOM_Discovery_advanced_AD

5. Add user with rights on tetra servers

SCOM_Discovery_account_install_agent

6. Select discovered servers

 SCOM_Discovery_select_servers

7. Happy with local system

SCOM_Discovery_finish

8. The agent was installed successfully

SCOM_Discovery_install_agent_success

9. For a few minutes we have the confirmation but no data 

SCOM_Discovery_managed-servers

After just 5 minutes:

SCOM_Discovery_managed-servers_ready

Easy, no :)

 

Update SCOM 2016 installed MP

How to update SCOM 2016 MP (management pack)

It's always recommended to install the latest management packs (MP) and in SCOM 2016 it's actually very easy :)

1. To update all installed MPs, go to console Administration --> Management Packs --> Updates and Recommendations

SCOM_update_MP

2. Get MP

SCOM_update_Get_MP

 

3. Install latest MP

SCOM_update_install_MP

SCOM_update_MP_finished

4. Continue and update all others

Tune MP (management packs) in SCOM 2016


Probably the most important skill in SCOM is learning to tune/override MPs. Out of the box, any MP has monitors and rules preconfigured for a standard configuration and environment; some are turned on, some are turned off, and you can override parameters like disk space alerts, disk latency, etc. You will soon discover that you are not happy with some of the configuration, and the next step will be to tune your MP. The golden rule is to keep the original MP clean and save your overrides in a new MP.

Before you start, remember this article: Import SCOM 2016 MP (management pack), which describes what is in an MP and what can be configured. Please document every change you make. In today's example I will override the SCCM MP and stop the alerts for the Intune Connector; in this environment Intune is not used.

1. Unnecessary alert

SCOM_Tune_MP_Alert

2. Create a new MP where we will save the new SCCM MP overrides

2.1 Go to Console -> Administration -> Management Packs -> Create Management pack

SCOM_Tune_MP_New_MP

2.2 New MP general properties

SCOM_Tune_MP_New_MP_general

SCOM_Tune_MP_SCCM

3. Let's override; our issue is a monitor for the Intune site role

SCOM_Tune_MP_Alert2

3.1 To do the override, go to Console -> Authoring -> Management Pack Objects -> Monitors and look for Intune

 SCOM_Tune_MP_SCCM_Intune_Monitor

3.2 In this case I will override/disable this monitor for all objects, but for another configuration, say a file server where you want to increase the level for a free space warning, you can select only one server or a file server group.

 SCOM_Tune_MP_SCCM_Intune_Monitor_Disable

3.3 Double-check that this is what we want to override by going to Show Monitor Properties

SCOM_Tune_MP_SCCM_Intune_Monitor_Properties

3.4 By default it is enabled; Effective Value is True

SCOM_Tune_MP_SCCM_Intune_Monitor_True

3.5 After you apply the setting, you can see that the Effective Value is now disabled

SCOM_Tune_MP_SCCM_Intune_Monitor_Disable3

3.6 You can see the override in Overrides tab

SCOM_Tune_MP_SCCM_Intune_Monitor_Disable4

Wasn't difficult, no :) ?

Import SCOM 2016 MP (management pack)


Congrats, you have just finished installing SCOM 2016; now it's time to talk about MPs (management packs). But first of all, what is a Management Pack (MP)? A SCOM management pack is a collection of discovery rules, monitors, performance counters, monitoring rules, dashboards, etc. for a specific technology. How does it work? After you install a management pack, say the Windows Server 2012 Management Pack (MP) for SCOM 2016, each agent installed on a monitored server downloads the discovery rules and runs them against its host. If it discovers that the technology is present, it then downloads all the monitors and rules, for example available memory, available space, CPU usage, etc.

A good way to learn what is inside an MP is to go to http://mpwiki.viacode.com/default.aspx?g=forum&c=1, read all the details, and download the Excel file with the Management Pack Inventory for Windows Server 2012 R2 http://mpwiki.viacode.com/default.aspx?g=posts&t=219796, or download from here an example of an MP: Windows Server Operating System.xlsx

SCOM_MP_inventory

From my experience, the golden rule after you have installed SCOM 2016:

- Don't install any agent on servers yet

- Make a list with required Management Packs

Stage 1:

- Always start with the Windows Server Management Pack. Check in the Management Pack inventory what is included by default and choose what is best for you; keep the Excel file and highlight changes/overrides

- After tuning the MP, install a few clients and for a few days or weeks check the level of alerts, information, etc.

- If you are happy, add more servers and keep an eye on the noise level in the SCOM console, dashboards, etc. If necessary, retune your MP

- Finish adding all Windows servers

Stage 2:

- After your foundation is stable, you can follow the same procedure to add and tune other SCOM 2016 MPs like AD, DHCP, DNS, Exchange, HP server hardware, etc.

- Add them one by one, wait to see good results, and continue with the next one

Scenario:

If you want to monitor your CRM as a distributed application, it will rely on these Management Packs:

- Hardware MP for Dell * See details from the hardware level like coolers, power sources, temperature, HDD health, etc.

- OS level * See details from your OS, Windows health and performance

- Custom monitors for a specific process

- IIS MP * Details from IIS activity

- .NET MP * Check the .NET code, code performance and errors, etc.

- Java or custom MP for different apps

- Configure a probe to check website availability and performance

- SQL MP * All the details about your DB performance, information, alerts, warnings, backups, etc.

- Networking level * Custom or standard MP for Cisco, HP, etc. Monitor the network hardware involved in your CRM environment.

- Storage level * MP for SAN, NAS, Linux server, etc.

At the end, with just one icon on your dashboard you can see the health of your CRM environment.

 

Now let's import our first MP, the Windows Server Management Pack. In my environment a proxy is configured (see How to configure SCOM to use Proxy), so I can download from the console instead of doing an offline installation from the Microsoft Catalog.

1. Go to Console --> Administration --> Management Pack --> Import Management Packs

SCOM_Import_MP

2. Add MP

SCOM_Import_MP_Add

3. Select MP

SCOM_Select_MP

4. Install the Windows Server 2012 R2 MP

SCOM_Import_MP_Resolve

SCOM_Import_MP_Resolve2

SCOM_Import_MP_Resolve3

 

5. Installation finished

SCOM_Import_MP_Finished

6. Check that the Windows SCOM MP is installed

SCOM_MP_Windows_Installed

We have finished installing our first MP

Now it is time to check the MP and tune the Windows 2012 R2 MP