Create-SCOMFirewallRules.ps1
<#############
The below commands are based on the Microsoft Docs for configuring the Firewall for Operations Manager 2019.
https://docs.microsoft.com/en-us/system-center/scom/plan-security-config-firewall?view=sc-om-2019
These commands set up the Windows Firewall on the respective machines for SCOM 2019. Run only the
region that matches the role of the machine you are on; do not run the whole file on every server.
These commands are provided without warranty and should be tested and vetted by your organization before
production deployments.
Port semantics: an outbound rule names its destination port with -RemotePort (the local/source port of an
outbound connection is an ephemeral port, so -LocalPort would never match). An inbound rule names the port
it listens on with -LocalPort. Outbound rules only take effect if the profile's default outbound action is
Block; the Windows default is Allow (check with Get-NetFirewallProfile).
If using a custom SQL Port, make sure to change 1433 to the custom port number.
#############>
<####
Management Servers
####>
#region ManagementServers
## Management Server >> OpsMgr Database (SQL 1433 plus RPC/SMB and the dynamic RPC range)
New-NetFirewallRule `
    -DisplayName "SCOM MS to OpsMgr DB" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433,135,137,445,49152-65535 `
    -Action Allow
## Management Server Interconnection <<>> (both directions on 5723/5724)
New-NetFirewallRule `
    -DisplayName "SCOM MS to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5723,5724 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM MS from MS" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 5723,5724 `
    -Action Allow
## Management Server << Windows Agents and Gateways (health service channel; the agent and gateway
## regions below open the matching outbound rule on the other end)
New-NetFirewallRule `
    -DisplayName "SCOM MS from Agents and Gateways" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 5723 `
    -Action Allow
## Management Server <<>> Network Device (SNMP is UDP: polling goes out to 161, traps come in on 162)
New-NetFirewallRule `
    -DisplayName "SCOM MS to Network Device SNMP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 161 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM Network Device Traps to MS" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 162 `
    -Action Allow
## Management Server >> Reporting Datawarehouse
New-NetFirewallRule `
    -DisplayName "SCOM MS to ReportDW TCP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433,135,445,49152-65535 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM MS to ReportDW UDP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1434,137 `
    -Action Allow
## Management Server ACS Collector << Agent ACS Forwarder (forwarders send audit events to 51909;
## the Windows agent region below opens the matching outbound rule)
New-NetFirewallRule `
    -DisplayName "SCOM ACS Collector from Forwarders" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 51909 `
    -Action Allow
## Management Server ACS Collector >> ACS Database (SQL 1433 TCP, SQL Browser 1434 UDP)
New-NetFirewallRule `
    -DisplayName "SCOM ACS Collector to ACS DB TCP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM ACS Collector to ACS DB UDP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1434 `
    -Action Allow
## Management Server >> Unix/Linux Agent Discovery and Monitoring (WS-Management on 1270)
New-NetFirewallRule `
    -DisplayName "SCOM MS to Unix/Linux Agent" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1270 `
    -Action Allow
## Management Server >> Unix/Linux Agent Install/Upgrade/Remove (SSH)
New-NetFirewallRule `
    -DisplayName "SCOM MS to Unix/Linux SSH" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 22 `
    -Action Allow
## Management Server << Operations Console
New-NetFirewallRule `
    -DisplayName "SCOM MS from Operations Console" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 5724 `
    -Action Allow
## Connected Management Server (Local) >> Connected Management Server (Connected)
## (the connected side is covered by its own inbound 5724 rule above)
New-NetFirewallRule `
    -DisplayName "SCOM Connected Management Servers" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5724 `
    -Action Allow
#endregion
<####
Reporting Server
####>
#region reporting
## Reporting Server >> Management Server
New-NetFirewallRule `
    -DisplayName "SCOM Reporting to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5723,5724 `
    -Action Allow
## Reporting Server >> Reporting Server Datawarehouse (SQL 1433 TCP, SQL Browser 1434 UDP)
New-NetFirewallRule `
    -DisplayName "SCOM Reporting Server to ReportDW TCP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM Reporting Server to ReportDW UDP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1434 `
    -Action Allow
#endregion
<####
Gateway Servers
####>
#region gateway
## Gateway >> Management Server
New-NetFirewallRule `
    -DisplayName "SCOM Gateway to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5723 `
    -Action Allow
## Gateway << Windows Agents (agents behind the gateway connect to it on 5723 in place of a management server)
New-NetFirewallRule `
    -DisplayName "SCOM Gateway from Agents" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 5723 `
    -Action Allow
#endregion
<####
Windows Clients
####>
#region WindowsAgents
## Windows Agent MANUAL Install/Repair/Update >> Management Server or Gateway (health service channel)
New-NetFirewallRule `
    -DisplayName "SCOM Microsoft Monitoring Agent to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5723 `
    -Action Allow
## Windows Agent PUSH Install/Repair/Update <<>> Management Server (RPC/SMB initiated by the MS,
## plus the health service channel back to the MS)
New-NetFirewallRule `
    -DisplayName "SCOM Microsoft Monitoring Agent Push Install Inbound" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 5723,135,137,138,139,445,49152-65535 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM Microsoft Monitoring Agent Push Install Outbound" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5723,135,137,138,139,445,49152-65535 `
    -Action Allow
## Agent Audit Collection Services Forwarder >> Management Server ACS Collector
New-NetFirewallRule `
    -DisplayName "SCOM Agent Audit Collection" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 51909 `
    -Action Allow
## Agentless Exception Monitoring Data >> Client to MS Agentless Exception Monitoring File Share
New-NetFirewallRule `
    -DisplayName "SCOM Agentless Exception Monitoring" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 51906 `
    -Action Allow
## Customer Experience Improvement Program >> Management Server Forwarder
New-NetFirewallRule `
    -DisplayName "SCOM Customer Experience Program" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 51907 `
    -Action Allow
#endregion
<####
Operations Console Servers
####>
#region console
## Operations Console >> Management Group
New-NetFirewallRule `
    -DisplayName "SCOM Console to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5724 `
    -Action Allow
## Operations Console (Reports) >> SQL Reporting Services (use 443 instead if SSRS is configured for HTTPS)
New-NetFirewallRule `
    -DisplayName "SCOM Operations Console Reports" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 80 `
    -Action Allow
## Operations Console >> Catalog Web Service
New-NetFirewallRule `
    -DisplayName "SCOM Console to Web Catalog" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 443 `
    -Action Allow
#endregion
<###
Web Console Server
###>
#region WebConsole
## Web Console Server >> Management Server
New-NetFirewallRule `
    -DisplayName "SCOM Web Console to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 5724 `
    -Action Allow
## Web Console Browser >> Web Console Server
## On the Web Console Server itself this is an inbound rule on 80/443.
New-NetFirewallRule `
    -DisplayName "SCOM Web Console Server from Browsers" `
    -Group "SCOM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 80,443 `
    -Action Allow
## User machines that browse to the Web Console Server only need this outbound rule
## if their profile's default outbound action is Block.
New-NetFirewallRule `
    -DisplayName "SCOM Browser to Web Console Server" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 80,443 `
    -Action Allow
## Web Console for Application Diagnostics >> OpsMgr DB (SQL 1433 TCP, SQL Browser 1434 UDP)
New-NetFirewallRule `
    -DisplayName "SCOM Web Console App Diag to OpsMgr DB TCP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM Web Console App Diag to OpsMgr DB UDP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1434 `
    -Action Allow
## Web Console for App Advisor >> Reporting DB (SQL 1433 TCP, SQL Browser 1434 UDP)
New-NetFirewallRule `
    -DisplayName "SCOM Web Console App Advisor to Report DB TCP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 1433 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "SCOM Web Console App Advisor to Report DB UDP" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1434 `
    -Action Allow
#endregion
<###
Third-Party Connector Server
###>
#region 3PConnectors
## Connector Framework >> Management Server
New-NetFirewallRule `
    -DisplayName "SCOM Connector Framework to MS" `
    -Group "SCOM" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 51905 `
    -Action Allow
#endregion
### Verify rules were created: list each SCOM rule with the ports it actually filters on,
### so a -LocalPort/-RemotePort mix-up on an outbound rule is visible here rather than in production.
Get-NetFirewallRule -Group "SCOM" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemotePort = ($port.RemotePort -join ',')
        Enabled    = $_.Enabled
    }
} | Format-Table -AutoSize
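The rules above allow the SCOM ports from and to any address on every firewall profile. As an added example that is not part of the original script or of the Microsoft documentation, the Management Server region is rebuilt below as a data-driven, idempotent variant that scopes each rule to the Domain profile and to the specific peers it needs (SQL hosts, agent subnets, admin workstations), and then reads back the port and address filters so that what was written can be compared with the Microsoft table. The IP addresses and subnets are placeholders (assumptions) and must be replaced with the real hosts in your environment; the display names are likewise chosen for this example.

```powershell
# Added example, not the original script: scoped, idempotent Management Server rules.
# All addresses below are hypothetical placeholders for this example.
$OpsMgrDb   = '10.0.10.20'      # assumed OperationsManager SQL host
$ReportDw   = '10.0.10.21'      # assumed Data Warehouse SQL host
$AgentNets  = '10.0.0.0/16'     # assumed subnet(s) where Windows agents and gateways live
$ConsoleNet = '10.0.50.0/24'    # assumed admin workstation subnet for the Operations Console
$Group      = 'SCOM'

# 1. Outbound rules only matter when the profile blocks outbound by default; show that first.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. One entry per row of the Microsoft firewall table for this role.
#    Remote = destination (outbound) or source (inbound) addresses the rule is limited to.
$rules = @(
    @{ Name = 'SCOM MS to OpsMgr DB TCP';      Dir = 'Outbound'; Proto = 'TCP'; Port = '1433','135','445','49152-65535'; Remote = $OpsMgrDb }
    @{ Name = 'SCOM MS to OpsMgr DB UDP';      Dir = 'Outbound'; Proto = 'UDP'; Port = '137';                            Remote = $OpsMgrDb }
    @{ Name = 'SCOM MS to ReportDW TCP';       Dir = 'Outbound'; Proto = 'TCP'; Port = '1433','135','445','49152-65535'; Remote = $ReportDw }
    @{ Name = 'SCOM MS to ReportDW UDP';       Dir = 'Outbound'; Proto = 'UDP'; Port = '1434','137';                     Remote = $ReportDw }
    @{ Name = 'SCOM MS from Agents/Gateways';  Dir = 'Inbound';  Proto = 'TCP'; Port = '5723';                           Remote = $AgentNets }
    @{ Name = 'SCOM MS from Consoles';         Dir = 'Inbound';  Proto = 'TCP'; Port = '5724';                           Remote = $ConsoleNet }
    @{ Name = 'SCOM MS SNMP Polling';          Dir = 'Outbound'; Proto = 'UDP'; Port = '161';                            Remote = 'Any' }
    @{ Name = 'SCOM MS SNMP Traps';            Dir = 'Inbound';  Proto = 'UDP'; Port = '162';                            Remote = 'Any' }
    @{ Name = 'SCOM MS to Unix/Linux Agents';  Dir = 'Outbound'; Proto = 'TCP'; Port = '1270','22';                      Remote = $AgentNets }
)

# 3. Idempotent: remove whatever an earlier run left in the group, then recreate every rule.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    $params = @{
        DisplayName   = $r.Name
        Group         = $Group
        Direction     = $r.Dir
        Protocol      = $r.Proto
        Action        = 'Allow'
        Profile       = 'Domain'    # domain-joined servers: do not expose these on Public/Private
        RemoteAddress = $r.Remote
    }
    # The service port is -RemotePort for outbound rules and -LocalPort for inbound rules.
    if ($r.Dir -eq 'Outbound') { $params.RemotePort = $r.Port } else { $params.LocalPort = $r.Port }
    New-NetFirewallRule @params | Out-Null
}

# 4. Read back what was written: ports, remote scope and profile per rule, not just that it exists.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemotePort = ($port.RemotePort -join ',')
        Remote     = ($addr.RemoteAddress -join ',')
        Profile    = $_.Profile
    }
} | Format-Table -AutoSize
```

Run this in an elevated PowerShell session on the management server only. The read-back table is the check worth keeping: an outbound rule whose RemotePort column shows Any and whose LocalPort column shows the SQL port is the -LocalPort mistake, and a rule whose Remote column shows Any where a SQL host was intended is a scoping gap.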