Communications
As you can see in Figure 3.4, MOM uses a variety of communications methods that are optimized for security and efficiency. Notice that the communication method between the management server and the agent differs depending on the direction of the communication. This has important ramifications for firewall support and security, which we will discuss later in this section.
Figure 3.4 Component communications protocols and ports.
For the Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) protocols, RPC uses Transmission Control Protocol (TCP) port 135, and DCOM uses a nightmarish combination of TCP and User Datagram Protocol (UDP) ports and connections.
DCOM is particularly troublesome for firewall access because it dynamically assigns ports to processes. By default, it freely assigns TCP and UDP ports ranging from 1024 to 65535, which makes it difficult to pass DCOM traffic securely across a firewall. In addition, new connections are established when responding to a client, meaning that the port the client used for the request is not the same as the port used for the response. Also, DCOM does not support Network Address Translation (NAT), which is among the more common methods of configuring a firewall. You can configure DCOM to use only TCP, restrict the ports the client and server use, and open up the firewall just enough to get the communications through. However, the bottom line is that these actions seriously compromise the security of your firewall and the communications across it.
In keeping with its commitment to the Trustworthy Computing Initiative, Microsoft does not support communications requiring RPC/DCOM across a firewall. Communications that use a fixed, standard TCP port that can be secured properly across a firewall, such as agent-to-management server communication, are supported. Table 3.1 lists the various connections, their communications method, and their firewall supportability.
Table 3.1. Communications and Firewall Compatibility

| From | To | Firewall? | Port, Protocol, or Remark |
| --- | --- | --- | --- |
| Agent | Management server | YES | TCP/UDP port 12701 |
| Management server | Agent | NO | RPC (TCP Port 135) and DCOM Ports (TCP/UDP 1024-65535) |
| Management server | Agentless | NO | RPC (TCP Port 135) and DCOM Ports (TCP/UDP 1024-65535) |
| Administrator console | Management server | NO | RPC (TCP Port 135) and DCOM Ports (TCP/UDP 1024-65535) |
| Operator console | Management server | NO | RPC (TCP Port 135) and DCOM Ports (TCP/UDP 1024-65535) |
| Reporting console | Reporting database | YES | HTTP Port 80 or HTTPS Port 443 |
| Web console | Management server | YES | TCP port 1272 |
| Management server | Operations database | YES | OLEDB Tunneling, port 14332 |
| MOM-to-MOM connector | MOM-to-MOM connector | YES | TCP Port 1271 |
| Connector | Third-party application | YES | TCP Port 1271 |
| Operations database | Reporting database | NO | DTS (TCP Port 1433) |
Notice that the agent-to-management server communication method is supported over a firewall, but the management server-to-agent communication method is not. The process of "push" installing agents on managed computers requires RPC and DCOM, whereas the monitoring and rules distribution use a secure TCP port. The downside of this is that if you want to manage an agent on the other side of a firewall, you will have to manually install the agent. Thereafter, the agent will securely initiate the communications. Also, note that managing agentless computers across a firewall is not supported, due to the RPC/DCOM requirements.
The port used by the management server for communicating with agents (12701 by default) is easily configurable on a per-management-server basis. This is also true for the connector port (1271) and the Web console port (1272). You can change the other ports with varying degrees of difficulty.
As Table 3.1 attests, most of the key MOM 2005 communications, such as agent and connector traffic, are supported across a firewall, making MOM 2005 a flexible product that can centrally manage your entire enterprise.