Some Server 2008 Windows Firewall rules needed to install OpsMgr R2

kevinhol — Tue, 02 Jun 2009 02:03:03 GMT

I recently rebuilt a POC environment all on Server 2008, and SQL 2008.

Out of the box – the R2 install is a bit rocky – because of the Windows Firewall enabled on Server 2008 by default.

These required custom firewall rules are documented on the supported configuration guide…. located at http://technet.microsoft.com/en-us/library/bb309428.aspx

I just want to provide a little context around them.

My three servers are OMRMS, OMDB, and OMDW.

OMRMS – Root Management Server

OMDB – OperationsManager database role with SQL 2008 Database Services.

OMDW – OperationsManagerDW database role, Reporting Role, with SQL 2008 Database Services and Reporting Services

First off – during the install of the RMS, it will fail to locate the SC database. This is because it tries to contact the SQL database server on OMDB over port 1433, and this is blocked by the Windows Firewall on OMDB. To resolve – I need to allow the SQL server program access through the firewall:

I create a new rule – called “Custom - SQL DB Engine Program” and choose rule type of program – and give it the path to SQLServer.exe – in my case: E:\Program Files\Microsoft SQL Server\MSSQL10.I01\MSSQL\Binn\sqlservr.exe

In addition – I am using a named instance of SQL. When we use a named instance of SQL, the DB Engine instance will not use port 1433 by default. It will pick a random port and assign it to the DB engine instance. When clients connect to this instance – they do not know this random port…. therefore – they can leverage the SQL broker service – which will communicate the random port to the SQL client for communication.

Therefore – I need another rule on the firewall of the SQL server: this time a port based rule – allowing 1434 UDP.

Here is a screenshot of my two access rules:

Now – the RMS install is able to locate the SC database – and we continue.

Next up – I perform the reporting install on OMDW. I install the DW and the Reporting server roles here. The install goes fine. However – the RMS starts logging the following events:

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          6/1/2009 5:08:19 PM
Event ID:      31551
Task Category: Data Warehouse
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OMRMS.opsmgr.net
Description:
Failed to store data in the Data Warehouse. The operation will be retried.
Exception 'SqlException': A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)

One or more workflows were affected by this.

Workflow name: Microsoft.SystemCenter.DataWarehouse.CollectEventData
Instance name: OMRMS.opsmgr.net
Instance ID: {E61C0DD2-AB2A-4CFA-D252-37B84BCF9A83}
Management group: PROD1

This is because the RMS cannot contact SQL on the data warehouse SQL server. Therefore – I need to add the same two firewall rules on OMDW that I enabled on OMDB…. to allow remote SQL connections.

Now – I have installed the RMS, and I have installed reporting into the management group. However – when I click on “Reporting” in the SCOM console – I get the following error:

Date: 6/1/2009 5:16:31 PM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Error
Message: Loading reporting hierarchy failed.

System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.10.10.7:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ReportingService.ReportingService2005.ListChildren(String Item, Boolean Recursive)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ManagementGroupReportFolder.GetSubfolders(Boolean includeHidden)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ManagementGroupReportFolder.GetSubfolders()
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingSubtree(TreeNode node, ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTree(ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTreeJob(Object sender, ConsoleJobEventArgs args)
System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.10.10.7:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)

See the bolded blue part above. The console is not able to establish a connection to the HTTP reporting server address.

Additionally – you will see the following in the RMS event log:

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          6/1/2009 5:40:22 PM
Event ID:      31569
Task Category: Data Warehouse
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OMRMS.opsmgr.net
Description:
Report deployment process failed to request management pack list from SQL RS Server. The operation will be retried.
Exception 'WebException': Unable to connect to the remote server

One or more workflows were affected by this.

Workflow name: Microsoft.SystemCenter.DataWarehouse.Deployment.Report
Instance name: OMRMS.opsmgr.net
Instance ID: {E61C0DD2-AB2A-4CFA-D252-37B84BCF9A83}
Management group: PROD1

This is all due to the fact that the Windows Firewall is blocking port 80 (HTTP) by default. We need to open another access rule – for TCP port 80 for this:

Now – I go ahead and open it for TCP 80, and TCP 443, since I might lock this down using SSL in the future.

Once the HTTP rule is enabled on the Reporting server role – the RMS almost immediately throws the following events:

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          6/1/2009 5:51:42 PM
Event ID:      31570
Task Category: Data Warehouse
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      OMRMS.opsmgr.net
Description:
Report deployment process successfully requested management pack list from SQL RS Server

One or more workflows were affected by this.

Workflow name: Microsoft.SystemCenter.DataWarehouse.Deployment.Report
Instance name: OMRMS.opsmgr.net
Instance ID: {E61C0DD2-AB2A-4CFA-D252-37B84BCF9A83}
Management group: PROD1

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          6/1/2009 5:52:27 PM
Event ID:      31568
Task Category: Data Warehouse
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      OMRMS.opsmgr.net
Description:
Reporting components successfully deployed

One or more workflows were affected by this.

Workflow name: Microsoft.SystemCenter.DataWarehouse.Deployment.Report
Instance name: OMRMS.opsmgr.net
Instance ID: {E61C0DD2-AB2A-4CFA-D252-37B84BCF9A83}
Management group: PROD1

A quick check of the Reporting tab of the console now yields:

And I wait an hour or so – and go back to the RMS – and make sure the RMS OperationsManager event log is clean – before doing anything else to the management group.

Kevin Holman's OpsMgr Blog : firewall

Some Server 2008 Windows Firewall rules needed to install OpsMgr R2