When you want to manage and monitor an ISA server, you need to install the OpsMgr agent.
However, there is no guide published for the OpsMgr 2007 ISA MP; it ships with the MOM 2005 guide. In ISA there was a system policy you could enable for MOM, which opened the ports the MOM agent needed to communicate with a management server. Those ports have changed in OpsMgr, yet there seems to be no guidance on how to manage an ISA box with SCOM.
I will document the steps necessary:
When you install an OpsMgr agent on an ISA server, you will see the following event in the event log when the agent starts:
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21006
Time: 11:05:36 AM
The OpsMgr Connector could not connect to OMRMS:5723. The error code is 10065L(A socket operation was attempted to an unreachable host.
). Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.
There is the problem! We DO have a firewall blocking the traffic.
The OpsMgr agent needs to be able to communicate outbound to a management server over TCP 5723. All agent communication, including heartbeats, uses this port. Therefore, we need an access rule to allow this traffic:
1. Create a new access rule. Give it a name according to your corporate ISA rule naming standards. Click Next:
2. Choose "Allow" and click Next.
3. On Protocols, click "Add", then "New", then "Protocol". Give this new protocol a name, such as "OpsMgr Agent tcp_5723".
4. On the "New Protocol Definition Wizard" screen, click "New" and fill out the boxes. We want TCP, Outbound, and port 5723. Then click OK.
5. Click Next, No secondary connections, and then click Finish.
6. Find your new protocol under User Defined, and click "Add", then Close, then Next.
7. On the access rule sources - we want FROM "Localhost", which is located under the "Networks" object:
8. On the "Access Rule Destinations" - we want the IP addresses of all possible OpsMgr management servers/gateways that this ISA will report to, or fail over to. For this example, I am using the "Internal" network object, which includes all internally defined IP subnets:
9. Accept the default settings for "All Users", click Next, then Finish, then apply this new rule to the firewall configuration.
You should no longer see Event ID 21006 after bouncing the HealthService on the ISA server. However, in order to support mutual authentication, you might still need to configure certificates, or rules allowing AD communications if the ISA server is a member of the same forest as the OpsMgr servers.
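As an added check that is not part of the original post: run this on the ISA server itself after applying the rule (ISA filters the Local Host network, so the test exercises the new access rule). It tests outbound TCP 5723 to each management server or gateway name you supply (the names below are placeholders) and lists any 21006 events the connector has logged since the rule was applied, so a rule that is still blocking shows up in both places.

```powershell
# Placeholder management server / gateway names - replace with your own (include failover targets)
$ManagementServers = @('OMRMS.corp.example', 'OMMS02.corp.example')
$AgentPort = 5723

function Test-OpsMgrPort {
    param([string[]]$Servers, [int]$Port = 5723, [int]$TimeoutMs = 3000)
    foreach ($server in $Servers) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = New-Object PSObject -Property @{ Server = $server; Port = $Port; Reachable = $false; Detail = '' }
        try {
            # BeginConnect + WaitOne bounds the wait; a silent firewall drop otherwise hangs for the full TCP timeout
            $ar = $client.BeginConnect($server, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)      # throws if the host refused or was unreachable
                $result.Reachable = $true
            } else {
                $result.Detail = "no response within $TimeoutMs ms (typical of a firewall drop)"
            }
        } catch {
            $result.Detail = $_.Exception.Message
        } finally {
            $client.Close()
        }
        $result
    }
}

function Get-OpsMgr21006 {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Event 21006, source "OpsMgr Connector", is written to the Operations Manager log (see the event text above)
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 21006 } |
        ForEach-Object {
            # Pull the unreachable endpoint (host:port) and the Winsock error code out of the message text
            $m = [regex]::Match($_.Message, 'could not connect to (?<ep>\S+?)\. The error code is (?<code>\d+)')
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                Endpoint  = $m.Groups['ep'].Value
                ErrorCode = $m.Groups['code'].Value   # 10065 = host unreachable, as in the event shown above
            }
        }
}

Test-OpsMgrPort -Servers $ManagementServers -Port $AgentPort | Format-Table Server, Port, Reachable, Detail -AutoSize
Get-OpsMgr21006 | Format-Table Time, Endpoint, ErrorCode -AutoSize
```

Every server should report Reachable = True and the second table should be empty once the rule is in place; a 21006 event naming a host that is not in your destination set means a failover target was left out of the rule.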