OpsMgr 2007: Port requirements for SCOM agents in a DMZ

Here’s another interesting issue I came across the other day that I thought I would share with you just in case you happen to find yourself in a similar situation. Hopefully if you do then this will help you get all this working the way it should.

Scenario:    An RMS in a parent domain and client agents that are domain controllers in a child domain in a DMZ. 

The manual agent install goes fine on the clients, but the agents never appear in the Operations console despite the "Review new manual agent installations in pending management view" and "Auto-approve new manually installed agents" settings under Settings > Security > General.

The following event shows up on the agents:

Event Type:          Error
Event Source:       OpsMgr Connector
Event Category:    None
Event ID:              20070
Computer:            DC
Description:          The OpsMgr Connector connected to <domain>, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

This event shows up on the server:

Event Type:          Error
Event Source:       OpsMgr Connector
Event Category:    None
Event ID:              20002
Description:          A device at IP <addr> attempted to connect but could not be authenticated, and was rejected.

None of the agents show up in any of the following tables under Opsmgrdb:


The following PowerShell command returns nothing:


The product documentation does not talk much about this scenario other than having port 5723 open from the agent to the server:


Regardless, what I’ve found is that we also need to have port 88 and port 389 open between the agent and the RMS if they’re separated by a firewall. This has worked for me just about every time I’ve found myself in this situation.

Hope this helps,

Rohit Kaul
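As an added check that is not part of the original post: the PowerShell below, run on the DMZ agent, tests name resolution of the RMS and TCP reachability of the three ports the post names (5723, 88 and 389), and run on the RMS with -AgentIp it tests the reverse lookup of the agent that one of the comments below points to. The RMS FQDN and agent IP are placeholders, and it sticks to .NET TcpClient so it works on the PowerShell 2.0 that ships with the OS versions OpsMgr 2007 runs on.

```powershell
# Added example (not from the original post). Run on the DMZ agent to test the
# agent -> RMS path, or on the RMS with -AgentIp to test the reverse lookup.
# $RmsFqdn and $AgentIp are placeholders: replace them with your own values.
param(
    [string]$RmsFqdn   = "rms.parent.example.local",   # placeholder RMS name
    [string]$AgentIp   = "",                           # placeholder, optional
    [int]   $TimeoutMs = 3000
)

# Ports the post says must be open from the agent toward the RMS
# (88 is Kerberos and 389 is LDAP; only their TCP listeners are tested here,
# UDP 88 is not covered by a TcpClient connect).
$Ports = @{ 5723 = "OpsMgr channel"; 88 = "Kerberos"; 389 = "LDAP" }

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # BeginConnect + WaitOne gives a connect timeout on PowerShell 2.0,
    # which has no Test-NetConnection. A closed or filtered port returns $false.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if ($AgentIp) {
    # RMS side: a 20002 "could not be authenticated" event with working ports can
    # be the RMS failing to map the agent's IP back to a FQDN (see Roberto's comment).
    try { "Reverse lookup of $AgentIp -> " + [System.Net.Dns]::GetHostEntry($AgentIp).HostName }
    catch { "FAIL: RMS cannot resolve $AgentIp to a name; check the reverse (PTR) zone" }
    return
}

# Agent side: forward resolution of the RMS, then one TCP test per port.
try { "RMS $RmsFqdn resolves to " + ([System.Net.Dns]::GetHostEntry($RmsFqdn).AddressList -join ", ") }
catch { "FAIL: this agent cannot resolve $RmsFqdn"; return }

foreach ($p in ($Ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -HostName $RmsFqdn -Port $p -TimeoutMs $TimeoutMs) { "OPEN" } else { "BLOCKED" }
    "{0,-8}{1,5}/tcp  {2}" -f $state, $p, $Ports[$p]
}
# If 5723 is OPEN but the agent still logs 20070, the firewall is not the
# blocker; check Pending Management approval and the RMS's 20000/20002 events.
```

Run it from an elevated prompt on the agent first; a BLOCKED line for 88 or 389 while 5723 is OPEN is exactly the condition the post describes.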

Comments (8)

  1. Anonymous says:

Hi, what is TCP port 88 used for?

    I have another problem about the firewall.

The RMS and the clients are in the same domain, but they are separated by ISA 2006. I have opened the protocols needed to join a computer to the domain and TCP port 5723, and now I am using an action account that is a member of Domain Admins, but I can’t install the agents on the clients because RPC is unreachable. I tried opening TCP port 135 and ports 1024 and above, but no results. What other ports should I open?

  3. Anonymous says:

    Check this one out here

    Agent push requirements (including firewall ports):

    The account being used to push the agent must have local admin rights on the targeted agent machine.

    The following ports must be open:

    Service                                  Port(s)               Protocol
    RPC endpoint mapper                      135                   TCP/UDP
    *RPC/DCOM high ports (2000/2003 OS)      1024-5000             TCP/UDP
    *RPC/DCOM high ports (2008 OS)           49152-65535           TCP/UDP
    NetBIOS name service                     137                   TCP/UDP
    NetBIOS session service                  139                   TCP/UDP
    SMB over IP                              445                   TCP
    MOM channel                              5723                  TCP/UDP

    The following services must be set:

    Display name          State     Startup   Status
    Netlogon              Started   Auto      Running
    **Remote Registry     Started   Auto      Running
    Windows Installer     Started   Manual    Running
    Automatic Updates     Started   Auto      Running

    Extracted from: http://blogs.technet.com/kevinholman/archive/2007/12/12/agent-discovery-and-push-troubleshooting-in-opsmgr-2007.aspx

  6. Roberto Martínez says:

    In my own experience, in DMZ environments there is no need for those 2 ports (88 and 389), but ensure that the RMS server is able to resolve from IP to FQDN. A problem with the DNS configuration will yield event ID 20002 and all the agents in a grey state.

  7. FirearmTutorials.com says:

    Thanks, this came in handy putting in firewall rules between DMZ servers and my SCOM server.
