Configuring a Firewall for Operations Manager

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

This section describes how to configure your firewall to allow communication between the different Operations Manager features on your network.

Note

Operations Manager uses port 389 for LDAP queries for multiple actions, such as agent discovery and Active Directory integration. Operations Manager does not support LDAPS (LDAP over SSL).

Port assignments

The following table shows Operations Manager feature interaction across a firewall, including the ports used for communication between the features, the direction in which to open the inbound port, and whether the port number can be changed. An arrow pointing from Feature A to Feature B (--->) means that Feature A initiates the connection and the listed port must be open inbound on Feature B; <---> means the port must be open in both directions.

| Operations Manager Feature A | Port Number and Direction | Operations Manager Feature B | Configurable | Note |
|---|---|---|---|---|
| Management server | 1433/TCP, 1434/UDP, 135/TCP (DCOM/RPC), 137/UDP, 445/TCP, 49152-65535 ---> | Operations Manager database | Yes (Setup) | WMI port 135 (DCOM/RPC) for the initial connection and then a dynamically assigned port above 1024. For further information, see Special considerations for Port 135. Ports 135, 137, 445 and 49152-65535 only need to be open during the initial management server installation, to allow the setup process to validate the state of the SQL services on the target machine.² |
| Management server | 5723, 5724 ---> | Management server | No | Port 5724 must be open to install this feature and can be closed after this feature has been installed. |
| Management server | 161, 162 <---> | Network device | No | All firewalls between the management server and the network devices need to allow SNMP (UDP) and ICMP bi-directionally. |
| Gateway server | 5723 ---> | Management server | No | |
| Management server | 1433/TCP, 1434/UDP, 135/TCP (DCOM/RPC), 137/UDP, 445/TCP, 49152-65535 ---> | Reporting data warehouse | No | Ports 135, 137, 445 and 49152-65535 only need to be open during the initial management server installation, to allow the setup process to validate the state of the SQL services on the target machine.² |
| Reporting server | 5723, 5724 ---> | Management server | No | Port 5724 must be open to install this feature and can be closed after this feature has been installed. |
| Operations console | 5724 ---> | Management server | No | |
| Operations console | 443 ---> | Management Pack Catalog web service | No | Supports downloading management packs directly in the console from the catalog.¹ |
| Connector framework source | 51905 ---> | Management server | No | |
| Web console server | 5724 ---> | Management server | No | |
| Web console browser | 80, 443 ---> | Web console server | Yes (IIS Admin) | Default ports for HTTP or SSL enabled. |
| Web console for Application Diagnostics | 1433/TCP, 1434 ---> | Operations Manager database | Yes (Setup)² | |
| Web console for Application Advisor | 1433/TCP, 1434 ---> | Reporting data warehouse | Yes (Setup)² | |
| Connected management server (Local) | 5724 ---> | Connected management server (Connected) | No | |
| Windows agent installed using MOMAgent.msi | 5723 ---> | Management server | Yes (Setup) | |
| Windows agent installed using MOMAgent.msi | 5723 ---> | Gateway server | Yes (Setup) | |
| Windows agent push installation, pending repair, pending update | 5723/TCP, 135/TCP, 137/UDP, 138/UDP, 139/TCP, 445/TCP; RPC/DCOM high ports 49152-65535/TCP (2008 OS and later) | | | Communication is initiated from the management server or gateway server (MS/GW) to an Active Directory domain controller and the target computer. |
| UNIX/Linux agent discovery and monitoring of agent | TCP 1270 <--- | Management server or gateway server | No | |
| UNIX/Linux agent for installing, upgrading, and removing the agent using SSH | TCP 22 <--- | Management server or gateway server | Yes | |
| OMED service | TCP 8886 <--- | Management server or gateway server | Yes | |
| Gateway server | 5723 ---> | Management server | Yes (Setup) | |
| Agent (Audit Collection Services forwarder) | 51909 ---> | Management server Audit Collection Services collector | Yes (Registry) | |
| Agentless Exception Monitoring data from client | 51906 ---> | Management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) | |
| Customer Experience Improvement Program data from client | 51907 ---> | Management server (Customer Experience Improvement Program endpoint) | Yes (Client Monitoring Wizard) | |
| Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses port 80 to connect to the SQL Reporting Services web site. |
| Reporting server | 1433/TCP, 1434/UDP ---> | Reporting data warehouse | Yes² | |
| Management server (Audit Collection Services collector) | 1433/TCP, 1434/UDP <--- | Audit Collection Services database | Yes² | |
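As an added example (not part of the Operations Manager documentation), the following PowerShell creates the inbound Windows Firewall rules that a management server needs as Feature B in the table above, with an optional source-address scope so that the rules are not open to any host. It assumes Windows Server with the NetSecurity module; the rule display names and the `-RemoteAddress` default are constructed for this example.

```powershell
# Added example: inbound rules for a management server, taken from the port table above.
# Assumes the NetSecurity module (Windows Server 2012 or later). Rule names are constructed.
function New-ScomManagementServerFirewallRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Scope the rules to the agent/console/gateway subnets where possible; 'Any' is least restrictive.
        [string[]] $RemoteAddress = 'Any',
        [ValidateSet('Domain', 'Private', 'Public', 'Any')]
        [string]   $FirewallProfile = 'Domain'
    )

    # Feature B = management server rows: port opened inbound on this host (TCP).
    $rules = @(
        @{ Port = 5723;  Name = 'SCOM MS - Agent, gateway and MS health service (5723)' }
        @{ Port = 5724;  Name = 'SCOM MS - Operations console, web console server, connected MS (5724)' }
        @{ Port = 51905; Name = 'SCOM MS - Connector framework source (51905)' }
        @{ Port = 51906; Name = 'SCOM MS - Agentless Exception Monitoring file share (51906)' }
        @{ Port = 51907; Name = 'SCOM MS - Customer Experience Improvement Program endpoint (51907)' }
        @{ Port = 51909; Name = 'SCOM MS - Audit Collection Services collector (51909)' }  # only on the ACS collector
    )

    foreach ($r in $rules) {
        # Skip rules that already exist so the function is safe to re-run.
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.Name)' already exists; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.Name, "Create inbound TCP $($r.Port) rule")) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -RemoteAddress $RemoteAddress -Profile $FirewallProfile `
                -Action Allow | Out-Null
        }
    }
}

# Usage (preview first, then apply):
#   New-ScomManagementServerFirewallRules -RemoteAddress '10.0.0.0/8' -WhatIf
#   New-ScomManagementServerFirewallRules -RemoteAddress '10.0.0.0/8' -Verbose
# Verify the resulting port filters:
#   Get-NetFirewallRule -DisplayName 'SCOM MS*' | Get-NetFirewallPortFilter | Select-Object LocalPort
```

Rules for the SQL-facing ports (1433/TCP, 1434/UDP and the setup-only ports 135, 137, 445 and 49152-65535) belong on the database host, not on the management server, and the setup-only ones can be removed once installation has validated the SQL services.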
  • ¹ Additionally, the following URL must be allowed by your firewall: https://www.microsoft.com/mpdownload/ManagementPackCatalogWebService.asmx.

  • ² If SQL Server is installed with a default instance, the port number is 1433. If SQL Server is installed with a named instance, by default it is configured with a dynamic port. To identify the port, do the following:

    1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for , and then double-click TCP/IP.
    2. In the TCP/IP Properties dialog box, on the IP Addresses tab, note the port value for IPAll.

  • If you plan to deploy the Operations Manager databases on a SQL Server configured with an Always On Availability Group, or to migrate to one after installation, do the following to identify the port:

    1. In Object Explorer, connect to a server instance that hosts any availability replica of the availability group whose listener you want to view. Click the server name to expand the server tree.
    2. Expand the Always On High Availability node and the Availability Groups node.
    3. Expand the node of the availability group, and expand the Availability Group Listeners node.
    4. Right-click the listener that you want to view, and select the Properties command. This opens the Availability Group Listener Properties dialog box.
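The two procedures above (the IPAll port of a named instance, and the Always On listener port) can also be read without the GUI. The following PowerShell is an added example, not part of the Operations Manager documentation: the first function reads the same TCP values that Configuration Manager shows under IPAll from the registry, and the second queries the listener port from the sys.availability_group_listeners DMV. It assumes it runs on the SQL Server host with rights to read HKLM, and that the Windows account used has permission to query the availability group DMVs.

```powershell
# Added example: find the SQL Server port(s) that must be opened for Operations Manager.
# Assumes local registry read access on the SQL Server host.
function Get-SqlInstanceTcpPort {
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # 'Instance Names\SQL' maps each instance name to its instance ID (e.g. MSSQL15.MSSQLSERVER).
    $instances = Get-ItemProperty -Path "$root\Instance Names\SQL"
    foreach ($p in $instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $ipAll = Get-ItemProperty -Path "$root\$($p.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        [pscustomobject]@{
            Instance    = $p.Name                 # MSSQLSERVER for the default instance
            StaticPort  = $ipAll.TcpPort          # fixed port; 1433 for a default instance
            DynamicPort = $ipAll.TcpDynamicPorts  # set when a named instance uses a dynamic port
        }
    }
}

# Assumes a Windows login that can read sys.availability_group_listeners on the replica.
function Get-SqlAvailabilityGroupListenerPort {
    param([Parameter(Mandatory)] [string] $ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$ServerInstance;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT dns_name, port FROM sys.availability_group_listeners'
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Listener = $reader['dns_name']; Port = $reader['port'] }
        }
    } finally {
        $conn.Close()
    }
}

# Usage:
#   Get-SqlInstanceTcpPort
#   Get-SqlAvailabilityGroupListenerPort -ServerInstance 'SQLHOST\OPSMGR'   # constructed instance name
```

A non-empty DynamicPort value means the port can change when the instance restarts, so a firewall rule written for it will silently stop matching; for Operations Manager databases, set a static TcpPort and open that instead.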