I always try not to have to do too much repeat work, so when I have some extra time I like to make some stuff easier. This time I threw together a quick and easy way of adding the needed firewall openings to servers for SCOM Agent push installs.
One little note: the commands used here are only available on Windows Server 2012 R2 with PowerShell 4.0 and newer.
# Replace the placeholders with the IP addresses of your SCOM management servers;
# every rule below is scoped to these addresses via -RemoteAddress.
$SCOMmgmtServers = @("IPscommgmtserver1","IPscommgmtserver2")
# Agent-to-management-server channel
New-NetFirewallRule -DisplayName "SCOM Agent TCP" -Direction Inbound -Protocol TCP -LocalPort "5723" -Action Allow -RemoteAddress $SCOMmgmtServers
# RPC endpoint mapper, NetBIOS session and SMB used by the push install
New-NetFirewallRule -DisplayName "SCOM Agent Push Install TCP" -Direction Inbound -Protocol TCP -LocalPort @("135","139","445") -Action Allow -RemoteAddress $SCOMmgmtServers
# NetBIOS name and datagram services
New-NetFirewallRule -DisplayName "SCOM Agent Push Install UDP" -Direction Inbound -Protocol UDP -LocalPort @("137","138") -Action Allow -RemoteAddress $SCOMmgmtServers
# Dynamic RPC ports, restricted to svchost.exe rather than opening a port range
New-NetFirewallRule -DisplayName "SCOM Agent Push Install RPC" -Direction Inbound -Program "%SystemRoot%\system32\svchost.exe" -Protocol TCP -LocalPort RPC -Action Allow -RemoteAddress $SCOMmgmtServers
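Once the rules are in place it is worth checking that they actually ended up scoped to the management servers and not to "Any", since a push-install opening for 135/139/445 that accepts traffic from everywhere is a much bigger hole than intended. The following is an added verification script, not part of the original post; it assumes the four DisplayNames used above, and the server list is a constructed placeholder to be replaced with real management server IP addresses.

```powershell
# Added example (not from the original post): verify that the SCOM agent
# firewall rules exist, are enabled inbound allow rules, and are limited
# to the management server addresses rather than accepting from Any.
$SCOMmgmtServers = @("IPscommgmtserver1", "IPscommgmtserver2")   # placeholder values
$ExpectedRules   = @("SCOM Agent TCP",
                     "SCOM Agent Push Install TCP",
                     "SCOM Agent Push Install UDP",
                     "SCOM Agent Push Install RPC")

function Test-ScomAgentFirewallScope {
    param(
        [string[]]$RuleNames,
        [string[]]$AllowedRemoteAddresses
    )
    $findings = @()
    foreach ($name in $RuleNames) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) {
            $findings += "MISSING  : '$name' does not exist"
            continue
        }
        # Address and port settings are separate filter objects linked to the rule
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter

        if ($rule.Enabled   -ne 'True')    { $findings += "DISABLED : '$name'" }
        if ($rule.Direction -ne 'Inbound') { $findings += "DIRECTION: '$name' is $($rule.Direction)" }
        if ($rule.Action    -ne 'Allow')   { $findings += "ACTION   : '$name' is $($rule.Action)" }

        # The point of -RemoteAddress is to avoid an unscoped inbound opening
        $remote = @($addr.RemoteAddress)
        if ($remote -contains 'Any') {
            $findings += "UNSCOPED : '$name' accepts traffic from Any"
        }
        else {
            $unexpected = $remote | Where-Object { $AllowedRemoteAddresses -notcontains $_ }
            foreach ($u in $unexpected) { $findings += "EXTRA    : '$name' also allows $u" }
        }
        Write-Verbose ("{0}: {1} {2} from {3}" -f $name, $port.Protocol,
                       ($port.LocalPort -join ','), ($remote -join ','))
    }
    return $findings
}

$result = Test-ScomAgentFirewallScope -RuleNames $ExpectedRules `
                                      -AllowedRemoteAddresses $SCOMmgmtServers -Verbose
if ($result.Count -eq 0) { "All SCOM agent rules present and scoped to the management servers." }
else { $result }
```

Run it with -Verbose to also see the protocol, ports and remote scope of each rule; an empty result means every rule exists and is restricted as intended, while any line in the output points at a rule to fix or remove.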
I recently did some work with WAP 2012 R2 (Web Application Proxy) and ADFS 3.0 (Active Directory Federation Services), looking into how the different timeout values work in conjunction with publishing internal legacy applications to the intrawebz. This was using IWA (Integrated Windows Authentication) for the backend, which meant setting up KCD (Kerberos Constrained Delegation) between WAP and the application servers. I will not focus on that configuration here. I am more interested in how the security mechanisms work, and how that impacts how to configure the different time constraint values for logon and session related parameters.