Tips and Tricks: OpsMgr 2012 SP1- What Web Service URL, IP and Ports does the Management Pack Catalog web service call | Quisitive

A client was curious how to connect to the MP Catalog if the Server did not have Firewall ports opened for MP Catalog communication.

Connectivity Summary:

  1. When performing an MP Import via the Operations Manager Console, the web services uses a certificate to Connect to
  2. The Network sees an anonymous POST to the URL Above
  3. The request is directed over port 49204 to the IP over https using the certificate
  4. The MP catalog is displayed

I was able to get to the Summary above by running ProcessMonitor during a call to the webservice (clicked on import MP from Catalog from Console) and saw this IP for the MP Catalog webservice ( ):

Microsoft.EnterpriseManagement.Monitoring.Console.exe 18136 TCP Send Receive :49204 –>

Note: The IP found in whois sees this as a Microsoft “Hotmail” IP, but it is Microsoft nonetheless…

# The following results may also be obtained via:



NetRange: –




NetHandle: NET-64-4-0-0-1

Parent: NET-64-0-0-0-0

NetType: Direct Assignment

Comment: Abuse complaints will only be responded to if sent to

Comment: [email protected] and [email protected].

RegDate: 1999-11-24

Updated: 2006-01-23


OrgName: MS Hotmail


Address: One Microsoft Way

City: Redmond

StateProv: WA

PostalCode: 98052

Country: US

RegDate: 1999-11-24

Updated: 2004-01-14

Comment: Please contact [email protected] for all spam

Comment: issues.


OrgTechHandle: MSFTP-ARIN

OrgTechName: MSFT-POC

OrgTechPhone: +1-425-882-8080

OrgTechEmail: [email protected]


OrgAbuseHandle: ABUSE231-ARIN

OrgAbuseName: Abuse

OrgAbusePhone: +1-425-882-8080

OrgAbuseEmail: [email protected]




RTechPhone: +1-425-882-8080

RTechEmail: [email protected]



# ARIN WHOIS data and services are subject to the Terms of Use

# available at:


​While pushing an Agent out from the Console, I noticed a failure with ErrorCode 80070643 and 2147944003 noted below.

The fix was easy:

  1. Ensure that the remote computer has permissions for the following location, then repush the Agent:
    • C:WINDOWSwinsxsInstalltemp
      • Full Control – Administrators
      • Full Control – System
Task Output:
<DataItem type=” MOM.MOMAgentManagementData “time=” 2012-08-26T13:51:49.3564866-05:00 “sourceHealthServiceId=” AA7DE142-13D5-99B4-06DC-E554C1578A8F “> <ErrorCode> 2147944003 </ErrorCode> <Operation> 1 </Operation> <Description> The Agent Management Operation Agent Install failed for remote computer SVR01.domain.local. Install account: DOMAINSCOM_ACTION Error Code: 80070643 Error Description: Fatal error during installation. Microsoft Installer Error Description: For more information, see Windows Installer log file “C:Program FilesSystem Center 2012Operations ManagerServerAgentManagementAgentLogsSVR01AgentInstall.LOG C:Program FilesSystem Center 2012Operations ManagerServerAgentManagementAgentLogsSVR01MOMAgentMgmt.log” on the Management Server. </Description> <AgentName> SVR01.domain.local </AgentName> <PrincipalName> SVR01.domain.local </PrincipalName> <SoftwareUpdateResult> 0 </SoftwareUpdateResult> <SoftwareUpdateInstalled/> <SoftwareUpdateNotInstalled/> <SoftwareUpdateFailureDesc/> </DataItem>

Operations Manager (SCOM, OpsMgr) has the ability to monitor an untrusted domains as well as highly segmented\firewalled networks. 

Gateways can be within the trusted domain as well, but are highly segmented by Firewalled VLANs.  The Gateways that are installed in the trusted domain do not actually utilize certificates, as the untrusted domain computers do.  In this case, the trusted computers utilize Kerberos (SPNs must be registered) and they may also require a Trusted Internal CA Root Cert.

The untrusted Gateway cannot properly communicate to the MS’s (EVENT ID 220071, 21016)

OpsManager Unable to set up a communication channel with MS

I validate the following:

  1. Verify Manual Agent Installs show in Pending Actions for approval
    • In the Operations Console, Administration>Settings>Security
      • Ensure ‘Review new manual agent installations in pending managmeent view’ is checked
  2. Recycle the HealthService (System Center Management Service)
  3. SPN’s registered for DB\DW and MS’s
    • Restart of Servers in this order may be necessary
      1. DB\DW Instances
      2. RMSe Management Server
      3. Other MS’s
  4. Install GW as local Administrator
    • GW Approval tool run using an account with SysAdmin privileges to SQL DB
  5. Certificates are OK
    • Trusted Root Certificates on All GW and MS
    • Ensure Full Name of Computer is used as the Friendly name and name of the certificate
    • OpsMgr Cert unique to each computer and imported
    • Using 1024 or 2048 key size (2048 adds slight CPU overhead)
      • MOMCertImport changes this to 1024
    • Expiration OK
      • MOMCertImport changes this to 1 year in the Registry
    • If you cannot request the certificate from the GW or Agent:
      • Use the web site on the MS to request a server cert
  6. Gateway approval tool is OK
    • Ensure the following files exist on the Management Server:
      • Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
      • Microsoft.EnterpriseManagement.GatewayApprovalTool.config
    • Command Run successfully:
      • Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
  7. Port 5723 has been validated as Open
    • I haven’t seen the need for 5724 in the past, although mentioned in the MS documentation
  8. Telnet to 5723 to the MS succeeds
  9. Check DNS
    • Mgmt Server name resolves to IP
    • Potential Hosts file edit or DNS entry
  10. Try re-copying the certificate out of the OperationsManager Folder into the Trusted Root store and restarting HealthService
  11. Flushing Health Service Cache
  12. Reinstalling GW and pointing to different MS
  13. Reissuing Certificates and reimporting, then running MOMCertImport
  14. Recycle the HealthService (System Center Management Service)