Microsoft Operations Management Suite Cookbook

By: Chiyo Odika

Overview of this book

Microsoft Operations Management Suite Cookbook begins with an overview of how to hit the ground running with OMS insights and analytics. Next, you will learn to search and analyze data to retrieve actionable insights, review alert generation from the analyzed data, and use basic and advanced Log search queries in Azure Log Analytics. Following this, you will explore some other management solutions that provide functionality related to workload assessment, application dependency mapping, automation and configuration management, and security and compliance. You will also become well versed with the data protection and recovery functionalities of OMS Protection and Recovery, and learn how to use Azure Automation components and features in OMS. Finally, you will learn how to evaluate key considerations for using the Security and Audit solution, and how to work with Security and Compliance in OMS. By the end of the book, you will be able to configure and utilize solution offerings in OMS, understand OMS workflows, unlock insights, integrate capabilities into new or existing workflows, manage configurations, and automate tasks and processes.

Connecting sources without internet access to OMS

If you implement security policies that restrict computers in your corporate network (corpnet) from connecting to the internet, OMS has an HTTP forward proxy feature called the OMS Gateway that will enable you to still connect computers in your corpnet to OMS.

While the computers in your corpnet will have no connectivity to the internet, the OMS Gateway must have access to the internet, or be connected to a proxy server that does, so as to be able to forward data to the OMS service endpoints. The OMS Gateway supports HTTP tunneling using the HTTP CONNECT command. It collects data on behalf of the OMS agents deployed to the computers in your corpnet, and sends the data to OMS.

The following information will help you understand how to connect sources to OMS that have no connectivity to the internet.

Getting ready

At this time, the OMS Gateway supports the following connected sources scenarios:

  • Windows computers directly connected to an OMS workspace with the MMA
  • Linux computers directly connected to an OMS workspace with the OMS agent for Linux
  • SCOM agent-managed computers reporting to a management group that is integrated with OMS. The following SCOM versions are supported:
    • SCOM 2016
    • SCOM 2012 R2 with update rollup 3
    • SCOM 2012 SP1 with update rollup 7
  • Azure Automation Hybrid Runbook Workers

The OMS Gateway feature can also be made highly available using your existing enterprise hardware-based load balancers. To begin, you will need to download and install the OMS Gateway.

How to do it...

You will need to download the OMS Gateway setup file and use the file to install and configure the OMS Gateway. You can also configure high availability for the OMS Gateway using load balancing, if you wish.

Downloading the OMS Gateway setup file

You can download the latest version of the OMS Gateway setup file in one of three ways:

  1. Navigate to the following URI (https://www.microsoft.com/en-us/download/details.aspx?id=54443) to obtain the setup file from the Microsoft Download Center
  2. Obtain the setup file from the OMS Portal:
    1. Sign into your OMS workspace
    2. Navigate to Settings | Connected Sources | Windows Servers
    3. In the resulting blade, click Download OMS Gateway:
    Figure 1.5 Downloading OMS Gateway from the OMS portal
  3. Obtain the setup file from the Azure portal:
    1. Sign in to the Azure portal
    2. Select Log Analytics from the list of services
    3. Select a workspace
    4. Under the General section in your workspace blade, click Quick Start
    5. Under Choose a data source to Connect to the Workspace, click Computers
    6. In the Direct Agent blade, click Download OMS Gateway
    7. Save the OMS Gateway.msi file:
    Figure 1.6 Downloading OMS Gateway from the Azure portal

Installing the OMS Gateway

Use the following steps to install the OMS Gateway:

  1. Locate the OMS Gateway.msi file downloaded in the previous section
  2. Right-click the file and select Install
  3. Click Run on the security warning prompt, if one appears
  4. Click Next on the Welcome page:
    Figure 1.7 OMS Gateway setup
  5. Select I accept the terms in the License Agreement on the End-user License Agreement page and click Next
  6. On the OMS Gateway Configurations page, do the following:
    1. Enter the port to be used for the server. The default port is 8080. You can enter any value from 1 through 65535.
    2. Optionally, if the OMS Gateway server needs to communicate through a proxy to get to the internet, check the Use a proxy server box and enter the proxy server information. If the proxy requires authentication, check the My proxy requires authentication box and enter the username and password information as well.
    3. Click Next to proceed:
    Figure 1.8 OMS Gateway setup
  7. On the Destination Folder page, leave the default folder setting as C:/Program Files/OMS Gateway, or choose another folder in which to install the OMS Gateway, and click Next.
  8. Click Install on the Ready to Install OMS Gateway page and select Yes if you receive a User Account Control (UAC) prompt.
  9. Click Finish after the setup has completed.

Check the list of services or use PowerShell to verify that the OMS Gateway service is installed and running:

Get-Service OMSGatewayService 
Figure 1.9 Verifying that the OMS Gateway service is running

How it works...

The OMS Gateway is simply an HTTP forward proxy that makes connections on behalf of clients through HTTP CONNECT tunneling. In this case, the OMS agent computer forwards its TCP connection to the OMS Gateway, which tunnels the TCP connection to the OMS service endpoints. This tunneling mechanism means that the data is sent directly from the OMS Gateway to the OMS endpoints without being analyzed.

The OMS Gateway can be used with both OMS agents that are configured to directly connect to an OMS workspace, and an Operations Manager (SCOM) management group that is integrated with OMS. With directly connected OMS agents, the data is sent to the OMS Gateway, which then transfers the data directly to OMS in the manner previously described. When configured for use with an SCOM management group, the proxy information defined for the management group is distributed automatically to every agent-managed computer that is configured as an OMS-managed computer, even if that setting isn't defined.

Depending on the solution(s) configured in OMS, the agent will then collect the relevant data and either send it to the management server or, in the case of high-volume data, such as performance metrics and security events, directly to the OMS endpoints via the OMS Gateway.
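
The CONNECT exchange described above can be checked from any computer in the corpnet before agents are pointed at the gateway. The following PowerShell function is an added example, not code from the book or from Microsoft: it sends an HTTP CONNECT request to one or more gateways (or a load-balancer virtual IP) and reports whether a tunnel was opened. The function name, the gateway host names, and the endpoint placeholder are assumptions; 8080 is the installer default mentioned earlier.

```powershell
# Added example: checks that a gateway answers an HTTP CONNECT request for an OMS endpoint.
function Test-OmsGatewayTunnel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $GatewayHost,        # gateway node(s) or load-balancer VIP
        [ValidateRange(1, 65535)] [int] $GatewayPort = 8080,   # installer default from the text
        [Parameter(Mandatory)] [string] $TargetHost,           # OMS service endpoint to tunnel to
        [ValidateRange(1, 65535)] [int] $TargetPort = 443,
        [int] $TimeoutMs = 5000
    )
    foreach ($gw in $GatewayHost) {
        $result = [ordered]@{
            Gateway = "${gw}:$GatewayPort"; Target = "${TargetHost}:$TargetPort"
            StatusLine = $null; TunnelEstablished = $false; Error = $null
        }
        $client = [System.Net.Sockets.TcpClient]::new()
        try {
            # Bounded TCP connect to the gateway's listening port.
            if (-not $client.ConnectAsync($gw, $GatewayPort).Wait($TimeoutMs)) {
                throw "TCP connect timed out after $TimeoutMs ms"
            }
            $stream = $client.GetStream()
            $stream.ReadTimeout  = $TimeoutMs
            $stream.WriteTimeout = $TimeoutMs

            # The request a proxy client sends to ask for a tunnel to the target.
            $request = "CONNECT ${TargetHost}:$TargetPort HTTP/1.1`r`n" +
                       "Host: ${TargetHost}:$TargetPort`r`n`r`n"
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
            $stream.Write($bytes, 0, $bytes.Length)

            # Only the status line matters here: a 2xx code means the tunnel is open.
            $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
            $result.StatusLine = $reader.ReadLine()
            if ($result.StatusLine -match '^HTTP/\d\.\d\s+(\d{3})') {
                $code = [int]$Matches[1]
                $result.TunnelEstablished = ($code -ge 200 -and $code -lt 300)
            }
        }
        catch   { $result.Error = $_.Exception.GetBaseException().Message }
        finally { $client.Dispose() }
        [pscustomobject]$result
    }
}

# Placeholder values: substitute your own gateway addresses and an OMS service endpoint.
Test-OmsGatewayTunnel -GatewayHost 'omsgw01.corp.example', 'omsgw02.corp.example' `
    -TargetHost '<oms-endpoint-fqdn>'
```

A row with an Error value points at a network or port problem between the client and the gateway, while a non-2xx StatusLine means the gateway was reached but did not open the tunnel.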

There's more...

You can configure the OMS Gateway for high availability through network load balancing (NLB). This will enable you to use the TCP/IP networking protocol to distribute traffic across two or more OMS Gateway servers. Using an NLB configuration will provide you with some measure of high availability and scalability for your OMS Gateway configuration. You can make use of any existing hardware-based load balancers that you use within your infrastructure, and the OMS Gateways configured as NLB hosts should support common NLB configurations, such as your preferred load-balancing algorithms (least sessions, round robin, fastest, and so on), persistence methods, and so on.

Ensure that your target server listening port adheres to the port configuration used during the installation of the OMS Gateway server(s).

You can also install the OMS agent on the computer configured as the OMS Gateway. This configuration will enable the following:

  • The OMS Gateway can identify the service endpoints that it needs to communicate with
  • The OMS agent can monitor and collect event and performance data from the OMS Gateway

Additionally, Operations Manager Gateway servers deployed in untrusted networks cannot communicate with the OMS Gateway. They can only report to an Operations Manager management server, and would therefore be subject to the proxy server settings (if any) configured for the management group to which the SCOM management server belongs.

For directly connected computers to send data to the OMS Gateway, they must have network connectivity to the OMS Gateway, and the agents' proxy configuration should be set to the same port used by the OMS Gateway to communicate with OMS service endpoints.

Using a proxy server to access OMS from SCOM

Perform the following steps:

  1. Open the SCOM console and navigate to the Administration workspace
  2. Navigate to Operations Management Suite, click Connection, and then click Configure Proxy Server:
    Figure 1.10 - Configuring proxy server options in SCOM
  3. Select the option to Use a proxy server to access the Operations Management Suite and type either the IP address of the standalone OMS Gateway server or the virtual IP address of the array of load-balanced OMS Gateway servers:
    Figure 1.11 - Configuring the proxy server in SCOM

Ensure that you start with the http:// prefix. Additionally, ensure that you bypass the HTTPS inspection if you need to permit access to OMS service endpoints through your firewalls.

Use PowerShell cmdlets with OMS Gateway

You can use PowerShell to review and modify the OMS Gateway configuration settings. The OMS Gateway PowerShell module should be imported on the OMS Gateway server(s) upon installation of the OMS Gateway feature. You can always verify this by importing the module yourself:

Import-Module OMSGateway

Once you confirm that the OMS Gateway module has been imported, you can also review your OMS Gateway configuration for the listening port, log level, and other settings:

Get-OMSGatewayConfig
Figure 1.12 - Reviewing the OMS Gateway configuration

To make changes to the OMS Gateway configuration using PowerShell, you can make use of the Set-OMSGatewayConfig cmdlet. For instance, to change the port on which the OMS Gateway is listening, you can execute the following command:

 Set-OMSGatewayConfig -Name ListenPort -Value [port]   

In the preceding command, [port] is the integer value of your desired port on which the OMS Gateway listens.

At this time, the Set-OMSGatewayConfig cmdlet supports the following configuration names:

  • ListenPort
  • LogLevel
  • IncirporatedOMSSolution
  • UseIpv6
  • IncorporatedScomSupport

See also