Port 1270: SCOM Agent — The health monitor for enterprise infrastructure

What Runs on Port 1270

Port 1270 is officially assigned by IANA to Microsoft System Center Operations Manager (SCOM), formerly known as Microsoft Operations Manager (MOM).¹ SCOM is Microsoft's enterprise monitoring solution that watches over Windows servers, Unix/Linux systems, applications, and network devices.

The SCOM agent uses port 1270 for bidirectional communication with the SCOM Management Server or Gateway Server over both TCP and UDP protocols.² This port carries:

Agent registration — New agents announce themselves to the management infrastructure
Health data submission — Performance metrics, event logs, and monitoring data flow continuously
Configuration updates — Management servers push new monitoring rules and settings
Alert notifications — Critical events and failures are reported immediately

All health monitoring for Unix and Linux systems is performed over WS-Management (WS-MAN) on port 1270.³

The Registered Port Range

Port 1270 belongs to the registered ports range (1024-49151). These ports are assigned by the Internet Assigned Numbers Authority (IANA) to specific services upon application by a requesting entity.⁴ Unlike well-known ports (0-1023) which require root privileges, registered ports can be bound by regular user applications.

While port 1270 has an official IANA assignment to Microsoft SCOM, organizations can configure SCOM to use different ports if needed. The default is 1270, but it's customizable during installation.⁵

Why This Port Matters

Port 1270 is how enterprise IT teams know their infrastructure is healthy—or dying.

Without monitoring, administrators discover problems when users call to complain. The database is slow. The web server crashed. The backup failed last night and nobody noticed. By the time humans notice, the damage is done.

SCOM agents running on every server act as constant watchdogs. They measure CPU usage, memory consumption, disk space, service availability, application performance. When thresholds are crossed, they send alerts through port 1270 before users are affected.

This is preventive care for machines. The port exists so IT teams can fix problems that haven't quite become disasters yet.

Security Considerations

Port 1270 should only be accessible within your management network. This port carries detailed information about your infrastructure's health, configuration, and vulnerabilities—exactly the kind of intelligence an attacker would find valuable.

Firewall rules:

Allow port 1270 TCP/UDP from monitored servers to SCOM Management Servers
Allow port 1270 TCP/UDP from SCOM Management Servers to monitored Unix/Linux systems
Block port 1270 from untrusted networks and the Internet

SCOM supports certificate-based authentication and encrypted communications. Always enable these features in production environments.⁶

Checking What's Listening

To see if SCOM or another service is using port 1270 on your system:

On Windows:

netstat -ano | findstr :1270

On Linux/Unix:

sudo lsof -i :1270
sudo netstat -tulpn | grep 1270

If you see a process bound to port 1270 and you're not running SCOM, investigate. It could be legitimate (some organizations use this port for custom monitoring solutions) or it could be malware mimicking legitimate infrastructure.

SCOM's monitoring infrastructure uses several ports:

Port 5723 — SCOM agent communication (alternative/older configuration)
Port 5724 — SCOM Management Server to Management Server communication
Port 51905 — SCOM gateway communication
Port 1433 — SQL Server (SCOM database backend)

Frequently Asked Questions About Port 1270

Προηγούμενο

Port 1269: WATiLaPP — The registered port that malware made infamous

Επόμενο

Port 1271 — A registered port waiting in the wings

Ήταν χρήσιμη αυτή η σελίδα;

😔

🤨

😃