What Firewall Rules for Audit Collection Service in SCOM 2012

I see three options here:

1. Your firewall is misconfigured. Don't worry, it happens to the best of us. Good on you for testing!
2. One do your network adapters is using a different network profile than your desired firewall profile. Network Location Awareness can sometimes play into this as well.
3. NMap is erroneously detecting open ports. I have seen this happen rarely when testing from behind certain draconian firewall/proxy/IDS implementations.

You should confirm with that services actually are listening on those ports with a netstat -ab and then narrow the scope of your troubleshooting from there. Is it possible that you have additional Windows Features that you need to uninstall?

How does the Event-Forwaring actually work? Is it possible and useful to use Network Load Balancing (NLB)?

Event forwarding depends on WSMan/WinRM (windows remote management service). For domain joined scenarios, this uses Kerberos as a default for authentication and encryption, which requires a service principal name (SPN). SPNs are meant to be unique. Therefore, no two domain joined computers should be permitted to register the same SPN for their computer accounts/identity, which makes load balancing with default setup unworkable. While there are some guides on configuring IIS to use a specific service domain account (instead of computer account), and letting a pool of IIS web servers share that service account, WSMan/WinRM is more of core OS service. It seems to be heavily tied into running as the Network Service account of a machine, which in turn depends on the computer's built-in machine account and SPN. Hence, it's non-trivial to load balance windows event forwarding.

Most references I've seen on the topic suggest a number of work-arrounds, such as:

• Directly use GPO subscription settings to switch/load balance which specific event collector servers are used based on site topology, etc.
• Split subscriptions settings into different roles, e.g. one for System and Application logs, the other for Security, and via GPO, configure clients (log sources) to get subscriptions from both servers.

Neither of the above provide HA, just splitting load. For HA, I've seen a recommendation to set 2 servers with the same subscriptions, but this duplicates the events sent (and wastes bandwidth, etc).