Level 12

WMI monitoring through firewalls and NAT routers?

Hi clever people...

Has anyone managed to solve the problem of monitoring WMI stuff from APM, when the APM poller sits on the remote side of a firewall to the device being monitored? If I disable all rules, and make it any:any, then it works, but if I have a firewall blocking all but the WMI single port, and have NATs in place, then I am scuppered.

any help would be great!

SolarWinds, what I would ideally need is a remote poller for APM, to sit on the remote side of the firewall and router, and report back into my set of ALX pollers in my management network...

any help?

17 Replies
Level 8

I am sharing what works for us to allow WMI monitoring on servers residing in the DMZ without having to configure any/any in the firewall rule to get it working.

Quick and Dirty - There are 2 parts required:

On DMZ server - configure WMI to communicate only over port 24158. Now just 2 ports are required to be opened on the firewall, port 135 and port 24158.

Reference docs:

SolarWinds Knowledge Base :: Setting a fixed port for WMI

On the firewall - ACL rule should permit <IP address of SolarWinds server(s)> 192.168.0.0/16 tcp/135,tcp/24158 (your network team should be able to get this implemented)

I should note that the order of the ACL rule is relevant, I believe. Simply adding the new rule to the end of the ACL list might not 'just work'. You may have to move that rule up higher in the order.

Hope this helps someone,

Devon

0 Kudos

I know this is an old thread, but thought I'd put this in it, just in case it helps someone...

I have a number of these situations, and in *most* of the cases, this helps resolve the issue for us.

When we have this situation we do have to do an "allow all" to just the monitoring server, unfortunate but true - however, that is not always the only fix necessary, especially in cases where we don't have name resolution / dns mapping of the server name to the actual server IP (ie: nat IP doesn't match the actual IP on the server).

We create a hosts file record on our APM server, that maps the hostname of the server to the NAT IP (not the actual IP).  WMI responses have the local server IP and hostname in it, so the responses get lost (don't match) when APM receives it back - by putting the hosts file record in place, it ignores the IP in the WMI responses and uses the name to IP map from the hosts file, which finds the right IP address, and immediately starts working for us.

Hope that made sense enough - enjoy!

0 Kudos
Level 8

We had the same issue and used the following as a fix - 

1 - run net stop winmgmt

2 - Add the below to the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"Winmgmt"=hex(7):77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\winmgmt]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityAppID"="{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}"

[HKEY_CLASSES_ROOT\AppID\{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}]
@="Svchost_winmgmt"
"EndPoints"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
  63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00

3 - run sc config winmgmt binPath= "%systemroot%\system32\svchost.exe -k winmgmt"

4 - run net start winmgmt


This will have the effect of locking WMI down to port 4321 only; we chose this approach as it only limits the WMI port rather than limiting the ports for all DCOM traffic. The port 4321 can be changed by altering the reg file, or through Component Services (it will be called Svchost_winmgmt). Source article is here for reference - http://support.microsoft.com/kb/897571/en-us

Hope this helps!
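As an added example (not code from the post, Microsoft or SolarWinds), the Python below builds the .reg file shown above for any chosen port and reads the pinned port back out of a .reg export, so you can confirm the change actually took before asking for the firewall rule. It embeds the post's own EndPoints value (port 4321) as its check input; the port range check is an assumption of this example.

```python
"""Added example (not from the post or Microsoft): build and read back the
fixed-port WMI .reg change above. hex(7) is REG_MULTI_SZ stored as UTF-16LE
bytes: each string NUL-terminated, followed by one extra empty string."""
import re

APPID = "{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}"  # AppID used in the post
# The EndPoints value exactly as it appears in the post (port 4321).
POST_ENDPOINTS = ("6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\\\n"
                  "63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00")

def encode_multi_sz(values: list[str]) -> str:
    """Encode strings as the comma-separated hex(7) byte list of a .reg file."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values)
    return ",".join(f"{b:02x}" for b in data + b"\x00\x00")

def decode_multi_sz(hex_text: str) -> list[str]:
    """Decode hex(7), tolerating the backslash line continuations of .reg files."""
    cleaned = re.sub(r"[\\\s]", "", hex_text)
    text = bytes(int(x, 16) for x in cleaned.split(",") if x).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]

def build_winmgmt_reg(port: int) -> str:
    """Render the post's .reg file pinning WMI to any TCP port in 1024-65535."""
    if not 1024 <= port <= 65535:  # range limit is this example's assumption
        raise ValueError("choose a port in 1024-65535")
    endpoint = f"ncacn_ip_tcp,0,{port}"  # DCOM syntax: protseq, flags, port
    lines = [
        "Windows Registry Editor Version 5.00", "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]",
        f'"Winmgmt"=hex(7):{encode_multi_sz(["winmgmt"])}', "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\winmgmt]",
        '"CoInitializeSecurityParam"=dword:00000001',
        '"AuthenticationCapabilities"=dword:00003020',
        f'"CoInitializeSecurityAppID"="{APPID}"', "",
        f"[HKEY_CLASSES_ROOT\\AppID\\{APPID}]",
        '@="Svchost_winmgmt"',
        f'"EndPoints"=hex(7):{encode_multi_sz([endpoint])}', "",
    ]
    return "\r\n".join(lines)

def fixed_wmi_port(reg_text: str) -> int:
    """Read the pinned port back from a .reg export; 0 means no ncacn_ip_tcp
    endpoint, so DCOM still picks a dynamic port and a single-port rule fails."""
    m = re.search(r'"EndPoints"=hex\(7\):((?:[0-9a-fA-F]{2},?|\\\s*)+)', reg_text)
    for ep in decode_multi_sz(m.group(1)) if m else []:
        proto, _flags, port = (ep.split(",") + ["", ""])[:3]
        if proto.lower() == "ncacn_ip_tcp" and port.isdigit():
            return int(port)
    return 0
```

Run the export side with reg export "HKCR\AppID\{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}" on the DMZ host and feed the file to fixed_wmi_port; a result of 0 means the endpoint is not pinned and the single-port firewall rule will not be enough.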

Level 9

This works great, just curious if anyone knows how to back it out once it's in place. I can't think of a good reason to do it right now, but we always like to have a rollback plan.

0 Kudos
Product Manager
Product Manager

Backup the following keys before making the change. Then you can simply double click on the file to restore the machine back to the way it was prior to the modification.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  • HKEY_CLASSES_ROOT\AppID\{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}
0 Kudos
Level 9

That part seems pretty straight forward. What about breaking WMI out to its own svchost.exe process? Can it be reversed? I can't think of any reason that would cause a problem down the road but you never know.

0 Kudos
Product Manager
Product Manager

WMI already runs in its own dedicated svchost.exe process

[Image: WMI Process.png]

0 Kudos
Level 7

Thank you for the quick reply.

I think I'm possibly trying to solve a different problem.  I have servers in a DMZ protected by a firewall I don't control.  It would simplify things if I could put an agent on the servers and have SolarWinds communicate with it over a common secure channel like port 443.

-Steve

0 Kudos
Level 13

WMI is rather unfriendly towards firewalls because it uses the DCOM protocol. DCOM allocates ports dynamically, picking a random port from 1024-65535. So unless you do something fancy to restrict the range of DCOM ports, you have to have all ports unblocked to use WMI.


Microsoft have an article about restricting the port range of DCOM to make it more firewall friendly. Give that a try.


Using distributed COM with firewalls.

http://msdn.microsoft.com/en-us/library/ms809327.aspx

Level 7

Roger that link no longer works. Do you have a different one? I have exhausted my googling.

0 Kudos
Level 13

Wow. It's *gone*.  

Alternate link to a PDF version:

http://filedb.experts-exchange.com/incoming/2008/06_w23/30909/Using-Distributed-COM-with-Firew.pdf

My google-fu technique to locate this:

There were enough links from other web sites pointing to the page that Microsoft removed that I was able to find the author's name, and a google search for the full article name and the author "Using Distributed COM with Firewalls by Michael Nelson" revealed a PDF version of the original article as the 2nd search result.

0 Kudos
Level 7

Thank you!

0 Kudos
Level 12

Hi there,

Thank you for the reply. I had read that article; it is one of the only ones on the internet that seem to discuss possible ways around.

Looks like the only way forward would be if we could deploy a poller into this network. Given that it would only be for this purpose, and would only be for a hundred or so servers, purchasing an SLX poller will not be financially viable.

Any help SolarWinds? This is a real problem for me on this project...  heeeeelp....

0 Kudos
Level 8

Hi,

We have the same issue. After looking at the MS article and discussing the pros and cons with our server teams, we are worried that restricting the ports will impact other services in our estates.

We would be happy with a solarwinds agent that could be deployed to these remote servers and poll WMI directly then sending the results via a single port back to the APM poller.  

0 Kudos
Level 12

Oooh yeah, that would rock...  but you can expect a fairly expensive charge for those from SW if they write them  🙂

0 Kudos
Level 18

Just FYI, we're already exploring the concept of a "remote collector" specifically for these types of scenarios, but there's nothing we can share in the short-term. Please stay tuned for now.

0 Kudos
Level 7

Hi Chris,

Has there been any progress on the "remote collector"?

Thanks.

Steve

0 Kudos