Hi clever people...
Has anyone managed to solve the problem of monitoring WMI stuff from APM, when the APM poller sits on the remote side of a firewall to the device being monitored? If I disable all rules and make it any:any, then it works, but if I have a firewall blocking all but the WMI single port, and have NATs in place, then I am scuppered.
Any help would be great!
SolarWinds, what I would ideally need is a remote poller for APM, to sit on the remote side of the firewall and router, and report back into my set of SLX pollers in my management network...
I am sharing what works for us to allow WMI monitoring on servers residing in the DMZ without having to configure any/any in the firewall rule to get it working.
Quick and Dirty - There are 2 parts required:
On DMZ server - configure WMI to communicate only over port 24158. Now just 2 ports are required to be opened on the firewall, port 135 and port 24158.
On the firewall - ACL rule should permit <IP address of SolarWinds server(s)> 192.168.0.0/16 tcp/135,tcp/24158 (your network team should be able to get this implemented)
I should note that the order of the ACL rule is relevant, I believe. Simply adding the new rule to the end of the ACL list might not 'just work'. You may have to move that rule up higher in the order.
Hope this helps someone,
I know this is an old thread, but thought I'd put this in it, just in case it helps someone...
I have a number of these situations, and in *most* of the cases, this helps resolve the issue for us.
When we have this situation we do have to do an "allow all" to just the monitoring server, unfortunate but true - however, that is not always the only fix necessary, especially in cases where we don't have name resolution / DNS mapping of the server name to the actual server IP (i.e. the NAT IP doesn't match the actual IP on the server).
We create a hosts file record on our APM server, that maps the hostname of the server to the NAT IP (not the actual IP). WMI responses have the local server IP and hostname in it, so the responses get lost (don't match) when APM receives it back - by putting the hosts file record in place, it ignores the IP in the WMI responses and uses the name to IP map from the hosts file, which finds the right IP address, and immediately starts working for us.
Hope that made sense enough - enjoy!
We had the same issue and used the following as a fix -
1 - run net stop winmgmt
2 - Add the below to the registry
Windows Registry Editor Version 5.00
4 - run net start winmgmt
This will have the effect of locking WMI down to port 4321 only; we chose this approach as it only limits the WMI port rather than limiting the ports for all DCOM traffic. The port 4321 can be changed by altering the reg file, or through Component Services (it will be called Svchost_winmgmt). Source article is here for reference - http://support.microsoft.com/kb/897571/en-us
Hope this helps!
Backup the following keys before making the change. Then you can simply double click on the file to restore the machine back to the way it was prior to the modification.
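The fixed-port WMI setup described in the two posts above (the 135 + 24158 ACL approach and the stop / registry / start approach), written out as an added PowerShell example. This is not code from the thread or from SolarWinds; it uses Microsoft's documented `winmgmt -standalonehost` switch from KB 897571, which moves WMI into its own svchost process (the `Svchost_winmgmt` entry mentioned above) and binds it to TCP 24158 by default. The poller address, rule names and the host-firewall assumption are mine.

```powershell
# Added example: pin WMI to a fixed TCP port so only 135 and 24158 need to cross the firewall.
# Run in an elevated PowerShell session on the DMZ server. Assumptions (not from the thread):
#   - $PollerAddress is a placeholder for the NAT'd address the SolarWinds poller arrives from.
#   - Windows Firewall is the host firewall; the perimeter ACL still has to permit the same two ports.

$PollerAddress = '192.0.2.10'   # placeholder (RFC 5737 documentation range), replace with the poller's address
$WmiFixedPort  = 24158          # default port used by 'winmgmt -standalonehost'; change it in dcomcnfg under Svchost_winmgmt if needed

function Set-WmiFixedPort {
    # Move WMI out of the shared svchost into its own process with a fixed DCOM endpoint.
    # 'winmgmt -sharedhost' reverses this (documented in KB 897571).
    & winmgmt -standalonehost
    if ($LASTEXITCODE -ne 0) { throw "winmgmt -standalonehost failed with exit code $LASTEXITCODE" }

    # The change only takes effect after the WMI service restarts (net stop / net start in the thread).
    # -Force also restarts services that depend on winmgmt.
    Restart-Service -Name winmgmt -Force
}

function Add-WmiFirewallRules {
    param([string]$RemoteAddress, [int]$FixedPort)
    # RPC endpoint mapper (135) plus the fixed WMI port, allowed only from the poller's address.
    foreach ($port in 135, $FixedPort) {
        $name = "WMI fixed port $port from SolarWinds poller"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $port -RemoteAddress $RemoteAddress | Out-Null
        }
    }
}

function Test-WmiFixedPort {
    param([int]$FixedPort)
    # Returns $true when a local process is listening on the fixed port after the restart.
    $listener = Get-NetTCPConnection -LocalPort $FixedPort -State Listen -ErrorAction SilentlyContinue
    return [bool]$listener
}

Set-WmiFixedPort
Add-WmiFirewallRules -RemoteAddress $PollerAddress -FixedPort $WmiFixedPort
"WMI listening on TCP ${WmiFixedPort}: $(Test-WmiFixedPort -FixedPort $WmiFixedPort)"
```

The host-side rules above only complement the perimeter ACL from the earlier post; the ACL still has to allow TCP 135 and the fixed port from the poller, and as noted there its position in the rule order matters. To undo the change, run `winmgmt -sharedhost`, restart the winmgmt service and remove the two firewall rules.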
That part seems pretty straight forward. What about breaking WMI out to its own svchost.exe process? Can it be reversed? I can't think of any reason that would cause a problem down the road but you never know.
Thank you for the quick reply.
I think I'm possibly trying to solve a different problem. I have servers in a DMZ protected by a firewall I don't control. It would simplify things if I could put an agent on the servers and have SolarWinds communicate with it over a common secure channel like port 443.
WMI is rather unfriendly towards firewalls because it uses the DCOM protocol. DCOM allocates ports dynamically, picking a random port from 1024-65535. So unless you do something fancy to restrict the range of DCOM ports, you have to have all ports unblocked to use WMI.
Microsoft have an article about restricting the port range of DCOM to make it more firewall friendly. Give that a try.
Using distributed COM with firewalls.
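The DCOM port-range restriction that the Microsoft article describes, as an added PowerShell example that is not code from the thread or from Microsoft. It writes the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values the article documents (`Ports`, `PortsInternetAvailable`, `UseInternetPorts`) and adds a matching host-firewall rule; the 5000-5100 range and the poller address are constructed sample values.

```powershell
# Added example: restrict the dynamic DCOM/RPC port range (the "Using Distributed COM with Firewalls"
# method) so a firewall can allow TCP 135 plus one known range instead of 1024-65535.
# Assumptions (not from the thread): the range below is a constructed sample; pick one large enough
# for every DCOM server on the box, and reboot afterwards because RPC reads these values at startup.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange      = '5000-5100'   # constructed sample range
$PollerAddress  = '192.0.2.10'  # placeholder poller address (RFC 5737 documentation range)

function Set-DcomPortRange {
    param([string]$Range)
    # Creates the Rpc\Internet key and the three values the article describes:
    #   Ports (REG_MULTI_SZ)            - the range(s) DCOM may allocate endpoints from
    #   PortsInternetAvailable (REG_SZ) - 'Y' means the list is the available range, not an exclusion list
    #   UseInternetPorts (REG_SZ)       - 'Y' makes DCOM use that range by default
    if (-not (Test-Path $RpcInternetKey)) { New-Item -Path $RpcInternetKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcInternetKey -Name 'Ports' -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' -Value 'Y' -Type String
}

function Get-DcomPortRange {
    # Reads the configured values back for verification; deleting the key reverts to dynamic ports.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    Get-ItemProperty -Path $RpcInternetKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Add-DcomRangeFirewallRule {
    param([string]$Range, [string]$RemoteAddress)
    # Host-firewall rule for the endpoint mapper and the whole restricted range, from the poller only.
    # The perimeter ACL needs the equivalent allow (TCP 135 plus the range).
    $name = "DCOM restricted range $Range from SolarWinds poller"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort @('135', $Range) -RemoteAddress $RemoteAddress | Out-Null
    }
}

Set-DcomPortRange -Range $PortRange
Add-DcomRangeFirewallRule -Range $PortRange -RemoteAddress $PollerAddress
Get-DcomPortRange
Write-Host "Reboot required before RPC/DCOM honours the new range."
```

Unlike the fixed WMI port from the earlier posts, this setting applies to every DCOM server on the host, which is why it is worth checking what else on the machine registers DCOM endpoints before narrowing the range.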
Wow. It's *gone*.
Alternate link to a PDF version:
My google-fu technique to locate this:
There were enough links from other web sites pointing to the page that Microsoft removed that I was able to find the author's name, and a google search for the full article name and the author "Using Distributed COM with Firewalls by Michael Nelson" revealed a PDF version of the original article as the 2nd search result.
Thank you for the reply. I had read that article; it is one of the only ones on the internet that seems to discuss possible ways around.
Looks like the only way forward would be if we could deploy a poller into this network. The fact that it would only be for this purpose, and would only be for a hundred or so servers, means purchasing an SLX poller will not be financially viable.
Any help SolarWinds? This is a real problem for me on this project... heeeeelp....
We have the same issue. After looking at the MS article and discussing the pros and cons with our server teams, we are worried that restricting the ports will impact other services in our estates.
We would be happy with a SolarWinds agent that could be deployed to these remote servers and poll WMI directly, then send the results via a single port back to the APM poller.
Just FYI, we're already exploring the concept of a "remote collector" specifically for these types of scenarios, but there's nothing we can share in the short-term. Please stay tuned for now.