Windows Service Monitoring for server in DMZ


I am throwing this out there and I know others have had the issue, but according to my Google search, it hasn't been answered yet. So, I'm trying to figure out the best and most secure way to set up Windows service monitoring on a server that sits in our DMZ? I don't want to open up a bunch of ports in the firewall so it can be reached by WMI. I've considered using the agent, but I didn't know if that's what was recommended, or if that would even work? If someone has been able to successfully do this, I would love to hear how you did it. Thank you in advance for any input.

Thanks,

Matt

1 Solution

Hi there.  Although I have not implemented this, I was advised by our SolarWinds provider yesterday that the use of an agent deployed into the DMZ is the best way.  We are in the same situation and deploying the agent requires a single port to be opened on the firewall (according to them).

We also plan to deploy a similar method for our Azure VMs where access is only via the internet.

I hope this helps.


10 Replies

Thank you for your reply. I've been using the agent as well for the last two years and it works great. I'm monitoring between 20-30 vms now that run in our DMZ. Hope our success helps others who might be experiencing this same thing.


Since no one has tried this in their environment, I don't see this answer as correct.

I am still working on getting our servers in the DMZ to be monitored by SolarWinds.

Steps taken:

  1. On DMZ servers (DMZ.local) - SNMP services, go to security tab, added accepted community string
  2. traps tab, community name should be the same as community string
  3. firewall should have TCP ports 135, 161, 17777, 17778. UDP ports 162, 17778

AD domain side:

  1. From the Orion primary server, use Wireshark to check traffic from the primary server to the DMZ server. You can use this as an example:

(ip.addr== 10.10.10.1 && tcp.port == 17777) or 161 or 135 or try all of them.

  • If you get traffic, the firewall is letting traffic through.
  • Now, if you are using SNMPWalk, which is a 3rd party software in your SolarWinds folder, try to add the server IP address, port and community string and see if you get a reply.

[screenshot: SNMPWalk.png]

  • I am currently working with Jen from SolarWinds.  I will update you guys with the resolution.
  • CHEERS

UPDATE 1/15/2019

DMZ servers DNS should have a reference in yourdomain.com DNS (CNAME), such as, server01.dmz.local = server01.yourdomain.com

  1. In the SNMP service under Traps tab = your community string
  2. on server in DMZ
  • Or use the ip.addr == XX.XXX.XX.XXX && udp.port == 135

I have successfully added DMZ servers to SolarWinds monitoring without using the agent, but using SNMP and ICMP.
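The firewall, Wireshark and SNMPWalk checks in the steps above, as an added example that is not part of this thread or of SolarWinds' tooling: a stdlib-only Python script that tries a TCP handshake on each port from step 3, builds a Wireshark display filter equivalent to the one quoted, and sends a hand-encoded SNMPv2c GET for sysDescr.0 so the "do I get a reply" test can be run without SNMPWalk. The host 10.10.10.1 is the address from the quoted filter, the community string is a placeholder, the OID is the standard MIB-II sysDescr.0, and the filter relies on Wireshark's `in { }` set syntax.

```python
"""Reachability and SNMP checks for the steps above: TCP handshake per listed
port, a Wireshark display filter for the capture, and a hand-encoded SNMPv2c
GET so the SNMPWalk reply test works without third-party tools. Stdlib only."""
import socket

# Port list as the thread's step 3 gives it (constructed from the post; SNMP
# polling actually uses UDP 161, which snmp_get() below exercises).
TCP_PORTS = [135, 161, 17777, 17778]
UDP_PORTS = [162, 17778]
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"        # standard MIB-II sysDescr.0

def wireshark_filter(host, tcp_ports=TCP_PORTS, udp_ports=UDP_PORTS):
    """Display filter for the capture step: one host, every listed port."""
    tcp = " ".join(str(p) for p in tcp_ports)
    udp = " ".join(str(p) for p in udp_ports)
    return f"ip.addr == {host} && (tcp.port in {{{tcp}}} || udp.port in {{{udp}}})"

def check_tcp_ports(host, ports=TCP_PORTS, timeout=2.0):
    """True per port when firewall and service both accept a TCP handshake.
    UDP ports cannot be confirmed this way; use snmp_get() for 161."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

# --- minimal BER encoder/decoder for an SNMPv2c GetRequest / GetResponse ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def encode_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                  # base-128, high bit set on all but last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get(community, oid=SYS_DESCR_OID, request_id=1):
    """SNMPv2c GetRequest for one OID, the first packet an SNMP walk sends."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")            # OID + NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0)
              + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length (replies can exceed 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(data):
    """Return community, error-status and the first varbind value of a GetResponse."""
    _, msg, _ = read_tlv(data, 0)
    _, _, p = read_tlv(msg, 0)               # version
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    _, _, p = read_tlv(pdu, 0)               # request-id
    _, err, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)               # error-index
    _, vbl, _ = read_tlv(pdu, p)
    _, vb, _ = read_tlv(vbl, 0)
    _, _, p = read_tlv(vb, 0)                # OID
    vtag, value, _ = read_tlv(vb, p)
    return {"community": community.decode(errors="replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value_tag": vtag, "value": value}

def snmp_get(host, community, oid=SYS_DESCR_OID, port=161, timeout=2.0):
    """The SNMPWalk reply test by hand: parsed reply, or None on silence (wrong
    community string, closed UDP port, or firewall drop all look the same)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)

if __name__ == "__main__":
    host = "10.10.10.1"                      # the DMZ address from the thread's filter
    print(wireshark_filter(host))
    print(check_tcp_ports(host))
    print(snmp_get(host, "CHANGE-ME"))       # placeholder community string
```

Run it from the Orion poller. A port that comes back False is blocked either at the firewall or by the service not listening, and the capture from step 1 tells the two apart. `snmp_get` returning None only says that nothing answered: an SNMP agent stays silent on a wrong community string just as it does on a dropped packet, so check the community string on the Security tab before blaming the firewall. The TCP check cannot vouch for UDP 162 or 17778.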

Hello jqualls,

This all looks correct to me with one minor edit. The port 161 is UDP for SNMP.

I do think the agent (TCP 17777, 17778) will be a better solution long term, though; it will allow far more data types to be collected on Windows than SNMP will.

The agent install will be easiest if you can copy the installer to the server and run it locally. The deployment push of the agent would require additional firewall ports to be opened during install.

Hope that helps.

You’re on the right path and I expect you’ll have this working soon.

Thank you,

BillFitz


You can also configure monitored windows server to use only a selected few ports for WMI.

https://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2013/01/08/wmi-portap...


Using the Agent will help you solve your problem as designerfx stated. You can choose between server or client initiated communication, so you can even let Orion poll the Agent on a single port.

However, in this scenario I'd use the client initiated communication.

Thank you for your response, it is very much appreciated! I got the same information you did, that we need to open up :17790 in order for the agent to talk to Orion. I'm currently waiting on our Security team to make the firewall mod. I can let you know if it was successful once it is done if you'd like?

It doesn't *have* to be port 17790, you can pick a port and/or configure the agent locally to use a particular proxy. I've done this exactly as duncan.murray@capita.co.uk mentions for the same purpose - to monitor Azure VMs. However, in my case I wanted a single IP and a single port - so I had one of the VMs in each cloud serve as a proxy - and all the other agents were configured to use said VM as a proxy in order to send data back to onsite.

Brilliant, please let me know.  It's going to be the new year before we implement.

Duncan
