10 Replies Latest reply on Sep 23, 2013 3:08 PM by Lawrence Garvin

    Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ

    lalitha


      I installed the Solarwinds Automation server in the DMZ. I need to open ports for communication between this Automation server and clients in the DMZ. To facilitate this communication, as per the Admin doc, I requested the Firewall team to open the following ports. Our Security Operations team reviewed the request and have raised the following concerns.


      135
      445 – According to the Security team, NetBIOS is a security risk and should not be open. What functionality will be lost if this port is not opened?
      Dynamic ports 1024-65536 – Security team would like to know the need to open over 65,000 ports in a DMZ. What ports are actually necessary for SolarWinds to patch / collect information from servers.


      It would help if someone can share their setup for the DMZ environment.

       

      THANKS

        • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
          Lawrence Garvin

          If you have installed an Automation Server in the DMZ and need to communicate directly with the clients in the DMZ, the configuration is exactly the same as it would be for an Automation Server and clients on the internal network:

          - File Sharing must be enabled to deploy the WMI Providers

          - Windows Management Instrumentation rules on the host firewall must be enabled to allow inbound communications on port 135 and the dynamic WMI ports.

           

          I don't doubt your security team freaked out when you asked them to open 135/445 on the perimeter firewall... and so they should! :-)

          The communication from the Primary Application Server to the DMZ Automation Server all occurs on a single port 4092 -- that is the only port that needs to be opened in the perimeter firewall separating the internal network from the DMZ network.

          It is exactly for this reason that the Automation Server is deployed in the DMZ -- so that you do NOT have to open ports 135/445 and the WMI dynamic ports across the perimeter firewall.

            • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
              lalitha

              Thank You. So based on your response, we need to open the following ports:


              Between Primary Application Server and DMZ automation server

              4092 – This port is currently opened

               

              Between DMZ automation server  and DMZ client servers

              135 -

              445 - for Print & File Sharing

              Dynamic ports 1024-65536


              Is it correct?

                • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
                  lalitha

                  To add further, since the Automation server and the Clients in the DMZ belong to the same DMZ domain, I am assuming the above ports are accessible between them. Not sure if my assumption is right since I am seeing the following error message on the Patch Manager console (accessing the console from PAS) for the DMZ clients... can you please explain what's going on here?

                   

                  Name:
                  Operating System:
                  Type:
                  Last Contact Time: 8/21/2013 1:33:36 AM
                  Last Inventory Attempt Time: 9/20/2013 1:31:46 AM
                  Failed Inventory Attempts: 30
                  IP Address: xxx.xxx.xxx.xx
                  Computer SID:
                  SUS Client ID:
                  Domain/Workgroup:
                  Management Group:
                  Device ID: 47781f0c-aea0-4b46-931e-e0e9e7d34dd4
                  Site:
                  Providers Installed: DontKnow
                  Extension Provider Version: N/A
                  Windows Update Provider Version: N/A
                  Last DNS resolution attempt: Success
                  Last ARP resolution attempt: Failed
                  Last Endpoint Mapper connect attempt: Failed
                  Last File and Printer Sharing connect attempt: Failed
                  Last WMI connect attempt: Failed

                  The following errors were detected or one or more datasources have exceptions:
                  Exception occurred at 9/20/2013 1:34:04 AM: Unable to resolve the MAC address. Message: ICMP Ping succeeded. Unable to retrieve MAC address of xxx.xxx.xxx.xx. Error Code: 0x80004005 Message: GetMACAddress()::Error retrieving MAC address for xxx.xxx.xxx.xx. Error Code: 67
                  Unable to resolve NetBIOS information on target. Message: Unable to retrieve NetBIOS domain name and computer name.
                  Unable to connect to the endpoint mapper. Message: Unable to establish a TCP connection to the Microsoft Endpoint Mapper (Port 135)
                  Unable to connect to the File and Print port. Message: Unable to connect to the NetBIOS (139) or NetBIOS over TCP/IP direct hosting (445) ports on xxx.xxx.xxx.xx and provisioning of the EminentWare provider requires the 'File and Print Sharing' exception to be enabled.

                  • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
                    Lawrence Garvin

                    Between DMZ automation server  and DMZ client servers

                    135 -

                    445 - for Print & File Sharing

                    Dynamic ports 1024-65536

                     

                    Is it correct?

                    It is technically correct, but you're much better off using the native Windows configuration tools than trying to custom-configure the Windows Firewall.

                    On the client system:

                    - Enable file sharing in the Network and Sharing Center

                    [screenshot: 9-20-2013 3-24-20 PM.png]

                    - Open Windows Firewall with Advanced Security and enable the three rules for "Windows Management Instrumentation"

                    [screenshot: 9-20-2013 3-27-10 PM.png]
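The two client-side steps above, plus a probe that reproduces the connectivity fields from the console error message quoted earlier in the thread, as an added example. This is not code from the thread or from SolarWinds; it assumes Windows Server 2012 / Windows 8 or later (NetSecurity and CIM cmdlets), an elevated Windows PowerShell session, and the function name, parameter names and the placeholder hostname are my own.

```powershell
# Added example, not from the thread or from SolarWinds. Two halves:
#   1. on each DMZ client: enable the predefined rule groups rather than hand-built port rules
#   2. on the DMZ Automation Server: probe a client the way the Patch Manager console's
#      connectivity fields do (ping, ARP, 135, 139/445, WMI over DCOM)
# Assumes Windows Server 2012 / Windows 8 or later and an elevated Windows PowerShell session.

# ---- 1. Client side ----
# "Windows Management Instrumentation (WMI)" carries the three inbound rules the screenshot
# shows (DCOM-In on 135, WMI-In on the RPC dynamic port, ASync-In) plus WMI-Out.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Show what was actually switched on (Enabled should read True for each rule).
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Select-Object DisplayName, Direction, Enabled, Profile

# ---- 2. Automation Server side: reproduce the console's connectivity checks ----
function Test-DmzClientReachability {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ Computer = $ComputerName }
    $result.IcmpPing = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # DNS first; the console reported "Success" here.
    $ip = [System.Net.Dns]::GetHostAddresses($ComputerName) |
          Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
    $result.DnsResolved = [bool]$ip

    # ARP only resolves on the local subnet: a routed DMZ segment shows "Failed" here
    # even when everything else works, which matches the MAC-address error in the thread.
    $result.ArpEntry = $false
    if ($ip) {
        $result.ArpEntry = [bool](Get-NetNeighbor -IPAddress $ip.IPAddressToString -ErrorAction SilentlyContinue |
                                  Where-Object State -ne 'Unreachable')
    }

    # Endpoint mapper (135) and File and Printer Sharing (139/445), the two TCP
    # probes the console runs before it tries WMI at all.
    foreach ($port in 135, 139, 445) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tcp.TcpTestSucceeded
    }

    # Patch Manager talks WMI over DCOM, so test with a DCOM CIM session rather than
    # the WinRM transport New-CimSession uses by default; a WinRM success would prove nothing.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cim = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
        $os  = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Wmi = "OK: $($os.Caption)"
        Remove-CimSession $cim
    } catch {
        $result.Wmi = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage from the Automation Server (hostname is a placeholder):
Test-DmzClientReachability -ComputerName 'dmz-web01' | Format-List
```

Run the first half on a client and the second from the Automation Server; a row that shows IcmpPing True, Tcp135 False and Tcp445 False is the corporate firewall, not the Windows Firewall, which is the situation described later in the thread.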

                      • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
                        lalitha

                        Thank You for your earlier response.

                         

                        Our security team is questioning opening over 65000 ports; they want to know if the application can grab a few specific ports versus a huge dynamic range. Would using the native Windows configuration tools provide more security/benefit than configuring the Windows Firewall?


                        Also, can you provide any info on the previous error message that I posted? I would like to know what the message is indicating.


                        Thanks

                          • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
                            Lawrence Garvin

                            I'm not quite understanding the issue over "opening 65000" ports.

                             

                            First, as noted, there is no requirement to open any ports in the perimeter firewall, other than port 4092 which allows the Patch Manager PAS to communicate with the Patch Manager Automation Role server in the DMZ.

                             

                            Second, there is no need to configure ports on the Windows Firewall of the individual machines. The only thing you need to do is enable the correct PRE-DEFINED Windows Firewall rules for Windows Management Instrumentation (as previously shown), and enable File Sharing. Both of these changes can be implemented via Group Policy.

                             

                            The RPC PortMapper (accessed via port 135) assigns a random port PER SESSION, and the Windows Firewall opens that port dynamically AS NEEDED when assigned by the RPC PortMapper.

                             

                            A full tutorial on how WMI and the RPC PortMapper works is really beyond the scope of this thread. You may find these resources helpful:

                            Patch Manager Administrator Guide - Chapter 10: Managing WMI Client Connectivity

                            How it Works (Troubleshooting RPC Errors) - a great overview on how the RPC Port Mapper works

                             

                            In some cases, it is desirable to limit the range of dynamic ports used by the RPC PortMapper for WMI.
                            This article Setting Up a Fixed Port for WMI describes how to achieve that objective; however, I would suggest reviewing that entire chapter:

                            Connecting to WMI on a Remote Computer
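The fixed-port approach he links to, applied to a DMZ client, as an added example (not code from the thread or from SolarWinds' or Microsoft's documentation). It assumes Windows Server 2012 or later and an elevated Windows PowerShell session on the client; 24158 is the port WMI binds to in standalone-host mode, and the firewall rule name and function name are my own.

```powershell
# Added example, not from the thread or from SolarWinds. Pins WMI to one TCP port so the
# corporate firewall rule between the DMZ Automation Server and a DMZ client can name
# 135 + 445 + 24158 instead of the whole RPC dynamic range.
# Assumes Windows Server 2012 or later and an elevated Windows PowerShell session.

$WmiFixedPort = 24158   # WMI's default port in standalone-host mode

# 1. Move the WMI service out of the shared svchost so it can own a fixed port,
#    then bounce it (the same effect as "net stop winmgmt" / "net start winmgmt").
& winmgmt -standalonehost
Restart-Service -Name winmgmt -Force

# 2. Allow the fixed port in. Port 135 stays open: the client still answers the
#    endpoint-mapper query there, it just always answers with 24158 for WMI.
New-NetFirewallRule -DisplayName "WMI fixed port $WmiFixedPort" -Direction Inbound `
    -Protocol TCP -LocalPort $WmiFixedPort -Action Allow -Profile Any

# 3. Verify that it is the WMI service, and not something else, listening on that port.
function Test-WmiFixedPort {
    param([int]$Port = 24158)
    $svcPid   = (Get-CimInstance -ClassName Win32_Service -Filter "Name='winmgmt'").ProcessId
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port           = $Port
        Listening      = [bool]$listener
        OwnedByWinmgmt = [bool]($listener | Where-Object OwningProcess -eq $svcPid)
    }
}
Test-WmiFixedPort -Port $WmiFixedPort

# To undo: '& winmgmt -sharedhost; Restart-Service winmgmt -Force' puts WMI back in the shared host.

# Alternative if the security team would rather keep a narrow range than a single port:
# shrink the ephemeral range instead. Since Vista / Server 2008 the default is already
# 49152-65535, not 1024-65535; this pins it to 1,000 ports.
#   netsh int ipv4 set dynamicport tcp start=49152 num=1000
```

Test-WmiFixedPort should report Listening and OwnedByWinmgmt both True; if Listening is True but OwnedByWinmgmt is False, another service grabbed the port before winmgmt restarted and the fixed port is not actually in effect.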

                              • Re: Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ
                                lalitha

                                Thank You so much for taking the time to provide detailed answers. I really appreciate it. It's been quite a challenge to understand and setup the DMZ environment.

                                First, as noted, there is no requirement to open any ports in the perimeter firewall, other than port 4092 which allows the Patch Manager PAS to communicate with the Patch Manager Automation Role server in the DMZ.

                                We understand the above and have opened the port 4092.

                                Second, there is no need to configure ports on the Windows Firewall of the individual machines. The only thing you need to do is enable the correct PRE-DEFINED Windows Firewall rules for Windows Management Instrumentation (as previously shown), and enable File Sharing. Both of these changes can be implemented via Group Policy.

                                 

                                In some cases, it is desirable to limit the range of dynamic ports used by the RPC PortMapper for WMI.
                                This article Setting Up a Fixed Port for WMI describes how to achieve that objective; however, I would suggest reviewing that entire chapter:

                                Connecting to WMI on a Remote Computer

                                To clarify about our DMZ environment - by default, all client systems in the DMZ are standalone machines that do not communicate with each other. All ports on the network are blocked unless specified in our corporate firewall. The Windows Firewall is turned off. So, with this kind of DMZ setup, it is essential to specify the ports that need to be opened for communication between the DMZ automation server and DMZ clients. That is why the Security team is concerned when we provide them the dynamic port range... Hope this helps to answer the issue over opening 65000 ports. It would be great if we could specify 1 port that will be used for WMI. I would like to know if the above option (Setting Up a Fixed Port for WMI) would solve our purpose?


                                THANKS