
Establish communication between the Solarwinds Automation server in the DMZ and the clients in the DMZ


I installed the Solarwinds Automation server in the DMZ. I need to open ports for communication between this Automation server and clients in the DMZ. To facilitate this communication, as per the Admin doc, I requested the Firewall team to open the following ports. Our Security Operations team reviewed the request and has raised the following concerns.


135
445 – According to Security team, Netbios is a security risk and should not be open. What functionality will be lost if this port is not opened?
Dynamic ports 1024-65536 – The Security team would like to know the need to open over 65,000 ports in a DMZ. What ports are actually necessary for SolarWinds to patch / collect information from servers?


It would help if someone can share their setup for the DMZ environment.

THANKS

  • If you have installed an Automation Server in the DMZ and need to communicate directly with the clients in the DMZ, the configuration is exactly the same as it would be for an Automation Server and clients on the internal network:

    - File Sharing must be enabled to deploy the WMI Providers

    - Windows Management Instrumentation rules on the host firewall must be enabled to allow inbound communications on port 135 and the dynamic WMI ports.

    I don't doubt your security team freaked out when you asked them to open 135/445 on the perimeter firewall.. and so they should! :-)

    The communication from the Primary Application Server to the DMZ Automation Server all occurs on a single port 4092 -- that is the only port that needs to be opened in the perimeter firewall separating the internal network from the DMZ network.

    It is exactly this reason that the Automation Server is deployed in the DMZ -- so that you do NOT have to open ports 135/445 and the WMI dynamic ports across the perimeter firewall.

  • Thank You. So based on your response, we need to open the following ports:


    Between Primary Application Server and DMZ automation server

    4092 – This port is currently opened

    Between DMZ automation server  and DMZ client servers

    135 -

    445 - for Print & File Sharing

    Dynamic ports 1024-65536


    Is it correct?

  • To add further, since the Automation server and the clients in the DMZ belong to the same DMZ domain, I am assuming the above ports are accessible between them. I'm not sure if my assumption is right, since I am seeing the following error message on the Patch Manager console (accessing the console from the PAS) for the DMZ clients. Can you please explain what's going on here?

    Name:
    Operating System:
    Type:
    Last Contact Time: 8/21/2013 1:33:36 AM
    Last Inventory Attempt Time: 9/20/2013 1:31:46 AM
    Failed Inventory Attempts: 30
    IP Address: xxx.xxx.xxx.xx
    Computer SID:
    SUS Client ID:
    Domain/Workgroup:
    Management Group:
    Device ID: 47781f0c-aea0-4b46-931e-e0e9e7d34dd4
    Site:
    Providers Installed: DontKnow
    Extension Provider Version: N/A
    Windows Update Provider Version: N/A
    Last DNS resolution attempt: Success
    Last ARP resolution attempt: Failed
    Last Endpoint Mapper connect attempt: Failed
    Last File and Printer Sharing connect attempt: Failed
    Last WMI connect attempt: Failed

    The following errors were detected or one or more datasources have exceptions:
    Exception occurred at 9/20/2013 1:34:04 AM: Unable to resolve the MAC address. Message:
    ICMP Ping succeeded.
    Unable to retrieve MAC address of xxx.xxx.xxx.xx. Error Code: 0x80004005 Message: GetMACAddress()::Error retrieving MAC address for xxx.xxx.xxx.xx. Error Code: 67
    Unable to resolve NetBIOS information on target. Message:
    Unable to retrieve NetBIOS domain name and computer name.
    Unable to connect to the endpoint mapper. Message: Unable to establish a TCP connection to the Microsoft Endpoint Mapper (Port 135)
    Unable to connect to the File and Print port. Message: Unable to connect to the NetBIOS (139) or NetBIOS over TCP/IP direct hosting (445) ports on xxx.xxx.xxx.xx and provisioning of the EminentWare provider requires the 'File and Print Sharing' exception to be enabled.
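    The console output above is a sequence of connectivity probes, and the same probes can be re-run by hand from the DMZ Automation Server to see which hop is blocked. The script below is an added example written for this thread, not SolarWinds code; `$Target` is a placeholder for the client's address. One thing it makes visible that the console does not say outright: the ARP/MAC step can only succeed when the two hosts share a subnet, because ARP never crosses a router, so that line alone is not evidence of a firewall problem. The three TCP probes and the WMI call are the ones that map to the ports the security team is being asked about.

```powershell
# Added example, not SolarWinds code: re-run from the DMZ Automation Server the
# checks that the Patch Manager console reported as failed for a DMZ client.
# $Target is an assumed placeholder; put the client's IP address or name here.
$Target    = 'xxx.xxx.xxx.xx'
$TimeoutMs = 3000

function Test-TcpPort {
    # Plain TCP connect with a timeout; nothing is sent to the service behind the port.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Failed (timeout)' }
        $client.EndConnect($async)
        return 'Success'
    } catch {
        return "Failed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Write-Check {
    # One line per probe, in the same order the console lists them
    param([string]$Name, [string]$Result)
    '{0,-36} {1}' -f $Name, $Result
}

# "Last DNS resolution attempt"
$ip = $null
try {
    $ip = [System.Net.Dns]::GetHostAddresses($Target) | Select-Object -First 1
    Write-Check 'DNS resolution' "Success ($($ip.IPAddressToString))"
} catch {
    Write-Check 'DNS resolution' 'Failed'
}

# "ICMP Ping succeeded" in the console output
try {
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Target, $TimeoutMs)
    Write-Check 'ICMP ping' $reply.Status
} catch {
    Write-Check 'ICMP ping' "Failed ($($_.Exception.Message))"
}

# "Last ARP resolution attempt": the neighbour cache only holds hosts on the same
# subnet, so an empty result here is expected when a router sits in between.
$lookup = if ($ip) { $ip.IPAddressToString } else { $Target }
$arp    = arp -a | Select-String -SimpleMatch $lookup
Write-Check 'ARP / MAC address' $(if ($arp) { 'Success' } else { 'Failed (no entry in ARP cache)' })

# The three TCP ports named in the error text
Write-Check 'RPC Endpoint Mapper (TCP 135)' (Test-TcpPort $Target 135 $TimeoutMs)
Write-Check 'NetBIOS session (TCP 139)'     (Test-TcpPort $Target 139 $TimeoutMs)
Write-Check 'SMB direct hosting (TCP 445)'  (Test-TcpPort $Target 445 $TimeoutMs)

# "Last WMI connect attempt": needs TCP 135 plus one dynamic RPC port (or the fixed WMI port)
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
    Write-Check 'WMI connect' "Success ($($os.Caption))"
} catch {
    Write-Check 'WMI connect' "Failed ($($_.Exception.Message))"
}
```

    Run it under the same account the Automation Server service uses, since the WMI probe is also an authentication test. If 135 succeeds but the WMI call fails, the dynamic RPC port is what is being dropped; if 135 itself fails, the corporate firewall between the two DMZ hosts is not yet passing the endpoint mapper.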

  • Between DMZ automation server  and DMZ client servers

    135 -

    445 - for Print & File Sharing

    Dynamic ports 1024-65536

    Is it correct?

    It is technically correct, but you're much better off to use the native Windows configuration tools than trying to custom configure the Windows Firewall.

    On the client system:

    - Enable file sharing in the Network and Sharing Center

    [screenshot: 9-20-2013 3-24-20 PM.png]

    - Open Windows Firewall with Advanced Security and enable the three rules for "Windows Management Instrumentation"

    [screenshot: 9-20-2013 3-27-10 PM.png]
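    The two GUI steps above (enable file sharing, enable the pre-defined "Windows Management Instrumentation" rules) can be done from an elevated prompt or pushed out by Group Policy startup script, which also allows one hardening step the GUI does not offer: scoping those inbound rules to the Automation Server's address only, so no other DMZ host gains WMI or SMB access to the client. The script is an added example for this thread, not SolarWinds code; `$AutomationServerIp` is an assumed placeholder.

```powershell
# Added example, not SolarWinds code. Run elevated on a DMZ client (or deliver the
# same netsh commands through a Group Policy startup script). It enables the two
# pre-defined Windows Firewall rule groups the Automation Server needs and scopes
# them to that server's address. $AutomationServerIp is an assumed placeholder.
$AutomationServerIp = '10.0.0.10'

# Rule groups that Windows itself defines; enabling them opens only what those
# features use (WMI: TCP 135 + dynamic RPC; File and Printer Sharing: TCP 139/445).
$groups = @(
    'Windows Management Instrumentation (WMI)',
    'File and Printer Sharing'
)

foreach ($g in $groups) {
    # Enable the inbound rules of the group and restrict their remote address to the
    # Automation Server so no other DMZ host can reach WMI or SMB on this client.
    netsh advfirewall firewall set rule group="$g" dir=in new enable=yes remoteip=$AutomationServerIp | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not update rule group '$g'" }
}

# File sharing also depends on the Server service, which the Network and Sharing
# Center toggle starts behind the scenes.
Set-Service -Name LanmanServer -StartupType Automatic
Start-Service -Name LanmanServer

# Verification. Windows 8 / Server 2012 and later have the NetSecurity cmdlets;
# older systems get the same answer from netsh using the pre-defined rule names.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    foreach ($g in $groups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
            Select-Object DisplayName, Enabled, Profile |
            Format-Table -AutoSize
    }
} else {
    $ruleNames = @(
        'Windows Management Instrumentation (WMI-In)',
        'Windows Management Instrumentation (DCOM-In)',
        'Windows Management Instrumentation (ASync-In)',
        'File and Printer Sharing (SMB-In)',
        'File and Printer Sharing (NB-Session-In)'
    )
    foreach ($r in $ruleNames) {
        netsh advfirewall firewall show rule name="$r" | Select-String 'Rule Name|Enabled|RemoteIP'
    }
}
```

    The `remoteip` scope is the part worth keeping even where the host firewall is the only control: it turns "WMI and file sharing are open" into "open to one management host", which is the answer a security review usually wants to hear.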

  • Thank You for your earlier response.

    Our security team is questioning opening over 65,000 ports; they want to know if the application can grab a few specific ports versus a huge dynamic range. Would using the native Windows configuration tools provide more security/benefit than configuring the Windows Firewall?


    Also, can you provide any info on the previous error message that I posted? I would like to know what the message is indicating.


    Thanks

  • I'm not quite understanding the issue over "opening 65000" ports.

    First, as noted, there is no requirement to open any ports in the perimeter firewall, other than port 4092 which allows the Patch Manager PAS to communicate with the Patch Manager Automation Role server in the DMZ.

    Second, there is no need to configure ports on the Windows Firewall of the individual machines. The only thing you need to do is enable the correct PRE-DEFINED Windows Firewall rules for Windows Management Instrumentation (as previously shown), and enable File Sharing. Both of these changes can be implemented via Group Policy.

    The RPC PortMapper (accessed via port 135) assigns a random port PER SESSION, and the Windows Firewall opens that port dynamically AS NEEDED when assigned by the RPC PortMapper.

    A full tutorial on how WMI and the RPC PortMapper work is really beyond the scope of this thread. You may find these resources helpful:

    Patch Manager Administrator Guide - Chapter 10: Managing WMI Client Connectivity

    How it Works (Troubleshooting RPC Errors) - a great overview on how the RPC Port Mapper works

    In some cases, it is desirable to limit the range of dynamic ports used by the RPC PortMapper for WMI.
    This article Setting Up a Fixed Port for WMI describes how to achieve that objective; however, I would suggest reviewing that entire chapter:

    Connecting to WMI on a Remote Computer
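    What "Setting Up a Fixed Port for WMI" amounts to, in commands, is the script below. It is an added example for this thread, not SolarWinds code or the text of the Microsoft article; `$AutomationServerIp` is an assumed placeholder, and 24158 is the endpoint Microsoft documents as the default once WMI runs in its own host. It first prints the dynamic range the RPC endpoint mapper actually uses on the client (on Vista / Server 2008 and later that default is 49152-65535, not 1024-65535), then moves WMI to the fixed port so the corporate firewall can be asked for TCP 135 plus one port instead of a range.

```powershell
# Added example, not SolarWinds code: move WMI onto the fixed TCP port described in
# Microsoft's "Setting Up a Fixed Port for WMI" so the firewall rule set can name
# one port instead of a dynamic range. Run elevated on each DMZ client.
# $AutomationServerIp is an assumed placeholder.
$AutomationServerIp = '10.0.0.10'
$WmiFixedPort       = 24158   # default endpoint used by 'winmgmt -standalonehost'

# 1. Show the dynamic range the RPC Endpoint Mapper hands out today; this is the
#    range the security team is currently being asked to allow.
netsh int ipv4 show dynamicport tcp

# 2. Run WMI in its own svchost with a fixed DCOM endpoint, then restart the service.
#    Restart-Service -Force also restarts services that depend on winmgmt.
winmgmt -standalonehost
Restart-Service -Name winmgmt -Force

# 3. Allow only the Automation Server to reach the endpoint mapper and the fixed port.
netsh advfirewall firewall add rule name="RPC Endpoint Mapper (TCP 135)" dir=in action=allow protocol=TCP localport=135 remoteip=$AutomationServerIp
netsh advfirewall firewall add rule name="WMI fixed port (TCP $WmiFixedPort)" dir=in action=allow protocol=TCP localport=$WmiFixedPort remoteip=$AutomationServerIp

# 4. Verify that WMI is now listening on the fixed port
netstat -ano -p tcp | Select-String ":$WmiFixedPort "

# To go back to the shared host and dynamic ports:
#   winmgmt -sharedhost ; Restart-Service -Name winmgmt -Force
```

    With this in place the Automation Server still needs TCP 135 to the client (that is where it learns the endpoint) plus TCP 24158, and nothing else for WMI; file sharing for provider deployment remains a separate 445/139 requirement. Step 2 interrupts WMI briefly, so schedule it like any service restart.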

  • Thank You so much for taking the time to provide detailed answers. I really appreciate it. It's been quite a challenge to understand and setup the DMZ environment.

    First, as noted, there is no requirement to open any ports in the perimeter firewall, other than port 4092 which allows the Patch Manager PAS to communicate with the Patch Manager Automation Role server in the DMZ.

    We understand the above and have opened the port 4092.

    Second, there is no need to configure ports on the Windows Firewall of the individual machines. The only thing you need to do is enable the correct PRE-DEFINED Windows Firewall rules for Windows Management Instrumentation (as previously shown), and enable File Sharing. Both of these changes can be implemented via Group Policy.

    In some cases, it is desirable to limit the range of dynamic ports used by the RPC PortMapper for WMI.
    This article Setting Up a Fixed Port for WMI describes how to achieve that objective; however, I would suggest reviewing that entire chapter:

    Connecting to WMI on a Remote Computer

    To clarify about our DMZ environment: by default, all client systems in the DMZ are standalone machines that do not communicate with each other. All ports on the network are blocked unless specified in our corporate firewall. The Windows Firewall is turned off. So, with this kind of DMZ setup, it is essential to specify the ports that need to be opened for communication between the DMZ automation server and DMZ clients. That is why the Security team is concerned when we provide them the dynamic port range. Hope this helps to answer the issue over opening 65,000 ports. It would be great if we can specify 1 port that will be used for WMI. I would like to know if the above option (Setting Up a Fixed Port for WMI) would solve our purpose?


    THANKS



  • It would be great if we can specify 1 port that will be used for WMI. I would like to know if the above option ( Setting Up a Fixed Port for WMI ) would solve our purpose?

    That is the intent of that article.

  • Thanks for the confirmation. This is very helpful and hopefully, Security team will approve and have no issues. I would suggest that this option should be part of the Admin doc where it talks about dynamic ports.

  • lalitha wrote:

    By default, all client systems in the DMZ are standalone machines that do not communicate with each other. All ports on the network are blocked unless specified in our corporate firewall. The windows firewall is turned off.

    Okay.. second part of this response....

    If the Windows Firewall is turned off, then there's nothing to configure on the clients:

    • By definition any machine on a *LAN* can communicate with any other machine on the *LAN* -- UNLESS there are firewalls implemented on those machines. So I'm not quite grasping this premise of "standalone machines that do not communicate with each other". Yes, it's likely that they don't actually do that, because they have no need to; but that does not mean that such capabilities are impossible.
    • Furthermore, there are certain network services that must require those machines communicate with something... for starters I would imagine every one of them needs to communicate with a DNS Resolver of some sort, and of course, each of those machines is communicating with the perimeter firewall.
    • If the Windows Firewall is off on all of the clients, then the RPC EndPoint Mapper is already available to the Automation Role server AND any one of those WMI Dynamic Ports can already be assigned without further consideration and there is nothing to be done by the security team other than opening port 4092 between the DMZ and the Internal LAN.