WMI Collector and Firewalls

  • 3682567
  • 23-May-2007
  • 26-Apr-2012

Environment


Sentinel 5.1.3
Sentinel 5.1.x
Sentinel 4.2.xx

Situation

How to allow the WMI collector to communicate through a firewall.

Resolution

The best solution at the time of writing is to restrict the ports that DCOM itself can use. The following URL explains the registry changes necessary to do so:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

Once those settings are in place, the firewall can be configured to allow communication through the ports configured by the registry settings (135, and any others that have been configured).
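The following is an added example, not part of the original article or of Sentinel itself. It shows one way to apply the port restriction on a monitored Windows host from an elevated PowerShell session. The key and value names are the ones Microsoft documents for limiting dynamic RPC/DCOM ports. The range 5000-5100 and the variable names are assumptions chosen for illustration.

```powershell
# Added example: pin the dynamic RPC/DCOM port range on a monitored host so that
# the firewall only has to allow TCP 135 plus one known range.
# Run elevated. The host must be restarted before the new range takes effect.

$PortRange = '5000-5100'    # assumption: sample range, pick one for your site
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Create the key if it does not exist yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Ports (REG_MULTI_SZ): one port or one range per string.
New-ItemProperty -Path $KeyPath -Name 'Ports' `
    -PropertyType MultiString -Value @($PortRange) -Force | Out-Null

# PortsInternetAvailable (REG_SZ) = Y: the ports listed in 'Ports' are the
# ones made available through the firewall.
New-ItemProperty -Path $KeyPath -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# UseInternetPorts (REG_SZ) = Y: dynamic endpoints are allocated from that list
# by default.
New-ItemProperty -Path $KeyPath -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# Read the values back so the change can be checked before the restart.
$cfg = Get-ItemProperty -Path $KeyPath
$cfg | Select-Object Ports, PortsInternetAvailable, UseInternetPorts | Format-List

# Print the inbound TCP ports the firewall must allow from the collector
# manager to this host: the fixed endpoint mapper port plus the pinned range.
$allow = @('135') + @($cfg.Ports)
foreach ($p in $allow) {
    Write-Output ("allow tcp  <collector manager> -> {0} : {1}" -f $env:COMPUTERNAME, $p)
}
```

Keep the firewall rule scoped to the collector manager's address as the source rather than opening the range to all hosts.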

Additional Information

When a collector manager is deployed at one location and the servers being monitored are at remote sites, a firewall will often separate the two. Because WMI relies on an RPC call to negotiate a DCOM port, opening just port 135 is not sufficient. Port 135 is used only for the locator service. Once RPC has been located, communication switches to a randomly allocated high TCP port. Both port 135 and whatever range has been specified must be allowed through the firewall.