How do I allow WMI traffic to pass through firewall?

I'm trying to allow WMI traffic to pass through our firewall from our internal network to our DMZ.

However, WMI uses port 135 for calls and then selects a random port. I have created a rule to allow traffic to pass through port 135 but am not sure how to go about then allowing traffic to pass through that additional random port.

Does anybody have any experience with this that can lend a hand?

Thanks in advance.

1 Solution

Accepted Solutions
sliedl
Level 14
Message 2 of 8

Re: How do I allow WMI traffic to pass through firewall?

Either set these 'random ports' to a known range via the Registry or open up all the ports that it could use.  That might be 1024-65535.  Look it up online and open that range of ports.

7 Replies

Re: How do I allow WMI traffic to pass through firewall?

You may want to limit the dynamic range to the WMI poller's IP address so that you don't open too wide a hole.

Mike
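As an added example (not code from this thread or from McAfee), the PowerShell below is what you would run on the DMZ host: it pins the RPC dynamic range through the Rpc\Internet registry values sliedl refers to, and scopes the host firewall to the poller address as Mike suggests. The poller IP and the port range are assumed placeholders; the perimeter firewall rule has to mirror the same source, port 135 and range, and the host needs a reboot before RPC honours the new values.

```powershell
# Added example: pin the RPC/WMI dynamic port range on the DMZ host and allow
# only the internal WMI poller to reach it. Run elevated; reboot afterwards.
param(
    [string]$PollerIp   = '10.0.0.25',   # constructed placeholder: internal poller
    [int]$RangeStart    = 5000,          # assumed range; pick one free on the host
    [int]$RangeEnd      = 5100
)

# Documented Microsoft key for firewall-friendly RPC port allocation.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# 'Ports' is a REG_MULTI_SZ of ranges; the two 'Y' flags make the endpoint
# mapper hand out dynamic endpoints from that list only.
Set-ItemProperty -Path $rpcKey -Name 'Ports' -Value @("$RangeStart-$RangeEnd") -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -Value 'Y' -Type String

# Host firewall: endpoint mapper (135) plus the pinned range, from the poller only.
# Anything else on the internal network still gets no path to WMI on this host.
New-NetFirewallRule -DisplayName 'WMI endpoint mapper from poller' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $PollerIp -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'WMI RPC dynamic range from poller' `
    -Direction Inbound -Protocol TCP -LocalPort "$RangeStart-$RangeEnd" `
    -RemoteAddress $PollerIp -Action Allow | Out-Null

# Read back what was set so the change can be checked before the reboot.
Get-ItemProperty -Path $rpcKey |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Get-NetFirewallRule -DisplayName 'WMI *from poller' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

After the reboot, a WMI query from the poller should show up on the DMZ host as a connection to 135 followed by one to a port inside the pinned range; a connection attempt outside that range means the registry values were not picked up.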

Re: How do I allow WMI traffic to pass through firewall?

Is there a way to set up a proxy for WMI so I don't have to open thousands of ports?

PhilM
Level 14
Message 5 of 8

Re: How do I allow WMI traffic to pass through firewall?

I don't believe so. It's a lot like RPC (another Microsoft service, unsurprisingly) which also wants to operate over a large range of seemingly-random ports.

As Sam recommended, and you'll probably find that a Google search will come up with some answers, there is likely to be an option to implement a registry change which will force WMI to use a more firewall-friendly range of static ports. Once you have decided upon the range to use, then creating a rule to allow them to pass shouldn't be too complex.

-Phil.

mcoy
Level 7
Message 6 of 8

Re: How do I allow WMI traffic to pass through firewall?

Hi,

Sorry Phil, but Readysetgo is right. Lack of support for MS RPC is a serious problem. But the fact is (I love MFE), other vendors can deal with Microsoft dce-rpc (Checkpoint).

Regards,

mcoy

(sorry for my English, I'm working on it)

PhilM
Level 14
Message 7 of 8

Re: How do I allow WMI traffic to pass through firewall?

Don't worry mcoy, your English is OK and I can understand you with no problem.

It may be better for a McAfee product person to answer your point.

But, does the fact that another Firewall vendor is able to handle RPC necessarily make it right, or better - or secure?

Ultimately the smaller the number of ports you have to open through your Firewall the more control you have over your network security. If you consider that protocols such as HTTP, SSH, SMTP etc... can all potentially handle thousands of connections over 1 (maybe 2) ports, why do Microsoft services, such as RPC and WMI, require such a large range of (random) ports to be open by default?

The fact that it is possible to change the registry on the server and lock this down to a much smaller range, and the service will still work, suggests that it is possible to do so in the first place - so why don't they operate like this by default?

Also, you will find that for many RFC-compliant protocols, the defined port number is based on the original client-side connection. But with Microsoft services such as RPC and WMI they want the server/destination host to be in control of the port number and for that host to then open a random series of ports over 1024.

Much of Firewall Enterprise's security is based on adhering to the agreed RFC standards for its core services. I have just tried to find an RFC for Microsoft RPC and can't seem to find one. The same applied for many years regarding NAT-T for IPSec VPNs. Many other vendors adopted NAT-T long before McAfee did. But I don't believe it was included in MFE until the RFC had been formally agreed. Again, a McAfee guy may be in a better position to confirm this point.

-Phil.

mtuma
Level 13
Message 8 of 8

Re: How do I allow WMI traffic to pass through firewall?

Hello,

I think PhilM has many good points. Microsoft does tend to "do their own thing" without regard to standards or RFCs. It would be difficult for McAfee to identify exactly how Microsoft chooses its random ports (in order to dynamically open them on the firewall) just to have Microsoft change the behavior of WMI.

Having said all that, I think it would be good for our PM and engineering groups to be aware of this (if they are not already). Please feel free to file an enhancement request at the following URL:

https://mcafee.acceptondemand.com/

-Matt
