7 Replies Latest reply on Apr 15, 2012 11:32 AM by mtuma

    How do I allow WMI traffic to pass through firewall?

      I'm trying to allow WMI traffic to pass through our firewall from our internal network to our DMZ.

       

      However, WMI uses port 135 for calls and then selects a random port. I have created a rule to allow traffic to pass through port 135 but am not sure how to go about then allowing traffic to pass through that additional random port.

       

       

      Does anybody have any experience with this that can lend a hand?

       

       

       

      Thanks in advance.

        • 1. Re: How do I allow WMI traffic to pass through firewall?
          sliedl

          Either set these 'random ports' to a known range via the Registry or open up all the ports that it could use.  That might be 1024-65535.  Look it up online and open that range of ports.

          • 2. Re: How do I allow WMI traffic to pass through firewall?
            firemtn

            You may want to limit the dynamic range to the WMI poller's IP address so that you don't open too wide a hole.

             

            Mike

            1 of 1 people found this helpful
            • 3. Re: How do I allow WMI traffic to pass through firewall?

              Is there a way to setup a proxy for WMI so I don't have to open thousands of ports?

              • 4. Re: How do I allow WMI traffic to pass through firewall?
                PhilM

                I don't believe so. Its a lot like RPC (another Microsoft service, unsurprisingly) which also wants to operate over a large range of seemingly-random ports.

                 

                As Sam recommended, and you'll probably find that a Google search with come up with some answers, there is likely to be an option to implement a registry change which will force WMI to use a more firewall-friendly range of static ports. Once you have decided upon the range to use, then creating a rule to allow them to pass shouldn't be too complex.

                 

                -Phil.

                1 of 1 people found this helpful
                • 5. Re: How do I allow WMI traffic to pass through firewall?
                  mcoy

                  Hi,

                   

                  Sorry Phil, but Readysetgo has right. Lack of support for MS RPC is a serious problem. But the fact  is (I love MFE), other vendors can deal with Microsoft dce-rpc (Checkpoint).

                   

                  Regards,

                  mcoy

                   

                  (sorry for my english I'm working on it)

                  • 6. Re: How do I allow WMI traffic to pass through firewall?
                    PhilM

                    Don't worry mcoy, your English is OK and I can understand you with no problem.

                     

                    It may be better for a McAfee prodoct person to answer your point.

                     

                    But, does the fact that another Firewall vendor is able to handle RPC necessarily make it right, or better - or secure?

                     

                    Ultimately the smaller the number of ports you have to open through your Firewall the more control you have over your network security. If you consider that protocols such as HTTP, SSH, SMTP etc... can all potentially handle thousands of connections over 1 (maybe 2) ports, why do Microsoft services, such as RPC and WMI require such as large range of (random) ports to be open by default?

                     

                    The fact that it is possible to change the registry on the server and lock this down to a much smaller range, and the service will still work, suggests that it is possible to do so in the first place - so why don't they operate like this by default?

                     

                    Also, you will find that for many RFC-compliant protocols, the defined port number is based on the original client-side connection. But with Microsoft services such as RPC and WMI they want server/destination host to be in control of the port number and for that host to then open a random series of ports over 1024.

                     

                    Much of Firewall Enterprise's security is based on adhering to the agreed RFC standards for its core services. I have just tried to find an RFC for Microsoft RPC and can't seem to find one. The same applied for many years regarding NAT-T for IPSec VPNs. Many other vendors adopted NAT-T long before McAfee did. But I don't believe it was included in MFE until the RFC had been formally agreed. Again, a McAfee guy may be in a better position to confirm this point.

                     

                    -Phil.

                    • 7. Re: How do I allow WMI traffic to pass through firewall?

                      Hello,

                       

                      I think PhilM has many good points. Microsoft does tend to "do their own thing" without regards to standards or RFCs. It would be difficult for McAfee to identify exactly how Microsoft chooses it's random ports (in order to dynamically open them on the firewall) just to have Microsoft change the behavior of WMI.

                       

                      Having said all that, I think it would be good for our PM and engineering groups to be aware of this (if they are not already). Please feel free to file an enhancement request at the following URL:

                       

                      https://mcafee.acceptondemand.com/

                       

                      -Matt