About discovering Windows servers from the MID server through a firewall.

Ryota
Tera Guru

Please tell me what to do for discovery when there is a firewall between the MID server and the target Windows server. The firewall has already been configured to permit communication on port 135 for WMI, but even when discovery is executed, it fails. Is there no choice but to put a new MID server inside the firewall?

1 ACCEPTED SOLUTION

Jim Palmer
ServiceNow Employee

It really depends on which type of discovery you are using: WMI or WinRM.

Regardless, both types require port 135 in Shazzam to determine that the target is Windows-based, but:

As noted by Rahul, WMI access requires port 135 to initiate the connection and then allocates a random higher port in the range for the actual work. I think older versions of Windows had an even bigger range...
Some firewalls can manage this somehow and dynamically open the correct port (I don't know how this is accomplished, but it does add an extra layer of security by only allowing point-to-point traffic rather than keeping entire ranges open between subnets).

But if using WinRM (remote PowerShell) you only need 2 ports in addition to 135: 5985 (HTTP) or 5986 (HTTPS). You still have to deal with setting the MID server as a trusted host and a raft of other permissions on the target and the MID (like managing TLS certificates, especially if using HTTPS), but I find it more reliable than WMI.

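As an added example (not part of Jim's answer and not ServiceNow's own MID server tooling), the following PowerShell checks the path the answer describes from the MID server host (135 for Shazzam, 5985 or 5986 for WinRM, a WS-Man handshake, the client-side TrustedHosts list, and the ephemeral range that the WMI path would need) and, for the target side, sets up a WinRM listener restricted to the MID server's address. The target hostname, the MID server IP and the certificate thumbprint are placeholder assumptions.

```powershell
# Added example, not from the original post or from ServiceNow's MID server code.
# Test-DiscoveryPath runs on the MID server host; Enable-DiscoveryWinRm runs on the
# target (elevated). Host names, MID server IP and certificate thumbprint are assumptions.

function Test-DiscoveryPath {
    param(
        [Parameter(Mandatory)][string]$Target,   # e.g. 'winsrv01.example.local' (assumed)
        [switch]$UseHttps                        # check 5986 instead of 5985
    )
    $r = [ordered]@{}

    # Shazzam (Discovery's port probe) classifies the host as Windows via TCP/135,
    # so both the WMI path and the WinRM path need it reachable through the firewall.
    $r['TCP/135 reachable'] = (Test-NetConnection -ComputerName $Target -Port 135 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # WinRM needs one of the two listener ports, matching the listener on the target.
    $port = if ($UseHttps) { 5986 } else { 5985 }
    $r["TCP/$port reachable"] = (Test-NetConnection -ComputerName $Target -Port $port `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # A WS-Man Identify round trip proves the service answers and TLS (if used) negotiates;
    # an open port alone does not.
    try {
        if ($UseHttps) { $null = Test-WSMan -ComputerName $Target -UseSSL -ErrorAction Stop }
        else           { $null = Test-WSMan -ComputerName $Target -ErrorAction Stop }
        $r['WS-Man identify'] = $true
    } catch {
        $r['WS-Man identify'] = $false
        $r['WS-Man error']    = $_.Exception.Message
    }

    # TrustedHosts is a client-side list on the MID server host: it must contain the target
    # (or a matching pattern) when Kerberos cannot be used, e.g. connecting by IP address or
    # across an untrusted domain. A bare '*' disables the check entirely; avoid it.
    $th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $r['Client TrustedHosts'] = if ($th) { $th } else { '(empty)' }

    # For the WMI path the target picks an ephemeral DCOM port after 135. Run this command
    # on the target to learn the range the firewall would have to allow (local value shown).
    $r['Local dynamic TCP range'] = (netsh int ipv4 show dynamicport tcp |
        Select-String 'Start Port|Number of Ports').Line -join '; '

    [pscustomobject]$r
}

function Enable-DiscoveryWinRm {
    param(
        [Parameter(Mandatory)][string]$MidServerIp,  # limit inbound rules to the MID server (assumed value)
        [string]$CertThumbprint                      # server-auth certificate for HTTPS; omit for HTTP only
    )
    # Starts the WinRM service, creates the HTTP listener on 5985 and a broad firewall rule.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck

    # The rule Enable-PSRemoting creates allows any source on the profile; disable it and
    # add rules scoped to the MID server address instead.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule

    if ($CertThumbprint) {
        # HTTPS listener on 5986. The certificate must chain to a CA the MID server trusts and
        # carry this host's name, otherwise Test-WSMan -UseSSL fails on the MID side.
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
            -CertificateThumbprint $CertThumbprint -Force | Out-Null
        New-NetFirewallRule -DisplayName 'WinRM HTTPS from MID server' -Direction Inbound `
            -Protocol TCP -LocalPort 5986 -RemoteAddress $MidServerIp -Action Allow | Out-Null
        # With HTTPS in place, remove the plaintext listener so credentials never cross the
        # firewall unencrypted.
        Get-ChildItem WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains 'Transport=HTTP' } |
            Remove-Item -Recurse -Force
    } else {
        New-NetFirewallRule -DisplayName 'WinRM HTTP from MID server' -Direction Inbound `
            -Protocol TCP -LocalPort 5985 -RemoteAddress $MidServerIp -Action Allow | Out-Null
    }
}

# Usage (MID server host):  Test-DiscoveryPath -Target 'winsrv01.example.local' -UseHttps
# Usage (target, elevated): Enable-DiscoveryWinRm -MidServerIp '10.0.1.20' -CertThumbprint '<thumbprint>'
```

If `TCP/135 reachable` is true but `TCP/5985` or `TCP/5986` is false, the firewall is the problem; if the port test passes but `WS-Man identify` fails, the listener, the certificate or authentication (TrustedHosts, Kerberos) on one of the two hosts is the problem, and no further firewall change will help.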

6 REPLIES


+1