About discovering Windows servers from a MID server through a firewall.

Ryota
Tera Guru

Please tell me what to do for Discovery when there is a firewall between the MID server and the target Windows server. The firewall has already been set to permit communication on port 135 for WMI, but even when Discovery is executed, it fails. Is there no choice but to put a new MID server inside the firewall?

1 ACCEPTED SOLUTION

Jim Palmer
ServiceNow Employee

It really depends on which type of discovery you are using: WMI or WinRM.

Regardless, both types require port 135 in Shazzam to determine that the target is Windows-based, but:

As noted by Rahul, WMI access requires port 135 to initiate the connection and then allocates a random higher port in the range for the actual work. I think older versions of Windows had an even bigger range...
Some firewalls can manage this somehow and dynamically open the correct port (I don't know how this is accomplished, but it does add an extra layer of security by only allowing point-to-point traffic rather than keeping entire ranges open between subnets).

But if using WinRM (remote PowerShell) you only need 2 ports in addition to 135: 5985 (HTTP) or 5986 (HTTPS). You still have to deal with setting the MID server as a trusted host and a raft of other permissions on the target and the MID (like managing TLS certificates, especially if using HTTPS), but I find it more reliable than WMI.

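The WinRM-over-HTTPS setup the accepted answer alludes to (listener, certificate, firewall opening scoped to the MID server), as an added example that is not part of the original post or of ServiceNow's own tooling. Assumed values: the MID server sits at 10.0.1.15, the target's FQDN is win-app01.corp.example, and a server-authentication certificate for that name is already in the machine store. Run it elevated on the target Windows server.

```powershell
# Added example (not from the original post): prepare a Windows target for
# Discovery over WinRM/HTTPS (5986) and open that port only to the MID server.
# Assumed values: MID server 10.0.1.15, target FQDN win-app01.corp.example,
# a server-auth certificate with that CN already in Cert:\LocalMachine\My.
$midServerIp = '10.0.1.15'
$targetFqdn  = 'win-app01.corp.example'

# 1. Enable the WinRM service and its default HTTP listener (5985).
Enable-PSRemoting -Force

# 2. Pick a certificate whose subject matches the name the MID server will
#    connect to. A hostname mismatch is a common cause of 5986 failures
#    even when the port itself is reachable.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$targetFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for CN=$targetFqdn in LocalMachine\My" }

# 3. Create the HTTPS listener bound to that certificate, if one does not exist.
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $httpsListener) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet   @{ Hostname = $targetFqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
}

# 4. Allow 5986 inbound from the MID server address only, not from any source.
$ruleName = 'WinRM HTTPS from MID server'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress $midServerIp -Action Allow | Out-Null
}

# 5. Once HTTPS is confirmed working, the plaintext HTTP listener can be dropped:
# Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTP' }

# 6. Show what the service now exposes, for review.
winrm enumerate winrm/config/Listener
Get-ChildItem WSMan:\localhost\Service\Auth

# On the MID server side, verify the listener and certificate from the client
# that will actually connect (the Discovery credential goes in $cred):
#   $cred = Get-Credential
#   Test-WSMan -ComputerName $targetFqdn -UseSSL -Credential $cred -Authentication Negotiate
# TrustedHosts is a WinRM *client* setting on the machine that initiates the
# connection, i.e. the MID server, and is only needed when Kerberos cannot be
# used (non-domain target or connecting by IP address):
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value $targetFqdn -Concatenate -Force
```

The firewall rule is scoped to the MID server's address on purpose: 5986 carries an authenticated remote shell, so it should not be reachable from arbitrary hosts. Port 135 still has to be open from the MID server for the Shazzam classification step the answer describes, but with WinRM the dynamic high-port range is not needed for the actual data collection.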


Rahul Priyadars
Giga Sage

For Windows discovery, apart from port 135 you also need to open higher ports for further WMI calls.

Check that WMI port 135 and the port range 49152 - 65535 are open.

  • Validate that the ServiceNow Discovery WMI ports between the MID Server and the remote Windows host are open (in the Windows Firewall and/or any firewall between the MID Server and the Windows host). ServiceNow Discovery uses WMI for discovery, therefore port 135 from the MID Server to the remote Windows host must be open for initial communication AND high ports 49152 - 65535 must be open for the remainder of the communication. Even though this is a large range of open ports, only a portion of this range is dynamically allocated.
  • If Steps 1 (validated credential) and 2 (validated WMI ports are open) have been completed successfully, then I suggest troubleshooting the Windows Host itself.

Refer to this article - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0868224

Regards

RP
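A check for the WMI path described above, run from the MID server, as an added example that is not part of the original post or of the linked KB article. It tests port 135, then attempts a real WMI query over DCOM (which exercises the dynamic high port), and finally reads the target's RPC dynamic port range so the firewall request can be stated precisely. Assumed values: the target is 10.0.2.20 and the Discovery credential is entered at the prompt.

```powershell
# Added example (not from the original post): diagnose the WMI/DCOM path from
# the MID server to a Windows target. Assumed values: target 10.0.2.20 and an
# interactively supplied Discovery credential.
$target = '10.0.2.20'
$cred   = Get-Credential -Message "Discovery credential for $target"

# 1. The RPC endpoint mapper (135/tcp) must be reachable first; without it
#    neither Shazzam classification nor WMI gets started.
$epm = Test-NetConnection -ComputerName $target -Port 135 -WarningAction SilentlyContinue
"135/tcp reachable: $($epm.TcpTestSucceeded)"

# 2. Make a real WMI call over DCOM. After the 135 handshake the endpoint mapper
#    hands back a dynamic high port; a failure here with 135 open is the
#    classic sign that the high-port range is blocked by the firewall.
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $target -Credential $cred `
        -SessionOption $dcom -ErrorAction Stop
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
    "WMI over DCOM OK: $($os.Caption) build $($os.BuildNumber)"
    Remove-CimSession $session
} catch {
    "WMI over DCOM FAILED: $($_.Exception.Message)"
}

# 3. Read the target's RPC dynamic range. Default since Windows Vista/2008 is
#    start 49152 with 16384 ports, i.e. 49152-65535, which is the range the
#    KB article asks to open. This uses WinRM to reach the target; if that is
#    not available, run the netsh line locally on the target instead.
try {
    Invoke-Command -ComputerName $target -Credential $cred -ErrorAction Stop -ScriptBlock {
        netsh int ipv4 show dynamicport tcp
    }
} catch {
    "Could not read dynamic port range remotely: $($_.Exception.Message)"
}

# If the customer will not open 49152-65535, the range can be narrowed on the
# target (elevated, reboot required), e.g. to 50000-50999, so the firewall
# rule covers only that window. This affects every RPC-based service on the
# host, not just WMI, so it needs agreement from the server owner:
#   netsh int ipv4 set dynamicport tcp start=50000 num=1000
```

Step 2 is the decisive test: Discovery's own "Active, couldn't classify: No WMI connection" style failures with 135 open nearly always reproduce here as a DCOM/RPC error, while a plain 135 reachability check passes.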


Thanks for the quick response.

We understand that ports are dynamically assigned from the high ports 49152 to 65535, but due to customer restrictions, opening a wide range of ports on the firewall is not allowed. By the way, does Discovery using WinRM also use dynamic ports?

In the case of WinRM you do not need that big a range of ports.

Regards

RP

chuckm
Giga Guru

Ryota,

Community articles that might be helpful, with diagrams (showing ports) and how to validate credentials with RDP:

I am getting this error Active Couldn't Classify

Active, couldn't classify: No WMI connec

Want to understand behind the scenes of how 'Credential test' link works for Discovery