How do I discover (horizontal) a Windows server behind a NAT?
01-24-2022 04:56 PM
I am attempting to discover a Windows server which is behind a NAT. I get the message "(IP) is not a reachable host (no response to target ports scanned by MID)." Firewall rules are open to allow discovery.
Any guidance or suggestion would be appreciated.
Thanks. Tammy
Labels: Discovery, Orchestration (ITOM)
08-04-2025 03:58 AM
Hi @tammykuhns ,
As per my understanding, this is why it happens:
* The Discovery MID Server always scans the target by its IP address.
* If the target is behind a NAT (e.g., private network), the IP it sees internally is not routable from the MID Server.
* Even if firewall rules are open, if the MID can’t see the private IP directly (no route), it can’t scan it — leading to:
"(IP) is not a reachable host (no response to target ports scanned by MID)"
Solution / options
1. Place the MID Server inside the NATed network
* Easiest and most reliable.
* Install a MID Server on a VM or server inside the private network (same VLAN / subnet or routable).
* Discovery will then be able to reach the private IP directly.
2. Configure NAT to forward ports to the target server
* If placing MID Server inside isn’t possible:
* Configure the firewall / NAT device to port-forward the required Discovery ports to the private IP.
* Example: port 135 (WMI), 445 (SMB), 3389 (RDP) for Windows Discovery.
* BUT this approach only helps if there’s one server behind NAT per external IP:
* Because multiple servers can’t share the same external port.
This is rarely scalable — only works for very few servers.
3. Use Agent Client Collector (ACC) / Agent-based discovery
* If you cannot deploy a MID Server inside and NATing isn’t practical:
* Use ServiceNow Agent Client Collector on the target Windows server.
* ACC sends data outbound → no need for MID Server to connect directly.
* Ideal for:
* Servers behind NAT
* Servers in DMZ
* Cloud instances without direct access
4. Double-check MID Server connectivity
Even with NAT, make sure:
* MID Server has route to the external NAT IP.
* NAT is correctly forwarding required ports.
* The firewall allows incoming connections on discovery ports from the MID.
Recommended (ServiceNow best practice):
Deploy a dedicated MID Server inside the NATed / private network —
or use ACC if MID Server cannot be placed.
Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or accepting it as the solution; this may help other community users find the correct solution in future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn: https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube: https://www.youtube.com/@learnitomwithaj
Topmate: https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
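The connectivity check in option 4 of the answer above, as an added example that is not part of the original thread and not ServiceNow's own tooling: a PowerShell script to run on the MID Server host against the NAT's external address. The external IP (203.0.113.10) and the port list are assumed values; the ports are the ones the answer names (135, 445, 3389) plus WinRM (5985/5986), which I have added because the MID Server's PowerShell-based Windows probes go over WinRM. The script also surfaces the caveat that matters most for port-forwarded WMI: DCOM needs a dynamic high port in addition to 135.

```powershell
# Added example, not code from the original post or from ServiceNow.
# Run on the MID Server host. Checks whether the Discovery ports for a Windows
# target behind NAT are reachable through the NAT device's external address.
param(
    # Assumed external (NAT) address of the target; replace with your own.
    [string]$ExternalIp = '203.0.113.10',
    # Ports listed in the answer (135 WMI/RPC endpoint mapper, 445 SMB, 3389 RDP)
    # plus WinRM HTTP/HTTPS (5985/5986), added here as an assumption about
    # which transport the MID Server's PowerShell probes use.
    [int[]]$Ports = @(135, 445, 3389, 5985, 5986)
)

# One TCP connect attempt per port; a failure here means the NAT rule, the
# firewall, or the route from the MID Server is not in place for that port.
$results = foreach ($port in $Ports) {
    $tnc = Test-NetConnection -ComputerName $ExternalIp -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port          = $port
        TcpTestOK     = $tnc.TcpTestSucceeded
        RemoteAddress = $tnc.RemoteAddress
    }
}
$results | Format-Table -AutoSize

# Caveat for port-forwarded WMI: a successful connect to 135 only proves the
# RPC endpoint mapper is forwarded. Classic WMI (DCOM) then opens a second
# connection to a dynamic high port (49152-65535 on current Windows), which a
# NAT rule that forwards only 135 will not carry. WinRM uses one fixed port,
# so it survives port forwarding; if TCP 5985 is open, confirm the service
# actually answers rather than just the socket.
$winrm = $results | Where-Object { $_.Port -eq 5985 }
if ($winrm -and $winrm.TcpTestOK) {
    try {
        Test-WSMan -ComputerName $ExternalIp -ErrorAction Stop | Out-Null
        Write-Host "WinRM responds on ${ExternalIp}:5985"
    } catch {
        Write-Host "TCP 5985 is open but WinRM did not respond: $($_.Exception.Message)"
    }
} else {
    Write-Host "TCP 5985 not reachable; with DCOM's dynamic ports unforwarded, expect WMI probes to fail too."
}
```

If 135 connects but every WMI probe still times out, the dynamic RPC range is the usual cause; either forward that range as well (only practical for a single host per external IP, as the answer notes) or rely on WinRM, which is one of the reasons the answer's recommendation of a MID Server inside the NATed network is the cleaner fix.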