RPC Server Unavailable

mrcraig · ‎05-28-2015

Hi,

This is draining everything I have!

I've been following this resource found here on the community - WMI, PowerShell and Windows Firewalls

We have a MID server on the internal (corporate) network trying to connect to a server in the DMZ.

Both the corporate (checkpoint) and Windows firewall's have been opened with the necessary ports yet we're still not able successfully query the target server using the following WMIC command;

wmic /node:"x.x.x.x" /user:"x.x.x.x/username" /password:"password" path win32_operatingsystem

Has anyone had any experience with MID servers and DMZ target servers? Maybe even checkpoint firewalls and RPC?

Much Appreciated!

Craig

juancarlos_muro · ‎05-28-2015

Hi Craig,

Try to run your test from the MID Server running the next in a PowerShell (as Admin):

gwmi win32_operatingsystem -computer 192.168.200.14 -credential 'LOCALDOMAIN\mid'

Substitute "LOCALDOMAIN\mid" by the credential that you want to test.

The expected is something similar to the next:

SystemDirectory : C:\Windows\system32

Organization :

BuildNumber : 6001

RegisteredUser : Windows User

SerialNumber : 12345-OEM-1234567-12345

Version : 6.0.6001

What are you getting here?

If what you get is something similar to the next:

Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

the issue is caused by some kind of filtering.

If you get something like this:

Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

the issue is caused by a bad credential.

If instead you are getting something like this:

Get-WmiObject : Call was canceled by the message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED))

then the issue could be a bit more difficult to troubleshoot.

I have seen this one in other customers'. One or many of the next items helped to have it fixed (on the remote machine):

Try disabling the Windows Firewall totally on the remote machine (though for the sake of isolating what is causing the issue)? I see you already did that.
Make sure that the user that the MID Server Credential is trying to log in with is able to log on to the remote machine.
For that, try to connect to the remote machine from another computer different that the MID Server using the user account of the credential.
At the same time it is also necessary that WMI is correctly configured in the remote machine.
Here is something that you can try:
- On the remote machine make sure that the service WinRM is up.
- On the remote machine run "winrm quickconfig" in the command line (as Administrator) to open WinRM service.
- On the remote machine run "Enable-PSRemoting -Force" in a Powershell session (as Administrator).
More steps to enable and configure remote PowerShell (on the remote machine):
- Right-click your PowerShell icon and select Run as administrator.
- Check the current script execution policy by using the Get-ExecutionPolicy cmdlet. To do this, input "Get-ExecutionPolicy" (without quotes) and press Enter on your keyboard. PowerShell will return a value of Restricted.
- To change the script execution policy, use the Set-ExecutionPolicy cmdlet. Input "Set-ExecutionPolicy unrestricted" (without quotes) and press Enter on your keyboard.
- To ensure that the script execution policy has been changed, use the Get-ExecutionPolicy cmdlet again. PowerShell should return a value of Unrestricted.
- You should now be able to run your PowerShell scripts.
In the remote machine grant access for the Mid user to WMI:
- Server Manager (mmc.exe) > Configuration > WMI Control >> Properties
- Security: Root > Security > Add.. > add here the mid server account (enable account, remote call enabled)
Is the remote machine a Windows Server 2003? I have seen issues if the account of the mid server is not in the local group "Administrators" of the remote machine.
In addition, Microsoft has a Diagnostic Tool, that may be used to help troubleshoot this:
http://www.microsoft.com/en-us/download/details.aspx?id=7684

I admit that some of the suggestions here are a bit "aggressive". But they have fixed the issue in most of cases. Maybe it was just one of them what fixed. Honestly I haven't had the time to break by test Windows machine so many times to test / fail all these possibilities.

There are three main configuration parameters in the MID Server (see MID Server related list) that are important here:

mid.use_powershell: will make the MID Server to retrieve WMI and Windows registry values running the Powershell probe if it is set to true.
mid.powershell.use_credentials: lets the Powershell probe use credentials defined in the Credentials table.
mid.powershell.local_mid_service_credential_fallback: lets the Powershell probe use the local MID account as a last resort.

What are the values of these parameters in your instance?

Cheers,

Carlos

glennpinto · ‎05-28-2015

Generally that error "RPC Server Unavailable" means that the target windows server's WMI Service is not running? Also would verify that file and print sharing is allowed on the target which is required.

mrcraig · ‎05-29-2015

Hi,

Thank you both for the help.

I actually got this to work eventually. It was all down to the Check point firewall in the end.

Also, file and print sharing was not required. We have a strict policy to not allow file and print sharing on servers in the DMZ. Apparently its a potential route for a virus. Our DMZ servers are very locked down from the internal network. The biggest problem is how we push out the necessary Windows firewall rules to servers that are not managed as part of the domain. Netsh can be used but requires certain services/firewall rules enabling, same for psexec.

saikrishnayanam · ‎11-15-2016

If WMI is not working properly then it shows this type of error....check whether WMI is working properly or not through wbemtest(which is available as one of the application in windows applications).