Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

WMI query through ASA Firewall

I'm a newbie - please be patient

We have an ASA firewall that has several DMZ VLANs.

A support company that responsible for the SQL Servers wants to use WMI to query server health.

Their monitoring server currently on the internal lan, eight SQL servers on the internal lan and six of the SQL Servers are in the DMZ.

Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition

The question is the ports that need to be open for Windows 2003 is concerningly large tcp/1025-65535, tcp/135

What are everyone’s thoughts on opening up such a large range?

Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux

Thanks

PS - if this has already been asked can someone point me to the discussions

2 REPLIES
Gold

Re: WMI query through ASA Firewall

Hi

I would say that that is a No No

But that depends on the environment, for some (most) i woulds say its not ok, but some might feel that they do not need that much security.

WMI is a bit tough on firewalls.

But there are ways to limit the ports used by WMI

fx you can set it to use Fixed ports. and so on.

Sure it makes the server guys a little less happy since it does not work from the start and they have to make some changes but the added security is well worth the fight.

Here is a link to solarwinds for people with the same problem.and an answer that seems to work

(i have not tested this) from ASH J Kent. (almost at the bottom)

http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/

Here is one from MSDN

http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx

Good luck

HTH

New Member

Re: WMI query through ASA Firewall

I was looking at fixing the ports for WMI but I needed it to come from an independent source.

There’s a whole pile of politics involved but if it comes for an independent source it gives it more credence.

As much as I would like to use Solar Winds the support company is a software development house believes that if it needs software the they can write it better than anyone else…

Thanks

Rgds

Richard Daldy (MF IT)

4239
Views
0
Helpful
2
Replies
CreatePlease to create content