6333 Views | 0 Helpful | 3 Replies

WMI query through ASA Firewall

richard.daldy
Level 1

I'm a newbie - please be patient.

We have an ASA firewall that has several DMZ VLANs.

A support company that is responsible for the SQL Servers wants to use WMI to query server health.

Their monitoring server is currently on the internal LAN, as are eight SQL servers, and six of the SQL Servers are in the DMZ.

Two of the SQL Servers in the DMZ are 2003 x32 Standard Edition and four are 2008 R2 x64 Enterprise Edition.

The question is that the range of ports that needs to be open for Windows 2003 is concerningly large: tcp/1025-65535 and tcp/135.

What are everyone's thoughts on opening up such a large range?

Is there a better way of doing this? Unfortunately getting the monitoring software rewritten is not an option, and nor is going Linux.

Thanks

PS - if this has already been asked, can someone point me to the discussions?

3 Replies

hobbe
Level 7

Hi

I would say that that is a no-no.

But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.

WMI is a bit tough on firewalls.

But there are ways to limit the ports used by WMI.

E.g. you can set it to use fixed ports, and so on.

Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.

Here is a link to SolarWinds for people with the same problem, and an answer that seems to work

(I have not tested this) from ASH J Kent (almost at the bottom):

http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/

Here is one from MSDN:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx

Good luck

HTH
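The "fixed ports" approach hobbe refers to, as an added example that is not part of the thread or of the linked articles: Microsoft's documented procedure moves the WMI service into its own process and binds it to a single DCOM port (24158 is the documented default, used below) so the firewall only needs the RPC endpoint mapper on tcp/135 plus that one port, instead of the dynamic range tcp/1025-65535 the original post is worried about. The rule name "WMI Fixed Port" is our own choice; run it in an elevated prompt on each monitored DMZ server.

```powershell
# Added example, not from the thread. Pins WMI/DCOM to one fixed port so the
# ASA rule can be narrowed to tcp/135 + tcp/24158 from the monitoring server.
# Assumptions: elevated prompt; 24158 is the default fixed port that
# winmgmt /standalonehost listens on; the firewall rule name is arbitrary.

$FixedPort = 24158

# 1. Move the WMI service out of the shared svchost into its own host process.
#    This is the switch that makes the fixed DCOM endpoint possible.
winmgmt /standalonehost

# 2. Restart the service so the change takes effect.
#    (On Windows 2003 without PowerShell: net stop winmgmt & net start winmgmt)
Restart-Service winmgmt -Force

# 3. Allow only the fixed port on the host firewall (Windows 2008 R2 syntax).
#    Windows 2003 equivalent: netsh firewall add portopening TCP 24158 WMIFixedPort
netsh advfirewall firewall add rule name="WMI Fixed Port" dir=in action=allow protocol=TCP localport=$FixedPort

# 4. Verify WMI is now listening on the fixed port rather than a dynamic one.
netstat -ano | findstr ":$FixedPort"

# To revert to the default shared-host behaviour (and dynamic ports):
#   winmgmt /sharedhost ; Restart-Service winmgmt -Force
```

Once every DMZ SQL server is configured this way, the ASA access list from the monitoring server to those hosts can be reduced to tcp/135 and tcp/24158, which is a far smaller exposure than opening 1025-65535 and is easy to audit.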

I was looking at fixing the ports for WMI, but I needed it to come from an independent source.

There's a whole pile of politics involved, but if it comes from an independent source it gives it more credence.

As much as I would like to use SolarWinds, the support company is a software development house that believes that if it needs software they can write it better than anyone else…

Thanks

Rgds

Richard Daldy (MF IT)

Hi,

I have the same issue as well.

In this case, can we use the inspect engine on the firewall to resolve this issue instead of limiting the ports on the Windows server?

Thank you
