https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933154#M457577 <HTML><HEAD></HEAD><BODY><P>I was looking at fixing the ports for WMI but I needed it to come from an independent source.</P><P></P><P> </P><P></P><P>There’s a whole pile of politics involved but if it comes for an independent source it gives it more credence. </P><P></P><P> </P><P></P><P>As much as I would like to use Solar Winds the support company is a software development house believes that if it needs software the they can write it better than anyone else…</P><P></P><P> </P><P></P><P>Thanks</P><P></P><P> </P><P></P><P> </P><P></P><P>Rgds</P><P>Richard Daldy (MF IT)</P></BODY></HTML> Mon, 02 Apr 2012 11:03:51 GMT richard.daldy 2012-04-02T11:03:51Z https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933152#M457575 <P style="margin: 0cm; margin-bottom: .0001pt;">I'm a newbie - please be patient</P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">We have an ASA firewall that has several DMZ VLANs.</P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">A support company that responsible for the SQL Servers wants to use WMI to query server health. </P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">Their monitoring server currently on the internal lan, eight SQL servers on the internal lan and six of the SQL Servers are in the DMZ.</P><P></P><P>Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition</P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">The question is the ports that need to be open for Windows 2003 is concerningly large tcp/1025-65535, tcp/135</P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">What are everyone’s thoughts on opening up such a large range?</P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux</P><P></P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">Thanks</P><P></P><P></P><P style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt;">PS - if this has already been asked can someone point me to the discussions</P> Mon, 11 Mar 2019 22:48:54 GMT https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933152#M457575 richard.daldy 2019-03-11T22:48:54Z https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933153#M457576 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>I would say that that is a No No</P><P>But that depends on the environment, for some (most) i woulds say its not ok, but some might feel that they do not need that much security.</P><P></P><P>WMI is a bit tough on firewalls.</P><P>But there are ways to limit the ports used by WMI</P><P>fx you can set it to use Fixed ports. and so on.</P><P></P><P>Sure it makes the server guys a little less happy since it does not work from the start and they have to make some changes but the added security is well worth the fight.</P><P></P><P>Here is a link to solarwinds for people with the same problem.and an answer that seems to work </P><P>(i have not tested this) from ASH J Kent. (almost at the bottom)</P><P><A href="http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/" rel="nofollow">http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/</A></P><P></P><P>Here is one from MSDN</P><P><A href="http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx</A></P><P></P><P></P><P></P><P>Good luck</P><P></P><P>HTH</P></BODY></HTML> Fri, 30 Mar 2012 08:22:53 GMT https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933153#M457576 hobbe 2012-03-30T08:22:53Z https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933154#M457577 <HTML><HEAD></HEAD><BODY><P>I was looking at fixing the ports for WMI but I needed it to come from an independent source.</P><P></P><P> </P><P></P><P>There’s a whole pile of politics involved but if it comes for an independent source it gives it more credence. </P><P></P><P> </P><P></P><P>As much as I would like to use Solar Winds the support company is a software development house believes that if it needs software the they can write it better than anyone else…</P><P></P><P> </P><P></P><P>Thanks</P><P></P><P> </P><P></P><P> </P><P></P><P>Rgds</P><P>Richard Daldy (MF IT)</P></BODY></HTML> Mon, 02 Apr 2012 11:03:51 GMT https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/1933154#M457577 richard.daldy 2012-04-02T11:03:51Z https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/3334504#M457578 <P>Hi,</P> <P>&nbsp;</P> <P>I have the same issue as well.</P> <P>&nbsp;</P> <P>In this case, can we use the inspect engine on firewall to resolve this issue instead of limit the ports on the windows server?</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> Tue, 20 Feb 2018 18:22:05 GMT https://community.cisco.com/t5/network-security/wmi-query-through-asa-firewall/m-p/3334504#M457578 Ge Qu 2018-02-20T18:22:05Z