03-29-2012 08:51 PM - edited 03-11-2019 03:48 PM
I'm a newbie - please be patient
We have an ASA firewall that has several DMZ VLANs.
A support company that is responsible for the SQL Servers wants to use WMI to query server health.
Their monitoring server is currently on the internal LAN, eight SQL servers are on the internal LAN and six of the SQL Servers are in the DMZ.
Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition.
The question is that the range of ports that needs to be open for Windows 2003 is concerningly large: tcp/1025-65535, tcp/135.
What are everyone’s thoughts on opening up such a large range?
Is there a better way of doing this? Unfortunately getting the monitoring software rewritten is not an option and nor is going Linux.
Thanks
PS - if this has already been asked, can someone point me to the discussions?
03-30-2012 01:22 AM
Hi
I would say that that is a no-no.
But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.
WMI is a bit tough on firewalls.
But there are ways to limit the ports used by WMI, e.g. you can set it to use fixed ports, and so on.
Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
(I have not tested this) from ASH J Kent (almost at the bottom).
Here is one from MSDN
http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
Good luck
HTH
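The fixed-port setup mentioned in the reply above, written out as an added example (not from this thread or from the MSDN page): it follows the documented `winmgmt -standalonehost` procedure and assumes PowerShell is available on the SQL hosts and that the script is run elevated.

```powershell
# Added example (not from the thread): pin WMI to its fixed port, TCP 24158,
# following the MSDN "Setting Up a Fixed Port for WMI" procedure linked above.
# With this in place the firewall needs only tcp/135 (RPC endpoint mapper) and
# tcp/24158 toward each SQL server instead of tcp/1025-65535. Run elevated on the host.

$FixedPort = 24158   # the port Windows assigns to WMI in standalone-host mode

# 1. Move the WMI provider host out of the shared svchost into its own process.
#    This is what stops WMI from picking a dynamic RPC port on each start.
& winmgmt.exe -standalonehost

# 2. Restart the WMI service so the new hosting model takes effect.
Restart-Service -Name winmgmt -Force

# 3. Allow the fixed port in the host firewall. The legacy netsh syntax is used
#    because it works on both Windows 2003 and 2008 R2.
& netsh.exe firewall add portopening TCP $FixedPort WMIFixedPort

# 4. Verify: WMI should now be listening on the fixed port, not an ephemeral one.
$listening = netstat -ano | Select-String -Pattern ":$FixedPort\s+\S+\s+LISTENING"
if (-not $listening) {
    throw "Nothing is listening on TCP $FixedPort; check that winmgmt restarted in standalone mode"
}
Write-Output "WMI is pinned to TCP $FixedPort; firewall rules can be narrowed to tcp/135 and tcp/$FixedPort"

# To revert to the default shared-host model: winmgmt.exe -sharedhost, then restart winmgmt.
```

On the ASA side the DMZ rule then only needs `permit tcp host <monitor-ip> host <sql-ip> eq 135` and the same line with `eq 24158` (placeholder addresses), which replaces the tcp/1025-65535 range from the original question.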
04-02-2012 04:03 AM
I was looking at fixing the ports for WMI but I needed it to come from an independent source.
There’s a whole pile of politics involved, but if it comes from an independent source it gives it more credence.
As much as I would like to use SolarWinds, the support company is a software development house and believes that if it needs software then they can write it better than anyone else…
Thanks
Rgds
Richard Daldy (MF IT)
02-20-2018 10:22 AM
Hi,
I have the same issue as well.
In this case, can we use the inspect engine on the firewall to resolve this issue instead of limiting the ports on the Windows server?
Thank you