Notes on WMI ports & monitoring

Trying to set up monitoring for some of our Windows DMZ servers via SolarWinds and came across a few interesting links. At the same time I noticed that my carefully organized bookmarks folders seem to be corrupt. Many folders are empty. This happened a few days ago too, but that time it was just one folder (well one folder that I knew of, could be more who knows) and so I was able to view an older copy of my bookmarks via Xmarks and add the missing entries back.

But this time it’s a whole bunch of folders and the only option Xmarks has is to either export the older copy or overwrite your current copy with this older set. I don’t want the latter as that would mean losing all my newer bookmarks. Wish there was some way of merging the current and older copies! Anyhow, what’s happened is happened, I think I’ll stick to using this blog for bookmarks. I keep referring to this blog over my bookmarks anyway, so this is a sign to stop with the unnecessary filing.

To start off, this is a must-read on WMI ports and how to allow firewall exceptions for WMI. Gist of the matter is that WMI uses dynamic ports via the RPC Portmapper. When the SolarWinds server (for example) wants to talk to WMI on a target server, it contacts the RPC Portmapper service on the target server on port 135 (which is the standard port for the Portmapper service) and gets a dynamic port to use for WMI. This port can be anywhere between 1024 – 65535.

The fix for this is to give the Portmapper service a specific set of ports to use. One method is to use the registry (see the previous link or this KB article). Add a key called Internet under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc. To this add the values Ports (REG_MULTI_SZ), PortsInternetAvailable (REG_SZ), and UseInternetPorts (REG_SZ). Set a value of Y for the latter two, and a range like 5000-5100 for the former. Restart the server after this.
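The registry method above as a script, with a matching inbound firewall rule limited to the monitoring server. This is an added example, not from the linked articles; the address 192.0.2.10 and the rule name are placeholders, and the range is the 5000-5100 example from above.

```powershell
#Requires -RunAsAdministrator
# Assumptions (not from the original post): $monitorIp is a placeholder for the
# monitoring server, and the firewall rule name is made up for this example.
$rpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$portRange = '5000-5100'      # example range from the post
$monitorIp = '192.0.2.10'     # placeholder address

# Reject anything that is not "low-high" inside the dynamic range 1024-65535.
if ($portRange -notmatch '^(\d+)-(\d+)$') {
    throw "Port range '$portRange' is not in low-high form."
}
$low  = [int]$Matches[1]
$high = [int]$Matches[2]
if ($low -lt 1024 -or $high -gt 65535 -or $low -ge $high) {
    throw "Port range '$portRange' must lie within 1024-65535, low before high."
}

# Create the Internet key and the three values described above.
if (-not (Test-Path $rpcKey)) {
    New-Item -Path $rpcKey -Force | Out-Null
}
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($portRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read the values back so a typo shows up before the reboot.
Get-ItemProperty -Path $rpcKey |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# Allow only the monitoring server to reach port 135 and the fixed range,
# instead of opening 1024-65535 to the whole DMZ.
New-NetFirewallRule -DisplayName 'WMI monitoring (RPC 135 + fixed range)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort @('135', $portRange) -RemoteAddress $monitorIp | Out-Null

Write-Host 'Restart the server for the new RPC port range to take effect.'
```

The range applies to every RPC/DCOM service on the server, not only WMI, so size it for everything that needs a dynamic port.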

Although I haven’t tried it, I think a similar effect as the above can be achieved via Component Services (type dcomcnfg.exe in a command prompt). Expand the “Computers” folder here, right click on “My Computer”, go to “Default Protocols”, click “Properties” of “Connection-oriented TCP/IP”, and add a port range.

Another method is to use Group Policies.

Yet another method seems to be to get WMI to not use the RPC Portmapper for dynamic ports. By default WMI runs as a shared service, which is why it uses the RPC Portmapper. It is possible to make it run as a standalone service so it doesn’t use the Portmapper and instead defaults to port 24158. (This port number too can be changed via dcomcnfg.exe but I am not sure how).


These two links didn’t make much sense to me, but I know they are of use so linking them here as a reference to myself for later: