I’m having WMI connection problems. I know it’s been done to death on the forums but I am yet to find a resolution to my problem. I have followed many of the guides posted on here. The remote computers are being scanned OK, but out of about 150 devices, 50 are showing ‘WMI timed out’.
(Domain environment - server 2008 with win xp and win 7 clients - working across 3 trusted domains)
After using the https://spicyserver:443/fix to test on a remote computer, I found in the firewall logs that port 1068 was being blocked which is one of the dynamic ones which should be allowed in by REMOTEADMIN.
Now, before everyone calls me ‘noob’ I had set this using Group Policy but it seems the port was still blocked so I tried adding it manually using “netsh set service REMOTEADMIN enable”. I did this on that remote computer logged on with local administrative rights. But despite this, it did not appear in the Windows Firewall list and was still being blocked by the firewall.
I found a DOS command to essentially loop through all of the ports 1024-2000 to add individual entries for each port. It takes a while and makes a mess of the firewall exceptions list but… it worked… which demonstrates that indeed, I am unable to add the “REMOTEADMIN” exception to my firewall settings. As Windows XP does not offer a way to include a port range, can anyone offer any reason as to why I can not add REMOTEADMIN?
I will be rolling it out to about 900 computers so please bear that in mind when replying, thanks. I don’t really want to be working on each for 15 mins or so.
Is Windows Firewall on on the remote machines? Can you turn it off? You can turn it off via GPO.
I would rather not do that.
I have considered just allowing full access from the IP of the spiceworks server but would prefer to open up just those ports 1024-2000. That would be ideal.
Does your Antivirus Software have a Firewall option?
We use F-Secure which comes in 2 types, with or without firewall. We used to use the full version with Firewall but we have long since moved to the AV only version. It caused us no end of headaches.
The only thing I can think is if there is another component that must be installed before I am allowed to add the remoteadmin service on the firewall setting.
I just checked and all of the computers that are causing problems are running WinXP SP3.
Update: I have added a program exception for lsass and svchost. I will give an update after the users have logged on this morning.
Another Update:
I tried running
netsh firewall set service TYPE = RemoteAdmin MODE = enable SCOPE= custom ADDRESSES= (Spiceworks server IP)
on one of the computers that is having the WMI timeout problem. This seemed to work, so I used the ‘show service’ command and it had indeed been added to the firewall. I could then scan the computer in question. I decided to use a batch file to set this value; I found one on the Spiceworks site.
Unfortunately we have since had a lot of complaints about computers hanging when applying computer settings and network drives missing so I had to pull it.
I’ve decided to just roll out Spiceworks to our other offices and manually add the settings on the clients where WMI fails. If in the meantime anyone could suggest why my GPO firewall settings are not being applied I would be very grateful.
Thanks
I’m finding that changing firewall settings via GPO is very hit and miss. I have been adding port exceptions for the XP firewall part:
135:TCP:localsubnet:enabled:Spiceworks(TCP-135)
445:TCP:localsubnet:enabled:Spiceworks(TCP-445)
137:UDP:localsubnet:enabled:Spiceworks(UDP-137)
Then allowing the ‘remote admin’ access from local subnet.
I am then using the Adv Firewall settings to set ‘remote admin’ and ‘WMI’. I tried to restrict this to only the Spiceworks server but found that after exiting the GPO editor and going back in, it “loses” the computer name. I had to give up in the end and just open it up which is not ideal.
I’m also finding that of the above firewall settings, only maybe one of those entries will appear in the firewall exception list on the remote machine.
I am however finding that gradually, most of our 600+ computers are being scanned now. If anyone can shed any light on how best to allow Spiceworks but still retain a level of security on our networks, please let me know.
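The scoped ‘netsh firewall set service’ command from the earlier update, and the XP port exceptions plus Win7 ‘remote admin’/‘WMI’ rules listed above, pulled together into one batch file as an added example (not a script from this thread or from Spiceworks). It assumes SPICEWORKS_IP is a placeholder for the real Spiceworks server address, that it runs with local administrative rights on the client, and that Windows 7 clients take the advfirewall rule groups instead of the XP commands; limiting every exception to the server’s address avoids opening 1024-2000 to the whole network.

```batch
@echo off
REM Added example, not from the original thread: scope the firewall exceptions
REM Spiceworks needs for WMI scanning to the Spiceworks server only, then verify.
REM Assumption: SPICEWORKS_IP is a placeholder; replace it with the real server IP.
set SPICEWORKS_IP=192.0.2.10

REM Detect Windows XP (kernel 5.1) vs Windows 7 (kernel 6.1) from the "ver" banner.
ver | find "Version 5.1" >nul
if %errorlevel%==0 goto xp
goto win7

:xp
REM RemoteAdmin covers TCP 135 and the RPC/DCOM dynamic ports, so no 1024-2000
REM loop is needed. "scope=custom" restricts the exception to the listed address.
netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=%SPICEWORKS_IP%
netsh firewall set portopening protocol=TCP port=445 name="Spiceworks(TCP-445)" mode=enable scope=custom addresses=%SPICEWORKS_IP%
netsh firewall set portopening protocol=UDP port=137 name="Spiceworks(UDP-137)" mode=enable scope=custom addresses=%SPICEWORKS_IP%

REM Verify: RemoteAdmin should show as Enable with the custom scope, and the two
REM port exceptions should appear in the portopening list.
netsh firewall show service
netsh firewall show portopening
goto end

:win7
REM Windows 7 uses the advfirewall context; the built-in rule groups replace the
REM XP RemoteAdmin service. "remoteip" limits the rules to the Spiceworks server.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes remoteip=%SPICEWORKS_IP%
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes remoteip=%SPICEWORKS_IP%

REM Verify the rules are enabled and carry the restricted RemoteIP.
netsh advfirewall firewall show rule name=all | find "Windows Management Instrumentation"

:end
```

After the script has run, scanning the client from the Spiceworks console confirms the scope is sufficient; if ‘WMI timed out’ persists, the Windows Firewall log (pfirewall.log) shows which port is still being dropped.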