WMI Ports

    Question

  • I know that WMI calls use port 135 and then choose a random port; what I would like to know is if WMI can be set for a static port? Yes, I have already looked at this but it doesn't work: http://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx even with the correction. My understanding is this command is good if you are trying to make an exception in the firewall; am I correct on that? If so, we don't use firewalls.

    The end goal being we want to use static ports for WMI because we need to open it in the physical firewall between subnets.  So I tell the firewall to make an exception for 135, but then what? Have the firewall open up all the ports from 1024 to 65 thousand? Doesn't seem very secure.  Please advise.


    Adam
    Monday, February 21, 2011 5:46 PM

All replies

  • This is for Windows Vista/2008. We have a mix of 2003 and 2008 servers.  UAC is off on the servers in question and so is the firewall. My question, to sum it up, is: is there a way to set WMI on a static port? Not RPC, not DCOM, but WMI.  I know they are all related to each other.
    Adam
    Monday, February 21, 2011 6:09 PM
  • I doubt that this is possible.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Monday, February 21, 2011 6:30 PM
  • OK, so if I have a WMI-based monitoring solution that monitors thousands of servers across different subnets and physical firewalls, what ports do we open up on the firewalls to communicate back and forth with the monitoring servers and clients?  Port 135...and what else?
    Adam
    Monday, February 21, 2011 6:40 PM
  • What application is it?

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Monday, February 21, 2011 6:45 PM
  • It's HP software that uses WMI.  Lots of monitoring software uses WMI, hence I posted the question in Microsoft forums. So to get it straight, there is no way to set WMI on a static port?
    Adam
    Monday, February 21, 2011 8:16 PM
  • Are you talking about HP System Management / Systems Insight Manager?

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Monday, February 21, 2011 10:26 PM
  • No, SiteScope
    Adam
    Tuesday, February 22, 2011 3:21 PM
  • Not familiar with that one. Are you sure it requires WMI direct connections? They may know more here.

    http://forums11.itrc.hp.com/service/forums/familyhome.do?familyId=121


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Wednesday, February 23, 2011 4:08 AM
  • I kinda figured that was coming and hence I was hesitant about giving the application name.  To clarify, this is a WMI question in general and yes, I am sure it requires WMI direct connections.

    Thank you for your help however.


    Adam
    Wednesday, February 23, 2011 2:19 PM
  • I still think it is not possible to set everything WMI to some static port. I'd think HP would be in the best position to describe a typical implementation of SiteScope.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    • Marked as answer by Tim Quan (Moderator) Tuesday, March 01, 2011 7:05 AM
    • Unmarked as answer by Adamster Tuesday, March 01, 2011 3:56 PM
    Wednesday, February 23, 2011 6:24 PM
  • I would like a confirmation of this rather than "I think", before I mark it as an answer.  Can you confirm that this is not possible?
    Adam
    Tuesday, March 01, 2011 3:57 PM
  • I would also like to see confirmation on this. I have another product that monitors via WMI, and opening all these ports seems silly.
    Friday, June 03, 2011 9:31 PM
  • Yes, that would be nice. Just out of curiosity, what product?


    Adam
    Friday, June 03, 2011 10:34 PM
  • HP Systems Insight Manager, and I believe Microsoft's DPM and SCOM require these ports to be open
    Monday, June 06, 2011 3:48 PM
  • On the *responding* machine...

    Step one:  Set the DCOM config to use a static port....

    Basically, run "dcomcnfg" from command prompt. Navigate the tree to My Computer > DCOM Config > Windows Management and Instrumentation, select properties of that folder.

    Go to the Endpoints tab

    Select Properties button for Connection-oriented TCP/IP

    Use static endpoint, set the port.

    Step 2:  Configure WMI to use a fixed port

    http://msdn.microsoft.com/en-us/library/bb219447(v=VS.85).aspx

    1. At the command prompt, type winmgmt -standalonehost
    2. Stop the WMI service by typing the command net stop "Windows Management Instrumentation"
    3. Restart the WMI service again in a new service host by typing net start "Windows Management Instrumentation"
    4. Establish a new port number for the WMI service by typing netsh firewall add portopening TCP 24158 WMIFixedPort

    Still testing this myself, so not 100% certain it works.

    Tuesday, August 09, 2011 9:19 PM
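
A check for the procedure in the post above, as an added example that is not part of the original thread: it confirms that Winmgmt runs alone in its service host after `winmgmt -standalonehost` and lists the TCP ports that host process is listening on. The variable names and the expected port value (taken from step 4 of the post) are assumptions of this example, and it assumes English-language `netstat` output.

```powershell
# Added example: run on the responding machine after restarting the WMI service.
# Assumption: English-language netstat output (the state column reads LISTENING).
$ExpectedPort = 24158   # port from step 4 of the post; change it if you set another endpoint

$wmi = Get-WmiObject Win32_Service -Filter "Name='Winmgmt'"
if ($wmi.State -ne 'Running') { throw 'Winmgmt is not running; start the service first.' }
$hostPid = $wmi.ProcessId

# After "winmgmt -standalonehost" and a service restart, Winmgmt should be the
# only service in its svchost process. Other names here mean it still shares a host.
$cohosted = @(Get-WmiObject Win32_Service -Filter "ProcessId=$hostPid" |
    Where-Object { $_.Name -ne 'Winmgmt' } | ForEach-Object { $_.Name })

# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
$ports = @(netstat -ano -p tcp | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[3] -eq 'LISTENING' -and $f[4] -eq "$hostPid") {
        [int]($f[1] -replace '^.*:', '')   # keep only the port of "address:port"
    }
} | Sort-Object -Unique)

"Winmgmt host PID      : $hostPid"
"Other services in host: " + $(if ($cohosted) { $cohosted -join ', ' } else { 'none (standalone)' })
"TCP listeners for PID : " + $(if ($ports) { $ports -join ', ' } else { 'none' })

if ($cohosted.Count -gt 0) {
    Write-Warning 'Winmgmt still shares a svchost; the listeners above may belong to other services.'
}
if ($ports -contains $ExpectedPort) {
    "OK: TCP $ExpectedPort is listening in the Winmgmt host process."
} else {
    Write-Warning "TCP $ExpectedPort is not listening for PID $hostPid; remote WMI may still be using a dynamic port."
}
```

If the expected port shows up here, the rule on the physical firewall between subnets can be limited to TCP 135 plus that one port toward the monitored servers.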
  • I tried this without step 2.4, "Establish a new port number for the WMI service by typing netsh firewall add portopening TCP 24158 WMIFixedPort" (the firewall service isn't active), and it didn't work; the port to connect through WMI was random and not fixed at 24158.

    Any suggestions?

    Wednesday, September 21, 2011 6:47 PM
  • On the *responding* machine...

    Step one:  Set the DCOM config to use a static port....

    Basically, run "dcomcnfg" from command prompt. Navigate the tree to My Computer > DCOM Config > Windows Management and Instrumentation, select properties of that folder.

    Go to the Endpoints tab

    Select Properties button for Connection-oriented TCP/IP

    Use static endpoint, set the port.

    Step 2:  Configure WMI to use a fixed port

    http://msdn.microsoft.com/en-us/library/bb219447(v=VS.85).aspx

    1. At the command prompt, type winmgmt -standalonehost
    2. Stop the WMI service by typing the command net stop "Windows Management Instrumentation"
    3. Restart the WMI service again in a new service host by typing net start "Windows Management Instrumentation"
    4. Establish a new port number for the WMI service by typing netsh firewall add portopening TCP 24158 WMIFixedPort

    Still testing this myself, so not 100% certain it works.


    Nice job on the walk-through :) although a couple of questions... First: shouldn't the first static endpoint port number be similar to the firewall exception mentioned last (pt. 4), or have I misunderstood something? Second: if I'm not using the built-in Windows firewall (disabled), is the last step necessary? Shouldn't I add the newly configured static endpoint port number to the physical firewall exceptions list instead?

    I'm experiencing a similar problem here and am also looking for confirmation... anyone found a working solution?

    Monday, October 10, 2011 11:46 AM
  • Hi,

    I have a requirement to monitor some HP servers using SIM via WMI (WBEM) which are firewalled from the central SIM server.  I have used the procedure above to configure my monitored servers with a static port for WMI and can confirm all works great.

    I am not using the Windows firewall, but if you were then you would need to specify the port that you configured WMI to use in step 2.4 (above).  You may also need to add 'protocol=tcp' to the end of the netsh command.

    As far as I am concerned (for Server 2008 at least) the above is a viable solution if you need to configure WMI to use a static port.  I am however still testing and would be interested to hear if anyone has experienced any adverse effects with using WMI over a static port assignment?

    Phil

    Tuesday, November 01, 2011 5:03 PM
  • Use the Component Services Manager to set the range that the random port is allocated from to something small and then manually open each one.
    To do this you start the Component Services Manager again and right click on My Computer and select Properties.
    Click the Default Protocols tab and double click on the entry “Connection oriented TCP/IP”.
    Use the Add button to add a suitable range of ports say 5000-5010 and click OK. After this all COM+/DCOM services will select a port in this range.
    To open the ports, open the Windows Firewall from the Control Panel, and add one entry for each port in the range 5000 to 5010 and one for port 135. Random ports only need to be open on the remote machine.
    After a restart, which is the only way to reinitialise the RPC service, you should find it all works.


    MCITP SA - MCP Active Directory - MCP Infrastructure - MCP Server Virtualization www.it101.eu

    Thursday, October 18, 2012 1:31 PM
  • Would like to test this but need to know how do I revert WMI/DCOM back to default after applying the static port changes above? Thanks in advance.
    Tuesday, December 11, 2012 3:18 PM
  • Hello,

    If you just want to test the settings and then revert to the default settings, you just need to delete the Reg key you have created for DCOM.

    But I have found an interesting KB, http://support.microsoft.com/kb/832017. It says WMI ports are

    In Windows Server 2008 and later versions, and in Windows Vista and later versions, the default dynamic port range changed to the following range:
    • Start port: 49152
    • End port: 65535
    Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of

    • Start port: 1025
    • End port: 5000

    And this works for me.  On the FW, open two ranges of ports: 1025-5000 and 49152-65535.

    Regards,
    Mladen


    Thursday, February 28, 2013 10:20 AM