
SEPM 11.0 Firewall policy

Created: 29 Dec 2011 | 8 comments
Sagar Pandav:

Dear friends,

I need to enable the "WMI" service through the SEPM 11.0 firewall policy for one of my clients, but I am not able to enable this.

Is it possible to enable WMI through the SEPM 11.0 firewall policy?

If yes, then could somebody please provide me the steps to enable this?

Thanks

Comments (8)

pete_4u2002:

Is the WMI service being blocked by the firewall?

Sagar Pandav:

Yes. When I stop/remove SEPM 11.0, there is nothing wrong with WMI.

Is the WMI service under "Remote Administration"?

pete_4u2002:

Thank you for the reply. If it is being blocked, it should be logged. Can you check the firewall rule number? Once you know the firewall rule number, go to the firewall policy and edit the rule to meet your requirement.

Sagar Pandav:

Hi,

I want to make sure that the SEPM 11.0 firewall policy will allow the WMI service.

So please tell me how I can do this.

Simpson Homer:

To allow WMI through the Firewall in SEPM, perform the following (assuming you have the default SEPM policy still in place):

  1. Open Symantec Endpoint Protection Manager Console
  2. Click Clients
  3. Choose appropriate OU (Default: My Company)
  4. Click the Policies Tab
  5. Double Click Firewall Policy
  6. (If prompted, choose the Edit Shared option)
  7. Click Rules
  8. Find "Block Remote Administration"
  9. Uncheck the box in the "Enabled" column.
  10. Hit OK

Note that this disables SEPM from blocking any remote administration requests, which would not be best practice. Ideally, you could create rules to restrict it to allow only the local subnet or only your SW server to access port 135.
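After changing the rule, a quick way to confirm the result from the administration host is to check TCP 135 and then run a trivial WMI query, separating a firewall block from an authentication problem. This is an added example, not code from the original thread or from Symantec; the host name CLIENT01 is an assumption, as are the status labels it returns.

```powershell
# Added example (not part of the original thread): check from the administration
# host whether WMI (DCOM over RPC) reaches a client, and tell a firewall block
# apart from a credential/permission problem. 'CLIENT01' is an assumed host name.

function Test-WmiReachability {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$TimeoutMs = 3000
    )

    $result = New-Object PSObject -Property @{
        Target = $Target; Port135Open = $false; WmiStatus = 'NotTested'; Detail = ''
    }

    # Step 1: the RPC endpoint mapper on TCP 135 is the first hop of every DCOM
    # call. A SEPM "Block Remote Administration" or "Block all other traffic"
    # rule shows up here as a connect timeout, before any WMI query is attempted.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Target, 135, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.WmiStatus = 'Blocked'
            $result.Detail = "TCP 135 on $Target did not answer within $TimeoutMs ms (filtered or host down)"
            return $result
        }
        $tcp.EndConnect($ar)            # throws if the port is refused/unreachable
        $result.Port135Open = $true
    } catch {
        $result.WmiStatus = 'Blocked'
        $result.Detail = "TCP 135 on $Target refused or unreachable: $($_.Exception.Message)"
        return $result
    } finally {
        $tcp.Close()
    }

    # Step 2: a trivial WMI query. Port 135 alone is not enough: DCOM is then
    # redirected to a dynamic port, so this can still fail after step 1 passed.
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ComputerName = $Target; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs
        $result.WmiStatus = 'OK'
        $result.Detail = '{0} {1}' -f $os.Caption, $os.Version
    } catch {
        $msg = $_.Exception.Message
        if ($msg -match '0x800706BA') {
            # RPC_S_SERVER_UNAVAILABLE: the DCOM/RPC traffic is being dropped,
            # or the WMI service (winmgmt) on the client is not running.
            $result.WmiStatus = 'Blocked'
        } elseif ($msg -match '0x80070005' -or $_.Exception -is [System.UnauthorizedAccessException]) {
            # E_ACCESSDENIED: the connection reached the client, so this is a
            # credential or DCOM permission problem, not the firewall.
            $result.WmiStatus = 'AccessDenied'
        } else {
            $result.WmiStatus = 'Failed'
        }
        $result.Detail = $msg
    }
    return $result
}

# Usage (run on the SEPM / administration host):
Test-WmiReachability -Target 'CLIENT01' | Format-List
```

If Port135Open is false, the firewall rule (or the "Block all other traffic" rule) is still in the way; if it is true but WmiStatus is Blocked, only the dynamic DCOM port is being dropped; AccessDenied means the firewall is no longer the problem.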

Sagar Pandav:

I tried to do this, but "Block Remote Administration" was already unchecked.

Thank you.

Simpson Homer:

If the rule doesn't already exist, create a rule allowing traffic for WMI. The "Block all other traffic" rule would be affecting WMI. Again, best practice would be to restrict the rule to allow only the hosts that need it.

Mithun Sanghavi:

Hello,

What version of SEP are you carrying?

What exactly is it that you want to do?

WMI is a very broad term.

Whenever a WMI RPC is called, depending on the application and the way it was coded, the call will go to the appropriate port.  Generally ports 135, 137 and 445 need to remain open.  From there, your WMI RPC can use any port in the range of 1024 to 65535.  Obviously leaving every port open defeats the purpose of the firewall itself.

Start by identifying the following:

- When connecting, are you receiving an error message? What is it?
- What error messages (numbers/codes) are you receiving in the "CCM.log"?
- Have you enabled "Distributed COM on this computer"? (Admin. Tools -> Comp. Serv. -> Computers (right click) -> Properties)
- Have you ever been able to connect before?
- Have you tried to identify the ports you might need to open?

Step 1. Shut down/uninstall/disable the firewall and test internally and identify ports.
Step 2. Shut down all unnecessary applications.
Step 3. Start -> Run -> "netstat -a > c:\first.txt"
Step 4. Establish your WBEMTEST session (successfully, no errors).
Step 5. Start -> Run -> "netstat -a > c:\second.txt"
Step 6. Identify the differences between the 2 output files. The difference will indicate to you the ports in use for the session(s) you are trying to establish; open your hardware (if applicable) and software (if applicable) firewall ports as necessary and as identified.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
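The netstat-before/after procedure in steps 3 to 6 above can be scripted so the diff is done for you and limited to connections towards the client. The following is an added example, not code from the original thread or from Symantec: it opens the session with Get-WmiObject in place of WBEMTEST, and the host name CLIENT01 is an assumption. Run it on the administration host with the client firewall temporarily disabled, as step 1 says, so the real ports are visible.

```powershell
# Added example (not part of the original thread): scripted form of the
# netstat-before/after procedure. Get-WmiObject stands in for WBEMTEST so the
# session can be opened from the same script. 'CLIENT01' is an assumed host name.

function Get-TcpSnapshot {
    # Parse `netstat -ano` into objects. Only TCP rows are kept, since DCOM/WMI
    # uses TCP; the PID column says which local process owns the socket.
    # Row format: "  TCP    10.0.0.5:49163    10.0.0.20:135    ESTABLISHED    1234"
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $local  = $Matches[1] -replace '^\[|\]$', ''   # strip IPv6 brackets
            $remote = $Matches[3] -replace '^\[|\]$', ''
            New-Object PSObject -Property @{
                LocalAddress  = $local;  LocalPort  = [int]$Matches[2]
                RemoteAddress = $remote; RemotePort = [int]$Matches[4]
                State         = $Matches[5]; OwningPid = [int]$Matches[6]
                Key = '{0}:{1}->{2}:{3}' -f $local, $Matches[2], $remote, $Matches[4]
            }
        }
    }
}

function Find-WmiPorts {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [System.Management.Automation.PSCredential]$Credential
    )
    # Addresses the target name resolves to, so unrelated traffic is filtered out.
    $targetIps = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }

    $before = @(Get-TcpSnapshot)            # step 3: the "first.txt" snapshot

    # Step 4: establish the WMI session (the WBEMTEST equivalent). DCOM first
    # talks to the endpoint mapper on TCP 135 and is then redirected to a
    # dynamic port on the client.
    $wmiArgs = @{ Class = 'Win32_Service'; ComputerName = $Target; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs.Credential = $Credential }
    $null = Get-WmiObject @wmiArgs

    $after = @(Get-TcpSnapshot)             # step 5: "second.txt", taken at once so the
                                            # sockets are still ESTABLISHED or TIME_WAIT

    # Step 6: the difference. Connections present only in the second snapshot
    # and pointing at the target are the ones the client firewall must allow.
    $seen = @{}
    foreach ($c in $before) { $seen[$c.Key] = $true }
    $after |
        Where-Object { -not $seen.ContainsKey($_.Key) -and ($targetIps -contains $_.RemoteAddress) } |
        Select-Object RemoteAddress, RemotePort, LocalPort, State, OwningPid |
        Sort-Object RemotePort
}

# Usage: the RemotePort column lists the client-side ports to permit inbound.
Find-WmiPorts -Target 'CLIENT01' | Format-Table -AutoSize
```

Expect two remote ports per session: 135 and one dynamic port in the 1024 to 65535 range mentioned above, and the dynamic one changes from session to session. That is why the rule in the client's firewall policy is better scoped to the management host's address, as the earlier replies advise, than opened to every source.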