Windows Firewall Issues
Configuring Windows Firewall to Allow Remote WMI
When obtaining data from a remote computer, WMI must establish a DCOM connection: the Collector first contacts the RPC endpoint mapper on TCP port 135 and is then handed a dynamically assigned port for the WMI service itself. Windows Firewall with default settings blocks these inbound connections. To allow remote WMI through the firewall, on the computer to be monitored, perform one of the sets of steps outlined next.
Using the Command-Line Shell
To allow remote WMI through the firewall using the command-line shell:
- From an elevated command prompt, enter the command that matches your Windows version.
On Windows XP and Windows Server 2003 (legacy netsh firewall context), enable the Remote Administration exception:
netsh firewall set service RemoteAdmin enable
On Windows Vista, Windows Server 2008 and later (Windows Firewall with Advanced Security), enable the built-in WMI rule group, which contains the inbound DCOM (TCP 135), WMI (RPC dynamic ports) and ASync rules:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
Note that both commands open WMI to any remote address. If the monitored host is reachable from networks other than the Collector's, restrict the rules to the Collector's address (with the remoteip= parameter of netsh advfirewall, or through the firewall console) rather than leaving the scope at Any.
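The following PowerShell script is an added example, not part of the LogicMonitor article or the Collector itself. It does the same thing as the advfirewall command above on Windows 8 / Server 2012 or later, but scopes the rules to a single Collector address instead of Any, then prints each rule's profile and remote-address scope so you can confirm the result. The Collector address 10.0.0.25 is an assumed value; replace it with your own.

```powershell
# Added example (not from the LogicMonitor article): enable the built-in
# "Windows Management Instrumentation (WMI)" inbound rule group, scoped to the
# Collector's address. Run in an elevated PowerShell session on the monitored
# computer (requires the NetSecurity module, Windows 8 / Server 2012 or later).
# 10.0.0.25 is an assumed Collector address; change it to match your network.
$CollectorIP = '10.0.0.25'
$Group       = 'Windows Management Instrumentation (WMI)'

# The group holds the DCOM-In (TCP 135), WMI-In (RPC dynamic ports) and
# ASync-In (callback) rules, one set per firewall profile. Enable each inbound
# rule and restrict its remote address from 'Any' to the Collector only.
$rules = Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound
foreach ($rule in $rules) {
    $rule | Set-NetFirewallRule -RemoteAddress $CollectorIP -Enabled True
}

# Verify: show every inbound rule in the group with its state, profile and
# the remote-address scope that is now in effect.
Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Remote  = ($addr -join ',')
        }
    } | Format-Table -AutoSize
```

If the host is domain-joined, only the Domain profile rules matter for the Collector connection; the script still scopes the Private and Public copies so that a profile change does not silently reopen WMI to every address.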
Using the Group Policy Editor
To allow remote WMI through the firewall using the Group Policy editor, perform the following steps to enable "Allow Remote Administration" on the computer to be monitored:
- Under the Local Computer Policy heading, double-click Computer Configuration.
- Double-click Administrative Templates, Network, Network Connections, and then Windows Firewall.
- If the computer is in the domain, then double-click Domain Profile; otherwise, double-click Standard Profile.
- Click Windows Firewall: Allow remote administration exception.
- On the Action menu, select Properties.
- Click Enable, and then click OK.
The "Allow remote administration exception" policy is broader than WMI alone: it permits unsolicited inbound traffic on TCP 135 and 445 for svchost.exe and lsass.exe, plus the dynamically opened RPC ports. The policy dialog includes an "Allow unsolicited incoming messages from" field; enter the Collector's IP address or subnet there rather than "*" so that the exception is limited to the Collector.
See also: Connecting Through Windows Firewall.
Connecting Through External Firewalls
In the monitoring industry, connecting to a remote Windows computer through an external firewall via WMI is generally not recommended. Instead, if your network has separate security zones divided by firewalls or NAT devices, and hosts in those zones are not exempt from the restrictions, install multiple Collectors, one on each side of the firewall or NAT device, so that each Collector monitors the hosts in its own zone.
Connecting through external firewalls is not recommended because it requires every monitored host to be configured with a restricted RPC dynamic port range that the firewall can pass. Beyond the administrative burden, that restricted range is shared by every RPC and DCOM application on the host, not just WMI, so a small range can lead to port exhaustion: other applications, or LogicMonitor itself, then fail to open connections and stop collecting data. In addition, because the hosts are running a non-default configuration, LogicMonitor's ability to provide troubleshooting support may be limited if issues arise.
With that said, if you wish to try monitoring Windows hosts from a Collector that is firewalled from them, you must ensure that DCOM works end to end (TCP 135 and the dynamic port range are both reachable) and that no NAT is performed between the Collector and the hosts, since DCOM returns the server's own address to the client and a translated address breaks the second connection. While it can be done, you are accepting some risk: this configuration can produce many No Data alerts and may result in poor monitoring reliability.
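Before committing to a cross-firewall configuration, run a pre-flight check from the Collector host. The script below is an added example, not part of the LogicMonitor article or the Collector software. It tests the two prerequisites named above separately: that the RPC endpoint mapper on TCP 135 is reachable, and that a real WMI query completes over DCOM (which additionally requires the dynamic RPC ports to pass and no NAT to be in the path). The host name winhost01.corp.example is an assumed value.

```powershell
# Added example (not from the LogicMonitor article): pre-flight DCOM/WMI check
# run from the Collector host against a monitored Windows computer that sits
# behind an external firewall. 'winhost01.corp.example' is an assumed name.
param(
    [string]$Target = 'winhost01.corp.example',
    [pscredential]$Credential
)

function Test-RemoteWmi {
    param([string]$ComputerName, [pscredential]$Credential)

    $result = [ordered]@{ Target = $ComputerName; EndpointMapper = $false; Dcom = $false; Detail = $null }

    # Step 1: the RPC endpoint mapper. If TCP 135 is closed, nothing else can work.
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $result.EndpointMapper = [bool]$tnc.TcpTestSucceeded
    if (-not $result.EndpointMapper) {
        $result.Detail = 'TCP 135 unreachable: check the DCOM-In rule on the host and the external firewall'
        return [pscustomobject]$result
    }

    # Step 2: a real DCOM session. Force the DCOM protocol (not WinRM) so this
    # exercises the same path the Collector's WMI collection uses.
    $opt = New-CimSessionOption -Protocol Dcom
    $session = $null
    try {
        $sessArgs = @{ ComputerName = $ComputerName; SessionOption = $opt; ErrorAction = 'Stop' }
        if ($Credential) { $sessArgs.Credential = $Credential }
        $session = New-CimSession @sessArgs
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Dcom   = $true
        $result.Detail = "OK: $($os.Caption), last boot $($os.LastBootUpTime)"
    } catch {
        # "The RPC server is unavailable" after step 1 succeeded usually means the
        # dynamic RPC ports are blocked by the firewall, or a NAT device rewrote
        # the address the endpoint mapper handed back for the second connection.
        $result.Detail = $_.Exception.Message
    } finally {
        if ($session) { Remove-CimSession $session }
    }
    return [pscustomobject]$result
}

Test-RemoteWmi -ComputerName $Target -Credential $Credential
```

Run it as the same account the Collector uses for WMI. A result with EndpointMapper true and Dcom false is the signature of the dynamic-port or NAT problem the article warns about; fix that before expecting reliable data from the host.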