

How to Configure a Windows Firewall for SAM

Valid on Windows Agentless endpoints

The SAM Windows Agentless connector uses port 135 (the DCOM port) to connect to Windows Agentless endpoints. After the connector connects to the endpoint, it uses a dynamic port (above 1000) for communication with the WMI (Windows Management Instrumentation) service.

If the Windows firewall is enabled, you must configure the firewall so that the SAM Windows Agentless connector can connect to the endpoint. If you do not configure the firewall, the Enterprise Management Server cannot communicate with the endpoint.

To configure a Windows firewall for SAM, do as follows:

  1. Open port 135.
  2. Create a firewall rule so that the firewall permits any traffic arriving to the WMI service from dynamic RPC ports.

    Use the information in the following examples to help you configure the Windows firewall.

Example: Open Port 135

The following example shows you how to open port 135 on a Windows Server 2008 computer.

  1. Click Start, Control Panel, Windows Firewall.

    The Windows Firewall dialog appears.

  2. Click Change Settings.

    The Windows Firewall Settings dialog appears.

  3. Click the Exceptions tab, and click Add port.

    The Add a Port dialog appears.

  4. Complete the dialog, as follows:

    Click OK.

    The DCOM_TCP135 rule appears in the Exceptions tab.

  5. Click OK.

    The Windows Firewall Settings dialog closes. You have opened port 135.

Example: Create a Firewall Rule That Permits Traffic Arriving to the WMI Service from Dynamic RPC Ports

The following example shows you how to create a firewall rule on a Windows Server 2008 computer. The firewall rule permits traffic arriving to the WMI service from dynamic RPC ports.

  1. Click Start, Administrative Tools, Windows Firewall with Advanced Security.

    The Windows Firewall with Advanced Security dialog opens.

  2. Right-click Inbound Rules in the left pane and click New Rule.

    The New Inbound Rule Wizard appears.

  3. Complete the New Inbound Rule Wizard. Accept the default settings on all pages except the following:
    1. On the Rule Type page, select Custom.
    2. On the Program page, do as follows:
      • Select All programs.
      • Click Customize.

        The Customize Service Settings dialog opens.

      • Select Apply to this Service, select Windows Management Instrumentation, and click OK.
    3. On the Scope page, do as follows in the Which remote IP addresses does this rule match section:
      • Select These IP addresses and click Add.

        The IP Address dialog appears.

      • Enter the IP address of the Distribution Server in the This IP address or subnet field, and click OK.
    4. On the Name page, type a name for the new rule in the Name field.

    After you complete the wizard, you have created a firewall rule so that the firewall permits any traffic arriving to the WMI service from dynamic RPC ports.
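
A scripted equivalent of the two procedures above, as an added example and not vendor-supplied code: PowerShell 2.0 or later calling netsh advfirewall on the endpoint. The rule name SAM_WMI_In, the parameter names and the optional -ScopeDcomRule switch (which also limits port 135 to the Distribution Server) are assumptions of this example, and TCP for port 135 is assumed from the rule name DCOM_TCP135.

```powershell
# Added example (not vendor code). Run from an elevated prompt on the endpoint.
param(
    [Parameter(Mandatory = $true)]
    [string]$DistributionServerIp,        # IP address of the Distribution Server
    [string]$WmiRuleName = 'SAM_WMI_In',  # hypothetical name; the page lets you choose one
    [switch]$ScopeDcomRule                # assumption: also limit port 135 to that address
)

# Accept only a literal IP address in canonical form before passing it to netsh.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($DistributionServerIp, [ref]$ip) -or
    $ip.ToString() -ne $DistributionServerIp) {
    throw "Not a literal IP address: $DistributionServerIp"
}

# Firewall changes need an elevated session; fail early with a clear message.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Firewall rules can only be changed from an elevated session.'
}

function Set-InboundAllowRule([string]$Name, [string[]]$Match) {
    # Delete any earlier copy so a rerun replaces the rule instead of duplicating it.
    & netsh advfirewall firewall delete rule "name=$Name" | Out-Null
    $cmd = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name",
             'dir=in', 'action=allow') + $Match
    & netsh $cmd | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to create rule '$Name'." }
}

# Procedure 1: open port 135 (DCOM_TCP135 is the rule name shown on the page).
$dcom = @('protocol=TCP', 'localport=135')
if ($ScopeDcomRule) { $dcom += "remoteip=$DistributionServerIp" }
Set-InboundAllowRule 'DCOM_TCP135' $dcom

# Procedure 2: any traffic to the WMI service (short name winmgmt), but only
# from the Distribution Server, matching the Scope page of the wizard.
Set-InboundAllowRule $WmiRuleName @('service=winmgmt', "remoteip=$DistributionServerIp")

# Show both rules so the scope and service binding can be reviewed.
& netsh advfirewall firewall show rule name=DCOM_TCP135 verbose
& netsh advfirewall firewall show rule "name=$WmiRuleName" verbose
```

In the verbose output, check that the WMI rule lists the Distribution Server under RemoteIP and winmgmt under Service, so that it does not admit traffic from other hosts or to other services.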