Enterprise Administration Guide › Implementing Shared Accounts › SAM Endpoint and Shared Account Creation › Create an Endpoint › Windows Agentless Connection Information › Configure Windows Agentless Endpoints for SAM › Firewall Configuration on Windows Agentless Endpoints

Firewall Configuration on Windows Agentless Endpoints

Valid on Windows Server 2008 and Windows 7 Enterprise

The SAM Windows Agentless connector uses port 135 (the DCOM port) to connect to Windows Agentless endpoints. After the connector connects to the endpoint, it uses a dynamic port (above 1000) for communication with the WMI (Windows Management Instrumentation) service.

If the Windows firewall is enabled on a Windows Agentless endpoint, the firewall can block both the connection to port 135 and the dynamic port. If the Windows firewall blocks these connections, the Enterprise Management Server cannot communicate with the endpoint. Therefore, you cannot create Windows Agentless endpoints or cannot discover service accounts and scheduled tasks on the endpoint.

Configure the firewall so that the SAM Windows Agentless connector can connect to the endpoint. When you configure the firewall, open port 135 and specify that the firewall permits any traffic arriving to the WMI service from dynamic RPC ports.

Allow the following applications or features through the Windows firewall in the Control Panel:

• Windows Management Instrumentation (WMI)
• Remote Service Management
• Remote Scheduled Tasks Management
• Netlogon Service

Enable the following inbound firewall rules in the Advanced Configuration:

• Windows Management Instrumentation (WMI-In)
• Windows Management Instrumentation (DCOM-In)
• Windows Management Instrumentation (ASync-In)

More information:

How to Configure a Windows Firewall for SAM