Network Inventory tool will not connect with firewall enabled

mig1980
Good day everyone. We are using a network inventory tool called Total Network Inventory by Softinventive. It works well when I have gotten it to work. My problem is that if the Windows firewall is enabled, it will give me a

scan failed: SNMP: Incorrect community or SNMP not available

The company states that I should enable SMB protocol to access Windows computers. To do so I should enable "File and Printer Sharing" exception in the Windows Firewall or TCP port 445 in other firewalls. You may also try to enable TCP port 139 (NetBIOS) for older systems.

I have tried enabling both every single inbound and outbound rule available for Windows Server 2008 R2 and nothing. But as soon as I turn off the firewall, I am able to connect no problem.

Any ideas?

Commented:
Open the following ports for SNMP to communicate:

161, 162, 10161, 10162
Top Expert 2015

Commented:
Error message does not say anything about SMB, it mentions SNMP (which uses 161/UDP for queries as in your error message, and 162/UDP to send Traps back to management workstation)

Note that it uses UDP so that concept of "connection" is not applicable.

Author

Commented:
So I opened up the ports suggested (even tried all four ports suggested) and no luck. Port 162 already had a rule associated with it in Windows Firewall which I just enabled. For the other 3 ports, I created a new rule and added the ports to the remote ports section of the rule.

Any other ideas?

By the way, the primary method of accessing the details of the servers from this software is SMB. When I only select SMB, it gives me an error stating that no open ports are available.

Top Expert 2015

Commented:
162 and 161: UDP or TCP?

Check thoroughly... UDP is used with DNS, NTP and SNMP, and you do not get connections, just a stream of packets.

Author

Commented:
They were both UDP. Screenshots attached. Both ports were enabled for Inbound traffic...is that correct?
SNMPError.jpg

Commented:
This problem computer, is it an asset you are trying to scan, or your inventory software host/server? Or is this happening on all assets that you try to access?

Try opening port 135. This software uses WMI in conjunction with RPC as well as SMB.
Top Expert 2015

Commented:
Monitoring / Device
SNMP request
Random port => 161/udp

Trap
162/udp <= random port

WMI uses 135 to negotiate other port to use for session, so firewall needs to decode it just like FTP. OR - if not - you need to allow monitoring station to connect to any port on the device.
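The rules described across the replies above (SNMP 161/UDP, SMB 445/139 TCP, RPC endpoint mapper 135/TCP plus the negotiated dynamic port), written out as an added example for a Windows Server 2008 R2 scan target; this is not the vendor's script or anything posted in the thread, and the scanner address 192.0.2.10 is a placeholder.

```batch
@echo off
REM Added example, not from the thread or from Softinventive: Windows Firewall
REM rules on the scanned Server 2008 R2 host, limited to the inventory host.
REM Placeholder: replace with the real address of the scanning machine.
set SCANNER=192.0.2.10

REM An INBOUND rule names the LOCAL port, i.e. the listening service on this host.
REM The scanner's source port is ephemeral, so listing 161 under "remote ports"
REM (as tried in the thread) matches nothing.
netsh advfirewall firewall add rule name="Inventory: SNMP agent" dir=in action=allow protocol=UDP localport=161 remoteip=%SCANNER%

REM 162/UDP is the trap listener on the management station, not on the scanned
REM host; traps leave this host outbound, which Windows Firewall allows by default,
REM so no inbound 162 rule is needed here.

REM SMB (the tool's primary method): enable the built-in group, which covers
REM 445/TCP and the legacy NetBIOS ports (139/TCP, 137-138/UDP)...
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
REM ...or the narrower explicit form, scoped to the scanner only.
netsh advfirewall firewall add rule name="Inventory: SMB" dir=in action=allow protocol=TCP localport=445,139 remoteip=%SCANNER%

REM WMI/DCOM: 135/TCP is the endpoint mapper; the real session port is negotiated
REM afterwards. localport=RPC-EPMap / localport=RPC let Windows Firewall follow that
REM negotiation without opening the whole dynamic range to everyone.
netsh advfirewall firewall add rule name="Inventory: RPC endpoint mapper" dir=in action=allow protocol=TCP localport=RPC-EPMap remoteip=%SCANNER%
netsh advfirewall firewall add rule name="Inventory: RPC dynamic" dir=in action=allow protocol=TCP localport=RPC remoteip=%SCANNER%
REM Equivalent built-in group, if the per-IP scope is not needed:
REM netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

REM Confirm which inbound rules are now enabled for the scanner.
netsh advfirewall firewall show rule name=all dir=in | findstr /I "Inventory"
```

Run from an elevated command prompt on the scanned server; if a domain Group Policy manages the firewall, rules it pushes appear in the same listing and take precedence over these local ones.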
Commented:
Well the random port thing is true with most protocols and services behind a stateful firewall. The outside port will hardly ever match the internal port it is listening on. The firewall does the job of keeping a log of what port is being used in its internal connection tracker. You can however force most protocols and services to communicate over, and listen on, specific ports. This configuration only works if both the client and server adhere to the configuration.

Author

Commented:
The server in question is a client I am trying to scan. The issue occurs with all servers on our domain but there are two servers that I am using the Windows Firewall for to contain access (both with Windows Server 2008 R2).

I attempted to add both an inbound and outbound rule to allow all ports open for the specific IP address of the host server. That still does not work. Could there be a Group Policy that would be blocking this? If so, how do I check on the client server?
Commented:
If the problem is only when the firewall is on, then your problem is the firewall. There must be a port, or possibly a service, that you are missing. Sometimes an IP Protocol must be allowed to pass, not just the port. Like GRE with VPNs.

Author

Commented:
The creators of the software told me all I needed were the ports mentioned in the original post. Any other input?
Commented:
Are you familiar with doing a network packet capture? If you have a mirror port on your switch/router, or from one of the machines involved, do a capture with Wireshark, and then filter the results for the protocols in question. You will find out where the problem is, because you will see all the protocols involved, and which are not getting through.
Top Expert 2015
Commented:
Microsoft Network Monitor does not need a reboot... and is on par with Wireshark as long as Microsoft protocols are involved.
