Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

What firewall ports shall I open for Powershell to perform remote query?

Posted on 2015-02-04
6
Medium Priority
?
1,877 Views
Last Modified: 2015-02-13
Hi Experts,
I have server that sit behind firewall at DMZ.  What ports shall I open to in order for such cmdlets to make query to DMZ servers remotely.  

I have already opened the following range of ports, but still failed, any idea what ports are still missing?
TCP port: 80,139,443,445,5985,5986
UDP port: 137,138
Ephemeral ports: (TCP 1024-4999,49152-65535)

Some others cmdlets that's failing such as get-WebAppPoolState, Restart-computer etc.
*W3SVC service does exist in target sever, just in case some of you may doubt if service exist.

PS C:\> get-service -name W3SVC -computername DMZServer
get-service : Cannot find any service with service name 'W3SVC'.
At line:1 char:1
+ get-service -name W3SVC -computername DMZServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (W3SVC:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Thanks.

Regards,
Kung Hui
0
Comment
Question by:kunghui80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 19

Expert Comment

by:helpfinder
ID: 40590488
try ports TCP/5985 = HTTP and TCP/5986 = HTTPS

based on technet article
0
 
LVL 41

Assisted Solution

by:footech
footech earned 600 total points
ID: 40590567
If you were using PowerShell Remoting, helpfinder's suggestion would be correct (allowing WS-Man), but you already have those listed.  And in fact, if you were to use PS Remoting your firewall configuration would be much simpler.

However, the remoting that is built into most cmdlets like Get-Service uses DCOM to communicate.  I believe the only other port you need to open is TCP 135, which if I understand correctly, is the RPC Endpoint Mapper, which basically decides which ephemeral port should be used for further communication.
0
 
LVL 14

Assisted Solution

by:frankhelk
frankhelk earned 600 total points
ID: 40590586
If any other tips fail, I would recommend some kind of brute force method - form motives out of Watergate movies: "Follow the Data" ...

Install Wireshark, capture the traffic while doing the required actions with all ports open and analyze the traffic. If it's not allowed to open the firewall for that, you'll possibly have to analyze the failing traffic.

Other attempt: Analyze the firewall's logs for dropped packets from/to the involved machines.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 2

Accepted Solution

by:
kunghui80 earned 0 total points
ID: 40597488
Dear all,
Sorry for late update on this case.  I have find reason for this case.
Firewall has been confirmed open as per port listed above.

However, I'm attempting to PSRemoting between different domain.  Thus the following steps need to be performed.
In a mixed domain environement, I have added the following:-
1. New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

2. Subsequently, I have to set trusted hosts on both client & server to make it work.
Set-item wsman:localhost\client\trustedhosts -value RM-Client1,RM-Client2

Thanks.

Regards,
Kung Hui
0
 
LVL 2

Author Comment

by:kunghui80
ID: 40597496
To close this request.
0
 
LVL 2

Author Closing Comment

by:kunghui80
ID: 40607544
I have found this solutions after several attempt for resolve the issue. Nevertheless I also wish to award other comments which leading me to find out more on this.  Thanks much!
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question