What firewall ports shall I open for Powershell to perform remote query?

Hi Experts,
I have server that sit behind firewall at DMZ.  What ports shall I open to in order for such cmdlets to make query to DMZ servers remotely.  

I have already opened the following range of ports, but still failed, any idea what ports are still missing?
TCP port: 80,139,443,445,5985,5986
UDP port: 137,138
Ephemeral ports: (TCP 1024-4999,49152-65535)

Some others cmdlets that's failing such as get-WebAppPoolState, Restart-computer etc.
*W3SVC service does exist in target sever, just in case some of you may doubt if service exist.

PS C:\> get-service -name W3SVC -computername DMZServer
get-service : Cannot find any service with service name 'W3SVC'.
At line:1 char:1
+ get-service -name W3SVC -computername DMZServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (W3SVC:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Thanks.

Regards,
Kung Hui
LVL 2
kunghui80Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
kunghui80Connect With a Mentor Author Commented:
Dear all,
Sorry for late update on this case.  I have find reason for this case.
Firewall has been confirmed open as per port listed above.

However, I'm attempting to PSRemoting between different domain.  Thus the following steps need to be performed.
In a mixed domain environement, I have added the following:-
1. New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

2. Subsequently, I have to set trusted hosts on both client & server to make it work.
Set-item wsman:localhost\client\trustedhosts -value RM-Client1,RM-Client2

Thanks.

Regards,
Kung Hui
0
 
helpfinderIT ConsultantCommented:
try ports TCP/5985 = HTTP and TCP/5986 = HTTPS

based on technet article
0
 
footechConnect With a Mentor Commented:
If you were using PowerShell Remoting, helpfinder's suggestion would be correct (allowing WS-Man), but you already have those listed.  And in fact, if you were to use PS Remoting your firewall configuration would be much simpler.

However, the remoting that is built into most cmdlets like Get-Service uses DCOM to communicate.  I believe the only other port you need to open is TCP 135, which if I understand correctly, is the RPC Endpoint Mapper, which basically decides which ephemeral port should be used for further communication.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
frankhelkConnect With a Mentor Commented:
If any other tips fail, I would recommend some kind of brute force method - form motives out of Watergate movies: "Follow the Data" ...

Install Wireshark, capture the traffic while doing the required actions with all ports open and analyze the traffic. If it's not allowed to open the firewall for that, you'll possibly have to analyze the failing traffic.

Other attempt: Analyze the firewall's logs for dropped packets from/to the involved machines.
0
 
kunghui80Author Commented:
To close this request.
0
 
kunghui80Author Commented:
I have found this solutions after several attempt for resolve the issue. Nevertheless I also wish to award other comments which leading me to find out more on this.  Thanks much!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.