Solved

What firewall ports shall I open for Powershell to perform remote query?

Posted on 2015-02-04
6
799 Views
Last Modified: 2015-02-13
Hi Experts,
I have server that sit behind firewall at DMZ.  What ports shall I open to in order for such cmdlets to make query to DMZ servers remotely.  

I have already opened the following range of ports, but still failed, any idea what ports are still missing?
TCP port: 80,139,443,445,5985,5986
UDP port: 137,138
Ephemeral ports: (TCP 1024-4999,49152-65535)

Some others cmdlets that's failing such as get-WebAppPoolState, Restart-computer etc.
*W3SVC service does exist in target sever, just in case some of you may doubt if service exist.

PS C:\> get-service -name W3SVC -computername DMZServer
get-service : Cannot find any service with service name 'W3SVC'.
At line:1 char:1
+ get-service -name W3SVC -computername DMZServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (W3SVC:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Thanks.

Regards,
Kung Hui
0
Comment
Question by:kunghui80
6 Comments
 
LVL 19

Expert Comment

by:helpfinder
ID: 40590488
try ports TCP/5985 = HTTP and TCP/5986 = HTTPS

based on technet article
0
 
LVL 40

Assisted Solution

by:footech
footech earned 150 total points
ID: 40590567
If you were using PowerShell Remoting, helpfinder's suggestion would be correct (allowing WS-Man), but you already have those listed.  And in fact, if you were to use PS Remoting your firewall configuration would be much simpler.

However, the remoting that is built into most cmdlets like Get-Service uses DCOM to communicate.  I believe the only other port you need to open is TCP 135, which if I understand correctly, is the RPC Endpoint Mapper, which basically decides which ephemeral port should be used for further communication.
0
 
LVL 14

Assisted Solution

by:frankhelk
frankhelk earned 150 total points
ID: 40590586
If any other tips fail, I would recommend some kind of brute force method - form motives out of Watergate movies: "Follow the Data" ...

Install Wireshark, capture the traffic while doing the required actions with all ports open and analyze the traffic. If it's not allowed to open the firewall for that, you'll possibly have to analyze the failing traffic.

Other attempt: Analyze the firewall's logs for dropped packets from/to the involved machines.
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 2

Accepted Solution

by:
kunghui80 earned 0 total points
ID: 40597488
Dear all,
Sorry for late update on this case.  I have find reason for this case.
Firewall has been confirmed open as per port listed above.

However, I'm attempting to PSRemoting between different domain.  Thus the following steps need to be performed.
In a mixed domain environement, I have added the following:-
1. New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

2. Subsequently, I have to set trusted hosts on both client & server to make it work.
Set-item wsman:localhost\client\trustedhosts -value RM-Client1,RM-Client2

Thanks.

Regards,
Kung Hui
0
 
LVL 2

Author Comment

by:kunghui80
ID: 40597496
To close this request.
0
 
LVL 2

Author Closing Comment

by:kunghui80
ID: 40607544
I have found this solutions after several attempt for resolve the issue. Nevertheless I also wish to award other comments which leading me to find out more on this.  Thanks much!
0

Featured Post

Register Today - IoT Current and Future Threats

Are you prepared to protect your organization from current and future IoT Threats?  Join our Wi-Fi expert in episode three of our webinar series for a look at the current state of Wi-Fi IoT and what may lie ahead. Register for our live webinar on April 20th at 9 am PDT!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief introduction to what I consider to be the best editor for PowerShell.
A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question