• Status: Solved
• Priority: Medium
• Security: Public
• Views: 2830

What firewall ports shall I open for Powershell to perform remote query?

Hi Experts,
I have a server that sits behind a firewall in the DMZ. What ports shall I open in order for such cmdlets to make queries to DMZ servers remotely?

I have already opened the following range of ports, but it still fails. Any idea what ports are still missing?
TCP port: 80,139,443,445,5985,5986
UDP port: 137,138
Ephemeral ports: (TCP 1024-4999,49152-65535)

Some other cmdlets that are failing: get-WebAppPoolState, Restart-computer, etc.
*The W3SVC service does exist on the target server, in case some of you doubt whether the service exists.

PS C:\> get-service -name W3SVC -computername DMZServer
get-service : Cannot find any service with service name 'W3SVC'.
At line:1 char:1
+ get-service -name W3SVC -computername DMZServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (W3SVC:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Thanks.

Regards,
Kung Hui
0
Asked by: kunghui80
3 Solutions
 
helpfinder (IT Consultant) commented:
Try ports TCP/5985 = HTTP and TCP/5986 = HTTPS

based on a TechNet article
0
 
footech commented:
If you were using PowerShell Remoting, helpfinder's suggestion would be correct (allowing WS-Man), but you already have those listed.  And in fact, if you were to use PS Remoting your firewall configuration would be much simpler.

However, the remoting that is built into most cmdlets like Get-Service uses DCOM to communicate.  I believe the only other port you need to open is TCP 135, which if I understand correctly, is the RPC Endpoint Mapper, which basically decides which ephemeral port should be used for further communication.
0
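To make the distinction in the answer above concrete, here is an added PowerShell example (not code from the original thread) that checks, from the management host, which of the two remoting paths a DMZ server is reachable over before any further firewall changes are made. It assumes Test-NetConnection (NetTCPIP module, Windows 8 / Server 2012 and later) is available; the host name DMZServer is a placeholder. The RPC-based legacy path starts at the endpoint mapper on TCP 135 and then needs a dynamic port, whereas WS-Man remoting needs only 5985 or 5986, which is why the second path keeps the firewall rule set small.

```powershell
# Added example, not from the original post. Reports which management ports
# on a DMZ host are reachable, then picks the remoting path accordingly.
function Test-RemoteMgmtPorts {
    param(
        [Parameter(Mandatory)] [string]$ComputerName
    )

    # RPC-based cmdlets (e.g. Get-Service -ComputerName, Restart-Computer) start
    # at the endpoint mapper on TCP 135 and are then redirected to a dynamic port;
    # WS-Man based PowerShell Remoting uses a single fixed port, 5985 or 5986.
    $checks = @(
        @{ Purpose = 'RPC endpoint mapper (legacy cmdlet remoting)'; Port = 135  }
        @{ Purpose = 'SMB (RPC over named pipes)';                   Port = 445  }
        @{ Purpose = 'WinRM HTTP (PS Remoting)';                      Port = 5985 }
        @{ Purpose = 'WinRM HTTPS (PS Remoting)';                     Port = 5986 }
    )

    foreach ($c in $checks) {
        # -WarningAction hides the ICMP warning when ping is blocked but TCP is open.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $c.Port
            Purpose      = $c.Purpose
            Open         = $r.TcpTestSucceeded
        }
    }
}

# Usage: placeholder host name; substitute the real DMZ server.
$results = Test-RemoteMgmtPorts -ComputerName 'DMZServer'
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Port -in 5985, 5986 -and $_.Open }) {
    # Prefer WS-Man: one well-known port, no dynamic RPC range to open.
    Invoke-Command -ComputerName 'DMZServer' -ScriptBlock { Get-Service -Name W3SVC }
}
elseif ($results | Where-Object { $_.Port -eq 135 -and $_.Open }) {
    # Legacy path: the firewall must also pass the dynamic RPC port range
    # (TCP 49152-65535 on Windows Vista / Server 2008 and later).
    Get-Service -Name W3SVC -ComputerName 'DMZServer'
}
```

The output table is what to compare against the firewall log: a port that shows Open = False while the rule is supposedly present points at the firewall rather than at the cmdlet.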
 
frankhelk commented:
If any other tips fail, I would recommend some kind of brute force method, taking a motto from the Watergate movies: "Follow the Data" ...

Install Wireshark, capture the traffic while doing the required actions with all ports open and analyze the traffic. If opening the firewall for that is not allowed, you'll possibly have to analyze the failing traffic.

Other attempt: Analyze the firewall's logs for dropped packets from/to the involved machines.
0

 
kunghui80 (Author) commented:
Dear all,
Sorry for the late update on this case. I have found the reason for this case.
The firewall has been confirmed open as per the ports listed above.

However, I'm attempting PSRemoting between different domains. Thus the following steps need to be performed.
In a mixed domain environment, I have added the following:
1. New-Itemproperty -name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

2. Subsequently, I have to set trusted hosts on both client & server to make it work.
Set-item wsman:localhost\client\trustedhosts -value RM-Client1,RM-Client2

Thanks.

Regards,
Kung Hui
0
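The two steps in the accepted solution above, as an added PowerShell example that is not the poster's own script: it applies both settings idempotently (New-ItemProperty fails if the value already exists, and Set-Item on TrustedHosts overwrites the list unless -Concatenate is used) and then verifies the cross-domain session. Host names RM-Client1, RM-Client2 and DMZServer are placeholders. Note that entries in TrustedHosts switch the client to NTLM and drop the server authentication Kerberos would give, which is why the verification below uses HTTPS (-UseSSL, TCP 5986) so the server is still authenticated by its certificate.

```powershell
# Added example, not from the original thread. Step 1 runs on the target
# (elevated); step 2 and the verification run on the management client.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'LocalAccountTokenFilterPolicy'

# Step 1: LocalAccountTokenFilterPolicy = 1 turns off UAC remote token filtering
# for local accounts. New-ItemProperty throws if the value exists, so check first.
$existing = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $policyPath -Name $policyName -PropertyType DWord -Value 1 | Out-Null
}
elseif ($existing.$policyName -ne 1) {
    Set-ItemProperty -Path $policyPath -Name $policyName -Value 1
}

# Step 2: add the peers to TrustedHosts without clobbering existing entries.
$hostsToTrust = 'RM-Client1,RM-Client2'          # placeholder host names
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$alreadyListed = ($current -split ',') -contains 'RM-Client1'
if ($current -ne '*' -and -not $alreadyListed) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $hostsToTrust -Concatenate -Force
}

# Verification: with TrustedHosts in play the client cannot use Kerberos, so
# explicit credentials are required. -UseSSL keeps server authentication
# (certificate) and TLS on the wire; it needs an HTTPS listener on TCP 5986.
$cred = Get-Credential -Message 'Account with rights on the DMZ server'
Test-WSMan -ComputerName 'DMZServer' -UseSSL -Credential $cred -Authentication Default
Invoke-Command -ComputerName 'DMZServer' -UseSSL -Credential $cred -ScriptBlock {
    Get-Service -Name W3SVC
}
```

If the HTTPS listener is not yet configured on the DMZ host, Test-WSMan reports the failure before any credential is used, which separates a listener problem from the firewall and trust problems the thread was chasing.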
 
kunghui80 (Author) commented:
To close this request.
0
 
kunghui80 (Author) commented:
I found this solution after several attempts to resolve the issue. Nevertheless, I also wish to award the other comments, which led me to find out more on this. Thanks much!
0
