Server Management - Systems Insight Manager

WBEM and ISA 2004 EE

 
SOLVED
Dmitry_70
Frequent Advisor

WBEM and ISA 2004 EE

I have five servers HP ProLiant DL 380 G4 with Windows Server 2003 Enterprise Edition SP1. HP SIM 5.0 is installed on the PDC, Microsoft ISA Server 2004 Enterprise Edition is installed on another server.
WBEM access to four of my servers works fine.
I do not have WBEM access to the fifth server, which is the Microsoft ISA 2004 Enterprise Edition server computer. For example, if I select the Properties link on the System Page of that server I see the message "Error: Cannot connect to target system using WBEM". Two Failure Audit messages appear at the same time in the security event log of the ISA Server Computer with event ID 537 (an error occurred during logon); my user name and correct domain name are indicated in the message body, and the Logon Process and Authentication Package fields contain Kerberos. No "denied access" messages appear in the ISA log. I created two "global" rules for All Outbound Traffic: one from Internal network to LocalHost and another from LocalHost to Internal Network. I guess ISA should pass all traffic between CMS and ISA computer transparently in this case.
Could you suggest something?
8 REPLIES 8
Aravindh Rajaram
Honored Contributor

Re: WBEM and ISA 2004 EE

HPSIM makes use of the port 5989 to communicate to the WBEM service running on the target. Make sure that port is open on the target (Your ISA server).
David Claypool
Honored Contributor

Re: WBEM and ISA 2004 EE

For ProLiant servers using WBEM/WMI is not as feature-rich as using the ProLiant Support Pack. HP SIM does not support WMI Indications so you are missing out on events other than those generated by a status ping.
Dmitry_70
Frequent Advisor

Re: WBEM and ISA 2004 EE

OK, the problem is finally solved.
Dear AMicSys, I wrote in my question that all traffic between ISA and the Internal network was enabled. Moreover, no "denied access" messages appear in the ISA log. Certainly, port 5989 was opened. But the funniest and strangest fact is that there was no need to open the port. The only messages I found in the ISA log after clicking on the Properties link on the System Page of my ISA Server computer in SIM were messages for the RPC protocol. That is a key fact for the solution search.
For those who spent a lot of time trying to solve the same problem, I'll describe the cause. First, read the FAQ "I cannot use DCOM from a computer in the Remote Management Computers set to the ISA Server computer. Why not?" at the following link http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-administering.mspx. My CMS was included in the Remote Management Computers set. Rule No. 2 of the ISA system policy rules, called "Allow remote management from selected computers using MMC", enables RPC, but the Enforce strict RPC compliance flag can't be cleared for this rule. The flag prevents remote DCOM execution from computers indicated as sources for this rule. I have removed CMS from this rule and have created another Array Access Rule for the RPC protocol with CMS as source and with the Enforce strict RPC compliance flag cleared.
The strangest thing in this history is that DCOM execution prevention resulted in the "Cannot connect to target system using WBEM" message.
I can see the system properties in SIM now, but the ISA log doesn't register any traffic on port 5989.
Dmitry_70
Frequent Advisor

Re: WBEM and ISA 2004 EE

After publication of the last message I found out that the URL published in the message doesn't work. Please remove the final dot to open the required page or click here http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-administering.mspx
Morgan Simonsen
Occasional Advisor

Re: WBEM and ISA 2004 EE

I think the reason you are not seeing any traffic on ports 5988/5989 is that Windows WMI/WBEM uses RPC. What you should see in the ISA logs is a connection first to the RPC endpoint mapper, port 135, and later another connection to whatever port the WMI/WBEM service is listening on.

Regards
Morgan
David Claypool
Honored Contributor
Solution

Re: WBEM and ISA 2004 EE

"HPSIM makes use of the port 5989 to communicate to the WBEM service running on the target. Make sure that port is open on the target (Your ISA server)."

AMicSys: Your information is incorrect. This is a Windows machine and Windows uses WMI and NOT WBEM. Port 5989 would be used to communicate to a device talking WBEM (such as the OpenWBEM or OpenPegasus CIMOM on Linux). For devices that speak WMI, HP SIM uses the WMI Mapper service either locally or remotely, to translate back and forth.

"I think the reason you are not seeing any traffic on ports 5988/5989 is that Windows WMI/WBEM uses RPC."

Morgan: WBEM does NOT equal WMI. WMI communications are via DCOM. WBEM communications are via HTTPS on 5989. HP SIM will talk to the WMI Mapper on 5989 and the WMI Mapper will relay that to the WMI device via DCOM.
Morgan Simonsen
Occasional Advisor

Re: WBEM and ISA 2004 EE

Yes, you are correct, WMI does not equal WBEM. My previous post was not clear enough. However, it is still true that on a system without the WMI<->WBEM translator, HP SIM will contact the machine through RPC to run DCOM and get information from the machine. In this case the ISA server clearly does not have any WBEM-WMI mapper. If you run a network trace when SIM does its discovery you will see a connection first to 135 (RPC endpoint) and then later a new connection to the WMI endpoint on a high port.
David Claypool
Honored Contributor

Re: WBEM and ISA 2004 EE

You're correct...to a point. The Device Identification Process can be thought of as HP SIM playing 20 questions with a device to see what it supports. While HP SIM does attempt to make a WBEM connection, WINDOWS DOESN'T HAVE WBEM, ONLY WMI. This connection will fail and although HP SIM will list WBEM as a discovered protocol on that device, it's irrelevant because all HP SIM knows about is WBEM and as far as it's concerned it's talking WBEM to the device because the WMI Mapper is handling the translations.
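
Added example, not part of any post in this thread: a small Python classifier that tells the two management paths discussed above apart in a firewall connection log, WBEM on 5988/5989 versus DCOM (port 135 followed by a high port). The log format, the addresses and the `HIGH_PORT_MIN` threshold are constructed assumptions, not the ISA Server log layout.

```python
from collections import defaultdict

WBEM_PORTS = {5988, 5989}  # CIM-XML over HTTP/HTTPS, the ports named in the thread
RPC_EPMAP = 135            # RPC endpoint mapper
HIGH_PORT_MIN = 1024       # assumption: any port above the well-known range is "high"

# Constructed sample, hypothetical format: time src dst proto dport action
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.9 TCP 135 Allowed
10:00:02 10.0.0.5 10.0.0.9 TCP 1047 Allowed
10:00:05 10.0.0.5 10.0.0.7 TCP 5989 Allowed
10:00:07 10.0.0.5 10.0.0.8 TCP 135 Allowed
10:00:09 10.0.0.5 10.0.0.8 TCP 1052 Denied
"""

def parse(log_text):
    """Yield (time, src, dst, dport) for allowed TCP connections only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "TCP" or not parts[4].isdigit():
            continue  # blank or malformed line
        if parts[5] == "Allowed":
            yield parts[0], parts[1], parts[2], int(parts[4])

def classify(log_text):
    """Return {(src, dst): set of labels} describing the management path seen."""
    flows = defaultdict(list)
    for t, src, dst, dport in parse(log_text):
        flows[(src, dst)].append((t, dport))
    result = {}
    for pair, events in flows.items():
        events.sort(key=lambda e: e[0])  # HH:MM:SS sorts chronologically; sort is stable
        labels, epmap_seen, dcom_seen = set(), False, False
        for _, dport in events:
            if dport in WBEM_PORTS:
                labels.add("wbem")
            elif dport == RPC_EPMAP:
                epmap_seen = True
            elif dport >= HIGH_PORT_MIN and epmap_seen:
                dcom_seen = True  # high-port connection after the endpoint mapper
        if dcom_seen:
            labels.add("dcom")
        elif epmap_seen:
            labels.add("epmap-only")  # mapper reached, no session followed
        result[pair] = labels
    return result

if __name__ == "__main__":
    for pair, labels in sorted(classify(SAMPLE_LOG).items()):
        print(pair, sorted(labels))
```

A target labelled `epmap-only` reached the endpoint mapper but never opened the follow-up session, which is the pattern to check against RPC filtering rules when no denied entries are logged.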