Server Management - Systems Insight Manager

Re: wbem-wmi hp sim port

 
cez
Advisor

Re: wbem-wmi hp sim port

To answer David's question, the networking team did open port 5989. I configured the WMI Mapper in SIM.

Below is the log from the firewall.

Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2406 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2406 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:48 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:48 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2412 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:54 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:54 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2412 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:37 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:37 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:39 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:39 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:57 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2424 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:58 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2425 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:05:06 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2424 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:05:06 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2425 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:07:50 IH-Back %FWSM-6-302013: Built outbound TCP connection 145673097495364418 for inside:192.168.67.214/2275 (192.168.67.214/2275) to web:10.46.200.82/5989 (10.46.200.82/5989)
Apr 21 12:07:56 IH-Back %FWSM-6-302014: Teardown TCP connection 145673097495364418 for inside:192.168.67.214/2275 to web:10.46.200.82/5989 duration 0:00:06 bytes 10424 TCP FINs

10.46.200.82 is the managed node behind the firewall.

192.168.67.214 is the SIM server.

Thanks!
Cez
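
Added example, not part of the original post: a short Python script that groups FWSM log lines like the ones above by flow, so the port the ACL is blocking stands out from the retries. The names `summarize` and `SAMPLE` are hypothetical, the sample is an excerpt of the log quoted in the post, and treating a repeated source port as a retry of the same connection attempt is an assumption.

```python
import re
from collections import Counter

# Excerpt of the firewall log quoted in the post above.
SAMPLE = """\
Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:07:50 IH-Back %FWSM-6-302013: Built outbound TCP connection 145673097495364418 for inside:192.168.67.214/2275 (192.168.67.214/2275) to web:10.46.200.82/5989 (10.46.200.82/5989)
"""

# 106023: packet denied by an access-group (ACL).
DENY = re.compile(
    r'%FWSM-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 302013: TCP connection built (permitted); endpoints kept in the order logged.
BUILT = re.compile(
    r'%FWSM-6-302013: Built (?P<dir>\w+) TCP connection \d+ for '
    r'(?P<aif>[\w-]+):(?P<aip>[\d.]+)/(?P<aport>\d+) \([^)]*\) to '
    r'(?P<bif>[\w-]+):(?P<bip>[\d.]+)/(?P<bport>\d+)')

def summarize(log_text):
    """Return (denied flows with counts, permitted connections as logged)."""
    src_ports = {}        # (acl, src, dst, dport) -> set of source ports seen
    line_count = Counter()
    built = set()
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m:
            key = (m["acl"], m["sip"], m["dip"], int(m["dport"]))
            src_ports.setdefault(key, set()).add(int(m["sport"]))
            line_count[key] += 1
            continue
        m = BUILT.search(line)
        if m:
            built.add((m["aip"], m["bip"], int(m["bport"])))
    # Assumption: the same source port seen again is a retry, so distinct
    # source ports approximate the number of separate connection attempts.
    report = [{"acl": k[0], "src": k[1], "dst": k[2], "dport": k[3],
               "log_lines": line_count[k], "attempts": len(v)}
              for k, v in sorted(src_ports.items())]
    return report, sorted(built)

if __name__ == "__main__":
    denied, permitted = summarize(SAMPLE)
    for row in denied:
        print("DENIED   ", row)
    for conn in permitted:
        print("PERMITTED", conn)
```

On the excerpt this reports one denied flow, 10.46.200.82 to 192.168.67.214 on TCP 135 under "acl-web-in", and one permitted connection between 192.168.67.214 and 10.46.200.82 on port 5989.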
Jeramy
Advisor

Re: wbem-wmi hp sim port

OK, finally got some answers.
Windows servers will always use WMI (unless you configure SNMP).

The WBEM "Agent / Providers" are not WBEM, they are an extension of the existing WMI CIM Schema.

If they had just stated that they are extending the WMI CIM Schema, this would have saved a lot of time and headaches.

The only way to get this to go through a single port is to change the setting on the Windows server to forward WMI events (NOT WBEM events, BECAUSE IT DOESN'T EXIST ON WINDOWS) to the WMI Mapper, so it can turn it into the WBEM protocol that the SIM server understands.

Please, people at HP, pull your heads out of your Wikipedia, and fix your documentation calling WMI, WBEM, when it's clearly NOT WBEM, it's WMI.

cez
Advisor

Re: wbem-wmi hp sim port

Hi Jeramy,

How do we configure Windows to forward WMI events to the WMI Mapper? Do you have any documentation or know-how for doing so?

Thanks,
Cez
Jeramy
Advisor

Re: wbem-wmi hp sim port

I haven't gotten that far yet; here is one doc:
http://msdn.microsoft.com/en-us/library/bb219447%28v=vs.85%29.aspx

I believe it's going to require port 135 (DCOM) and another port for actual communication.

I'll let you know when I finish testing.
David Claypool
Honored Contributor

Re: wbem-wmi hp sim port

The model that is used for WMI Indications is the opposite of that for SNMP (where you configure the trap destination on the target's SNMP service). WMI Indications use a subscription model whereby your management application 'subscribes' to the device. This is done through 'Manage Communications' in HP SIM. When you do that, it will establish the path through the requisite WMI Mapper to route communications to the HP SIM CMS.
Jeramy
Advisor

Re: wbem-wmi hp sim port

It's not looking good.

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/c2ca4979-165a-4bb9-903c-e23f6a35dbf1/

If this is correct, it means HP's secure system requires you to degrade security by opening a crapload of ports.
cez
Advisor

Re: wbem-wmi hp sim port

I think the commands in the "Setting Up a Fixed Port for WMI" document are for Windows firewall. We don't use Windows firewall on our Windows Server 2003 servers and have disabled it, so it doesn't apply here. The Windows servers are behind the Cisco firewalls.

All we do here is refer to the HP documentation, and it seems like nobody has gotten this to work yet. I wonder if someone from HP can actually do some testing, confirm this actually works and document it instead of just referring to the documentation all the time? Thanks.
Rene Nascimento
Frequent Advisor

Re: wbem-wmi hp sim port

Do we have a definitive solution to get WBEM functioning through a non-windows firewall? I'm looking to solution this now. Thanks in advance.

Tushar Bajpai
Trusted Contributor

Re: wbem-wmi hp sim port

That's correct. It depends on where the WMI Mapper is installed.

1) If the WMI Mapper is installed on the target node (managed node), then opening the above ports in the firewall will solve the issue.

2) If the WMI Mapper acts as a proxy (remote) or is installed on the CMS, the communication between the CMS and the target node will be on dynamic ports (as that is a COM/DCOM call).

 

Thanks 

\Tushar

if it helped, award me Kudos or Points. Thanks :)

\T Bajpai
HP Employee