BatchPatch Ports

Remote connections in BatchPatch are established using a combination of WMI (Windows Management Instrumentation) and PsExec.

In order for PsExec to work properly…
The target computer has to accept connections on TCP ports 135 (the RPC endpoint mapper) and 445 (SMB), and the account BatchPatch runs under must be able to reach the admin$ share on the target computer, since PsExec copies its service executable there over SMB. If you are using Windows Firewall on the target computer, the only change needed is to enable the built-in “File and Printer Sharing” exception, which covers both ports. More details on configuring Windows Firewall can be found here: Using BatchPatch with Windows Firewall. If you are not using Windows Firewall, you need to explicitly permit traffic from the BatchPatch computer to the target computer on TCP 135 and 445; scope that rule to the BatchPatch computer’s address rather than opening those ports to the whole network.

As a test, after you configure the firewall, try to connect from the BatchPatch computer to the target computer’s admin$ share by going to ‘Start > Run > \\targetComputer\admin$’ on the BatchPatch computer, logged on as the account BatchPatch will use. If Explorer opens the share, SMB is reachable and the account has administrative rights on the target; if it does not, fix that before troubleshooting BatchPatch itself.

In order for WMI to work properly…
The target computer must be able to receive and process RPC (Remote Procedure Call) requests: WMI is exposed through DCOM, which runs on top of RPC. Both the Windows Management Instrumentation service (Winmgmt) and the Remote Procedure Call service (RpcSs) must be running on the target computer. Note that an RPC connection is a two-step exchange: the client first asks the endpoint mapper on TCP 135 where WMI is listening, then connects to the dynamically assigned port it is given. If you’re using Windows Firewall on the target computer, then please follow the instructions on this page to configure it properly: Using BatchPatch with Windows Firewall.
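The following script is an added example, not BatchPatch’s own code or documentation. It checks, from the BatchPatch computer, the prerequisites listed above for both PsExec (TCP 135 and 445 reachable, admin$ share accessible) and WMI (a real DCOM query against the target, plus the state of the Winmgmt and RpcSs services). The hostname `targetComputer` is an assumed placeholder; run it as the account BatchPatch will use.

```powershell
# Added example (not BatchPatch's own code). Run on the BATCHPATCH computer, logged on
# as the account BatchPatch will use. $Target is an assumed hostname; replace it.
param([string]$Target = 'targetComputer')

$results = [ordered]@{}

# PsExec prerequisites: TCP 135 (RPC endpoint mapper) and TCP 445 (SMB) reachable,
# and the admin$ share accessible (PsExec copies its service binary there over SMB).
foreach ($port in 135, 445) {
    $results["TCP $port"] = (Test-NetConnection -ComputerName $Target -Port $port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}
$results['admin$ share'] = Test-Path -Path "\\$Target\admin$"

# WMI prerequisites: a real DCOM query. Forcing the DCOM protocol matters, because
# Get-CimInstance defaults to WinRM, which is not the path BatchPatch uses. This
# exercises the endpoint mapper on 135 AND the dynamic port it hands back, which is
# exactly what a hardware firewall without DCE/RPC support blocks.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $cim = New-CimSession -ComputerName $Target -SessionOption $opt -ErrorAction Stop
    $os  = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem -ErrorAction Stop
    $results['WMI query'] = $true
    $results['Remote OS'] = $os.Caption

    # The WMI (Winmgmt) and RPC (RpcSs) services must be running on the target.
    Get-CimInstance -CimSession $cim -ClassName Win32_Service `
        -Filter "Name='Winmgmt' OR Name='RpcSs'" |
        ForEach-Object { $results["$($_.Name) service"] = $_.State }
    Remove-CimSession $cim
} catch {
    $results['WMI query'] = $false
    $results['WMI error'] = $_.Exception.Message
}

[pscustomobject]$results | Format-List
```

Reading the output: a failed TCP 445 test or a false admin$ result points at the SMB/“File and Printer Sharing” side of the PsExec requirement. For the WMI query, an error of “The RPC server is unavailable” (0x800706BA) means TCP 135 or the dynamic port was not reachable, which is the firewall problem described in this post, whereas “Access is denied” means the ports are open and the account lacks rights on the target.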

If you are using a hardware firewall, the configuration for WMI can be trickier, depending on the particular device. WMI connections are not, by default, established on a single static port. After the initial request to the endpoint mapper on TCP 135, the target hands back a port chosen at connection time from the RPC dynamic range (49152–65535 on Windows Vista / Server 2008 and later, 1025–5000 on older versions), so each connection can end up on a different port. In the context of a classic hardware firewall this was a problem, because such firewalls required every open port to be configured manually, and an administrator could never know in advance which port a given connection would use. Fortunately, many modern firewalls implement DCE/RPC inspection: the firewall reads the endpoint mapper reply, learns the negotiated port, and opens it for that connection only. If you have a network-level hardware firewall between the BatchPatch computer and the target computers, you’ll need to enable its DCE/RPC support so that it can open the necessary port on the fly for each WMI connection. If your device lacks that feature, the alternative is to configure the target computers to use a small fixed RPC port range that you then permit explicitly alongside 135. More info on DCE/RPC can be found at the following two links:

https://en.wikipedia.org/wiki/DCE/RPC
http://wiki.wireshark.org/DCE/RPC
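As an added example (not BatchPatch’s code, and not a substitute for the Windows Firewall page linked above), the script below shows the target-side configuration this post describes: enabling the Windows Firewall groups that carry SMB and WMI/RPC, scoping them to the BatchPatch computer only, and, for the hardware-firewall case where DCE/RPC inspection is not available, pinning RPC to a fixed port range using the registry values Microsoft documents for RPC dynamic port allocation. The address `10.0.0.5` and the range `50000-50100` are assumed placeholders.

```powershell
# Added example (not BatchPatch's own code). Run elevated on the TARGET computer.
# $BatchPatchHost and the port range below are assumed values; replace them.
$BatchPatchHost = '10.0.0.5'
$FixedRpcRange  = '50000-50100'

# --- Windows Firewall: enable the built-in groups that carry SMB (445) and WMI/RPC
#     (135 plus the dynamic port), then restrict the inbound rules to the BatchPatch
#     computer so the exception is not open to the whole network.
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    Enable-NetFirewallRule -DisplayGroup $group
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $BatchPatchHost
}

# --- Optional, only for a hardware firewall WITHOUT DCE/RPC inspection: make the RPC
#     runtime allocate DCOM endpoints from a fixed range instead of 49152-65535, so the
#     firewall can be told to permit TCP 135 plus that range. This is a system-wide RPC
#     setting (it affects every RPC server on the machine) and needs a reboot.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($FixedRpcRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# --- Show which inbound rules are now open to the BatchPatch computer.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains $BatchPatchHost } |
    Select-Object DisplayName, Profile, Action
```

With the fixed range in place, the hardware firewall rule becomes a plain allow from the BatchPatch computer to the targets on TCP 135, 445 and 50000-50100, with no DCE/RPC inspection needed. If the device does support DCE/RPC inspection, skip the registry block: the firewall will open the negotiated dynamic port per connection, and the Windows Firewall groups above already cover the dynamic range on the host.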
