BatchPatch Ports

Remote connections in BatchPatch are established using a combination of WMI (Windows Management Instrumentation), SMB (Server Message Block) and PsExec. Additionally ICMP (Internet Control Message Protocol) is used for pinging. BatchPatch also needs access to the target computer’s administrative shares: ADMIN$ and IPC$.

In order for PsExec and SMB to work properly…
If you are using Windows Firewall on the target computer, then generally the only thing you need to do is create an exception for “File and Printer sharing.” More details on configuring Windows Firewall can be found here: Using BatchPatch with Windows Firewall. However, if you are *not* using Windows Firewall and instead are using some other firewall, then you would need to explicitly permit traffic to the target computer from the BatchPatch computer on the following ports in order for SMB and PsExec to function properly:

UDP 137
UDP 138
UDP 445
TCP 135
TCP 137
TCP 139
TCP 445

As a test, after you configure the firewall you should try to connect from the BatchPatch computer to the target computer’s ADMIN$ share, which you can do by going to ‘Start > Run’ on the BatchPatch computer, and then type “\\targetComputer\ADMIN$” without the quotes. The ADMIN$ share doesn’t need to be explicitly enabled unless you have previously disabled it through group policy or registry changes.

In order for WMI and ICMP to work properly…
The target computer must be able to receive and process RPC (Remote Procedure Call) requests. Both the WMI and RPC services must be running on the target computer. If you’re using Windows Firewall on the target computer, then please follow the instructions on this page to configure it properly: Using BatchPatch with Windows Firewall. On that page you will be instructed to enable ‘File and Printer Sharing’ along with ‘Windows Management Instrumentation (WMI)’ or ‘Remote Administration’ depending on the target operating system.

To test WMI, try executing ‘Get last boot time’ in BatchPatch. If you see an RPC error, then your firewall still needs additional adjustment. If you see an ‘Access Denied’ error, make sure that the account you are using to run BatchPatch (or the account that you specified in the ‘Alternate credentials’ dialog for the target) has local administrator privileges on the target. If you continue to see ‘Access Denied’, have a look at this page.

Additionally, test ICMP by pinging the target computer from the BatchPatch computer. Normally an ICMP exception shouldn’t need to be explicitly enabled in the Windows firewall because it will be included implicitly as part of the ‘Remote Administration’ exception noted above. However, if you find that WMI is working successfully but pinging is still not working, consider enabling ICMP explicitly in the Windows firewall configuration.
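The checks described above (ping, the SMB/PsExec ports, the ADMIN$ share and a WMI ‘last boot time’ query) can be run from the BatchPatch computer in one go. The following PowerShell script is an added example, not BatchPatch’s own code; it assumes the target hostname is passed as -Target, that the running account (or the optional -Credential) is a local administrator on the target, and that Test-NetConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Pre-flight connectivity check from the BatchPatch computer to one target.
# Added example (not part of BatchPatch); -Target and -Credential are assumed inputs.
param(
    [Parameter(Mandatory)][string]$Target,
    [pscredential]$Credential
)

$results = [ordered]@{}

# 1. ICMP: BatchPatch pings the target, so an ICMP block shows up here first.
$results['ICMP ping'] = Test-Connection -ComputerName $Target -Count 2 -Quiet

# 2. TCP ports from the list above (135, 137, 139, 445). The UDP ports (137/138/445)
#    cannot be probed reliably with a connect test, so only TCP is checked.
foreach ($port in 135, 137, 139, 445) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $results["TCP $port"] = $tnc.TcpTestSucceeded
}

# 3. ADMIN$ share: the same check as typing \\target\ADMIN$ in Start > Run.
$results['ADMIN$ share'] = Test-Path -Path "\\$Target\ADMIN$"

# 4. WMI over DCOM/RPC, equivalent to BatchPatch's 'Get last boot time'.
#    The DCOM protocol option matters: the default CIM transport is WinRM, which would
#    not exercise the RPC path the firewall has to allow for BatchPatch.
#    An RPC error here points at the firewall; 'Access denied' points at the account.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $sessParams = @{ ComputerName = $Target; SessionOption = $opt; ErrorAction = 'Stop' }
    if ($Credential) { $sessParams['Credential'] = $Credential }
    $session = New-CimSession @sessParams
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
    $results['WMI last boot'] = $os.LastBootUpTime
    Remove-CimSession -CimSession $session
}
catch {
    $results['WMI last boot'] = "FAILED: $($_.Exception.Message)"
}

[pscustomobject]$results | Format-List
```

A False on a TCP 445 or ADMIN$ line with ICMP still True usually means the ‘File and Printer Sharing’ exception is missing; a WMI failure with all ports True is the RPC/DCOM dynamic-port case discussed in the next section.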

WMI and hardware/network firewalls

If there is a hardware firewall involved in addition to or instead of the Windows firewall, the configuration for WMI can potentially be a bit trickier, depending on the particular firewall device. WMI connections, by default, are not established on a static/fixed port. Instead WMI uses dynamic port configuration for its connections, which means that the actual ports used for a given connection are established on-the-fly at the time of connection. Each connection will end up using different ports. In the context of a classic hardware firewall, this used to be a problem because hardware firewalls would typically require any open ports to be configured manually. An enterprise firewall administrator could never know in advance which ports would need to be opened. However, fortunately many modern firewalls now implement DCE/RPC, which solves this problem and allows the use of dynamic ports for WMI/RPC. If you have a network level hardware firewall in place between the BatchPatch computer and the target computers, you’ll need to configure it to allow DCE/RPC, so that it can open the necessary ports, on-the-fly, for each WMI connection. More info on DCE/RPC can be found at the following two links:

https://en.wikipedia.org/wiki/DCE/RPC
http://wiki.wireshark.org/DCE/RPC

If DCE/RPC is not an option, it’s also possible to configure WMI to operate over a single port: WMI Static Port configuration
