Batchpatch ports for enterprise firewall ACLs

  • #8572
    jagablack
    Participant

    Hi, I am using BatchPatch trial and love it, and am trying to get management to pony up the bucks for the licensed version.

    As a motivation, I would like to get it working more effectively across the network. Right now I use BatchPatch and it runs into firewalls for different networks.

    What ports need to be opened to the destination networks to allow standard BatchPatch operation?

    Right now as a workaround, I copy the BatchPatch files to a machine in the same network and run it from there, but it would be nice to have a central tool server that administers all servers from all networks.

    Right now I have about 200 servers that I personally patch, but my entire team has 2000+ that this could be used for.

    Thanks for this excellent tool!!

    #9452
    doug
    Moderator

    Hey jagablack – I’m really glad to hear you like the tool!

    BatchPatch port requirements are as follows:

    Remote connections are established in a couple different ways, depending on the action selected in the software. Most of the Windows Update and Remote Patch/Software/Script Deployment actions use PsExec in one way or another plus remote fileshare access. These will generally require ports 135 and 445. The reboot, shutdown, and most “Get Information” actions use WMI, which has different and more complicated port requirements explained below. However, you’ll also notice that there are alternate reboot and shutdown methods in BatchPatch, which use a shutdown.exe instead of WMI. In these cases shutdown.exe is initiated with PsExec and so has the same port requirements of 135 and 445 mentioned above.

    With regard to WMI, it uses dynamic ports, which makes it more difficult to set up proper ACLs in an enterprise firewall. There are lots of articles about WMI ports on the web and Microsoft’s site, so feel free to take a look around at some of those for more info. It is theoretically possible to set static WMI ports, but in practice I’m not sure this is ever really feasible, and we also haven’t tested it at the time of this writing. See here for more info: http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447%28v=vs.85%29.aspx

    Hope this helps.

    -Doug
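    A pre-flight check for the port requirements Doug lists, added here as an example and not code from BatchPatch or from Doug's post. It maps each BatchPatch action family to the static ports named above (135 and 445 for PsExec plus file-share access, 135 for WMI), probes them over TCP from the central tool server, and flags the actions that additionally depend on the WMI dynamic RPC range; the range 49152-65535 is an assumption (the Windows default), since the post does not give one.

    ```python
    import socket
    from typing import Callable, Dict, Iterable, List

    # Static ports per action family, as described in the post above.
    PSEXEC_SMB_PORTS = (135, 445)          # PsExec + remote file share
    WMI_STATIC_PORTS = (135,)              # RPC endpoint mapper, then dynamic ports
    WMI_DYNAMIC_RANGE = (49152, 65535)     # assumption: Windows default RPC range

    ACTION_PORTS: Dict[str, tuple] = {
        "windows_update": PSEXEC_SMB_PORTS,
        "deployment": PSEXEC_SMB_PORTS,          # patch/software/script deployment
        "reboot_shutdown_exe": PSEXEC_SMB_PORTS, # alternate reboot/shutdown method
        "reboot_wmi": WMI_STATIC_PORTS,          # default reboot/shutdown (WMI)
        "get_info_wmi": WMI_STATIC_PORTS,        # most "Get Information" actions
    }
    WMI_ACTIONS = {"reboot_wmi", "get_info_wmi"}


    def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
        """Return True if a TCP connect to host:port succeeds within timeout."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            return sock.connect_ex((host, port)) == 0


    def blocked_static_ports(host: str, actions: Iterable[str],
                             probe: Callable[[str, int], bool] = tcp_open
                             ) -> Dict[str, List[int]]:
        """Per action, the static ports that could not be reached on host.

        `probe` is injectable so the logic can be exercised without a network.
        """
        result: Dict[str, List[int]] = {}
        for action in actions:
            ports = ACTION_PORTS[action]  # KeyError on an unknown action is intended
            blocked = [p for p in ports if not probe(host, p)]
            if blocked:
                result[action] = blocked
        return result


    def needs_dynamic_rpc(actions: Iterable[str]) -> bool:
        """True if any selected action relies on WMI and thus the dynamic RPC range."""
        return any(a in WMI_ACTIONS for a in actions)
    ```
    A host that passes the static-port check can still fail WMI actions if the firewall lacks a rule for the dynamic range (or a stateful DCERPC filter, as discussed later in this thread), which is exactly what `needs_dynamic_rpc` flags.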

    #9453
    jagablack
    Participant

    Thanks Doug! Very timely help. I have forwarded this information on to my network engineer. I hope he is able to accommodate it at some point soon.

    In the meantime, I will use my workaround.

    In regards to the WMI port issue, see this article… it suggests that if you use Dynamic RPC filters (stateful management), it can address the issue without reconfiguration of all your endpoints.

    http://pberblog.com/post/2011/05/18/Dynamic-RPC-filters-%28DCERPC%29-and-firewalls.aspx

    #9454
    doug
    Moderator

    Thanks for sharing. That’s very helpful.

    -Doug

    #9725
    doug
    Moderator

    More on BatchPatch port requirements here: BatchPatch Port Requirements
