Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Troubleshoot WMI connectivity issue with Sophos STAS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended Read goes over how to troubleshoot WMI connectivity issues with Sophos STAS.

WMI Method

STAS uses the WMI method for polling requests and Log off detection by default. STAS advance tab can test WMI connectivity test for user IP.

STAS uses setup credentials (provided during installation) to connect a remote computer for WMI. 

Manually run WMI verification:

In some troubleshooting scenarios, the admin considers that the built-in WMI verification tool built-in on the STAS suite may not work as intended when the test returns with a fail status, which, in most cases isn't true.

The best way to take out of the way any chance of an issue with the built-in WMI verification tool on the STAS is by running a manual WMI verification from the AD server itself using the native Windows tool for testing WMI connectivity called "wbemtest".

Note: The admin must recheck the STAS user access rights and password if the WMI query passes when the admin tries the manual test and fails when the admin makes the test connection from the advanced tab.

Step to manually run WMI

Start wbemtest: 

  • select Windows -> Run 

  • When prompted for the Command to run, enter wbemtest

  • Type wbemtest  in Start -> RUN which will open WMI tester window. 




  • Click Connect and type \\<Clinet IP>\root\cimv2 in the namespace and type the domain administrator username and password to connect to the remote system over WMI. 

     


  • Click connect. If the remote device can connect over WMI it’ll show the tester screen.  




    NOTE: in a Non-working condition, the test results will look like this:




    Click Query and type “select username from win32_computersystem” 

  • Click Apply; it'll give you a query result, double-click on the result and it’ll open up a new window that shows the remote system username currently logged in.
       

WMI Failure Reason and some hits to make it work: 

  • For successful polling methods, the Windows firewall and desktop antivirus need to be disabled, or exceptions for ports 445 and 135 need to be added. 
  • RPC, RPC locator, DCOM,WMI, and remote admin services are turned on 
  • The client device should resolve AD FQDN, if it’sn’t able to resolve the FQDN add the following FQDN entry in the host file (C:\WINDOWS\system32\drivers\etc\hosts). Or add AD IP as DNS and WINS for the client. 
  • If there’s any router in the path, make sure that ports 135 and 445 are open. 
  • AD can telnet on port 135 of the client device. If the firewall is turned on, type this command to open 135 
    port: netsh firewall add port-opening protocol=tcp port=135 name=DCOM_TCP135. 
  • Ensure that the admin account used in the Collector has the correct admin permissions on the client's system. 
  • Ensure DCOM remote run permission is allowed. To check the permission, Run 
    DCOMCNFG.exe 
    Click to Expand  the Component Services folder and go to My Computer
    Select My Computer, right-click, and the My Computer Properties window will open. Click the COM Security tab and check the Launch and Activation Permissions

  • To avoid any WMI connectivity issues from the user computers due to a Windows Firewall policy, Windows Administrators might configure a GPO policy to allow all connections from the AD servers to bypass any policy or setting that can compromise the AD server to do WMI verification.



Revamped RR
[edited by: Erick Jan at 9:21 AM (GMT -7) on 17 Sep 2024]
Parents Reply Children
  • FormerMember
    FormerMember in reply to rblc

    Hi ,

    Thanks for reaching out to the Community! 

    Does the STAS  collector show live users? 

    Could you please double-check the Windows Firewall and/or 3rd party firewall software to allow communication over the following ports:

    • AD Server: Inbound UDP 6677, Outbound UDP 6060, Outbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Outbound ICMP (if using Logoff Detection Ping), Inbound/Outbound UDP 50001 (communication between agents and collectors), Inbound/Outbound TCP 27015 (config sync).
    • Workstation(s): Inbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Inbound ICMP (if using Logoff Detection Ping).

    Note: RPC, RPC locator, DCOM, and WMI services should be turned on on workstations for WMI/Registry Read Access.

    Thanks,

  • Hi, STAS collectors only shows 3 users while I have more than 20 users in office currently.

    There is a troubleshooting tool in STAS

    When I use the WMI verification test to test my IP, the operation completed successfully but still my laptop IP doesn't show in STAS Live Users.

    I turned off the windows firewall and we do not use third party firewall. However, the problem still persists.

    thanks.