Sophos Firewall: Troubleshoot WMI connectivity issue with Sophos STAS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended Read goes over how to troubleshoot WMI connectivity issues with Sophos STAS.

WMI Method

STAS uses WMI method for polling requests and Log off detection by default. STAS advance tab has the option to test WMI connectivity test for end-user IP.

STAS uses setup credentials (provided during installation) to connect a remote computer for WMI. 

Manually run WMI verification:

In some troubleshooting scenarios, the admin considers that the built-in WMI verification tool built-in on the STAS suite may not work as intended when the test returns with a fail status, which most of the case this isn't true.

The best way to take out of the way any chance of issue with the build-in WMI verification tool on the STAS is by running a manual WMI verification from the AD server itself using the native windows tool for testing WMI connectivity called "wbemtest".

Note: The admin has to recheck the STAS user access rights and password if the WMI query passes when the admin tries the manual test and fails when the admin makes the test connection from the advance tab.

Step to manually run WMI

Start wbemtest: 

  • select Windows -> Run 

  • When prompted for the Command to run, enter wbemtest

  • Type wbemtest  in Start -> RUN which will open WMI tester window. 




  • Click Connect and type \\<Clinet IP>\root\cimv2 in namespace and type the domain administrator username and password to connect to the remote system over WMI. 

     


  • Click connect, if the remote device can connect over WMI it will show the tester screen  




    NOTE: in a Non-working condition the test results will look like this:




    Click Query and type “select username from win32_computersystem” 

  • Click Apply; it'll give you a query result, double-click on the result and it’ll open up a new window that shows the remote system username currently logged in.
       

WMI Failure Reason and some hit to make it work: 

  • Windows firewall and desktop antivirus need to be disabled for successful polling methods. Or need to add exceptions for ports 445 and 135. 
  • RPC, RPC locator, DCOM,WMI, remote admin services are enable 
  • The client device should resolve AD FQDN, if it isn’t able to resolve the FQDN add the following FQDN entry in the host file (C:\WINDOWS\system32\drivers\etc\hosts). Or Add AD IP as DNS and WINS in the client. 
  • If there’s any router in the path, make sure that ports 135 and 445 are open. 
  • AD can telnet on port 135 of the client device. If the firewall is turned on type this command to open 135 
    port : netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135. 
  • Ensure that the admin account used in the Collector has the correct admin permissions on the client's system 
  • Ensure DCOM remote launch permission is allowed. To check the permission Run 
    DCOMCNFG.exe 
    Click to Expand  the Component Services folder and navigate to My Computer
    Select My Computer and Right Click, the My Computer Properties window will open, click the COM Security tab and check the Launch and Activation Permissions

  • In order to avoid any WMI connectivity issues from the user computers, due to a Windows Firewall policy, Windows Administrators might configure a GPO policy to allow all connections from the AD servers to bypass any policy or setting that can compromise the AD server do WMI verification.



Added horizontal line under Disclaimer, Added entry on Table of Contents
[edited by: Raphael Alganes at 2:48 PM (GMT -8) on 23 Nov 2023]
Parents
  • thank you for the guide. I can use wbemtest to run the query without any error. However my STAS is still not showing the live user. Can anyone point me to the correct direction to troubleshoot this issue? thanks.

  • FormerMember
    FormerMember in reply to rblc

    Hi ,

    Thanks for reaching out to the Community! 

    Does the STAS  collector show live users? 

    Could you please double-check the Windows Firewall and/or 3rd party firewall software to allow communication over the following ports:

    • AD Server: Inbound UDP 6677, Outbound UDP 6060, Outbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Outbound ICMP (if using Logoff Detection Ping), Inbound/Outbound UDP 50001 (communication between agents and collectors), Inbound/Outbound TCP 27015 (config sync).
    • Workstation(s): Inbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Inbound ICMP (if using Logoff Detection Ping).

    Note: RPC, RPC locator, DCOM, and WMI services should be turned on on workstations for WMI/Registry Read Access.

    Thanks,

Reply
  • FormerMember
    FormerMember in reply to rblc

    Hi ,

    Thanks for reaching out to the Community! 

    Does the STAS  collector show live users? 

    Could you please double-check the Windows Firewall and/or 3rd party firewall software to allow communication over the following ports:

    • AD Server: Inbound UDP 6677, Outbound UDP 6060, Outbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Outbound ICMP (if using Logoff Detection Ping), Inbound/Outbound UDP 50001 (communication between agents and collectors), Inbound/Outbound TCP 27015 (config sync).
    • Workstation(s): Inbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Inbound ICMP (if using Logoff Detection Ping).

    Note: RPC, RPC locator, DCOM, and WMI services should be turned on on workstations for WMI/Registry Read Access.

    Thanks,

Children
  • Hi, STAS collectors only shows 3 users while I have more than 20 users in office currently.

    There is a troubleshooting tool in STAS

    When I use the WMI verification test to test my IP, the operation completed successfully but still my laptop IP doesn't show in STAS Live Users.

    I turned off the windows firewall and we do not use third party firewall. However, the problem still persists.

    thanks.