I exported all the firewall rules implemented on both, the server that shutdowns remotely has more rules compared to the one that does not shutdown. I have 2 servers with same configurations, and settings, however, only 1 shuts down and the other doesn't. I disabled the firewall completely and the script works fine, and the server shuts down. After some digging I found out some of the things to look for, one of them being the inbuilt firewall. So, yeah, I'm reversing my opinion that this is an ESET issue, and thinking it's more of a DCOM/WMI issue on my end.I'm facing this issue of being unable to shutdown a server remotely, the error is RPC servier is unavailable. When I get more time, I may try to limit the DCOM port range on the server I'm using for tasklist, if I can figure out how to do that. Fortunately, it's a sandbox server, so anything I do there won't affect anyone else. I have a suspicion that this is more of a DCOM/WMI issue than an RPC issue, and perhaps previously, we just got lucky that the DCOM port was randomly assigned into the normal RPC range. DCOM uses RPC as a transport, so starts out on port 135. However, DCOM, which WMI uses, can have pretty much any port between 105. What's strange is that's not in the normal dynamic port range, either low or high. In my case, it appears for tasklist, the port is 11146. My understanding of RPC is that first port 135 is connected, and the portmapper gives the calling app the real port number, which is randomized to some large range.
In the troubleshooter, it shows TCP in on port 11146. Is there anything else I should be looking at? I will put it in as a last resort, but I think with the Trusted Zone and Allow incoming RPC, it should be working. I'm more concerned that it WAS working a few weeks ago, but now it's not. However, if I do that from ECA, then Firewall rules are locked (which is not a bad thing, except I don't want to do that at this moment.) Right now, I don't have this rule in place. The only way I've gotten it to work is by adding a specific firewall rule for Winmgmt as a local service. Today, I added our IP range as the Trusted Zone and locked the filtering mode to Automatic (policy-based cut off all network connection, so that was bad) and confirmed that Allow incoming RPC communication in the Trusted Zone is enabled under Allowed Services. Then suddenly, it started giving that RPC unavailable error. I confirmed the ESET firewall is the culprit. I have used tasklist from time to time over the past couple of months for remote troubleshooting with no trouble. Prior to today, I was using the base "Antivirus - Balanced" policy with no modifications. I can view services on a remote computer, and view event logs. I spent the better part of the day trying to figure out why only some RPC is blocked and some is not.
0 kommentar(er)
