Performing WMI application queries on clients connected via the IAG Network Connector

Scenario

Client computers connected via the IAG network connector (NC) to the LAN could access its network resources normally but failed to run WMI application queries against other computers.

Windows Management Instrumentation (WMI) is implemented using the Distributed Component Object Model (DCOM). This requires proper configuration of the firewall device(s) between the computer performing the WMI query and the destination computer.

In the ISA firewall running on the IAG server, DCOM communication is allowed when strict RPC compliance is not required for the applicable rule that handles this traffic. To resolve this problem I looked to see if Strict RPC compliance was enforced. It was. Turning off the strict RPC compliance for the Network Connector Access rule resolved the issue in this scenario.

Steps to check for and disable strict RPC compliance option

1) In the ISA server management console select the Firewall Policy on the left pane. Scroll down to the Whale::NetworkConnectorAccessRule under Firewall Policy Rules and right-click on that line, selecting the Configure RPC protocol option.

 

2) Ensure that the Enforce strict RPC compliance option is not checked for this rule, and click OK.

3) Click Apply to save changes and update the configuration.

If another custom NC rule was created, ensure that the same is true for that rule.

For testing purposes, one other option could be to disable the RPC Filter globally. Care must be exercised as this might affect other rules on the system. If you have determined that it is safe to do so, this can be accomplished by selecting Add-ins on the left pane, selecting the Application Filters tab and right-clicking the RPC Filter. Select the Disable option.

Check the Apply option to save changes and update the configuration.
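To confirm the result from a client connected through the Network Connector, the following script checks the RPC endpoint mapper port and then runs a WMI query explicitly over DCOM. It is an added example, not part of the original post; the host name is a placeholder, and it assumes PowerShell 3.0 or later (for the CIM cmdlets) and an account allowed to query WMI on the target.

```powershell
param([string]$Target = 'lan-host.example.test')  # placeholder host name (assumption)

function Test-EndpointMapper {
    param([string]$ComputerName, [int]$TimeoutMs = 3000)
    # A DCOM call begins with a connection to the RPC endpoint mapper on TCP 135.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, 135, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-WmiOverDcom {
    param([string]$ComputerName)
    # Get-CimInstance uses WS-Man for remote hosts by default; force DCOM so the
    # query takes the same path as the WMI applications described above.
    $session = $null
    try {
        $option  = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $option -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        [pscustomobject]@{ Success = $true; Detail = $os.Caption }
    } catch {
        [pscustomobject]@{ Success = $false; Detail = $_.Exception.Message }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$mapperOk = Test-EndpointMapper -ComputerName $Target
$wmi      = Test-WmiOverDcom   -ComputerName $Target

# Summary object: one row per run, suitable for before/after comparison.
[pscustomobject]@{
    Target            = $Target
    EndpointMapper135 = $mapperOk
    WmiOverDcom       = $wmi.Success
    Detail            = $wmi.Detail
}
if ($mapperOk -and -not $wmi.Success) {
    Write-Warning 'TCP 135 is reachable but the DCOM query failed; review the RPC settings on the NC access rule.'
}
```

Run it before and after the change to compare results. If TCP 135 itself is unreachable, the cause lies elsewhere (routing, another rule, or the target's own firewall) rather than in the RPC compliance setting.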

For more details on WMI and configuration in different scenarios, please check the following link: https://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx

Author

Renato Menezes

Security Support Engineer – IAG Team

Microsoft – North Carolina

Tech Reviewer

Vic Singh Shahid

Escalation Engineer – ISA/IAG Team

Microsoft – North Carolina