Anti-virus programs and firewalls can block most or
all of the communication to and from a computer. As a result Spiceworks
may not be able to communicate with and scan devices on your network. We
will separately address the two antivirus and firewall scenarios that
could be causing problems, to prevent confusion.
The following ports and protocols will need to be opened before Spiceworks can collect information from your remote computers:
If the devices you are trying to scan with Spiceworks are using Windows Firewall, you will need to configure the firewall to allow Windows Remote Administration.
If you are on a domain you should use Group Policy. Otherwise, those who are on a workgroup or don't want to use Group Policy can add the firewall rules manually from the command line.
If you are new to Group Policy and need very detailed instructions, please click here. Group Policy is an extremely efficient way to manage your network, so we would encourage you use this how-to to learn to use it.
Group Policy
is an effective, centralized way to set and enforce settings across all
Windows devices on your network. With a single change on your Domain
Controller, you can reconfigure the Windows Firewall settings for all of
the devices you want to inventory with Spiceworks.
The setting path in Group Policy is:
If you are in a Workgroup environment or choose not to use Group Policy, you'll need to either add firewall rules manually from the command line, or use the Spiceworks Unknowns Assistant.
To manually configure the firewall, use these two commands:
Windows XP uses older versions of these commands. If you are using XP, use these two commands instead:
Note to XP users: If all of your devices are located on the same subnet as the Spiceworks computer use the "enable subnet" option to limit admin access to the local subnet.
Alternatively, you can use a script created by a Spiceworks user to automate this. This script has proven to be safe and effective in the past, but it's good practice to check it yourself before running to make sure it's right for your environment. You can find it here.
Occasionally, some Windows 7 machines return an error on the second ("remote administration") command: "No rules match the specified criteria". The cause of the error seems to be that the remote administration group doesn't exist.
To workaround this error, you'll need to use the older "XP" style command to create the missing group for you:
This returns a warning but does succeed (note the Ok at the end):
You can now repeat the second command and it will succeed:
The following exceptions need to be setup in the anti-virus program so that Spiceworks is free to run unrestricted.
The following ports and protocols will need to be opened so that Spiceworks can retrieve the backup information from your network devices:
- Remote computers you are trying to scan or discover from Spiceworks have the firewall locked down, resulting in either missing computers or a lack of complete data in the Spiceworks inventory.
- AV on the Spiceworks host device preventing Spiceworks from running correctly, or the firewall is locked down preventing communication with the remote computers, possibly both.
Remote Computers
Firewall Settings
The following ports and protocols will need to be opened before Spiceworks can collect information from your remote computers:
- ICMPv4 Inbound and Outbound - This is needed so that Spiceworks can discover the devices on your network; it is more commonly known as the PING command. There are a number of types of ping commands that can be permitted or blocked by various firewalls. Generally, you will want to permit commands 0, 3, 8 and 11.
- TCP Ports 135 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI) which Spiceworks uses to get detailed information about Windows computers.
- UDP Port 137 Inbound - This is needed so that Spiceworks can gather information from the Windows Registry.
Windows Firewall
If the devices you are trying to scan with Spiceworks are using Windows Firewall, you will need to configure the firewall to allow Windows Remote Administration.
If you are on a domain you should use Group Policy. Otherwise, those who are on a workgroup or don't want to use Group Policy can add the firewall rules manually from the command line.
Manage Windows Firewall via Group Policy
If you are new to Group Policy and need very detailed instructions, please click here. Group Policy is an extremely efficient way to manage your network, so we would encourage you use this how-to to learn to use it.
Group Policy
is an effective, centralized way to set and enforce settings across all
Windows devices on your network. With a single change on your Domain
Controller, you can reconfigure the Windows Firewall settings for all of
the devices you want to inventory with Spiceworks.
- On your Domain Controller, open the Group Policy Management Console (GPMC). You can use gpmc.msc from a command prompt, or find it in Start > Administrative Tools.
- Edit or create a new Group Policy Object (GPO) and apply it to the appropriate OU. The GPO should enforce these two settings:
Windows Firewall: Allow remote administration exception Windows Firewall: Allow ICMP exceptions
The setting path in Group Policy is:
Computer Configuration/Administrative Templates/Network/ Network Connections/Windows Firewall/Domain Profile
Configuring Windows Firewall via command line
If you are in a Workgroup environment or choose not to use Group Policy, you'll need to either add firewall rules manually from the command line, or use the Spiceworks Unknowns Assistant.
To manually configure the firewall, use these two commands:
c:\> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes c:\> netsh advfirewall firewall set rule group="remote administration" new enable=yes
Windows XP uses older versions of these commands. If you are using XP, use these two commands instead:
c:\> netsh firewall set service remoteadmin enable c:\> netsh firewall set service remoteadmin enable subnet
Note to XP users: If all of your devices are located on the same subnet as the Spiceworks computer use the "enable subnet" option to limit admin access to the local subnet.
Alternatively, you can use a script created by a Spiceworks user to automate this. This script has proven to be safe and effective in the past, but it's good practice to check it yourself before running to make sure it's right for your environment. You can find it here.
"No rules match the specified criteria" error
Occasionally, some Windows 7 machines return an error on the second ("remote administration") command: "No rules match the specified criteria". The cause of the error seems to be that the remote administration group doesn't exist.
To workaround this error, you'll need to use the older "XP" style command to create the missing group for you:
c:\> netsh firewall set service type=remoteadmin mode=enable
This returns a warning but does succeed (note the Ok at the end):
IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488
You can now repeat the second command and it will succeed:
c:\> netsh advfirewall firewall set rule group="remote administration" new enable=yes
Updated 3 rule(s). Ok.
Spiceworks Host Computer
Anti-Virus Settings
The following exceptions need to be setup in the anti-virus program so that Spiceworks is free to run unrestricted.
- Add the C:\Program Files\Spiceworks directory and all subdirectories to the anti-virus' exclusions list for real-time scanning, this should prevent the anti-virus software from slowing down or stopping Spiceworks from running. The following executable files may also need to be explicitly excluded:
- C:\Program Files\Spiceworks\httpd\bin\spiceworks-httpd.exe
- C:\Program Files\Spiceworks\bin\nmap.exe
- C:\Program Files\Spiceworks\bin\spiceworks.exe
- C:\Program Files\Spiceworks\bin\spicetray.exe
- C:\Program Files\Spiceworks\bin\spiceworks-finder.exe
- C:\Program Files\Spiceworks\pkg\gems\spiceworks_common-x.x.xxxxx\nbtscan\nbtscan.exe
- Note: The x.x.xxxxx above is the Spiceworks version number which can be found at the bottom of any Spiceworks page.
Firewall Settings
The following ports and protocols will need to be opened so that Spiceworks can retrieve the backup information from your network devices:
- UDP Port 69 Inbound - This allows Spiceworks to communicate with your networking hardware to backup/restore configurations via TFTP.
No comments:
Post a Comment