
Is My Firewall Software Getting In The Way?

Personal firewalls can potentially block most or all of the remote communication to and from a computer. As a result, the Spiceworks Desktop may not be able to contact various devices, or any device at all. There are two levels that might be causing problems. The first is that the firewall installed locally on the machine where Spiceworks is installed is locked down and not allowing remote communication. The second is that a remote computer you are trying to scan/discover from the Spiceworks Desktop is locked down, resulting in it either being missing or lacking data within the Spiceworks Desktop. There are a couple of basic things that need to be enabled for Spiceworks to work properly.

Ability to ping a Computer/Device
Ability to access WMI on a Computer

Ping
There are a number of types of ping commands that can be permitted or blocked by various firewalls. Generally, you will want to permit commands 0, 3, 8 and 11. Some firewalls don't distinguish between these, so you will need to check the settings on your specific firewall. Many firewalls will already be configured for 0, 3 and 8, so you will need to make sure that command 11 (echo) is allowed through the firewall.

WMI Access
WMI is the Microsoft Windows Management Instrumentation subsystem. For more information on WMI, see Microsoft WMI. WMI comes installed with XP SP2 but requires that port 135 (EPMAP) be open. This port is used by the Windows Endpoint Mapper and is required for WMI to work properly. Many firewalls have this port blocked by default, so you will want to verify that it is allowed through your firewall. If you believe the firewall is allowing WMI access, but are not sure whether WMI is configured properly on the machine in question, try the following (from Microsoft): Microsoft WMI Diagnostic & Repair Utility.

Additional Port Information


We have found the following ports will need to be open in order for Spiceworks to gather useful information from your remote systems.

ICMPv4 Inbound/Outbound - for Spiceworks Discovery
TCP Ports 135 and 445 Inbound - for WMI
UDP Port 137 Inbound - for Registry Information
TCP 1024 - 2000 Inbound - Dynamic Ports for WMI
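To tell which of these requirements is failing for a given machine, the checks can be run one at a time from the Spiceworks computer. The script below is an added example, not part of Spiceworks or of the original page; it assumes a Windows host with the NetTCPIP and CimCmdlets modules, an account with administrative rights on the target, and the placeholder host name PC-EXAMPLE01.

```powershell
# Added example: run from the Spiceworks computer against one remote Windows host.
# 'PC-EXAMPLE01' is a placeholder name, not a value from this page.
param([string]$Target = 'PC-EXAMPLE01')

function Test-ScanPrerequisite {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ Computer = $ComputerName }

    # ICMP echo: what Spiceworks discovery relies on.
    $result.Ping = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet

    # TCP 135 (endpoint mapper) and 445, the fixed ports listed for WMI.
    foreach ($port in 135, 445) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port `
                                    -WarningAction SilentlyContinue
        $result["Tcp$port"] = $probe.TcpTestSucceeded
    }

    # A real WMI query over DCOM: it succeeds only if port 135, the dynamic
    # ports and the WMI service on the target are all working.
    $session = $null
    try {
        $option  = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName `
                                  -SessionOption $option -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session `
                              -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Wmi = $os.Caption
    } catch {
        $result.Wmi = "FAILED: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }

    [pscustomobject]$result
}

Test-ScanPrerequisite -ComputerName $Target | Format-List
```

If Tcp135 is True but the Wmi line reports a failure, the endpoint mapper is reachable and the problem lies further along: the dynamic WMI ports, the account's permissions, or the WMI service itself.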

AntiVirus And Firewall Settings In A Domain


AntiVirus and Personal Firewalls can block most or all of the communication to and from a computer. As a result, Spiceworks may not be able to communicate with your devices. We will address the two AntiVirus and Personal Firewall scenarios that could cause problems.

The first scenario: the AntiVirus software on the Spiceworks computer is preventing Spiceworks from running correctly, or the firewall is locked down and preventing communication with the remote computers, or both. The second scenario: the remote computers you are trying to scan or discover from Spiceworks have the firewall locked down, resulting in either missing computers, or Spiceworks inventory lacking sufficient data.

Spiceworks Computer
AntiVirus Settings
The following exceptions need to be set up in the AntiVirus program so that Spiceworks can run unrestricted.

Add the C:\Program Files\Spiceworks directory and all subdirectories to the AntiVirus program's exclusions list for real-time scanning. This should prevent the AntiVirus software from slowing down Spiceworks or stopping it from running. The following executable files may also need to be excluded.

Firewall Settings
The following Spiceworks executable files need to be added to the list of programs that are allowed through the firewall.

C:\Program Files\Spiceworks\httpd\bin\spiceworks-httpd.exe
C:\Program Files\Spiceworks\bin\spiceworks.exe
C:\Program Files\Spiceworks\bin\spicetray.exe
C:\Program Files\Spiceworks\bin\spiceworks-finder.exe
C:\Program Files\Spiceworks\pkg\gems\spiceworks_common-x.x.xxxxx\nbtscan\nbtscan.exe

Note: The x.x.xxxxx above is the Spiceworks version number, which can be found at the bottom of any Spiceworks page.

The following ports and protocols will need to be opened so that Spiceworks can communicate with your remote computers.

ICMPv4 Inbound and Outbound - This is needed so that Spiceworks can discover the devices on your network; it is more commonly known as the PING command. There are a number of types of ping commands that can be permitted or blocked by various firewalls. Generally, you will want to permit commands 0, 3, 8 and 11. Some firewalls don't distinguish between these, so you will need to check the settings on your specific firewall. Many firewalls will already be configured for 0, 3 and 8, so you will need to make sure that command 11 (echo) is allowed through the firewall.
TCP Ports 135 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI), which Spiceworks uses to get detailed information about Windows computers.
UDP Port 137 Inbound - This is needed so that Spiceworks can gather information in the Windows Registry.
TCP 1024 - 2000 Inbound - Dynamic Ports for Windows Management Instrumentation (WMI).
UDP Port 69 Inbound - This allows Spiceworks to communicate with your networking hardware to backup/restore configurations via TFTP.

Remote Computers
Firewall Settings
The following ports and protocols will need to be opened before Spiceworks can collect information from your remote computers.

ICMPv4 Inbound and Outbound - This is needed so that Spiceworks can discover the devices on your network; it is more commonly known as the PING command. There are a number of types of ping commands that can be permitted or blocked by various firewalls. Generally, you will want to permit commands 0, 3, 8 and 11. Some firewalls don't distinguish between these, so you will need to check the settings on your specific firewall. Many firewalls will already be configured for 0, 3 and 8, so you will need to make sure that command 11 (echo) is allowed through the firewall.
TCP Ports 135 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI), which Spiceworks uses to get detailed information about Windows computers.
UDP Port 137 Inbound - This is needed so that Spiceworks can gather information in the Windows Registry.
TCP 1024 - 2000 Inbound - Dynamic Ports for Windows Management Instrumentation (WMI).
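On remote computers these openings only need to accept traffic from the Spiceworks computer, so each rule can be limited to that one source address. The rules below are an added example, not part of Spiceworks or of the original page; they assume Windows Firewall managed through the NetSecurity PowerShell module, an elevated prompt, the domain firewall profile, and 192.0.2.10 as a stand-in for the Spiceworks computer's address.

```powershell
# Added example: run elevated on a remote computer that Spiceworks scans.
# 192.0.2.10 is a documentation address standing in for the Spiceworks computer.
$Scanner = '192.0.2.10'
$Group   = 'Spiceworks scan (example)'

# Settings shared by every rule: inbound, allowed only from the scanner,
# and only while the machine is on the domain network.
$Common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'
    RemoteAddress = $Scanner
    Group         = $Group
}

# ICMPv4 types named on this page (0, 3, 8 and 11).
New-NetFirewallRule @Common -DisplayName 'Spiceworks ICMPv4' `
    -Protocol ICMPv4 -IcmpType 0, 3, 8, 11

# Fixed TCP ports for WMI.
New-NetFirewallRule @Common -DisplayName 'Spiceworks WMI TCP 135,445' `
    -Protocol TCP -LocalPort 135, 445

# UDP 137 for registry information.
New-NetFirewallRule @Common -DisplayName 'Spiceworks UDP 137' `
    -Protocol UDP -LocalPort 137

# Dynamic WMI ports, using the range given on this page; this assumes the
# host's RPC dynamic port range is configured to fall inside it.
New-NetFirewallRule @Common -DisplayName 'Spiceworks WMI dynamic TCP' `
    -Protocol TCP -LocalPort '1024-2000'

# Review what was created and confirm each rule is scoped to the scanner.
Get-NetFirewallRule -Group $Group |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -Group $Group | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Because every rule carries RemoteAddress, ports 135 and 445 stay closed to all other hosts on the network, and the whole set can be removed later with Remove-NetFirewallRule -Group.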