HP Systems Insight Manager Firewall Rules

As part of a deployment of HP Systems Insight Manager (HP SIM) onto Windows Server 2012, it was necessary to allow the required ports through the Windows Firewall to pass the pre-requisites check.

Unfortunately, HP SIM seems to be somewhat annoying and has a list of 52 (yes, you read that right!) ports that need opening. What’s more, you can’t use ranges as this causes the pre-requisites checker to fail. HP’s solution is to disable the firewall (they also tell you to disable UAC – which is similarly mad but that’s another rant) but obviously this isn’t good enough for any half-way secure infrastructure.

The solution is to use netsh to create the required rules. With a bit of magic, here are the commands you need to run to add all 52 rules in one easy copy and paste:

netsh advfirewall firewall add rule name="HP SIM - FTP (TCP 21)" dir=in protocol=tcp localport=21 action=allow
netsh advfirewall firewall add rule name="HP SIM - SSH (TCP 22)" dir=in protocol=tcp localport=22 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 67)" dir=in protocol=tcp localport=67 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 68)" dir=in protocol=tcp localport=68 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 69)" dir=in protocol=tcp localport=69 action=allow
netsh advfirewall firewall add rule name="HP SIM - HTTP (TCP 80)" dir=in protocol=tcp localport=80 action=allow
netsh advfirewall firewall add rule name="HP SIM - SNMP (TCP 161)" dir=in protocol=tcp localport=161 action=allow
netsh advfirewall firewall add rule name="HP SIM - SNMP Trap (TCP 162)" dir=in protocol=tcp localport=162 action=allow
netsh advfirewall firewall add rule name="HP SIM - Web server for HP Systems Insight Manager; Web agent auto-start port (TCP 280)" dir=in protocol=tcp localport=280 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 401)" dir=in protocol=tcp localport=401 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 402)" dir=in protocol=tcp localport=402 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 405)" dir=in protocol=tcp localport=405 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 406)" dir=in protocol=tcp localport=406 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 407)" dir=in protocol=tcp localport=407 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 415)" dir=in protocol=tcp localport=415 action=allow
netsh advfirewall firewall add rule name="HP SIM - Harris Stat Scanner Engine (TCP 443)" dir=in protocol=tcp localport=443 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 505)" dir=in protocol=tcp localport=505 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 1080)" dir=in protocol=tcp localport=1080 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Control (TCP 1124)" dir=in protocol=tcp localport=1124 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Agent (TCP 1125)" dir=in protocol=tcp localport=1125 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Agent (TCP 1126)" dir=in protocol=tcp localport=1126 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 1758)" dir=in protocol=tcp localport=1758 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 1759)" dir=in protocol=tcp localport=1759 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Migration (TCP 1779)" dir=in protocol=tcp localport=1779 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 2301)" dir=in protocol=tcp localport=2301 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP SIM RMI connection (TCP 2367)" dir=in protocol=tcp localport=2367 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 2381)" dir=in protocol=tcp localport=2381 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 4011)" dir=in protocol=tcp localport=4011 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 5001)" dir=in protocol=tcp localport=5001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 5002)" dir=in protocol=tcp localport=5002 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Service (TCP 5988)" dir=in protocol=tcp localport=5988 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Service (TCP 5989)" dir=in protocol=tcp localport=5989 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 8080)" dir=in protocol=tcp localport=8080 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 8081)" dir=in protocol=tcp localport=8081 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9143)" dir=in protocol=tcp localport=9143 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9617)" dir=in protocol=tcp localport=9617 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9618)" dir=in protocol=tcp localport=9618 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Matrix infrastructure orchestration (TCP 16443)" dir=in protocol=tcp localport=16443 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Virtual Machine Management (TCP 40420)" dir=in protocol=tcp localport=40420 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 49400)" dir=in protocol=tcp localport=49400 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager web server (TCP 50000)" dir=in protocol=tcp localport=50000 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP (TCP 50001)" dir=in protocol=tcp localport=50001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP with client certificate authentication (TCP 50002)" dir=in protocol=tcp localport=50002 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP (TCP 50003)" dir=in protocol=tcp localport=50003 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM event receiver (configurable) (TCP 50004)" dir=in protocol=tcp localport=50004 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Events (TCP 50005)" dir=in protocol=tcp localport=50005 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Web Service (TCP 50010)" dir=in protocol=tcp localport=50010 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 51001)" dir=in protocol=tcp localport=51001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51124)" dir=in protocol=tcp localport=51124 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51125)" dir=in protocol=tcp localport=51125 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51126)" dir=in protocol=tcp localport=51126 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Matrix infrastructure orchestration (TCP 51443)" dir=in protocol=tcp localport=51443 action=allow

Add those and the pre-requisites checker should no longer fail on the firewall step. Two things are worth tidying up before you walk away, though. First, as written the rules accept connections from any remote address on every firewall profile, so each of the 52 ports is reachable from anything that can route to the server; restrict them with netsh's remoteip= and profile= parameters (or rebuild them with New-NetFirewallRule) so that only your management subnets can reach them and only on the Domain profile. Second, ports 67, 68 and 69 (DHCP/BOOTP and TFTP) and 161 and 162 (SNMP and SNMP traps) carry UDP protocols in real use; the TCP rules above are what the checker wants to see, but if you actually rely on those features you will need matching UDP rules as well.
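The same 52 rules built with the NetSecurity cmdlets rather than netsh, as an added example that is not part of the original post or HP's documentation. It scopes every rule to the source addresses and firewall profile you pass in, tags them with a rule group so they can be audited or removed as a unit, and is idempotent so re-running it does not pile up duplicates. The subnets in $RemoteAddress, the 'HP SIM' group name and the rule naming are assumptions; the port list itself is the one the checker asked for above.

```powershell
# Added example (not from the original post): create the HP SIM inbound rules
# scoped to known management sources and the Domain profile.
# Assumption: managed servers and admin workstations live in 10.0.10.0/24 and
# 10.0.20.0/24. Change $RemoteAddress to match your environment.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$RemoteAddress   = @('10.0.10.0/24', '10.0.20.0/24'),
    [string]  $FirewallProfile = 'Domain',
    [switch]  $Remove
)

$Group = 'HP SIM'   # assumed group name used to tag every rule this script creates

# Port list from the netsh commands above, grouped by the purpose HP gives for
# each port. One rule per port: the pre-requisites checker rejects ranges.
# Note that 67/68 (DHCP), 69 (TFTP), 161/162 (SNMP) and 4011 (PXE) are UDP
# services in practice; these TCP entries satisfy the checker, add UDP rules
# separately if you actually use those features.
$Services = @(
    @{ Purpose = 'FTP';                                              Ports = 21 }
    @{ Purpose = 'SSH';                                              Ports = 22 }
    @{ Purpose = 'HTTP';                                             Ports = 80 }
    @{ Purpose = 'SNMP';                                             Ports = 161 }
    @{ Purpose = 'SNMP Trap';                                        Ports = 162 }
    @{ Purpose = 'Web server for HP Systems Insight Manager; Web agent auto-start port'; Ports = 280 }
    @{ Purpose = 'Harris Stat Scanner Engine';                       Ports = 443 }
    @{ Purpose = 'HP Insight Control Server Deployment';
       Ports = 67, 68, 69, 401, 402, 405, 406, 407, 415, 505, 1758, 1759, 4011, 5001, 5002, 8080, 8081 }
    @{ Purpose = 'HP Insight Control server migration';              Ports = 1080, 1779, 51124, 51125, 51126 }
    @{ Purpose = 'HP Insight Control virtual machine management';    Ports = 1124, 1125, 1126, 40420, 50010 }
    @{ Purpose = 'HP ProLiant agents';                               Ports = 2301, 2381, 49400 }
    @{ Purpose = 'HP SIM RMI connection';                            Ports = 2367 }
    @{ Purpose = 'WBEM Service';                                     Ports = 5988, 5989 }
    @{ Purpose = 'Matrix Operating Environment';                     Ports = 9143, 9617, 9618, 51001 }
    @{ Purpose = 'HP Matrix infrastructure orchestration';           Ports = 16443, 51443 }
    @{ Purpose = 'HP Systems Insight Manager web server';            Ports = 50000 }
    @{ Purpose = 'HP Systems Insight Manager SOAP';                  Ports = 50001, 50003 }
    @{ Purpose = 'HP Systems Insight Manager SOAP with client certificate authentication'; Ports = 50002 }
    @{ Purpose = 'WBEM event receiver (configurable)';               Ports = 50004 }
    @{ Purpose = 'WBEM Events';                                      Ports = 50005 }
)

if ($Remove) {
    # Tear the whole set down in one go; this is what the -Group tag buys you.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    return
}

$created = 0; $skipped = 0
foreach ($svc in $Services) {
    foreach ($port in $svc.Ports) {
        $name = "HP SIM - $($svc.Purpose) (TCP $port)"
        # Idempotent: skip rules that already exist under this display name.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { $skipped++; continue }
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound firewall rule')) {
            New-NetFirewallRule -DisplayName $name -Group $Group -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $port -RemoteAddress $RemoteAddress -Profile $FirewallProfile `
                -Description "HP SIM pre-requisite: $($svc.Purpose)" | Out-Null
            $created++
        }
    }
}
"Created $created rule(s), skipped $skipped already present."
```

Run it with -WhatIf first to see the 52 rule names it would create, and with -Remove to strip the whole group again if the prerequisites change. Everything it creates shows up under the 'HP SIM' group in Get-NetFirewallRule -Group 'HP SIM', which is a much easier thing to audit than 52 unrelated rules.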

SCVMM 2012 R2 Bare Metal Deploy WinRM Error

I’ve been getting to know SCVMM much better, in particular the ability to provision new hosts using the iLO port on a fresh HP server, and I found a problem that the search engines don’t seem to have an answer for.

Towards the end of the deploy process, after the OS is installed, joined to the domain and the agent is installed, it stops with this error:

[Screenshot: VMM Bare Metal Deploy Error]

Error (20552)
VMM does not have appropriate permissions to access the resource C:\Windows\system32\qmgr.dll on the server.domain.com server.

Recommended Action
Ensure that Virtual Machine Manager has the appropriate rights to perform this action.

Also, verify that CredSSP authentication is currently enabled on the service configuration of the target computer server.domain.com. To enable the CredSSP on the service configuration of the target computer, run the following command from an elevated command line: winrm set winrm/config/service/auth @{CredSSP="true"}

As a result, the network configuration and a few other settings don’t get applied correctly, but the host does appear in VMM.

Looking at the host properties, you can see it’s a WinRM issue:

[Screenshot: VMM Bare Metal Deploy Error 2]

Error (20506)
Virtual Machine Manager cannot complete the Windows Remote Management (WinRM) request on the computer server.domain.com.

Recommended Action
Ensure that the Windows Remote Management (WinRM) service and the Virtual Machine Manager Agent service are installed and running. If a firewall is enabled on the computer, ensure that the following firewall exceptions have been added: a) Port exceptions for HTTP/HTTPS; b) A program exception for scvmmagent.

Having checked all of the obvious, including that WinRM is enabled as it should be, GPOs aren’t getting in the way and firewall rules are set up to allow the traffic, I took a look at the security log on the new host:

[Screenshot: VMM Bare Metal Deploy Error 3 (security log on the new host)]

The Microsoft documentation says very specifically that when creating a Host Profile for the deployment, the Run As account you use to join the host to the domain should have “very limited privileges” and “should be used only to join computers to the domain”. Hence the dedicated Domain Join account I used.

So why is this account logging into the server after deployment? A quick trip to the host properties reveals the answer:

[Screenshot: VMM Bare Metal Deploy Host Properties]

D’oh! Nicely done SCVMM.

Go back into the Host Profile:

[Screenshot: VMM Bare Metal Deploy Host Profile]

And there is our Domain Join account, sitting in the Host Profile as the Run As account VMM uses to manage the host once it is built. That is why the post-deployment WinRM work was being attempted with a deliberately under-privileged account and failing. Create a separate Run As account with the rights needed to administer newly created hosts (what VMM actually needs is membership of the local Administrators group on each host; a dedicated domain group dropped into local Administrators by Group Policy gets you that without handing out Domain Admins, although depending on your environment you may end up using Domain Admins anyway), update the Host Profile and redeploy the host. Please note that you cannot use the SCVMM service account for this task; it has to be a separate account.
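The checks described above (WinRM running, CredSSP enabled, the WinRM firewall exceptions in place) and the look at the security log, as an added PowerShell example that is not part of the original post. Run it in an elevated session on the newly deployed host: the first function confirms the things the error message blames, and the second pulls recent logon events so you can see which account VMM is really sending. The account name 'svc-domainjoin', the two-hour look-back window and the VMM agent service name 'SCVMMAgent' are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Assumptions: the Domain Join Run As
# account is called svc-domainjoin, and the VMM agent service is named SCVMMAgent.
param(
    [string]$SuspectAccount = 'svc-domainjoin',
    [int]$LookBackHours = 2
)

function Test-WinRmPrerequisites {
    # Returns an ordered set of pass/fail results for what VMM error 20506 asks you to verify.
    $result = [ordered]@{}

    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result['WinRM service running'] = [bool]($winrm -and $winrm.Status -eq 'Running')

    $agent = Get-Service -Name SCVMMAgent -ErrorAction SilentlyContinue   # assumed service name
    $result['VMM agent running'] = [bool]($agent -and $agent.Status -eq 'Running')

    # Same setting the error text tells you to check with 'winrm get winrm/config/service/auth'.
    $credssp = Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP -ErrorAction SilentlyContinue
    $result['CredSSP enabled on service'] = [bool]($credssp -and $credssp.Value -eq 'true')

    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
          Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    $result['WinRM inbound firewall rules enabled'] = [bool]$fw

    return $result
}

function Get-LogonEventsForAccount {
    param([string]$Account, [int]$Hours)
    # 4624 = successful logon, 4625 = failed logon. Logon type 3 (network) is what
    # WinRM sessions show up as; the target user name is the account VMM presented.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Outcome   = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    } | Where-Object { $_.Account -like "*\$Account" }
}

$checks = Test-WinRmPrerequisites
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

"`nLogon events for $SuspectAccount in the last $LookBackHours hour(s):"
Get-LogonEventsForAccount -Account $SuspectAccount -Hours $LookBackHours | Format-Table -AutoSize
```

If every check comes back OK but the log is full of network logons from the Domain Join account, WinRM is not your problem: the Host Profile is handing VMM the wrong Run As account for host management, which is exactly what the screenshots above show.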