- ICMPv4 Inbound and Outbound - This is needed so that Octopus Scan Engine can discover the devices on your network. It is more commonly known as the PING command. Firewalls can permit or block individual ICMP message types. Generally, you will want to permit types 0, 3, 8 and 11.
The following ports and protocols should be opened only on the machine where the scanner is installed before Octopus Scan Engine can collect information from your remote computers:
- TCP Ports 135, 139 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI) which Octopus Scan Engine uses to get detailed information about Windows computers.
- UDP Port 137 Inbound - This is needed so that Octopus Scan Engine can gather information from the Windows Registry.
- TCP Ports 5985 and 5986 Inbound - This is needed for Windows Remote Management Service (WinRM) which Octopus Scan Engine uses to get detailed information about software users.
Additionally, WMI uses random ports from higher ranges:
- On Windows Server 2008 and later versions, and Windows Vista and later versions, the default dynamic port range is 49152 to 65535.
- Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range from 1025 to 5000.
Usually, the RPC port mapper is allowed to open the required ports from those ranges dynamically, and you do not need to do anything further. If the RPC port mapper is not allowed to dynamically open and close ports within the firewall, you should consider manually opening those port ranges.
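The port list above can be expressed as local Windows Firewall rules that accept traffic only from the scanner's address, so the exceptions are not reachable from the rest of the network. This is an added example, not part of the Octopus documentation; it assumes it is run from an elevated PowerShell session on a Windows 8 / Server 2012 or later device that will be scanned, and the scanner address, rule names and group name are placeholders.

```powershell
# Added example: scoped inbound exceptions for a scan target.
# Assumption: 192.0.2.10 is a placeholder for the scanner machine's IP address.
$ScannerIp = '192.0.2.10'
$Group     = 'Octopus Scan Engine (example)'   # hypothetical group name, used for review and cleanup

# Settings shared by every rule. RemoteAddress limits each exception to the scanner.
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    RemoteAddress = $ScannerIp
    Profile       = 'Domain'    # assumption: domain-joined host; use 'Private' on a workgroup machine
    Group         = $Group
}

# TCP 135, 139 and 445 (WMI)
New-NetFirewallRule @common -DisplayName 'Scan - TCP 135,139,445' `
    -Protocol TCP -LocalPort 135,139,445

# UDP 137
New-NetFirewallRule @common -DisplayName 'Scan - UDP 137' `
    -Protocol UDP -LocalPort 137

# TCP 5985 and 5986 (WinRM)
New-NetFirewallRule @common -DisplayName 'Scan - WinRM 5985,5986' `
    -Protocol TCP -LocalPort 5985,5986

# Dynamic RPC ports used by WMI. The 'RPC' keyword matches whatever ports the
# RPC runtime assigns, so the whole 49152-65535 range does not have to be opened.
New-NetFirewallRule @common -DisplayName 'Scan - RPC dynamic ports' `
    -Protocol TCP -LocalPort RPC

# ICMPv4 echo request (type 8) from the scanner. Only this inbound type is
# shown here; the other types listed above are not covered by this example.
New-NetFirewallRule @common -DisplayName 'Scan - ICMPv4 echo request' `
    -Protocol ICMPv4 -IcmpType 8

# Review what was created.
Get-NetFirewallRule -Group $Group |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Because every rule carries the same group name, `Remove-NetFirewallRule -Group $Group` removes the whole set if the device is no longer scanned.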
Windows Firewall Troubleshooting
If the devices you are trying to scan with Octopus Scan Engine are using Windows Firewall, you will need to configure the firewall to allow Windows Remote Administration. If you are on a domain, you should use Group Policy.
Manage Windows Firewall via Group Policy
Group Policy is an extremely efficient, centralized way to set and enforce settings across all Windows devices on your network. With a single change on your Domain Controller, you can reconfigure the Windows Firewall settings for all the devices you want to be scanned in your inventory with Octopus Scan Engine.
- On your Domain Controller, open the Group Policy Management Console (GPMC). You can use gpmc.msc from a command prompt, or find it in Start > Administrative Tools.
- Edit or create a new Group Policy Object (GPO) and apply it to the appropriate OU. The GPO should enforce these two settings:
  - Windows Firewall: Allow remote administration exception
  - Windows Firewall: Allow ICMP exceptions
- The setting path in Group Policy is: Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile