Support444
Contributor

VMware Capacity Planner Test problems - "RPC server unavailable"

Hi there,

I am currently inserting some Windows servers into the capacity planner and have hit some obstacles. I am unsure on how to get the WMI test to succeed with the Windows Firewall turned on. I have enabled the file and printer sharing exception; this allows the Registry, perf mon and IPC$ tests to succeed. If I turn the firewall off, all is well, but if I turn it back on, the WMI test fails with the "RPC server is unavailable" error. I can't/shouldn't turn off the firewalls for each problem server as they are production machines in a corporate environment.

Can someone please give me some insight on how to get past this problem?

many thanks

0 Kudos
8 Replies
habibalby
Hot Shot

Hello,

Add a rule in your Firewall to allow these Ports 135, 137, 138, 139, 445 and 443 "SSL" or add them in the Exception list of ports.

Best Regards,

Hussain Al Sayed

0 Kudos
Support444
Contributor

Hi,

Thank you for your contribution. I have added these TCP ports to the Windows Firewall exception list and the problem persists. As I understand it, the initial connection is based on a dynamic port range, i.e. random.

I am in correspondence with my local VMware Rep, hopefully he can come up with a game plan.

0 Kudos
habibalby
Hot Shot

Hello,

Do the clients/servers which you are trying to convert have a firewall enabled? If yes, add those ports to the target machine, or try to disable it for the time the conversion is going on and, once it's converted, you can turn your firewall back on.

If you are worried of trneds or something, remove the Default-Gateway if it's not being used to access off-subnet network.

Best Regards,

Hussain Al Sayed

0 Kudos
Support444
Contributor

Hi there,

Yes, the clients have a firewall up; I would need a really good reason to take it down for the several weeks of data collection. I have added those ports to the machines but the WMI test still fails. When I take down the firewall, I can see the process that is being invoked on the client side. It is the file C:\WINDOWS\system32\wbe\wmiprvse.exe

I thought if I add that exe as an exception, that it would work, but no go there either.

thanks for any assistance

0 Kudos
Craig_Baltzer
Expert

If you go into the firewall configuration and turn on logging (Windows Firewall, Advanced Tab, Security Logging Settings button, Log dropped and successful connections) what ports are specifically being attempted and blocked? It would be worthwhile to see if you're getting a consistent "random" port number when you connect.

may also help in controlling what "random" ports are used...

Support444
Contributor

date        time     action        protocol  src-ip         dest-ip        src-port  dest-port  size  tcpflag  tcpsyn      tcpack  tcpwin
11/12/2008  8:43:46  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2191      135        48    S        2853968550  0       65535   -  -  -  RECEIVE
11/12/2008  8:43:49  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2191      135        48    S        2853968550  0       65535   -  -  -  RECEIVE
11/12/2008  8:43:55  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2191      135        48    S        2853968550  0       65535   -  -  -  RECEIVE
11/12/2008  8:44:07  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2192      135        48    S        1178825449  0       65535   -  -  -  RECEIVE
11/12/2008  8:44:10  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2192      135        48    S        1178825449  0       65535   -  -  -  RECEIVE
11/12/2008  8:44:16  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2192      135        48    S        1178825449  0       65535   -  -  -  RECEIVE
11/12/2008  8:44:28  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2193      445        48    S        486333468   0       65535   -  -  -  RECEIVE
11/12/2008  8:44:28  OPEN-INBOUND  TCP       xxx.xx.63.227  xxx.xx.76.120  2194      139        -     -        -           -       -       -  -  -  -
11/12/2008  8:44:28  OPEN-INBOUND  TCP       xxx.xx.63.227  xxx.xx.76.120  2195      139        -     -        -           -       -       -  -  -  -

Ok, sorry about the placement of this paragraph, I don't seem to be able to get the caret above or below the tables. I applied the registry key to narrow the range of ports (TCP 5000 - 5005) on the server with the Collection software on it. Above is the before WFL (Windows Firewall log) and below is the after WFL, both from the client machine. This is weird as the destination port has changed but not the source port. This is confusing the heck out of me now, because looking at the top table, all the ports in the dest-port column (135, 445, 139) are in the exception list on the Windows Firewall on the client, the machine being tested. The other port range for the source port (2191-2195) doesn't seem to be affected by the registry modification... Any thoughts?

date        time     action        protocol  src-ip         dest-ip        src-port  dest-port  size  tcpflag  tcpsyn      tcpack  tcpwin
11/12/2008  9:17:18  OPEN-INBOUND  TCP       xxx.xx.63.227  xxx.xx.76.120  2213      135        -     -        -           -       -       -  -  -  -
11/12/2008  9:17:18  OPEN-INBOUND  TCP       xxx.xx.63.227  xxx.xx.76.120  2214      135        -     -        -           -       -       -  -  -  -
11/12/2008  9:17:18  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2216      5000       48    S        1288605442  0       65535   -  -  -  RECEIVE
11/12/2008  9:17:21  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2216      5000       48    S        1288605442  0       65535   -  -  -  RECEIVE
11/12/2008  9:17:27  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2216      5000       48    S        1288605442  0       65535   -  -  -  RECEIVE
11/12/2008  9:17:39  DROP          TCP       xxx.xx.63.227  xxx.xx.76.120  2217      5000       48    S        296758368   0       65535   -  -  -  RECEIVE
11/12/2008  9:17:42  DROP          TCP       xxx.63.227     xxx.xx.76.120  2217      5000       48    S        296758368   0       65535   -  -  -  RECEIVE
11/12/2008  9:17:48  DROP          TCP       xxx.63.227     xxx.xx.76.120  2217      5000       48    S        296758368   0       65535   -  -  -  RECEIVE

0 Kudos
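The pattern in the two captures above (connection accepted on 135, SYN dropped on another port) can be pulled out of a firewall log mechanically. The following is an added example, not part of the original posts; it assumes the log carries a #Fields header line with the names shown, and the sample lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample in pfirewall.log layout (documentation IPs); it mirrors the
# "after" capture in the thread: 135 is accepted, the follow-up port is dropped.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-11-12 09:17:18 OPEN-INBOUND TCP 192.0.2.10 192.0.2.20 2213 135 - - - - - - - - -
2008-11-12 09:17:18 DROP TCP 192.0.2.10 192.0.2.20 2216 5000 48 S 1288605442 0 65535 - - - RECEIVE
2008-11-12 09:17:21 DROP TCP 192.0.2.10 192.0.2.20 2216 5000 48 S 1288605442 0 65535 - - - RECEIVE
2008-11-12 09:17:39 DROP TCP 192.0.2.10 192.0.2.20 2217 5000 48 S 296758368 0 65535 - - - RECEIVE
"""

def parse(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def summarize(text):
    """Return (dropped, rpc_suspects).

    dropped maps (src-ip, dst-port) to the number of distinct blocked
    connection attempts; retransmitted SYNs share src-port and tcpsyn, so
    they are counted once. rpc_suspects lists the sources that were accepted
    on TCP 135 and also dropped on some other port, i.e. the endpoint mapper
    was reachable but the port used for the follow-up connection is not
    open in the firewall.
    """
    attempts, mapper_ok = set(), set()
    for e in parse(text):
        if e.get("protocol") != "TCP":
            continue
        if e.get("action") == "OPEN-INBOUND" and e.get("dst-port") == "135":
            mapper_ok.add(e["src-ip"])
        elif e.get("action") == "DROP" and e.get("tcpflags") == "S":
            attempts.add((e["src-ip"], int(e["dst-port"]), e["src-port"], e["tcpsyn"]))
    dropped = Counter((src, port) for src, port, _, _ in attempts)
    suspects = sorted({src for (src, port) in dropped if port != 135 and src in mapper_ok})
    return dropped, suspects

if __name__ == "__main__":
    dropped, suspects = summarize(SAMPLE_LOG)
    for (src, port), n in sorted(dropped.items()):
        print(f"{src} -> dst-port {port}: {n} blocked attempt(s)")
    print("accepted on 135 but dropped on another port:", suspects)
```
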
Craig_Baltzer
Expert

Be worth having another look at the firewall rules that are active. Rather than mucking with the UI I find using "netsh" gives a much better view. is the reference with all of the available commands. I'd start with a

  • netsh firewall show state

  • netsh firewall show portopening

  • netsh firewall show allowedprogram

and see what is open. Then try using (where xxx is the port number and portdescription is a text description of the port)

  • netsh firewall add portopening ALL xxx PortDescription ENABLE ALL

for the ports that you need open and see if that gets rid of the drops (it needs to be done on the server that you're trying to run capacity planner against, not the capacity planner server itself; the firewall in W2K3 is inbound only so there isn't anything to set on the capacity planner server itself). Once you get that working then you can change the first "ALL" to TCP or UDP, and the last ALL to SUBNET (if the capacity planner server and the server you're trying to collect information on are on the same subnet) or CUSTOM xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the IP address of the capacity planner server

0 Kudos
Support444
Contributor

Hi again,

The solution to the problem was to add the REMOTEADMIN firewall exception to each target server with this "RPC server unavailable" problem.

netsh firewall set service REMOTEADMIN ENABLE CUSTOM <ip of machine doing the remote access>

You can change custom to subnet or all depending on what level of access you want.

I sincerely hope this helps someone else.

cheers

0 Kudos