Operations data-collection technology sharing: Monitoring Windows systems behind NAT through WMI

Source: Internet
Author: User

1. Introduction to Windows OS and WMI

With the rapid development of Internet technology, the demands placed on the service capability of IT business systems keep growing. According to Gartner, global server shipments exceeded $12.5 billion in the first quarter of 2017, and the number of servers running to support various businesses is larger still. More than 50% of these servers run Windows OS. These Windows systems support a wide range of large and medium-sized business applications, underpinning people's work, daily life and other activities. So how can such a huge estate be monitored and managed effectively? Microsoft provides an effective monitoring tool for Windows OS: WMI.

Figure 1-1 Global server operating system occupancy

WMI (Windows Management Instrumentation) is Microsoft's implementation of WBEM (Web-Based Enterprise Management), an industry-developed unified standard for accessing management information in enterprise environments [1]. WMI uses the CIM (Common Information Model) industry standard [2] to represent operating systems, applications, networks, devices, and other managed components. CIM and WBEM are developed and maintained by the DMTF (Distributed Management Task Force).

In addition to obtaining information about the local computer, WMI can also establish remote connections through DCOM (Distributed Component Object Model [3]) to obtain information about remote computers. WMI can therefore be a powerful tool for monitoring Windows operating systems.

2. Windows OS Server monitoring in a cross-network environment

As IT business systems grow ever larger, IT infrastructure is virtualizing network and server resources through a variety of resource pools (1:N and N:1). Different businesses are isolated in different virtual networks, and business applications are also distributed across geographies. Unified monitoring of the Windows OS is required in such an environment, and one problem is encountered again and again: NAT (network address translation). NAT saves IP addresses and hides the internal network environment, but because of its one-to-many or many-to-many address mapping rules, a monitoring platform outside the NAT cannot reach the Windows OS servers inside it directly.


Figure 1-2 Typical business scenarios for large IDC

Qin Chi Yunwi, drawing on many years of IT operations and maintenance experience, combines effective host configuration with intelligent IT resource discovery technology in the Onecenter unified operations platform to solve the problem of monitoring Windows OS servers across NAT. The following is a detailed analysis of the behaviour of WMI in a NAT environment.

2.1 WMI configuration in a NAT environment

In a NAT environment, when the monitoring operations platform outside the business network needs to access a Windows OS server inside it, a static port mapping must be configured on the NAT gateway so that inbound requests on the WAN side are forwarded correctly to the monitored remote computer.

2.1.1 Port mapping configuration

WMI establishes its remote connection through DCOM and therefore first sends a request to port 135 on the remote computer:

Figure 2-1 WMI remote connection in a NAT-free environment

Figure 2-1 shows a (filtered) Wireshark capture of WMI establishing a remote connection in a NAT-free environment, where the monitoring platform's IP address is 172.16.30.31 and the monitored Windows OS server's IP address is 192.168.1.33. Note that, in addition to the TCP handshake to port 135 on the Windows OS server, the monitoring platform also opens a connection to port 1043 after it receives the RemoteCreateInstance response. Repeated experiments show that this port is random. This is because the operating system assigns an endpoint to each DCOM application, and in the default configuration the WMI endpoint is a random TCP port.

Therefore, to monitor Windows OS across NAT, in addition to mapping port 135 you must fix the WMI endpoint to a known port and map that port as well. [4] On Windows Vista and later operating systems, the WMI service can be restarted in its own process with a fixed endpoint by executing the command winmgmt /standalone. The fixed endpoint defaults to 24158, and this value can be changed.

Then configure the port mappings on the NAT gateway: WAN port 135 maps to port 135 on the remote computer, and the WAN endpoint port maps to the corresponding endpoint port on the remote computer. This completes the port mapping configuration on the NAT router.
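The server-side part of this procedure, as an added example that is not from the original article: fixing the WMI endpoint, confirming it is listening, and opening only the two forwarded ports, restricted to the NAT gateway's LAN address. The gateway address is an assumed placeholder; run it elevated on the monitored Windows server.

```powershell
# Added example (not from the original article): prepare a monitored Windows server
# for cross-NAT WMI access with a fixed DCOM endpoint. Run elevated on that server.
$FixedPort  = 24158             # default fixed WMI endpoint after winmgmt /standalone
$NatLanAddr = '192.168.40.254'  # assumed LAN-side address of the NAT gateway (placeholder)

# 1. Run the WMI service in its own host process with a fixed DCOM endpoint.
#    Without this the endpoint is a random TCP port and cannot be mapped on the NAT.
winmgmt /standalone
Restart-Service winmgmt -Force

# 2. Verify that the endpoint is really listening on the expected port.
Start-Sleep -Seconds 5
$listener = Get-NetTCPConnection -LocalPort $FixedPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "No listener on TCP $FixedPort; check the WMI endpoint setting in dcomcnfg."
}
$proc = Get-Process -Id $listener[0].OwningProcess
"WMI endpoint on TCP $FixedPort is owned by PID $($proc.Id) ($($proc.ProcessName))"

# 3. Allow only the two ports the NAT forwards, and only from the gateway's LAN side,
#    so the static mapping does not become a general RPC/DCOM exposure of this host.
foreach ($p in 135, $FixedPort) {
    New-NetFirewallRule -DisplayName "WMI over NAT TCP $p" -Direction Inbound -Protocol TCP `
        -LocalPort $p -RemoteAddress $NatLanAddr -Action Allow | Out-Null
}

# 4. Print the static mappings the NAT gateway must carry (WAN port -> this host:port).
$lanIp = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -ne '127.0.0.1' })[0].IPAddress
"NAT static mappings required:"
"  WAN:135        -> ${lanIp}:135        (RPC endpoint mapper)"
"  WAN:$FixedPort -> ${lanIp}:$FixedPort (fixed WMI DCOM endpoint)"
```

To return to the default shared host and random endpoint later, use winmgmt /sharedhost and remove the two firewall rules.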

2.1.2 IP address configuration

Even after the port mappings have been configured on the NAT, the WMI connection still fails, and the WBEMTest tool reports that the RPC server is unavailable:

Figure 2-2 WMI remote connection in a NAT environment

Figure 2-2 shows a (filtered) Wireshark capture of WMI establishing a remote connection in a NAT environment, where the local computer's IP address is 10.1.103.82, the NAT gateway's WAN port address is 10.1.104.68, and the port mappings have been set on the NAT. This time, after the monitoring platform server receives the RemoteCreateInstance response, no TCP handshake is sent to the Windows OS server's WMI endpoint (port 24158 on the router's WAN side).

Since the WMI endpoint can be any TCP port, the response must carry the endpoint port, so it is reasonable to assume that the response also carries the corresponding IP address information. A closer look at the RemoteCreateInstance response follows:

Figure 2-3 RemoteCreateInstance response analysis

Figure 2-3 shows the address information in the response: WIN-JO2OB7DN0HG is the host name of the remote computer, and 192.168.40.1 is the private IP address on the LAN side, in the same subnet as the NAT router, facing the monitoring platform server. 192.168.40.1 and 192.168.1.200 are the IP addresses of the other network adapters seen by the monitoring platform, and a packet capture on the local computer shows it attempting to initiate requests to these addresses.

Based on the above facts, one solution is to resolve the remote computer's host name to the WAN-side IP of the NAT router in the local computer's hosts file. The local computer then directs its request to the NAT router's WAN side, and the WMI connection completes.
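The client-side part, as an added example that is not from the original article: on the monitoring platform, pin the host name returned in the RemoteCreateInstance response to the NAT WAN address, check both forwarded ports, and then run a WMI query over DCOM. The host name and WAN address are the ones shown in the article; the fixed port assumes the default from section 2.1.1.

```powershell
# Added example (not from the original article): on the monitoring platform, map the
# monitored server's DCOM host name to the NAT gateway's WAN address and test WMI.
# Run elevated (the hosts file is protected).
$RemoteHostName = 'WIN-JO2OB7DN0HG'   # host name carried in the RemoteCreateInstance response
$NatWanAddr     = '10.1.104.68'       # NAT gateway WAN-side address
$FixedPort      = 24158               # fixed WMI endpoint forwarded by the NAT (assumed default)

# 1. Pin the host name to the WAN address, so the second-stage DCOM connection (which
#    uses the name from the response) goes to the NAT gateway, not a private address.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = "^\s*\S+\s+$([regex]::Escape($RemoteHostName))(\s|$)"
$existing  = @(Get-Content $hostsPath -ErrorAction Stop | Where-Object { $_ -match $pattern })
if ($existing.Count -eq 0) {
    Add-Content -Path $hostsPath -Value "$NatWanAddr`t$RemoteHostName"
}
Clear-DnsClientCache
$resolved = [System.Net.Dns]::GetHostAddresses($RemoteHostName)[0].IPAddressToString
if ($resolved -ne $NatWanAddr) {
    throw "$RemoteHostName resolves to $resolved, expected $NatWanAddr; check the hosts entry"
}

# 2. Check both forwarded ports before touching WMI, so a NAT or firewall problem is
#    reported as such instead of as a generic "RPC server is unavailable".
foreach ($p in 135, $FixedPort) {
    $t = Test-NetConnection -ComputerName $NatWanAddr -Port $p -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) {
        throw "TCP $p to $NatWanAddr is not reachable; check the static NAT mapping"
    }
}

# 3. Run the WMI query by host name, so the name used for the initial call to port 135
#    and the name in the DCOM response both resolve to the WAN address.
$cred = Get-Credential -Message "Account with remote WMI rights on $RemoteHostName"
$os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $RemoteHostName -Credential $cred
"{0}: {1}, last boot {2}" -f $os.CSName, $os.Caption, $os.ConvertToDateTime($os.LastBootUpTime)
```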

3. Summary

This paper briefly introduces the basics of WMI and NAT, and explains how to configure WMI monitoring of a remote computer together with the network configuration required in a NAT environment. By analyzing WMI packets in the NAT environment, it takes a first look at how WMI's remote connection through DCOM works internally. We hope this analysis approach will also help when configuring other protocols in other network environments.
