VMware VCENTER APPLICATION DISCOVERY MANAGER 6.1 - REPOSITORY, Руководство пользователя

Страница: 41 / 74

VMware, Inc. 41
Chapter 5 Discovery
WMI Deployment Recommendations
Creating a User for WMI Detail Discovery
Using WMI to query remote hosts for their configuration details requires appropriate privileges, as described
next. To easily manage these privileges, it is recommended to use a separate domain user for this purpose.
Therefore, the first step in deploying WMI Detail Discovery is to create a domain user account. This user
should not have any special administrative privileges. In fact, there is no reason for it to belong to any groups
at all.
In the event that a local administrator user is used instead of a specially created user, it is important that
DCOM configuration allows remote access and launch for administrator users. Troubleshooting tips regarding
WMI and DCOM permissions is found in the article at:
http://blogs.technet.com/askperf/archive/2007/08/14/wmi-troubleshooting-permissions.aspx
You need to create a profile and temporary folder on all machines where Detail Discovery is to be performed
by logging in to those machines.
If a local user is used rather than a domain user, follow the instructions in “Configuring the Windows Telnet
server” on page 44 regarding local security policy settings.
Firewall Settings
WMI queries involve the Microsoft RPC network protocol that uses dynamically ‐ assigned ports on the server
side, and is therefore quite firewall ‐ unfriendly. To avoid firewall trouble, it is recommended to deploy the
Detail Discovery, Collector appliance in the same network as the managed hosts without a firewall between
them.
If there must be a firewall between the Management, Aggregator appliance and the Detail Discovery, Collector
appliance, it should be configured to allow RPC traffic. This is done in two stages:
1 Configure the managed hosts to use a narrow range of dynamic ports for their RPC. The following URLs
provide further information:
http://msdn2.microsoft.com/en-us/library/ms809327
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewal
l.asp
2 In the firewall settings, open TCP port 135 (the RPC Service Control Manager port), in addition to the full
range of RPC ports specified in Step 1 , for access by the Detail Discovery, Collector appliance.
Disabling Internal Firewall for Windows XP Service Pack 2
The internal firewall should be turned off or partially disabled to allow direct connection to the local network.
To change the firewall configuration
1 Go to Control Panel > Security Center > Windows Firewall .
2 To fully disable the firewall, in the General tab, select Off .
3 If you want to leave the firewall enabled but still allow RPC/DCOM communication, select On in the
General tab, and in the Advanced tab, clear local network.
Setting DCOM Privileges
In the following steps, it is assumed that the domain name is MYDOMAIN and that the user used for WMI
Detail Discovery and that domain is named DOMAINUSER.
Since WMI access to a Windows host involves DCOM technology, the DOMAINUSER needs to be allowed to
perform DCOM operations on each managed host. This is already the default setting in most Windows servers
(Windows 2000 and 2003 server families), but not in Windows XP or in servers that had their defaults changed.
I
MPORTANT
Windows XP with Service Pack 2 has a built ‐ in internal firewall that might block incoming
RPC/DCOM requests.