Configuring Hyper-V servers for discovery

For data collection and inspection of Microsoft Windows Hyper-V hosts through Windows Management Instrumentation (WMI), each server running Hyper-V requires:

  1. A user account with elevated credentials
  2. Changes to the firewall

The following table lists the discovery requirements in detail.

Item: User Account

Need: Depending on your implementation, supply one of the following as credentials for the credentials database:

  • For domain‑based authentication, a domain account with membership in the Administrators group on the monitored application server.
  • For workgroup authentication, a built-in administrator account on the monitored application server.
  • For workgroup authentication, a local user account with membership in the Administrators group and the User Account Control (UAC) setting "Run all administrators in Admin Approval Mode" disabled on the monitored application server.

Item: Windows Firewall

Need: Ensure that core networking, Windows Management Instrumentation (WMI), and RPC traffic can traverse the firewall.

Modifying the Windows Firewall

You must allow core networking, WMI, and RPC traffic through the firewall of the monitored server. The following procedure walks you through allowing this traffic through the Windows Firewall on Windows 2008 R2.

Notes: 

  • If you have restricted the range of dynamic RPC ports, you must ensure that each host is able to access that port range.
  • If you are connecting to Hyper-V hosts through a DMZ or hardware firewall, you must open the corresponding rules and ports on the hardware.

Allow the correct traffic through the Windows firewall

  1. Ensure the core networking rules are enabled
  2. Enable the Windows Management Instrumentation (DCOM-In) rule
  3. Create a new rule to open the RPC ports

Ensure the Core Networking rules are enabled

You must ensure that the core networking rules are enabled to collect information successfully from Hyper-V hosts.

If the rule has a green icon with a checkmark in front of it, the rule is enabled.

Allow core networking traffic through the Windows Firewall on Windows 2008 R2

  1. Log on to the computer you want to monitor with an administrator account.
  2. Navigate to Start > Administrative Tools > Windows Firewall with Advanced Security.
  3. Click Inbound Rules in the left navigation pane.
  4. Ensure that all Core Networking rules are enabled. If not, select the disabled rule and then click Enable Rule in the Action menu.

Enable the Windows Management Instrumentation (DCOM-In) rule

You must ensure that the Windows Management Instrumentation (DCOM-In) rule is enabled to collect information successfully from Hyper-V hosts.

After enabling the Windows Management Instrumentation (DCOM-In) rule, common WMI checks indicate that WMI is not enabled. This is expected behavior.

To allow WMI traffic through the Windows Firewall on Windows 2008 R2:

  1. Log on to the computer you want to monitor with an administrator account.
  2. Navigate to Start > Administrative Tools > Windows Firewall with Advanced Security.
  3. Click Inbound Rules in the left navigation pane.
  4. Click Windows Management Instrumentation (DCOM-In), and then click Enable Rule in the Action menu.

Create a new firewall rule to open the RPC ports

You must open the RPC ports to collect information successfully from Hyper-V hosts. This is best done by creating a new firewall rule.

  1. Log on to the computer you want to monitor with an administrator account.
  2. Navigate to Start > Administrative Tools > Windows Firewall with Advanced Security.
  3. Click Inbound Rules in the left navigation pane.
  4. Click Actions > New Rule…
  5. In Rule Type, select Custom and click Next.
  6. Select This program path and enter %SystemRoot%\System32\dllhost.exe in the text box.
  7. In Services, click Customize to ensure that Apply to all programs and services is selected, and click OK, and then click Next.
  8. In Protocol type, select TCP.
  9. In Local port, select RPC Dynamic Ports.
  10. In Remote port, select All Ports, and then click Next.
  11. Apply to any local and remote IP addresses and click Next.
  12. In Action, ensure that Allow the connection is selected and click Next.
  13. Select all profiles (Domain, Private, and Public) and click Next.
  14. Enter a name, such as SAM WMI Dynamic Ports, and then click Finish.

The new rule now appears in the list of inbound rules.
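
The three firewall steps above can also be scripted. The following is an added example, not part of the original procedure or vendor code: it drives netsh from an elevated PowerShell prompt on the monitored host, skips the rule creation if the rule already exists, and prints the result for review. The $RemoteIp variable and the Invoke-Netsh helper are assumptions introduced here; the rule name is the example name from step 14.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt on the
# monitored Hyper-V host. netsh is used because Windows 2008 R2 predates the
# NetSecurity cmdlets (New-NetFirewallRule).
$RuleName = 'SAM WMI Dynamic Ports'   # example name from step 14
$RemoteIp = 'any'                     # step 11 as written; assumption: can be set to the
                                      # polling server's address to limit who can connect

# Hypothetical helper: run netsh and stop on a non-zero exit code.
function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $out = & netsh.exe $NetshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $($out -join ' ')"
    }
    $out
}

# Step 1: enable every rule in the Core Networking group.
# Group and rule names are the English display names; they differ on localized systems.
Invoke-Netsh @('advfirewall','firewall','set','rule',
    'group=Core Networking','new','enable=yes') | Out-Null

# Step 2: enable the predefined WMI DCOM rule.
Invoke-Netsh @('advfirewall','firewall','set','rule',
    'name=Windows Management Instrumentation (DCOM-In)','new','enable=yes') | Out-Null

# Step 3: create the dynamic RPC rule only if it is not already present,
# so re-running the script does not create duplicate rules.
& netsh.exe advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Invoke-Netsh @('advfirewall','firewall','add','rule',
        "name=$RuleName", 'dir=in', 'action=allow', 'protocol=TCP',
        "program=$env:SystemRoot\System32\dllhost.exe",   # expanded %SystemRoot% path
        'localport=RPC',                                  # "RPC Dynamic Ports" in the wizard
        "remoteip=$RemoteIp",
        'profile=any') | Out-Null                         # Domain, Private, and Public
}

# Check: print the rule so its program, port, address, and profile scope can be reviewed.
Invoke-Netsh @('advfirewall','firewall','show','rule',"name=$RuleName",'verbose')
```

Leaving $RemoteIp at any reproduces step 11 exactly; the verbose output at the end shows the RemoteIP and Profiles values the rule was actually created with.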