Executing windows commands remotely through a firewall

  • Executing windows commands remotely through a firewall

    Good day,

    Let's get right down to it, shall we? I have two servers, A and B, separated by a firewall. Both servers have nightly batch jobs. When the batch job finishes on server A, I want the batch job on server B to start--that is to say, the job on B cannot start until the job on server A is finished. So I need a way for server A to inform server B that its job is finished so that server B can get on with it.

    The obvious solution to the above problem is to have server A actively initiate the batch job on server B, or do something passively (e.g. create an event in the event log) that allows B to know that it can run its batch job. The problem is that both the servers are Windows 2K3, and so in order to allow remote execution of commands you need to open a ridiculous number of ports in the firewall.

    I can only open one port in the firewall. How can I configure my environment so that server A can execute the batch job remotely, or can remotely inform server B that it is safe to execute the batch job itself? Or is there another way?

    Thank you in advance for your help.

  • #2
    Re: Executing windows commands remotely through a firewall

    make a small script that listens on a specific, non-standard port. let's call it port 17843.

    All your little program does is listen for a connection, and a word, say, start. Once it receives that, it knows to kick off BatchB on ServerB.

    So when BatchA finalises on ServerA, it opens a connection to port 17843 on ServerB, and sends just the word start

    you'd probably need to be able to code the sockets though

    another option would be to have a script on serverb running every 15 minutes, checking a specific folder for the existence of a specific file.
    when script A finishes, it FTPs the file "AllFinished" to serverB. ServerB, at the next 15 minute interval, sees that file, kicks off ScriptB.
    ScriptB, when it finishes, deletes the AllFinished file.


    • #3
      Re: Executing windows commands remotely through a firewall

      Thank you for your reply.

      > make a small script that listens on a specific, non-standard port. let's call it port 17843.
      > All your little program does is listen for a connection, and a word, say, start. Once it receives that, it knows to kick off BatchB on ServerB.
      > So when BatchA finalises on ServerA, it opens a connection to port 17843 on ServerB, and sends just the word start

      This sounds interesting, but not necessarily ideal (i.e. the socket programming part). A quick web search reveals that powershell seems to offer some socket bind/listening functionality, which means that I wouldn't need to do something silly like install the entire Java framework on the server. I will look into this a little bit more.

      > another option would be to have a script on serverb running every 15 minutes, checking a specific folder for the existence of a specific file.
      > when script A finishes, it FTPs the file "AllFinished" to serverB. ServerB, at the next 15 minute interval, sees that file, kicks off ScriptB.
      > ScriptB, when it finishes, deletes the AllFinished file.

      I thought about this idea before, but the drawback is that I would need to install IIS, which I don't think would be allowed.

      Very cool suggestions. I'm going to examine the powershell socket programming idea, but in the meanwhile if anybody has any _easier_ ideas please let me know!



      • #4
        Re: Executing windows commands remotely through a firewall

        Originally posted by grittyminder
        > The problem is that both the servers are Windows 2K3, and so in order to allow remote execution of commands you need to open a ridiculous number of ports in the firewall.

        Do you refer to series of Dynamic_RPC ports?


        Originally posted by grittyminder
        > I can only open one port in the firewall. How can I configure my environment so that server A can execute the batch job remotely, or can remotely inform server B that it is safe to execute the batch job itself?

        Is the Windows Firewall used?
        Use WMI. Therefore on the remote computer you should just enable the exception "Allow remote administration":

        netsh.exe firewall set service type = REMOTEADMIN mode = ENABLE

        (Windows XP and Windows Server 2003: http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx)
        (It is different with Vista and newer: http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx)

        WSH scripts, WMIC commands and PowerShell can be used to make calls to WMI classes.


        Remote execute a batch vbs script sample:
        Code:
        Const wbemConnectFlagUseMaxWait = 128

        ' Remote computer and the batch file to run on it
        strComputer = "192.168.100.150"
        strExecFile = "c:\scripts\test.cmd"

        Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")

        ' The sample below uses alternate credentials. To use the credentials of
        ' the current user instead (should be a local admin on the remote machine!),
        ' delete the name and password including the quotes, but leave the commas.
        Set objSWbemServices = objSWbemLocator.ConnectServer _
            (strComputer, "root\cimv2", "locAdmin", "[email protected]", , , wbemConnectFlagUseMaxWait)

        ' 3 = wbemImpersonationLevelImpersonate
        objSWbemServices.Security_.ImpersonationLevel = 3

        Set objProcess = objSWbemServices.Get("Win32_Process")

        ' Create returns 0 on success and stores the new process ID in intProcessID
        intReturn = objProcess.Create _
           (strExecFile, Null, Null, intProcessID)

        You can use "Win32_ProcessStopTrace" http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx to monitor the first batch. (Additionally, you can set the parameter for colProcessStopTrace.NextEvent() to set a timeout (to use with error capturing) for the monitoring script.)

        The vbs script can launch the local batch, and use the PID (intProcessID) to trace the process. After the batch is finished it launches the batch on the remote server.

        Of course you could also initiate this from the other server.


        /Rems
        Last edited by Rems; 3rd April 2012, 13:55.



        • #5
          Re: Executing windows commands remotely through a firewall

          Hello, sorry about the late reply, I just saw your post.

          > Do you refer to series of Dynamic_RPC ports?

          Yes. A long while ago I performed some simple tests in my environment to try and determine which ports would need to be opened in a firewall in order to allow file sharing between Windows hosts (or it may have been between a Windows host and a Samba server?). In any case, if I open the following ports I am able to allow file sharing between both Windows and Linux hosts:

          udp 135,137~139,445, 1024~65535
          tcp 111,135,139,445

          Anyhow, I assumed that in order to use WMI one would need to open up the same port ranges, or at least something very similar. Looking at your above post, you are saying that I only need to open TCP/UDP 135 and UDP 5001-5021 _if_ I restrict the RPC dynamic port using the registry settings that you describe, for a total of 21 ports to open? This is what you are saying, right? I just need to make sure that I understand, because that doesn't sound too bad.

          By the way, I was able to use powershell to create a socket listener, use telnet to connect to the socket via a single port through the firewall, and then have powershell execute a script once the connection was established. Very cool! I'm not sure how easy it will be for me to receive permission to run this script in production though.
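
The single-port trigger from posts #2 and #5, written so that a bare connection or the plain word "start" is not enough to launch the job. This is an added example, not code from any poster in the thread. Assumed here: ServerA's address, the key file, the batch path, and a constructed message format that carries a timestamp plus an HMAC-SHA256 over it with a key shared by both servers.

```powershell
$Port      = 17843                      # port named in post #2
$AllowedIp = '192.0.2.10'               # constructed: ServerA's address
$BatchFile = 'C:\scripts\BatchB.cmd'    # constructed: fixed job, never taken from the wire
$KeyFile   = 'C:\scripts\trigger.key'   # constructed: shared key, readable only by the job account
$MaxSkew   = 60                         # seconds a trigger stays valid

function Get-UnixTime { [int64][Math]::Floor(([DateTime]::UtcNow - [DateTime]'1970-01-01').TotalSeconds) }

function Get-Mac([byte[]]$Key, [string]$Text) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$Key)
    try     { [BitConverter]::ToString($hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($Text))).Replace('-', '') }
    finally { $hmac.Clear() }
}

# ServerA side: constructed message format "<unix-seconds>:<hex HMAC of 'start:<unix-seconds>'>"
function New-TriggerMessage([byte[]]$Key, [int64]$Now) { "${Now}:" + (Get-Mac $Key "start:$Now") }

# ServerB side: returns the timestamp if the line is well-formed, fresh and authentic, else 0
function Test-Trigger([string]$Line, [byte[]]$Key, [int64]$Now, [int]$MaxSkew) {
    if ($Line -notmatch '^([0-9]{10}):([0-9A-Fa-f]{64})$') { return 0 }
    $ts = [int64]$Matches[1]; $given = $Matches[2].ToUpper()
    if ([Math]::Abs($Now - $ts) -gt $MaxSkew) { return 0 }          # stale message
    $expected = Get-Mac $Key "start:$ts"; $diff = 0
    # Compare every character so timing does not reveal where the first mismatch is
    for ($i = 0; $i -lt 64; $i++) { $diff = $diff -bor ([int]$expected[$i] -bxor [int]$given[$i]) }
    if ($diff -eq 0) { return $ts } else { return 0 }
}

function Start-TriggerListener {
    $key = [IO.File]::ReadAllBytes($KeyFile); $lastTs = 0
    $listener = New-Object System.Net.Sockets.TcpListener ([Net.IPAddress]::Any, $Port); $listener.Start()
    try {
        while ($true) {
            $client = $listener.AcceptTcpClient()
            try {
                $peer = $client.Client.RemoteEndPoint.Address.ToString()
                $client.ReceiveTimeout = 5000                        # drop idle connections
                $reader = New-Object IO.StreamReader ($client.GetStream(), [Text.Encoding]::ASCII)
                $buf = New-Object char[] 80; $n = $reader.ReadBlock($buf, 0, $buf.Length)   # bounded read
                $ts = Test-Trigger (-join $buf).Substring(0, $n).Trim() $key (Get-UnixTime) $MaxSkew
                if ($peer -eq $AllowedIp -and $ts -gt $lastTs) {     # right sender, valid MAC, not a replay
                    $lastTs = $ts
                    Start-Process -FilePath $env:ComSpec -ArgumentList '/c', $BatchFile
                } else { Write-Warning "Rejected trigger from $peer" }
            } catch { Write-Warning "Connection error: $_" } finally { $client.Close() }
        }
    } finally { $listener.Stop() }
}
Start-TriggerListener
```

ServerA sends the output of `New-TriggerMessage` on one connection and then closes it. The firewall rule for port 17843 should permit only ServerA as the source, so the address check in the script is a second layer and not the only one.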
