When scanning Windows computers without a scanning agent, you may at some point encounter machines that return "firewalled" or "RPC server unavailable" errors. RPC errors are usually caused by an incorrect firewall setup on the client machine or the machine being offline, but can be caused by incorrect DCOM or other settings as well.
Lansweeper pulls most Windows computer data from WMI (Windows Management Instrumentation), a management infrastructure built into Windows operating systems. When scanning without a scanning agent, the initial connection to a Windows computer is set up using DCOM and the Remote Procedure Call (RPC) service on the client machine. The RPC service is built into Windows operating systems and enabled by default.
If a Windows computer is generating a "firewalled" or "RPC server unavailable" error, do the following:
- Look at the Last Tried (= last scan attempt) date in the computer's Summary tab to determine when the scanning error occurred.
- If the scanning error is not recent, rescan the computer first to verify whether the scanning issue is still present. You can rescan one or more machines by clicking the Assets link at the top of the web console, ticking the checkboxes in front of the assets and hitting the Rescan button on the left.
- Make sure the computer is switched on. Computers that are offline will generate RPC errors as well.
- Run the tool below on your Lansweeper server, as it will help in the troubleshooting process.Program Files (x86)\Lansweeper\Actions\testconnection.exeYou must open the test tool on your Lansweeper scanning server, i.e. on the machine that has the Lansweeper Server service installed. Tests initiated from other machines cannot be used for troubleshooting purposes, as they do not replicate the exact network conditions (e.g. firewalls) experienced by Lansweeper.
- Run multiple tests in the test tool, connecting to the problem computer's IP address, NetBIOS name and (in the case of a domain computer) Fully Qualified Domain Name (FQDN).
When running your tests, submit the same credential that was also submitted in Lansweeper for scanning.
- When running tests to NetBIOS name or FQDN of the computer, make sure the DNS section of the tool shows the computer name being resolved to the correct IP address. Based on which scanning method you are using to scan your computer, Lansweeper will try to connect to IP address, NetBIOS name or FQDN. It is important that connecting to either of those properties brings you to the correct client machine. If there is a DNS issue for instance and connecting to your computer's name returns an incorrect IP address as a result, this will lead to scanning issues. Discuss any DNS issues that may be visible in the test tool with your network admin, as they must be resolved in your network itself.
- Look at the Scanning TCP Ports and Scanning WMI sections of the tool to determine whether necessary ports are open for scanning. Lansweeper must have access to TCP port 135 (to set up the initial DCOM connection to the client machine) *and* the random ports that are used by Windows to send WMI data. Our knowledge base contains firewall configuration instructions for Windows Firewall and Symantec Endpoint Protection. For other third-party firewalls, we recommend consulting the vendor's documentation.Opening port 135 is not sufficient to accomplish an agentless scan of a Windows computer. Lansweeper pulls Windows computer data from WMI (Windows Management Instrumentation), a management infrastructure built into Windows operating systems. By default, Windows sends WMI data over random ports. You need to either:
• Configure your firewalls in such a way that *all* WMI traffic (over random ports) is allowed. Windows Firewall includes an exception that you can enable to allow WMI traffic, as explained in this knowledge base article. For third-party firewalls, you'll need to consult your firewall documentation.
• Configure a fixed WMI port and allow traffic through that port. Setting up a fixed port is supported by all recent Windows operating systems starting from Windows Vista.
• If you are unable to allow WMI traffic through your firewalls, scan your computers locally with the LsAgent or LsPush scanning agent instead. This does not require firewall reconfiguration.
- Make sure the RPC service is running on the computer you're trying to scan. By default in Windows, this service is configured to run automatically. It may have been manually stopped, however, resulting in "RPC server unavailable" errors.
- Make sure the computer meets the other Windows domain or workgroup scanning requirements. You can download (right-click and Save Link As) and run this script within an elevated Command Prompt on a problem computer to ensure DCOM, Windows Firewall and some other settings are correct. If you are using third-party firewalls, you will still need to check their configuration separately.
- Make sure the local time is correctly configured on the client computer, the Lansweeper scanning server and your domain controller. A time difference of more than 15 minutes between client and server can cause unexpected results in Active Directory domains.