2

I am having an odd issue. I have a Windows server in Azure which I have installed Splunk on and I can't get to the web UI.

I created it from the default template and I have deleted it and tried to recreate it. I have made an NSG rule to allow port 8000 from my works public IP. I have allowed port 8000 through the windows firewall. I can get to the splunk web ui locally on the VM. It is listening to 0.0.0.0:8000 and the other default splunk ports checked with netstat -ano.

Things I have tried:

  • Allow all traffic from my work IP to the VM.
  • Bind the splunk server only to the 10.0.0.4 address.
  • Disable the splunkd service and run an IIS site on port 8000. IIS works on port 80 but not port 8000.
  • Applied the NSG to the subnet.
  • Checked port with telnet and test-connection which got no response.
  • Removed the IP restriction on the inbound NSG rules.
PS C:\Users\sreadmin> netstat -ant | findstr 80
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       InHost
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       InHost
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       InHost
  TCP    10.0.0.4:49719         168.63.129.16:80       ESTABLISHED     InHost
  TCP    10.0.0.4:49722         168.63.129.16:80       ESTABLISHED     InHost
  TCP    10.0.0.4:50179         168.63.129.16:80       TIME_WAIT       InHost
  TCP    127.0.0.1:8065         0.0.0.0:0              LISTENING       InHost
  TCP    [::]:8000              [::]:0                 LISTENING       InHost
  UDP    [fe80::d481:9b75:f30d:9b31%5]:1900  *:*
  UDP    [fe80::d481:9b75:f30d:9b31%5]:61131  *:*

NSG rules I have done look like this:

100 | Port_8000 | 8000 | Any | 131.203.112.66/32 | Any | Allow | …
110 | Port_8089 | 8089 | Any | 131.203.112.66/32 | Any | Allow | …
150 | http | 80 | Any | 131.203.112.66/32 | Any | Allow | …
1000 | default-allow-rdp | 3389 | TCP | 131.203.112.66/32 | Any | Allow | …

Does anyone have an idea of what I am missing here, what I should look at to troubleshoot or how to test where the issue is?

kasperd
  • 29,894
  • 16
  • 72
  • 122
frpm
  • 23
  • 1
  • 4
  • I have also tried to disable the windows firewall temporarily and it made no difference. – frpm Jan 03 '18 at 00:29

3 Answers3

0

After install splunk on Azure windows VM, we just need add port 8000 to Azure NSG inbound rules and add port 8000 to windows firewall inbound rules, then we can browse it via the internet.

Azure NSG inbound rules:

enter image description here

Azure VM windows firewall inbound rules:

enter image description here

Then we can browse it via the internet:

enter image description here

To troubleshoot this issue, maybe we can follow those steps:
1.Turn off VM windows firewall(for test, after complete, turn it on)
2.Remove the subnet NSG.
3.Make sure your public IP address is 131.203.112.66
4.Make sure your Local network firewall not block the network traffic. Or Change another network to test it.

Also you can create another Azure VM to test it. Browse splunk with public IP address and port 8000.

Jason Ye
  • 2,399
  • 1
  • 8
  • 10
  • Just checking in to see if the information provided was helpful. Please let me know if you need more help, also if it helpful, please don't forget to [accept](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) it as an answer, thanks:) – Jason Ye Jan 04 '18 at 08:51
  • Does that work for you? – Jason Ye Jan 05 '18 at 06:13
0

Thanks for the help Jason. I had done the steps you listed previously, but I must have messed up when setting Splunk to try and run on port 80 to check we were not blocking port 8000 outbound. Your step 4 was the problem.

Answer: Corp firewall must have outbound rules limiting access to non standard ports. I didn't pick up on it before due to not configuring splunk to run on port 80 correctly. With Splunk configured correctly to run on port 80, all is working fine now.

frpm
  • 23
  • 1
  • 4
  • It will be running on port 443 eventually, but port 80 is fine for testing for now. – frpm Jan 03 '18 at 22:29
  • Glad to hear that your issue has been resolved. If my answer is helpful, please don't forget to [accept](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) it as an answer so that other community members will be benefited, thanks:) – Jason Ye Jan 08 '18 at 02:15
0

Beware of default rules in the firewall.

I know this issue is over a year old but I just had a similar problem attempting to open port 443 on a Windows/10 VM running in Azure. I had opened the port to the VM on the virtual network using the Azure portal and there appeared to be a default rule in the Windows Firewall opening port 443 but something was still blocking my connection.

I finally solved the problem by creating an additional rule in the Windows Firewall opening port 443 and everything worked.

djhallx
  • 101
  • 2