I'm trying to set up a monitoring lab using PRTG as the manager with two agents: a Windows virtual machine and a physical host. One of the requirements is to change the default SNMP ports (161/162) because only ports 20000 and above are allowed. However, I'm having trouble getting the Windows SNMP Service to listen on a custom port, like 20000. I've attempted a few things on the Windows agents:
1. I added TrapListenPort and TrapPort in the registry but the service keeps defaulting to port 161 after reboot.
2. I also tried changing the service configuration using sc config to include a -p 20000 parameter, but this caused the service to break.
The PRTG setup is ready, but I'm stuck on getting the Windows agents to listen on the required port. How can I definitively change the listening port for the built-in Windows SNMP Service? Is using a third-party SNMP agent the only solution?
5 Answers
Actually, changing SNMP listening ports for Windows isn't as straightforward as you might think. There is a knowledge base article from Paessler that outlines a method that involves modifying a specific file in the system32 directory instead of just reg hacks. You may want to check that out!
Honestly, using custom ports for SNMP can just complicate things without offering much security. A good sniffer will find those SNMP services in no time regardless of the port, so it may be worth reconsidering that requirement!
I’d question the need for changing those ports in the first place. It sounds like a new security policy that’s more of a hassle than anything. Maybe you could discuss this with whoever set those requirements?
I think it’s just a new security engineer trying to enforce stricter rules. Definitely complicates things!
If you need custom ports, using third-party options like SNMP Informant or similar tools might be your best bet. The built-in service is quite limited, and you won't have much luck with port changes.
Some folks argue there’s really no point in changing the SNMP ports for Windows, as the default port (161) is hardcoded and most people end up using third-party SNMP agents when they need a different port. It might save you some headaches in the long run.
Yeah, it seems a bit extreme for little gain. Thanks for pointing that out!