Configuring Microsoft Distributed Transaction Coordinator (DTC) to work through a firewall

This article describes how to configure Microsoft Distributed Transaction Coordinator (DTC) to work through firewalls.

You can configure DTC to communicate through firewalls, including network address translation firewalls.

DTC uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024. By modifying the registry, you can control which ports RPC dynamically allocates for incoming communication. You can then configure your firewall to confine incoming external communication to only those ports and port 135 (the RPC Endpoint Mapper port).

You must provide one incoming dynamic port for DTC. You may need to provide additional incoming dynamic ports for other subsystems that rely on RPC.

The registry keys and values described in this article do not appear in the registry by default; you must add them by using Registry Editor.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Follow these steps to control RPC dynamic port allocation. You will have to do this on both computers. Note also that the firewall mustbe open in both directions for the specified ports:

1. To start Registry Editor, click Start, click Run, type regedt32, and then click OK.
   
   You must use Regedt32.exe, rather than Regedit.exe, because Regedit.exe does not support the REG_MULTI_SZ data type that is required for the Ports value.
2. In Registry Editor, click HKEY_LOCAL_MACHINE in the Local Machine window.
3. Expand the tree by double-clicking the folders named in the following path:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
4. Click the RPC folder, and then click Add Key on the Edit menu.
5. In the Add Key dialog box, in the Key Name box, type Internet, and then click OK.
6. Click the Internet folder, and then click Add Value on the Edit menu.
7. In the Add Value dialog box, in the Value Name box, type Ports.
8. In the Data Type box, select REG_MULTI_SZ, and then click OK.
9. In the Multi-String Editor dialog box, in the Data box, specify the port or ports you want RPC to use for dynamic port allocation, and then click OK.
   
   Each string value you type specifies either a single port or an inclusive range of ports. For example, to open port 5000, specify "5000" without the quotation marks. To open ports 5000 to 5020 inclusive, specify "5000-5020" without the quotation marks. You can specify multiple ports or ports ranges by specifying one port or port range per line. All ports must be in the range of 1024 to 65535. If any port is outside this range or if any string is invalid, RPC will treat the entire configuration as invalid.
   
   Microsoft recommends that you open up ports from 5000 and up, and that you open a minimum of 15 to 20 ports.
10. Follow steps 6 through 9 to add another key for Internet, by using the following values:
    Value: PortsInternetAvailable
    Data Type: REG_SZ
    Data: Y
    This signifies that the ports listed under the Ports value are to be made Internet-available.
11. Follow steps 6 through 9 to add another key for Internet, by using the following values:
    Value: UseInternetPorts
    Data Type: REG_SZ
    Data: Y
    This signifies that RPC should dynamically assign ports from the list of Internet ports.
12. Configure your firewall to allow incoming access to the specified dynamic ports and to port 135 (the RPC Endpoint Mapper port).
13. Restart the computer. When RPC restarts, it will assign incoming ports dynamically, based on the registry values that you have specified. For example, to open ports 5000 through 5020 inclusive, create the following named values:
    Ports : REG_MULTI-SZ : 5000-5020
    PortsInternetAvailable : REG_SZ : Y
    UseInternetPorts : REG_SZ : Y

DTC also requires that you are able to resolve computer names by way of NetBIOS or DNS. You can test whether or not NetBIOS can resolve the names by using ping and the server name. The client computer must be able to resolve the name of the server, and the server must be be able to resolve the name of the client. If NetBIOS cannot resolve the names, you can add entries to the LMHOSTS files on the computers.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: For more information about LMHOSTS files, click the following article number to view the article in the Microsoft Knowledge Base:

For more information concerning using DCOM and RPC with firewalls, consult the white paper by Michael Nelson, "Using Distributed COM with Firewalls," which is available at the following Microsoft Web site: