How to configure RPC dynamic port allocation to work with firewalls
Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports.
Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner.
As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of Server ports that are used in Windows and major Microsoft products can be found in Microsoft Knowledge Base article 832017.
For more information, click the following article number to view the article in the Microsoft Knowledge Base: 832017 Service overview and network port requirements for the Windows Server system.
The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers.
Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass.
IMPORTANT-: Use the method that is described in this article only if the RPC server does not offer a way to define the server port.
The following registry entries apply to Windows NT 4.0 and above. They do not apply to previous versions of Windows NT. Even though you can configure the port used by the client to communicate with the server, the client must be able to reach the server by its actual IP address. You cannot use DCOM through firewalls that do address translation (e.g. where a client connects to virtual address 22.214.171.124, which the firewall maps transparently to the server's actual address of, say, 126.96.36.199). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.
For more information, see the Microsoft white paper Using Distributed COM with Firewalls. To do this, visit the following Microsoft Web site:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
With Registry Editor, you can modify the following parameters for RPC. TheRPC Port key values discussed below are all located in the following key inthe registry:
For example, a single port may be represented by 5984, and a set of ports may be represented by 5000-5100. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.
In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
- Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
- Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
For example, the new registry key appears as follows:Ports: REG_MULTI_SZ: 5000-6000
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y
- Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive.
Note The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range.
WARNING:If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case:
Log Name: System
Event ID: 5820
The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.'
Article ID: 154596 - Last Review: 08/21/2014 06:45:00 - Revision: 21.0
- kbproductlink kbdcom kbhowto kbnetwork KB154596