How to configure RPC dynamic port allocation to work with firewalls (154596)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0
This article was previously published under Q154596
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

Remote Procedure Call (RPC) dynamic port allocation is used by remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port above 1024.

Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (TCP) ports.

The following registry entries apply to Windows NT 4.0 and above. They do not apply to previous versions of Windows NT. Even though you can configure the port used by the client to communicate with the server, the client must be able to reach the server by its actual IP address. You cannot use DCOM through firewalls that do address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server's actual address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.

For more information, see the Microsoft white paper Using Distributed COM with Firewalls. To do this, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

MORE INFORMATION

The values (and Internet key) discussed below do not appear in the registry; they must be added manually using the Registry Editor. Also, note that you must use Regedt32.exe instead of Regedit.exe to add the REG_MULTI_SZ value.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Key Data Type

Ports REG_MULTI_SZ

Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by 5984, and a set of ports may be represented by 5000-5100. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.

PortsInternetAvailable REG_SZ Y or N (not case-sensitive)

If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.

UseInternetPorts REG_SZ ) Y or N (not case-sensitive

Specifies the system default policy.

If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.

If N, the processes using the default will be assigned ports from the set of intranet-only ports.

Example:
  1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).

    In this example ports 5000 through 5100 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. For example, the new registry key appears as follows:

    Ports: REG_MULTI_SZ: 5000-5100
    PortsInternetAvailable: REG_SZ: Y
    UseInternetPorts: REG_SZ: Y

  3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 5100, inclusive. In most environments, a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.

Note The minimum number of ports may differ from computer to computer and depends on the configuration of the computer.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

167128 Network ports used by remote helpdesk functions

179442 How to configure a firewall for domains and trusts

263293 Windows 2000 NAT does not translate Netlogon traffic

172227 Network Address Translators (NATs) can block Netlogon traffic

319553 How to restrict FRS replication traffic to a specific static port

If you use Windows Server 2003, you can use the RPC Configuration Tool (RPCCfg.exe) from the Windows Server 2003 Resource Kit to complete the process that is described in this article. To obtain the RPC Configuration Tool, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/rpccfg-o.asp

Modification Type:MinorLast Reviewed:5/23/2006
Keywords:kbDCOM kbhowto kbnetwork KB154596 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.