DTC uses RPC...
An MS document describing how to set up RPC across a firewall:
How to configure RPC dynamic port allocation to work with firewalls
Article ID: 154596
Last Review: February 8, 2005
Revision: 5.1
This article was previously published under Q154596
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
Remote Procedure Call (RPC) dynamic port allocation is used by remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port above 1024.
Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (TCP) ports.
The following registry entries apply to Windows NT 4.0 and above. They do not apply to previous versions of Windows NT. Even though you can configure the port used by the client to communicate with the server, the client must be able to reach the server by its actual IP address. You cannot use DCOM through firewalls that do address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server's actual address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work.
For more information see the following Microsoft white paper, "Using Distributed COM with Firewalls":
MORE INFORMATION
The values (and Internet key) discussed below do not appear in the registry; they must be added manually using the Registry Editor. Also, note that you must use Regedt32.exe instead of Regedit.exe to add the REG_MULTI_SZ value.
You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
Ports (REG_MULTI_SZ)
Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports (for example, "5000-5050" "5984"). If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC run-time treats the entire configuration as invalid.
PortsInternetAvailable (REG_SZ): Y or N (not case-sensitive)
If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.
UseInternetPorts (REG_SZ): Y or N (not case-sensitive)
Specifies the system default policy.
If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.
If N, the processes using the default will be assigned ports from the set of intranet-only ports.
Example:
1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ). In this example, use ports 5000 through 5020 inclusive, so the new registry key appears as follows:
   Ports: REG_MULTI_SZ: 5000-5020
   PortsInternetAvailable: REG_SZ: Y
   UseInternetPorts: REG_SZ: Y
3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 5020, inclusive. In most environments, a minimum of 20 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
Note The minimum number of ports may differ from computer to computer and depends on the configuration of the computer. For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
167128 Network ports used by remote helpdesk functions
179442 How to configure a firewall for domains and trusts
263293 Windows 2000 NAT does not translate Netlogon traffic
172227 Network Address Translators (NATs) can block Netlogon traffic
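The following is an added example, not part of the Microsoft article: a Python check that parses a Ports value by the rules above, works out which ports the default policy hands out, and compares that pool with the TCP ports a firewall forwards for RPC. The function names, the min_ports parameter (the article mentions both 100 and 20 as minimums) and the choice of 1025-65535 as the set of dynamic ports are assumptions made for the example.

```python
import re

SPEC = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)
DYNAMIC = set(range(1025, 65536))  # assumption: dynamic ports are those above 1024

def parse_ports(entries):
    """Expand Ports strings ("5000-5020", "5984") into a set of port numbers.
    As the article states, one bad string invalidates the whole configuration."""
    ports = set()
    for entry in entries:
        m = SPEC.fullmatch(entry.strip())
        if not m:
            raise ValueError(f"cannot interpret {entry!r}")
        lo, hi = int(m[1]), int(m[2] or m[1])
        if not lo <= hi <= 65535:
            raise ValueError(f"out of range: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports

def flag(value):
    """Read a Y/N value (not case-sensitive)."""
    v = value.strip().upper()
    if v not in ("Y", "N"):
        raise ValueError(f"expected Y or N, got {value!r}")
    return v == "Y"

def default_ports(ports, ports_internet_available, use_internet_ports):
    """Ports that processes using the system default policy can be assigned."""
    listed = parse_ports(ports)
    internet = listed if flag(ports_internet_available) else DYNAMIC - listed
    return internet if flag(use_internet_ports) else DYNAMIC - internet

def audit(cfg, forwarded, min_ports=100):
    """Compare the default pool with the TCP ports the firewall forwards for RPC."""
    pool = default_ports(cfg["Ports"], cfg["PortsInternetAvailable"], cfg["UseInternetPorts"])
    findings = []
    if pool - forwarded:
        findings.append(f"{len(pool - forwarded)} pool ports are not forwarded")
    if forwarded - pool:
        findings.append(f"{len(forwarded - pool)} forwarded ports are outside the pool")
    if len(pool) < min_ports:
        findings.append(f"pool has {len(pool)} ports, fewer than {min_ports}")
    if any(p < 5000 for p in pool):
        findings.append("pool includes ports below 5000")
    return findings

# Constructed sample: the article's example values and a firewall forwarding the same range.
EXAMPLE = {"Ports": ["5000-5020"], "PortsInternetAvailable": "Y", "UseInternetPorts": "Y"}
FORWARDED = set(range(5000, 5021))

if __name__ == "__main__":
    print(audit(EXAMPLE, FORWARDED, min_ports=20))
```

A finding about forwarded ports outside the pool points at firewall openings that RPC dynamic allocation will never use and that can be closed.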
If you use Windows Server 2003, you can use the Rpccfg utility from the Windows Server 2003 Resource Kit to complete the process that is described in this article.