How to set up the System Recovery COM (DCOM) services to function through a Windows 2003 / 2008 / 2012 Firewall

Article: 100009191
Last Published: 2013-10-01
Product(s): System Recovery

Problem

How to set up the System Recovery COM (DCOM) services to function through a Windows 2003 / 2008 / 2012 Firewall

Solution

DCOM uses TCP port 135 (the RPC endpoint mapper) only to set up the session; the DCOM traffic itself is then carried on a port allocated dynamically from the RPC dynamic port range, which by default can be almost any high port. To keep a firewall in place and still allow DCOM requests, the RPC dynamic port allocation must be restricted to a defined range, and that range must be opened in the firewall in addition to port 135. Microsoft recommends that the restricted range contain at least 100 ports ( https://support.microsoft.com/kb/154596 ); the same minimum applies to System Recovery. Note that the restriction applies to every RPC-based service on the server, not only to System Recovery, so the chosen range must also be large enough for the other RPC services running on the host.

Creating the registry values:
-- Use Registry Editor (regedt32 / regedit) to create the REG_MULTI_SZ and REG_SZ values below (note: create a backup of the registry before proceeding)

1. Navigate to registry key: (the registry key may need to be created)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet

2. Create the following three values under that key
Ports
REG_MULTI_SZ
Value: one port range per line, for example 7001-7200 (a single port may also be entered on a line of its own)

PortsInternetAvailable
REG_SZ
Value: Y

UseInternetPorts
REG_SZ
Value: Y
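The same registry change can be scripted on Windows Server 2008 / 2012. The script below is an added example and is not part of the original article or of the System Recovery product: it assumes an elevated PowerShell prompt, uses the article's example range 7001-7200 as its defaults, and picks a backup file location of its own. The reg.exe /y switch it uses does not exist on Windows Server 2003, where Registry Editor should be used as described above.

```powershell
# Added example, not part of the original article: write the RPC/DCOM port
# restriction described above from an elevated PowerShell prompt on Windows
# Server 2008 / 2012, after backing up the key and sanity-checking the range.
# A reboot is still required for the RPC runtime to pick the values up.
param(
    [int]$StartPort = 7001,   # the article's example range
    [int]$EndPort   = 7200,
    [string]$BackupFile = "$env:SystemDrive\Rpc-Internet-backup.reg"   # assumed location
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$Count   = $EndPort - $StartPort + 1

# KB 154596: at least 100 ports; stay above the well-known port range.
if ($StartPort -lt 1024 -or $EndPort -gt 65535 -or $Count -lt 100) {
    throw "Range $StartPort-$EndPort is invalid: need at least 100 ports between 1024 and 65535."
}

# Back up the parent key first (reg.exe export; /y overwrites an existing file).
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Rpc' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)." }

# The Internet key normally does not exist until someone restricts the range.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Ports is REG_MULTI_SZ with one "start-end" (or single port) entry per line;
# the two switches are REG_SZ and must both be Y for the range to be enforced.
New-ItemProperty -Path $KeyPath -Name 'Ports' -PropertyType MultiString `
    -Value @("$StartPort-$EndPort") -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'UseInternetPorts'       -PropertyType String -Value 'Y' -Force | Out-Null

# Read the values back so the result is visible before rebooting.
Get-ItemProperty -Path $KeyPath |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts |
    Format-List
Write-Host "RPC dynamic ports restricted to $StartPort-$EndPort ($Count ports); backup in $BackupFile. Reboot to apply."
```

Save the script as a .ps1 file and run it as Administrator; to restore the previous state, import the backup file with reg.exe and reboot again.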


To restrict the DCOM port range and open it in the firewall on Windows Server 2008 / 2012:

1. Add the required port range as follows (Component Services writes the same Ports, PortsInternetAvailable and UseInternetPorts values under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet that are described above):

  • Click Start, Administrative Tools, Component Services.
  • Expand Component Services, Computers.
  • Right-click My Computer and select Properties.
  • Click the Default Protocols tab.
  • Select Connection-oriented TCP/IP, and click Properties.
  • Use the Add button to add the required port range, for example, "49153-49453".
    Choose ports from the 49152 - 65535 range (the default dynamic port range on Windows Server 2008 / 2012) and make sure the range contains at least 300 ports; the example range covers 301.
    Leave all other settings at their default values.

2. Create the required firewall rules:

  • Click Start, Administrative Tools, Windows Firewall with Advanced Security.
  • Click Inbound Rules, and check that the built-in "COM+ Network Access (DCOM-In)" rule is enabled.
  • Create an inbound rule for TCP Port 135, if one does not exist.
  • Create an inbound rule of type Port. Select TCP and specify the port range that you used in step 1.
  • Create another inbound rule of type Port. Select UDP and specify the port range that you used in step 1.

Reboot the server so that the RPC runtime picks up the new port range. System Recovery should now be able to communicate with the firewall turned on.
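Step 2 can also be scripted with netsh advfirewall on Windows Server 2008 / 2012. The following is an added example, not code from the original article or from System Recovery: the rule-name prefix "System Recovery DCOM", the default range 49153-49453 and the RemoteIP parameter are its own assumptions. RemoteIP is worth setting: the article's rules accept DCOM from any address, whereas limiting remoteip to the address of the System Recovery management console keeps the 300 newly opened ports reachable only from where they are needed.

```powershell
# Added example, not part of the original article: create the step 2 inbound
# rules on Windows Server 2008 / 2012 with netsh advfirewall, from an elevated
# PowerShell prompt. The range must be the one entered in Component Services.
param(
    [int]$StartPort   = 49153,   # the article's example range
    [int]$EndPort     = 49453,
    [string]$RemoteIP = 'any'    # assumed parameter; tighten to the console's address, e.g. '192.0.2.10'
)

$Range  = "$StartPort-$EndPort"
$Prefix = 'System Recovery DCOM'   # assumed rule-name prefix

function Invoke-Netsh {
    # Run netsh with the given arguments; netsh signals failure through its exit code.
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $out" }
    $out
}

# Built-in DCOM rule: enable it if it is present. If netsh finds no such rule we
# only warn, because the explicit rules below open the required ports anyway.
try {
    Invoke-Netsh @('advfirewall','firewall','set','rule','name=COM+ Network Access (DCOM-In)','new','enable=yes') | Out-Null
} catch {
    Write-Warning "Could not enable 'COM+ Network Access (DCOM-In)': $_"
}

# Explicit rules: TCP 135 (endpoint mapper) plus the restricted range over TCP and UDP.
$Rules = @(
    @{ Name = "$Prefix TCP 135";    Protocol = 'TCP'; Port = '135'  },
    @{ Name = "$Prefix TCP $Range"; Protocol = 'TCP'; Port = $Range },
    @{ Name = "$Prefix UDP $Range"; Protocol = 'UDP'; Port = $Range }
)

foreach ($r in $Rules) {
    # "add rule" happily creates duplicates, so skip rules that already exist
    # ("show rule" exits non-zero when no rule matches the name).
    $exists = $true
    try { Invoke-Netsh @('advfirewall','firewall','show','rule',"name=$($r.Name)") | Out-Null } catch { $exists = $false }
    if ($exists) { Write-Host "Rule '$($r.Name)' already exists; skipping."; continue }

    Invoke-Netsh @('advfirewall','firewall','add','rule',
                   "name=$($r.Name)", 'dir=in', 'action=allow', 'profile=any',
                   "protocol=$($r.Protocol)", "localport=$($r.Port)", "remoteip=$RemoteIP") | Out-Null
    Write-Host "Added inbound rule '$($r.Name)' ($($r.Protocol) $($r.Port), remote address $RemoteIP)."
}

# Show the resulting rules for review.
foreach ($r in $Rules) { Invoke-Netsh @('advfirewall','firewall','show','rule',"name=$($r.Name)") }
```

Run the script as Administrator, then reboot as the article instructs so that the registry port range from step 1 takes effect.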


To open the ports in the firewall on Windows Server 2003 (batch file):

1. Create a batch file that opens TCP port 135 and every port of the range entered in the Ports registry value above. The Windows Server 2003 firewall (netsh firewall) has no port-range syntax, so each port needs its own command; a FOR /L loop generates them.
Format to use (for the example range 7001-7200):
@echo off
rem TCP 135: RPC endpoint mapper, needed for the initial DCOM connection
netsh firewall set portopening TCP 135 "DCOM Port 135"
rem one portopening entry per port of the restricted range (7001-7200 in this example)
for /L %%p in (7001,1,7200) do netsh firewall set portopening TCP %%p "DCOM Port %%p"

2. Execute the batch file as a member of the local Administrators group


To view firewall settings on Windows Server 2003:
1. Open a Command Prompt and enter:
netsh firewall show state verbose=enable
(The netsh firewall context is the Windows Server 2003 firewall; Windows Server 2008 / 2012 use the netsh advfirewall context instead.)
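One way to check, after the reboot, that the registry range and the firewall rules actually agree, added here as an example and not part of the original article. It assumes Windows Server 2008 / 2012 (the netsh advfirewall context, with English-language netsh output, since it parses that text) and the registry values described above, and it honours the Any, RPC and RPC-EPMap port keywords that some built-in rules use in place of numeric ports.

```powershell
# Added example, not part of the original article: after the reboot, confirm that
# every port of the restricted RPC range (and TCP 135) is allowed inbound by an
# enabled Windows Firewall rule. Assumes Windows Server 2008 / 2012 and English
# netsh output.
$Key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction Stop
if ($Key.UseInternetPorts -ne 'Y' -or $Key.PortsInternetAvailable -ne 'Y') {
    Write-Warning 'UseInternetPorts and PortsInternetAvailable must both be Y; the port range is not enforced.'
}

function Get-AllowedLocalPorts {
    # LocalPort entries of every enabled inbound Allow rule for the given protocol.
    param([string]$Protocol)
    $text  = (& netsh.exe advfirewall firewall show rule name=all dir=in) -join "`n"
    $specs = @()
    foreach ($block in ($text -split "`n\s*`n")) {      # one rule per blank-line-separated block
        if ($block -match 'Enabled:\s+Yes' -and
            $block -match 'Action:\s+Allow' -and
            $block -match "Protocol:\s+$Protocol\b" -and
            $block -match 'LocalPort:\s+(.+)') {
            $specs += ($Matches[1] -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    $specs
}

function Test-PortCovered {
    # Does any LocalPort spec (Any, RPC-EPMap, a single port or a start-end range) cover $Port?
    param([int]$Port, [string[]]$Specs)
    foreach ($spec in $Specs) {
        switch -Regex ($spec) {
            '^Any$'         { return $true }
            '^RPC-EPMap$'   { if ($Port -eq 135) { return $true } }
            '^(\d+)-(\d+)$' { if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true } }
            '^\d+$'         { if ([int]$spec -eq $Port) { return $true } }
        }
    }
    return $false
}

$Tcp = Get-AllowedLocalPorts -Protocol TCP
$Udp = Get-AllowedLocalPorts -Protocol UDP

if (Test-PortCovered -Port 135 -Specs $Tcp) { Write-Host 'TCP 135 (endpoint mapper): allowed inbound.' }
else { Write-Warning 'TCP 135 is not allowed inbound; DCOM session setup will fail.' }

foreach ($range in $Key.Ports) {                         # REG_MULTI_SZ, e.g. "7001-7200"
    if ($range -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2] }
    else { Write-Warning "Unexpected Ports entry '$range'; skipping."; continue }

    foreach ($proto in 'TCP','UDP') {
        $specs = if ($proto -eq 'TCP') { $Tcp } else { $Udp }
        # The RPC keyword means "all dynamic RPC ports", which covers the range by definition.
        if ($specs -contains 'RPC') { Write-Host "$proto ${lo}-${hi}: covered by an RPC dynamic-port rule."; continue }
        $missing = @($lo..$hi | Where-Object { -not (Test-PortCovered -Port $_ -Specs $specs) })
        if ($missing.Count -eq 0) { Write-Host "$proto ${lo}-${hi}: all $($hi - $lo + 1) ports allowed inbound." }
        else { Write-Warning "$proto ${lo}-${hi}: $($missing.Count) ports not allowed inbound, first is $($missing[0])." }
    }
}
```

A warning for the UDP range is harmless if only the TCP rule was created deliberately; a warning for TCP 135 or the TCP range means System Recovery's DCOM connections will be dropped by the firewall.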
