How to setup the System Recovery COM (DCOM) services to function through a Windows Firewall

Article ID: 100009191

Resolution

DCOM requires TCP port 135 for the initial session setup (the RPC endpoint mapper); after that, any available dynamic port is used to handle DCOM requests. To keep a firewall in place while still allowing DCOM, the DCOM ports must be restricted to a defined range of port numbers, and those additional ports must be opened in the firewall. Microsoft recommends restricting DCOM to a range of at least 100 ports (https://support.microsoft.com/kb/154596). We recommend the same minimum for System Recovery.

Creating the registry keys:
-- Use regedt32 to create the REG_MULTI_SZ value (note: create a backup of the system registry before proceeding)

1. Navigate to registry key: (the registry key may need to be created)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet

2. Create the following three values under that key:
Ports
REG_MULTI_SZ
Value: (Example: 7001-7200)

PortsInternetAvailable
REG_SZ
Value: Y

UseInternetPorts
REG_SZ
Value: Y


To automate opening of the ports in the firewall on Windows Server/Client

1. Add the required port range as follows:

  • Click Start, Administrative Tools, Component Services.
  • Expand Component Services, Computers.
  • Right-click My Computer and select Properties.
  • Click the Default Protocols tab.
  • Select Connection-oriented TCP/IP, and click Properties.
  • Use the Add button to add the required port range, for example, "49153-49453".
    You can choose any ports between 49152 - 65535. Ensure that you have at least 300 ports available.
    Leave all other settings with default values.

2. Create the required firewall rules:

  • Click Start, Administrative Tools, Windows Firewall with Advanced Security.
  • Click Inbound Rules, and check that "COM+ network access (DCOM-In)" is enabled.
  • Create an inbound rule for TCP Port 135, if one does not exist.
  • Create an inbound rule of type Port. Select TCP and specify the port range that you used in step 1.
  • Create another inbound rule of type Port. Select UDP and specify the port range that you used in step 1.

Reboot the server. Configure the firewall for these port settings. System Recovery should now be able to communicate with the firewall turned on.
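The same configuration can be applied from an elevated PowerShell session instead of through the Component Services and Windows Firewall consoles. The script below is an added example and is not part of the original article or of the System Recovery product; it assumes the article's example range 49153-49453, it invents its own firewall rule names (any names will do), and it limits the rules to the Domain and Private profiles as a defensive default that the article itself does not prescribe. The Component Services "Default Protocols" dialog writes to the same HKLM\SOFTWARE\Microsoft\Rpc\Internet key described in the "Creating the registry keys" section, so setting those values directly is equivalent to step 1.

```powershell
# Added example (not from the original article): restrict DCOM/RPC to a fixed
# port range and open that range in Windows Firewall. Run as Administrator.
#Requires -RunAsAdministrator

$PortRange = '49153-49453'   # assumption: the article's example range; adjust as needed
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Back up the key before changing it, as the article advises.
$backup = Join-Path $env:TEMP ('Rpc-Internet-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
if (Test-Path $RpcKey) {
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Rpc\Internet' $backup /y | Out-Null
    Write-Host "Registry backup written to $backup"
}

# 1. Registry values: the equivalent of the Component Services "Default Protocols" dialog.
New-Item -Path $RpcKey -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -PropertyType String -Value 'Y' -Force | Out-Null

# 2. Firewall rules: TCP 135 for the endpoint mapper, then the restricted range over TCP and UDP.
#    The DisplayName values are this example's own choice (assumption), not product-defined names.
$rules = @(
    @{ DisplayName = 'System Recovery - RPC Endpoint Mapper (TCP 135)'; Protocol = 'TCP'; LocalPort = 135 }
    @{ DisplayName = 'System Recovery - DCOM port range (TCP)';         Protocol = 'TCP'; LocalPort = $PortRange }
    @{ DisplayName = 'System Recovery - DCOM port range (UDP)';         Protocol = 'UDP'; LocalPort = $PortRange }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.LocalPort -Profile Domain,Private | Out-Null
    }
}

# Ensure the built-in COM+ rule the article refers to is enabled.
Get-NetFirewallRule -DisplayName 'COM+ Network Access (DCOM-In)' -ErrorAction SilentlyContinue |
    Enable-NetFirewallRule

# 3. Verify what was written: the registry values and each rule's port filter.
Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Get-NetFirewallRule -DisplayName 'System Recovery - *' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort

Write-Host 'Reboot the server for the RPC port restriction to take effect.'
```

A reboot is still required after the script runs, because the RPC runtime reads the Ports value at startup. If the System Recovery management traffic only ever comes from a known set of hosts, adding -RemoteAddress with those addresses to New-NetFirewallRule narrows the exposed surface further than the article's port-only rules.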


To view firewall settings:
1. Open a Command Prompt and enter:
netsh firewall show state verbose=enable
