How to limit dynamic RPC ports used by DPM and protected servers - System Center: Data Protection Manager Engineering Team Blog - TechNet Blogs

How to limit dynamic RPC ports used by DPM and protected servers


The large range of ports used by dynamic RPC can pose a problem when you need to allow DPM traffic through a firewall. In most cases, opening roughly 16,000 ports (the whole default dynamic range) to let one application through is not acceptable. If IPsec is not an option, the alternative is to limit the dynamic RPC port range to a much smaller number (a few hundred ports rather than thousands) and open only that range.

The following information describes how to restrict the port range used by dynamic RPC. The registry changes must be made on the System Center Data Protection Manager (DPM) server and on every protected server on the other side of the firewall. Limiting the range affects ALL RPC traffic that uses dynamic ports on that machine, not just DPM, so the number of ports needed depends on every application running there. As more protected servers and other RPC-based applications are added, a range that was adequate can become too small, and RPC endpoint registration will start to fail. This solution is only recommended when others, such as IPsec, are not possible.

More Information

Starting with Windows Vista and Windows Server 2008, the default dynamic port range is 49152 - 65535 (earlier versions used 1025 - 5000). The procedure is: determine the number of ports needed, configure the registry, reboot the machines, and then configure the firewall.

First pick the port range
When determining the number of ports to allocate, the recommended formula is:

Minimum ports = 100 + (10 x PS), where PS is the number of Protected Servers.

For example, a DPM server protecting 10 servers needs 100 + (10 x 10) = 200 ports at a minimum. Note that all protected servers are included in the calculation, not just the ones on the other side of the firewall, because this configuration limits the ports for all dynamic RPC traffic on the DPM server.

Implement the port range
The example below allocates the range 50100-50300 (201 ports, since both ends are inclusive), which covers the 200-port minimum calculated above. This is done on the DPM server and on the protected servers on the other side of the firewall.

Edit the registry

First add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.

In this new key add the following values:

Name: Ports
Type: MULTI_SZ
Value: 50100-50300

Name: PortsInternetAvailable
Type: REG_SZ
Value: Y

Name: UseInternetPorts
Type: REG_SZ
Value: Y

REBOOT

Configure the firewall

Allow inbound TCP traffic on ports 50100-50300 through the firewall. Do this in addition to the other ports DPM requires; in particular, the RPC endpoint mapper on TCP port 135 must remain reachable, because clients query it to learn which port in the restricted range a given RPC service is listening on.
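The whole procedure above (size the range, create the RPC\Internet key and its three values, open the range in the firewall) as a single PowerShell script. This is an added example, not code from the original post or from the DPM product; the number of protected servers (10), the starting port (50100) and the firewall rule name are assumptions chosen to match the worked example in the text. Run it elevated on the DPM server and on each protected server behind the firewall, then reboot.

```powershell
# Added example (not from the original post). Applies the post's RPC\Internet
# registry settings and a matching Windows Firewall rule on the local machine.
# Assumptions: 10 protected servers, range starting at 50100, rule name below.
param(
    [int]$ProtectedServers = 10,          # assumed count for illustration
    [int]$StartPort        = 50100,       # assumed starting port
    [string]$RuleName      = 'DPM dynamic RPC ports'   # assumed rule name
)

# Sizing formula from the post: at least 100 ports plus 10 per protected server.
$PortCount = 100 + ($ProtectedServers * 10)
$EndPort   = $StartPort + $PortCount - 1           # inclusive upper bound
if ($StartPort -lt 1024 -or $EndPort -gt 65535) {
    throw "Range $StartPort-$EndPort is outside the usable port space"
}
$Range = "$StartPort-$EndPort"                     # e.g. 50100-50299

# 1. Registry: HKLM\SOFTWARE\Microsoft\Rpc\Internet with Ports (REG_MULTI_SZ),
#    PortsInternetAvailable (REG_SZ 'Y') and UseInternetPorts (REG_SZ 'Y').
$Key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $Key)) {
    New-Item -Path $Key -Force | Out-Null
}
New-ItemProperty -Path $Key -Name 'Ports' -PropertyType MultiString `
    -Value @($Range) -Force | Out-Null
New-ItemProperty -Path $Key -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $Key -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# 2. Firewall: dynamic RPC endpoints run over TCP. The endpoint mapper (TCP 135)
#    and the other DPM ports are handled by separate rules and are not touched here.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $Range -Action Allow | Out-Null
}

# 3. Show what was written so the change can be checked before rebooting.
Get-ItemProperty -Path $Key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Write-Host "RPC dynamic range set to $Range. Reboot for the setting to take effect."

# After the reboot, confirm that RPC services are listening inside the range
# (Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on 2008 use
# 'netstat -ano' and filter the output):
#   Get-NetTCPConnection -State Listen |
#       Where-Object { $_.LocalPort -ge $StartPort -and $_.LocalPort -le $EndPort } |
#       Select-Object LocalAddress, LocalPort, OwningProcess
```

Note that the script derives the upper bound as start + count - 1, so 10 protected servers give 50100-50299 (exactly 200 ports), whereas the post's hand-written range 50100-50300 is 201 ports; either is fine, but the firewall rule and the registry value must describe the same range on every machine, which is the main reason to generate both from one variable.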

Further details

These registry settings are covered in KB 154596, How to configure RPC dynamic port allocation to work with firewalls.
The port ranges for Windows Server 2008 are in KB 929851, The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008.
Note that the RPC\Internet key only restricts the ports that RPC services register with the endpoint mapper. It is separate from the operating system's TCP/IP ephemeral port range (the one shown and changed with netsh int ipv4 set dynamicport tcp, described in KB 929851), which outbound connections continue to use.

Steve Light | Senior Support Escalation Engineer

Comments (3)
  • Excellent reference. I've updated my blog post on configuring SCDPM to protect Forefront TMG 2010 firewalls.

    tmgblog.richardhicks.com/.../configuring-forefront-tmg-for-microsoft-system-center-data-protection-manager-dpm-2010

    Thanks!

  • DPM needs some sort of RPC proxy, like Exchange.  This is such a huge pain to have to configure and deploy to every single server just so that a secondary DPM server in the cloud we have deployed can back up resources from the primary server.

  • Hello,

    Thank you for your help.

    Do you have any idea about fixing this RPC port on Hyper-V servers?

    Is it dangerous or not?

    Thank you.

    Florent