The large range of ports used by dynamic RPC can pose a problem when allowing communication through a firewall. In most cases, opening roughly 16,000 ports in the firewall to let some application traffic through is not feasible. So if IPsec is not a possible solution, the port range can instead be limited to a much smaller number (several hundred ports rather than thousands).
The following information describes the process for restricting the port range used by dynamic RPC. These registry changes must be made on the System Center Data Protection Manager (DPM) server and on the protected servers on the other side of the firewall. Limiting the port range affects ALL RPC traffic that uses dynamic ports, not just DPM. Depending on the applications in use, the number of ports needed may change, and it is possible for the range to become too small as more protected servers and other applications are added. This solution is only recommended when others, such as IPsec, are not possible.
Since Windows Vista and Windows Server 2008, the dynamic port range has been 49152-65535 (earlier versions used 1025-5000). The way to configure this is to determine the number of ports needed, configure the registry, reboot the machines, and configure the firewall.
First pick the port range
When determining the number of ports to use, the recommended formula is:
Ports needed = at least 100 + (PS * 10), where PS = number of protected servers.
A DPM server protecting 10 servers needs 200 ports at a minimum. Note that all protected servers are included in the port calculation, not just the ones on the other side of the firewall. This configuration limits the ports for all dynamic RPC traffic on the DPM server.
Implement the port range
The example below allocates a range starting at 50100 (50100-50300, which is 201 ports inclusive, just over the 200 computed above). This is done on the DPM server and on the protected servers on the other side of the firewall.
Edit the registry
First add a key named Internet under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc, so that the full path is HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet.
In this new key add the following values:
Name: Ports Type: REG_MULTI_SZ Value: 50100-50300
Name: PortsInternetAvailable Type: REG_SZ Value: Y
Name: UseInternetPorts Type: REG_SZ Value: Y
Reboot the machine afterwards; the RPC runtime only reads these values when it starts.
Configure the firewall
Allow inbound TCP traffic on ports 50100-50300 through the firewall. Do this in addition to the other required ports; in particular the RPC endpoint mapper on TCP 135 must remain open, since clients query it to learn which port in the restricted range a service is listening on.
These registry settings are covered in KB 154596, How to configure RPC dynamic port allocation to work with firewalls. The port ranges for 2008 are in KB 929851, The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008.
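The procedure above as a PowerShell helper. This is an added example written for this page, not code from the original post or from the DPM product: it sizes the range with the post's formula, writes the three RPC\Internet values described in KB 154596, opens the range in Windows Firewall, and reads the registry back to confirm. Run it elevated on the DPM server and on every protected server behind the firewall, then reboot. The function names, the firewall rule name and the default start port are this example's own choices; the netsh branch is there because Windows Server 2008 / 2008 R2 do not ship the NetSecurity cmdlets.

```powershell
# Added example (not part of the original post): apply the restricted RPC
# dynamic port range from the post and verify it. Run elevated, then reboot.
$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcPortRange {
    # Post's formula: at least 100 + 10 per protected server (count ALL of
    # them, not only those across the firewall). Returns an inclusive range.
    param([Parameter(Mandatory)][int]$ProtectedServers, [int]$StartPort = 50100)
    $count = 100 + (10 * $ProtectedServers)
    $end   = $StartPort + $count - 1            # inclusive end, so exactly $count ports
    if ($StartPort -lt 49152 -or $end -gt 65535) {
        throw "Range $StartPort-$end is outside the 49152-65535 dynamic range."
    }
    [pscustomobject]@{ Start = $StartPort; End = $end; Count = $count }
}

function Set-RpcPortRange {
    # Writes the KB 154596 values. Ports is REG_MULTI_SZ (one range or single
    # port per string); the two flags are REG_SZ "Y".
    param([Parameter(Mandatory)][int]$Start, [Parameter(Mandatory)][int]$End)
    $range = "$Start-$End"
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    Set-ItemProperty -Path $RpcInternetKey -Name Ports                  -Type MultiString -Value @($range)
    Set-ItemProperty -Path $RpcInternetKey -Name PortsInternetAvailable -Type String      -Value 'Y'
    Set-ItemProperty -Path $RpcInternetKey -Name UseInternetPorts       -Type String      -Value 'Y'
}

function Open-RpcPortRange {
    # Inbound TCP allow for the restricted range only. The other DPM ports,
    # including the RPC endpoint mapper on TCP 135, must already be open.
    param([Parameter(Mandatory)][int]$Start, [Parameter(Mandatory)][int]$End,
          [string]$RuleName = 'DPM-RPC-DynamicPorts')   # illustrative rule name
    $range = "$Start-$End"
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows Server 2012 and later: NetSecurity module is available.
        Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $range -Action Allow | Out-Null
    } else {
        # Windows Server 2008 / 2008 R2: fall back to netsh advfirewall.
        & netsh advfirewall firewall delete rule name=$RuleName | Out-Null
        & netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
            protocol=TCP localport=$range | Out-Null
    }
}

function Test-RpcPortRange {
    # Read the values back and confirm all three are set as KB 154596 describes.
    # Note: the TCP ephemeral range (netsh int ipv4 show dynamicport tcp) is a
    # separate setting; non-RPC listeners above 49151 are not governed by this key.
    param([Parameter(Mandatory)][int]$Start, [Parameter(Mandatory)][int]$End)
    $p  = Get-ItemProperty -Path $RpcInternetKey -ErrorAction Stop
    $ok = ($p.Ports -contains "$Start-$End") -and
          ($p.PortsInternetAvailable -eq 'Y') -and
          ($p.UseInternetPorts -eq 'Y')
    [pscustomobject]@{ Ports = ($p.Ports -join ','); Configured = $ok }
}

# Usage: ten protected servers -> 200 ports, 50100-50299.
$r = Get-RpcPortRange -ProtectedServers 10
Set-RpcPortRange  -Start $r.Start -End $r.End
Open-RpcPortRange -Start $r.Start -End $r.End
Test-RpcPortRange -Start $r.Start -End $r.End
Write-Host "Reboot for the RPC port range $($r.Start)-$($r.End) to take effect."
```

The end port is computed as start + count - 1 so the range holds exactly the number of ports the formula asks for; the post's own example, 50100-50300, is one port wider than that. Re-run Test-RpcPortRange after the reboot on each machine, and remember that any other application using dynamic RPC on those hosts is now confined to the same range.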
Steve Light | Senior Support Escalation Engineer
Excellent reference. I've updated my blog post on configuring SCDPM to protect Forefront TMG 2010 firewalls.
DPM needs some sort of RPC proxy, like Exchange. This is such a huge pain to have to configure and deploy to every single server just so that a secondary DPM server in the cloud we have deployed can back up resources from the primary server.