Whitelisting RPC dynamic ports


OS: Win Srv 2012 R2 and Win Srv 2016

Hello,

I am quite confounded with the following:

We get the following error when trying to execute certain commands and see the same error in Event Viewer for certain processes:

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

I found these resources from Microsoft:

https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

https://support.microsoft.com/en-gb/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls

As I understand the documentation and basic port behaviour, let's exemplify with the following command:

Get-WmiObject Win32_ComputerSystem -ComputerName Host-B

and I am on "Host-A" querying Host-B.

Host-A sends the request to Host-B using an ephemeral source port ("X") above 1024 and TCP 135 as the destination port.

Host-B then responds to Host-A using another ephemeral port ("Y") to another ephemeral port (which is not the same as the destination) on Host-A ("Z").

I am trying to figure out how to:

1) Get rid of those errors, which I've solved by whitelisting TCP 135 and TCP 49152-65535; however, that range is huge and I want to reduce the scope of the ports I need to open, which leads me to question no. 2.

2) In order to reduce the scope, I read that you could force RPC to use certain ports using regedit, but when I tried it (albeit on Win Srv 2016) it did not work; I still see traffic on other ports than the ones I restricted it to via regedit.

Now I might be quite tired, but as long as a session is initiated (let's say on TCP 135), then all the following communication within that session, regardless of ephemeral ports, should be good to go without any specific firewall rules, but I guess that RPC behaves quite differently.

Outgoing firewall rules should be good, Windows Firewall is disabled.

Would be grateful for assistance / TheSwede86

asked on Super User May 14, 2018 by TheSwede86
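The registry approach from KB154596 that the question refers to, as an added example (not the asker's own steps): it pins RPC dynamic endpoints to a narrow range under `HKLM\SOFTWARE\Microsoft\Rpc\Internet`, mirrors that range in a scoped inbound firewall rule, and after the required reboot lists listeners that fall outside 135 and the range, so a service that ignores the setting shows up with its owning process rather than as an unexplained "RPC server is unavailable" error. The range 5000-5100 and the rule name are assumed example values; run elevated on the server being queried (Host-B).

```powershell
# Added example, not from the original question. Pins RPC dynamic endpoints to a
# small range (KB154596 registry values) and verifies the result after reboot.
# Assumed values: range 5000-5100, rule name 'RPC dynamic (restricted)'.

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$start  = 5000
$end    = 5100
$range  = "$start-$end"

# 1) Registry: Ports is REG_MULTI_SZ; the two flags are REG_SZ "Y".
#    A reboot is required before RPC services pick up the new range.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($range) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# 2) Firewall: allow only the endpoint mapper plus the pinned range inbound,
#    instead of the whole 49152-65535 block. (Only matters where Windows
#    Firewall is on; a network firewall gets the same two rules.)
New-NetFirewallRule -DisplayName 'RPC endpoint mapper' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'RPC dynamic (restricted)' -Direction Inbound `
    -Protocol TCP -LocalPort $range -Action Allow | Out-Null

# 3) Verification (run after the reboot): every TCP listener that is neither 135
#    nor inside the pinned range, with its owning process. Anything RPC-related
#    here is a service that still needs its own rule or its own fixed port.
function Get-ListenersOutsideRange {
    param([int]$Start = 5000, [int]$End = 5100)
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ne 135 -and
                       ($_.LocalPort -lt $Start -or $_.LocalPort -gt $End) } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Pid     = $_.OwningProcess
                Process = $p.ProcessName
            }
        } | Sort-Object Port -Unique
}

Get-ListenersOutsideRange -Start $start -End $end | Format-Table -AutoSize
```

Re-run step 3 while reproducing the failing query (for example the `Get-WmiObject` call from Host-A) to confirm the responding port actually lands inside the pinned range.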
