I'd shy away from restricting the RPC port range. We tested that a while back 
and ended up rolling it all back. If you have quite a few machines, you will 
end up running out of ports on your domain controllers and other servers that 
talk a lot.

One other option is to have them open an unused port and run an IPSec tunnel 
between the two systems. Some security folks don't like IPSec as it completely 
negates the firewall that sits between the two systems and they can't inspect 
any of the traffic in the tunnel. It does, however, serve a purpose in certain 
scenarios.

Thanks,
James Massardo

From: [email protected] [mailto:[email protected]] On 
Behalf Of Jason Sandys
Sent: Tuesday, November 26, 2013 10:39 AM
To: [email protected]
Subject: [mssms] RE: Dynamic port config

You have two paths here:

- Restrict the RPC ports on the servers.

- Get some intelligent security people or send them to training. The 
number of ports open is irrelevant - port numbers are simply metadata 
associated with a stream and imply *nothing* about the traffic itself. As long 
as the traffic is locked down to the two endpoints, who cares what metadata is 
associated with the stream? These aren't physical holes and opening one is no 
different than opening many. Traffic is traffic is traffic - either it's 
allowed or it's not.
:)

From: [email protected] [mailto:[email protected]] On 
Behalf Of Frederic Le Royer
Sent: Tuesday, November 26, 2013 7:13 AM
To: [email protected]
Subject: [mssms] Dynamic port config

Hello,

I am currently struggling to get some Windows 2003 Std DPs to work and was 
wondering if anyone could give me some good pointers.

We have our primary site running Windows 2008 R2, and there is no actual 
firewall at the OS level, but there is one at the infrastructure level. When we 
did our first DP install on a remote Windows 2003 R2 Std server, I was getting 
some denies on the firewall for an RPC port (2842). I then asked to get the 
port opened and everything installed successfully. Yesterday I was transferring 
some packages to the DP and noticed Error = 0x800706BA in distmgr.log; after 
investigation with the network guys, the deny was this time on port 2450.

My question is: I can't have the whole low port range 1025-5000 open on the 
firewall, the security team will not allow this, so my best option is to 
specify a port range (1025-1125). How can I have this implemented as a 
permanent fix? Also, I read that when you force a port range you might 
experience some issues with other applications that use RPC ports.

If anyone has dealt with this kind of issue please share your step by step 
approach taken.

Thanks







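As an added example (not posted by anyone in this thread), the following PowerShell implements the "restrict the RPC ports on the servers" option that Jason names and Frederic asks how to make permanent, and builds in the exhaustion caveat James raises. It writes the documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values (`Ports`, `PortsInternetAvailable`, `UseInternetPorts`) that tell the RPC endpoint mapper which ports dynamic RPC endpoints may be assigned from; a reboot is required afterwards. The function names and the `-Force` switch are my own; the 100-port minimum and the advice to stay above 5000 come from Microsoft's published guidance for this key.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the server whose RPC endpoints must be reachable through the
# firewall (the DP, or the site server, depending on which side is being
# denied). Requires a reboot to take effect.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcInternetPortRange {
    # Returns the current RPC port restriction, or $null if none is set.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    $p = Get-ItemProperty -Path $RpcInternetKey
    New-Object PSObject -Property @{
        Ports                  = $p.Ports
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
    }
}

function Set-RpcInternetPortRange {
    param(
        [Parameter(Mandatory=$true)][int]$Start,
        [Parameter(Mandatory=$true)][int]$End,
        [switch]$Force   # hypothetical switch: apply even if the range is below the recommended size
    )
    if ($Start -lt 1025 -or $End -gt 65535 -or $End -lt $Start) {
        throw "Invalid range $Start-$End (must lie within 1025-65535, Start <= End)."
    }
    $count = $End - $Start + 1

    # Caveat from the thread: a small range exhausts RPC endpoints on busy
    # servers (domain controllers, site servers). Microsoft's guidance for
    # this key is a minimum of 100 ports, placed above 5000 so they do not
    # collide with applications that already bind fixed ports in 1025-5000.
    if ($count -lt 100 -or $Start -le 5000) {
        if (-not $Force) {
            throw "Range $Start-$End has $count ports and/or starts at or below 5000; re-run with -Force to apply anyway."
        }
        Write-Warning "Applying a range below the recommended minimum; watch for RPC endpoint exhaustion."
    }

    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # 'Ports' is REG_MULTI_SZ; each entry is a single port or an inclusive range.
    New-ItemProperty -Path $RpcInternetKey -Name Ports `
        -PropertyType MultiString -Value @("$Start-$End") -Force | Out-Null
    # 'Y' = the listed ports are the ones to use (rather than the ones to exclude).
    New-ItemProperty -Path $RpcInternetKey -Name PortsInternetAvailable `
        -PropertyType String -Value 'Y' -Force | Out-Null
    # 'Y' = the endpoint mapper assigns from the restricted set by default.
    New-ItemProperty -Path $RpcInternetKey -Name UseInternetPorts `
        -PropertyType String -Value 'Y' -Force | Out-Null

    Get-RpcInternetPortRange
}

# Usage: a 1000-port range above 5000, then verify and reboot.
#   Set-RpcInternetPortRange -Start 50000 -End 50999
#   Get-RpcInternetPortRange
#   Restart-Computer
```

Two things the firewall rule still needs beyond the chosen range: TCP 135 (the endpoint mapper itself, which hands out the dynamic port), and awareness that this key only governs the ports RPC *servers* listen on. The ephemeral range used for outbound connections is a separate setting (`MaxUserPort` under `Tcpip\Parameters` on Windows 2003, `netsh int ipv4 set dynamicport tcp` on Windows 2008 and later), so a deny on a high source port is not fixed by this change.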