RPC port limitation may break UAG and TMG servers

The RPC (Remote Procedure Call) protocol is used by many services and applications, and part of that protocol is known as “dynamic port allocation”. This means that a program that uses RPC will choose a random secondary port above 1024 for the communication (these are also known as “ephemeral ports”). This is rarely a problem with RPC usage on internal networks, but sometimes organizations wish to limit the range of ports in use. One such scenario is when a firewall separates two networks, and the preference is to open the fewest possible ports on the firewall.

When there is a need for such a limitation, Windows supports a special registry key that defines the port range from which RPC applications may choose. This key is HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ports, and it is discussed here: https://support.microsoft.com/kb/154596.

We have seen a few occasions where users have configured this on a UAG or TMG server, and unfortunately this can have a detrimental effect, because it may block critical communication between the components. If the configured port range is too small, critical TMG services may fail to start. If this happens on a UAG server, the TMG service failure in turn makes it impossible to open the UAG management console. The symptom appears as a failure of several TMG services, with the Windows System event log showing the error “The Microsoft Forefront TMG Control service terminated with service-specific error %%-2147023175”.


Error -2147023175 (0x800706B9) means “Not enough resources are available to complete this operation”, which indicates that the RPC service did not have enough network resources (in this case, ports) to work properly. If you have configured this key on your server, increasing the range of available ports may solve the problem. Another option is, of course, to remove this setting altogether, but keep in mind that the key holds several values, so be sure to remove the entire “Internet” subkey rather than just one value.


Also note that changing this key requires a server reboot to take effect.
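As an added example (not part of the original post), the following PowerShell audit script reads the RPC\Internet key described above, counts how many dynamic ports the configured ranges actually allow, and looks for the TMG service failure event quoted earlier. The value names Ports, PortsInternetAvailable and UseInternetPorts come from KB154596; the 1000-port warning threshold is an assumption, not a figure from the post.

```powershell
# Added example: audit the RPC dynamic-port restriction on a UAG/TMG server.
# Value names come from KB154596; the threshold below is an assumed figure.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$MinimumPorts = 1000   # assumption: warn if fewer ports than this are allowed

function Get-RpcPortCount {
    # Expand the REG_MULTI_SZ "Ports" list (e.g. '5000-5100', '5200') into a count.
    param([string[]]$Ranges)
    $count = 0
    foreach ($entry in $Ranges) {
        if ($entry -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($hi -ge $lo) { $count += ($hi - $lo + 1) }
        } elseif ($entry -match '^\s*(\d+)\s*$') {
            $count += 1
        }
    }
    return $count
}

if (-not (Test-Path $KeyPath)) {
    Write-Host "No RPC\Internet key present: RPC uses the default dynamic port range."
    return
}

$key   = Get-ItemProperty -Path $KeyPath
$ports = @($key.Ports)
$total = Get-RpcPortCount -Ranges $ports
Write-Host ("RPC port restriction configured: {0} -> {1} port(s) allowed" -f ($ports -join ', '), $total)
Write-Host ("UseInternetPorts={0} PortsInternetAvailable={1}" -f $key.UseInternetPorts, $key.PortsInternetAvailable)

if ($total -lt $MinimumPorts) {
    Write-Warning "Port range is small; TMG/UAG services may fail with error -2147023175 (0x800706B9)."
}

# Look for the symptom described in the post: TMG services terminating with -2147023175.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } `
              -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*Forefront TMG*' -and $_.Message -like '*-2147023175*' }
if ($events) {
    Write-Warning ("Found {0} TMG service failure event(s) with error -2147023175." -f @($events).Count)
}

# Remediation per the post: either widen the Ports range, or delete the whole Internet
# subkey (all of its values), then reboot. Left commented out so this script is read-only:
# Remove-Item -Path $KeyPath -Recurse -Force; Restart-Computer
```

Run it in an elevated PowerShell session on the affected server; a total well below the number of RPC endpoints the TMG services need is the condition the post describes.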