How to limit dynamic RPC ports used by DPM and protected servers

The large range of ports used by dynamic RPC can pose a problem when attempting to allow communication through a firewall. In most cases, opening up 16,000 ports in the firewall to allow some application traffic is not feasible. So if IPsec is not a possible solution, the port range may be limited to a much smaller number (e.g. several hundred as opposed to thousands).

The following information describes the process for restricting the port range used by dynamic RPC. These registry changes must be made on the System Center Data Protection Manager (DPM) server and on the protected servers on the other side of the firewall. Limiting the port range affects ALL RPC traffic that uses dynamic ports, not just DPM. Depending on the applications in use, the number of ports needed may change, and it is possible that the port range will become too small as more protected servers and other applications are added. This solution is only recommended when others, such as IPsec, are not possible.

More Information

Since Windows Server 2008, the dynamic port range became 49152 – 65535. The way to configure this is to determine the number of ports needed, configure the registry, reboot the machines, and configure the firewall.

First pick the port range
When determining the number of ports to use, the recommended formula is as follows:

Start with a minimum of 100 + (number of PS * 10), where PS = Protected Servers.

A DPM server protecting 10 servers needs 200 ports at a minimum. Note that all protected servers are included in the port calculation, not just the ones on the other side of the firewall. This configuration limits the ports for all dynamic RPC traffic on the DPM server.

Implement the port range
The example below allocates 200 ports starting at 50100. This is done on the DPM server and protected servers on the other side of the firewall.

Edit the registry

First add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.

In this new key add the following values:

Name: Ports
Value: 50100-50300

Name: PortsInternetAvailable
Type: REG_SZ
Value: Y

Name: UseInternetPorts
Type: REG_SZ
Value: Y


Configure the firewall

Allow all traffic on ports 50100-50300 through the firewall. Do this in addition to the other required ports.
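The steps above carried out as a script, added here as an example that is not part of the original post: it derives the port count from the post's formula, writes the three values under Rpc\Internet, reads them back, and opens the range in Windows Firewall. The parameter names, the rule name and the read-back check are this example's own; the value types (REG_MULTI_SZ for Ports, REG_SZ for the two flags) are those documented in KB 154596. Run it elevated on the DPM server and on each protected server behind the firewall, then reboot.

```powershell
# Added example (not from the original post). Restrict RPC dynamic ports for DPM.
param(
    [int]$ProtectedServers = 10,    # ALL protected servers, not only those behind the firewall
    [int]$StartPort        = 50100  # the post's example starts at 50100
)

# Formula from the post: 100 + (number of protected servers * 10).
$portCount = 100 + ($ProtectedServers * 10)
$endPort   = $StartPort + $portCount - 1
$range     = "$($StartPort)-$($endPort)"

# Sanity check (this example's own): keep the range inside the Windows Server 2008+
# dynamic range 49152-65535 so it cannot collide with well-known or registered ports.
if ($StartPort -lt 49152 -or $endPort -gt 65535) {
    throw "Range $range falls outside 49152-65535; pick a different start port."
}

# Create HKLM\Software\Microsoft\Rpc\Internet if it does not exist yet.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcInternet)) { New-Item -Path $rpcInternet -Force | Out-Null }

# Ports is REG_MULTI_SZ (one range per element); the two flags are REG_SZ with value Y.
New-ItemProperty -Path $rpcInternet -Name 'Ports' -PropertyType MultiString -Value @($range) -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Read back what was written: a typo here silently leaves RPC on the full default range.
Get-ItemProperty -Path $rpcInternet | Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# Firewall: allow inbound TCP on the restricted range only, in addition to the other
# ports DPM already requires. netsh works on Windows Server 2008; New-NetFirewallRule
# is the equivalent on 2012 and later.
netsh advfirewall firewall add rule name="DPM_RPC_$range" dir=in action=allow protocol=TCP localport=$range

Write-Host "RPC dynamic ports restricted to $portCount ports ($range). Reboot required."
```

The change takes effect only after a reboot, so verify with the read-back output before restarting rather than after RPC has already restarted on the old range.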

Further details

These registry settings are covered in KB 154596, "How to configure RPC dynamic port allocation to work with firewalls."
The port ranges for Windows Server 2008 are in KB 929851, "The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008."

Steve Light | Senior Support Escalation Engineer
