How to setup the Enterprise Vault Distributed COM (DCOM) services to function through a Windows 2003 / 2008 / 2012 Firewall
Problem
How to setup the Enterprise Vault Distributed COM (DCOM) services to function through a Windows 2003 / 2008 / 2012 Firewall
Solution
DCOM uses port 135 for the initial session setup; after that, any available port can be used to handle DCOM requests. For a firewall to stay in place while still allowing DCOM requests, DCOM must be restricted to a defined set of port numbers and those additional ports must be opened in the firewall. Microsoft recommends restricting DCOM to a minimum of 100 ports ( https://support.microsoft.com/kb/154596 ); Veritas recommends a minimum of 300 DCOM ports for an Enterprise Vault environment. (See below for the File Server Archiving configuration on Windows Server 2008 / 2012.)
Creating the registry keys:
- Use regedt32 to create the REG_MULTI_SZ value
1. Navigate to the following registry key (create it if it does not exist): HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
2. Create the following three values:
   Ports
   Type: REG_MULTI_SZ
   Value: the port range (Example: 7001-7200)
   PortsInternetAvailable
   Type: REG_SZ
   Value: Y
   UseInternetPorts
   Type: REG_SZ
   Value: Y
To automate opening of ports in the firewall on Windows Server 2008 / 2012:
1. Add the required port range as follows:
- Click Start, Administrative Tools, Component Services.
- Expand Component Services, Computers.
- Right-click My Computer and select Properties.
- Click the Default Protocols tab.
- Select Connection-oriented TCP/IP, and click Properties.
- Use the Add button to add the required port range, for example, "49153-49453".
You can choose any ports between 49152 and 65535. Ensure that the range contains at least 300 ports. Leave all other settings at their default values.
- Apply the changes.
2. Create the required firewall rules:
- Click Start, Administrative Tools, Windows Firewall with Advanced Security.
- Click Inbound Rules, and check that "COM+ Network Access (DCOM-In)" is enabled.
- Create an inbound rule for TCP Port 135, if one does not exist.
- Create an inbound rule of type "Port". Select TCP and specify the port range that you used in step 1.
- Create another inbound rule of type "Port". Select UDP and specify the port range that you used in step 1.
3. Reboot the server. Your Enterprise Vault servers should now be able to communicate with the firewall turned on.
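The same settings that steps 1 and 2 make through the Component Services and Windows Firewall consoles can be applied and checked from a script. The following PowerShell is an added example, not part of the Veritas article: it assumes Windows Server 2012 or later (the New-NetFirewallRule cmdlet), an elevated session, and the article's example range of 49153-49453; it refuses ranges that fall outside 49152-65535 or contain fewer than 300 ports before writing anything.

```powershell
# Added example (not from the Veritas article). Assumes Windows Server 2012+
# with the NetSecurity module; run from an elevated PowerShell session.
param(
    [string]$PortRange    = "49153-49453",  # example range from the article
    [int]   $MinimumPorts = 300             # Veritas minimum for Enterprise Vault
)

# Validate the range before touching the registry or the firewall.
if ($PortRange -notmatch '^(\d{1,5})-(\d{1,5})$') {
    throw "Port range must look like 'start-end', got '$PortRange'"
}
$start = [int]$Matches[1]; $end = [int]$Matches[2]
if ($start -lt 49152 -or $end -gt 65535 -or $start -gt $end) {
    throw "Range must lie within the Windows Server 2008+ dynamic range 49152-65535"
}
$count = $end - $start + 1
if ($count -lt $MinimumPorts) {
    throw "Only $count ports in '$PortRange'; Enterprise Vault needs at least $MinimumPorts"
}

# 1. The registry values behind the Default Protocols dialog (Rpc\Internet).
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpcKey -Force | Out-Null
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($PortRange) -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'           -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'           -Type String

# 2. Inbound rules: TCP 135 for session setup, then the TCP and UDP port range.
$rules = @(
    @{ Name = 'DCOM Port 135 (TCP)';         Protocol = 'TCP'; Port = 135 },
    @{ Name = "DCOM Ports $PortRange (TCP)"; Protocol = 'TCP'; Port = $PortRange },
    @{ Name = "DCOM Ports $PortRange (UDP)"; Protocol = 'UDP'; Port = $PortRange }
)
foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
    }
}

# 3. Read the value back so the change can be verified before the reboot (step 3).
$applied = (Get-ItemProperty -Path $rpcKey).Ports
Write-Host "Rpc\Internet\Ports = $applied ($count ports). Reboot for DCOM to use them."
```

On Windows Server 2008 / 2008 R2, which lack New-NetFirewallRule, replace the rule section with the equivalent netsh advfirewall firewall add rule commands; the registry part is unchanged.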
To automate opening of ports in the firewall on Windows Server 2003:
1. Create a batch file that opens port 135 and each of the additional ports defined in the registry keys.
Format to use:
netsh firewall set portopening TCP 135 "DCOM Port 135"
netsh firewall set portopening TCP 7001 "DCOM Port 7001"
netsh firewall set portopening TCP 7002 "DCOM Port 7002"
netsh firewall set portopening TCP 7003 "DCOM Port 7003"
...
netsh firewall set portopening TCP 7198 "DCOM Port 7198"
netsh firewall set portopening TCP 7199 "DCOM Port 7199"
netsh firewall set portopening TCP 7200 "DCOM Port 7200"
2. Execute the batch file created in step 1.
[Enterprise Vault for File Server Archiving]
- If Enterprise Vault for File Server Archiving runs on Windows Server 2008 or later, dynamic RPC ports may also need to be configured.
Administrators_Guide.pdf - Ports used by Enterprise Vault
[Notes on configuring dynamic RPC ports]
The Windows version running on the Enterprise Vault server determines which dynamic RPC ports you should configure, as follows:
■ On Windows Server 2008 / 2012 the default dynamic RPC port range is 49152 through 65535.
For information on how to configure Windows Server 2008 dynamic RPC ports, see the following Microsoft articles:
https://support.microsoft.com/kb/929851/
https://support.microsoft.com/kb/832017/
■ Windows versions earlier than Windows Server 2008 used a default port range of 1025 through 5000 for dynamic RPC.
- Windows Server 2008 can be configured to open Windows Firewall RPC ports dynamically. Using this setting eliminates the need to open a port range for dynamic RPC.
(This method will not function for use by SQL)
The following Microsoft article discusses how to configure dynamic RPC ports on the different versions of Windows:
technet.microsoft.com/en-us/library/cc732839(WS.10).aspx
To view firewall settings:
1. Open a Command Prompt and enter:
netsh firewall show state verbose=enable