It is becoming more commonplace to see requests from customers who need to place a firewall between Lync Pools. Maybe the servers are separated by large geography or sit in different datacenters, or the InfoSec team requires firewalls between applications (zoning). Now Microsoft has published very good information on what ports are needed for the different roles and services in Lync Server and Client. However, what about the other Windows services that Lync uses? Troubleshooting firewalls and ports is a pain and can lead to extra work when something doesn’t work as expected. One of those key services in particular is DCOM.
The DCOM ports are used in conjunction with RPC (135) for moving users, user replication synchronization and address book synchronization. Now Microsoft does state that you need port 135 in their TechNet article, and the protocol column does say DCOM and RPC. However, most people will assume that 135 is all you need. That’s where the mistake happens. Now most Network and InfoSec teams are not going to be too happy when you call them up and say that you need ports 1024-65535 opened up between your two pools. In fact, we know what they will say.
Let’s take a typical move-csuser request. A NetMon trace will show that an initial RPC request occurs on behalf of the svchost.exe process over port 135; however, the actual “work” occurs over DCOM and uses the high port range. If this port range is blocked by a firewall you’ll get an error from the PowerShell command saying that DCOM isn’t available.
To address the large number of ports DCOM uses by default, Microsoft has published a procedure to configure DCOM to work with firewalls. Leveraging the procedure found here, one can modify the registry and restrict DCOM to a specific port range. Microsoft recommends a minimum of 100 ports for this protocol. That’s much less than what we started out with. The articles are linked below along with some of my favorite tools for network troubleshooting.
In this example ports 5000 through 5100 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
- Add the Internet key under:
- Under the Internet key, add the values “Ports” (MULTI_SZ), “PortsInternetAvailable” (REG_SZ), and “UseInternetPorts” (REG_SZ).
For example, the new registry key appears as follows:
Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
- Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 5100, inclusive. In most environments, a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
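The procedure above as a PowerShell script is an added example, not code from the original post or from Microsoft. It writes the three values under the HKLM\SOFTWARE\Microsoft\Rpc\Internet key that the linked Microsoft procedure describes, refuses ranges narrower than the 100-port minimum, and reads the result back for verification; the 5000-5100 default is the post's illustrative range only, and Get-RpcInternetPortRange is a helper name chosen here.

```powershell
# Added example: restrict RPC/DCOM dynamic port allocation to a fixed range.
# Run elevated; the change only takes effect after a restart.
# Assumption: 5000-5100 is the post's illustrative range, not a recommendation.
param(
    [int]$StartPort = 5000,
    [int]$EndPort   = 5100
)

$rpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$internetKey = Join-Path $rpcKey 'Internet'

# Sanity checks before touching the registry: stay inside the dynamic range
# and honour the 100-port minimum from the Microsoft procedure.
if ($StartPort -lt 1024 -or $EndPort -gt 65535 -or $EndPort -le $StartPort) {
    throw "Port range $StartPort-$EndPort is not a valid dynamic port range."
}
if (($EndPort - $StartPort + 1) -lt 100) {
    throw "Range $StartPort-$EndPort spans fewer than 100 ports; Microsoft recommends at least 100."
}

# Create the Internet key if it does not exist yet.
if (-not (Test-Path $internetKey)) {
    New-Item -Path $rpcKey -Name 'Internet' | Out-Null
}

# Ports is REG_MULTI_SZ (one "start-end" string per range); the two flags are REG_SZ.
New-ItemProperty -Path $internetKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$StartPort-$EndPort") -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read the configuration back so the change can be verified (and recorded for
# the firewall change request) before the restart that makes it take effect.
function Get-RpcInternetPortRange {
    $props = Get-ItemProperty -Path $internetKey
    [pscustomobject]@{
        Ports                  = ($props.Ports -join ',')
        PortsInternetAvailable = $props.PortsInternetAvailable
        UseInternetPorts       = $props.UseInternetPorts
    }
}

Get-RpcInternetPortRange
Write-Warning "Restart the server, then open TCP 135 and TCP $StartPort-$EndPort between the pools."
```

After the restart, PSPing (linked below) against a port inside the new range from the other pool is the quickest way to confirm the firewall rule matches what the registry now says.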
Articles & Tools
- Ports for Lync Server
- Configuring DCOM to work with your firewall
- Ports used by Windows Services
- PSPing: Works with both TCP and UDP protocols and is a great way to test your firewall ports before going production. Seriously…USE THIS!
- NetMon with Lync Parsers: Just what is going on at the network layer? You configured Lync to work on port X but it’s actually talking on port Y.
- Fiddler: A must have tool for every Lync professional. Great for troubleshooting browsers.
- Lync Firewall Testing Script: A great PowerShell script complete with GUI for testing ports on Lync servers.