Configuring MSDTC to Work Through a Firewall

This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. 

 

SUMMARY

This article describes how to configure Microsoft Distributed Transaction Coordinator (DTC) to work through firewalls.

MORE INFORMATION

You can configure DTC to communicate through firewalls, including network address translation firewalls.

DTC uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024. By modifying the registry, you can control which ports RPC dynamically allocates for incoming communication. You can then configure your firewall to confine incoming external communication to only those ports and port 135 (the RPC Endpoint Mapper port).

You must provide one incoming dynamic port for DTC. You may need to provide additional incoming dynamic ports for other subsystems that rely on RPC.

The registry keys and values described in this article do not appear in the registry by default; you must add them by using Registry Editor.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Follow these steps to control RPC dynamic port allocation. You will have to do this on both computers. Note also that the firewall mustbe open in both directions for the specified ports:

1.	To start Registry Editor, click Start, click Run, type regedt32, and then click OK. You must use Regedt32.exe, rather than Regedit.exe, because Regedit.exe does not support the REG_MULTI_SZ data type that is required for the Ports value.
2.	In Registry Editor, click HKEY_LOCAL_MACHINE in the Local Machine window.
3.	Expand the tree by double-clicking the folders named in the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
4.	Click the RPC folder, and then click Add Key on the Edit menu.
5.	In the Add Key dialog box, in the Key Name box, type Internet, and then click OK.
6.	Click the Internet folder, and then click Add Value on the Edit menu.
7.	In the Add Value dialog box, in the Value Name box, type Ports.
8.	In the Data Type box, select REG_MULTI_SZ, and then click OK.
9.	In the Multi-String Editor dialog box, in the Data box, specify the port or ports you want RPC to use for dynamic port allocation, and then click OK. Each string value you type specifies either a single port or an inclusive range of ports. For example, to open port 5000, specify "5000". To open ports 5000 to 5020 inclusive, specify "5000-5020". You can specify multiple ports or ports ranges by specifying one port or port range per line. All ports must be in the range of 1024 to 65535. If any port is outside this range or if any string is invalid, RPC will treat the entire configuration as invalid. Microsoft recommends that you open up ports from 5000 and up, and that you open a minimum of 15 to 20 ports.
10.	Follow steps 6 through 9 to add another key for Internet, by using the following values: Value: PortsInternetAvailable Data Type: REG_SZ Data: Y This signifies that the ports listed under the Ports value are to be made Internet-available.
11.	Follow steps 6 through 9 to add another key for Internet, by using the following values: Value: UseInternetPorts Data Type: REG_SZ Data: Y This signifies that RPC should dynamically assign ports from the list of Internet ports.
12.	Configure your firewall to allow incoming access to the specified dynamic ports and to port 135 (the RPC Endpoint Mapper port).
13.	Restart the computer. When RPC restarts, it will assign incoming ports dynamically, based on the registry values that you have specified. For example, to open ports 5000 through 5020 inclusive, create the following named values: Ports : REG_MULTI-SZ : 5000-5020 PortsInternetAvailable : REG_SZ : Y UseInternetPorts : REG_SZ : Y

DTC also requires that you are able to resolve computer names by way of NetBIOS or DNS. You can test whether or not NetBIOS can resolve the names by using ping and the server name. The client computer must be able to resolve the name of the server, and the server must be able to resolve the name of the client. If NetBIOS cannot resolve the names, you can add entries to the LMHOSTS files on the computers.