This article describes how to configure the EDM Service computer so that EDM Clients can communicate with the EDM Service through a firewall.
For each service that needs to communicate across a firewall, there is a fixed port and protocol. Normally, the ActiveRoles Server (ARS) Service uses dynamically allocated ports. If there is a need for ARS Clients to communicate with the ARS Service through a firewall, the ARS Service must be restricted to communicate on a static port, which can be set using the following steps.
IMPORTANT: On the firewall, the static port you assign to the ARS Service must be open along with port 135, which is used by the RPC Endpoint Mapper service. Additionally, ARS Clients must have access to an Active Directory Global Catalog in order to detect the ARS Service. Best practice recommendations for deploying Active Directory in segmented networks can be found in Microsoft's white paper "Active Directory in Networks Segmented by Firewalls."
To assign a static port to the ARS Service:
1. On the ARS Service computer, start the DCOM Configuration tool by running the file dcomcnfg.exe (click Start, click Run, type dcomcnfg.exe, click OK).
2. Click DCOM Config, select Aelita Enterprise Administration Service from the Applications list, and then click Properties.
3. On the Endpoints tab, click Add.
4. In the Select DCOM protocol and endpoint dialog box:
a. Ensure that Connection-oriented TCP/IP is selected from the Protocol Sequence list.
b. Under Endpoint Assignment, click Use static endpoint, and then, in the box next to this option, type the port number (for example, 5001).
c. Click OK.
5. Click OK to close the Properties dialog box, and then click OK to close the DCOM Configuration tool.
6. Restart the ARS Service (computer restart is not required).
See also information provided by Microsoft "Active Directory in Networks Segmented by Firewalls" <http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adsegment.asp>
Please be aware of the RPC port ranges for the different Windows operating system versions. Under Windows Server 2008, for example, the dynamic RPC port range was changed to 49152 - 65535 in line with the IANA standard. If the port you configure for DCOM is outside this range, the service will not work. Please research Microsoft's documentation on this topic as it relates to your environment.
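The following PowerShell script is an added example, not part of the One Identity article, for verifying the result of the procedure above together with the port-range note: it reads the static endpoint that dcomcnfg stores for the ARS Service, checks the port against the RPC range, and tests whether a client can reach port 135 and the static port through the firewall. It assumes the DCOM application is registered under HKLM:\SOFTWARE\Classes\AppID under the display name shown in dcomcnfg, that the endpoint is stored in the REG_MULTI_SZ "Endpoints" value as "ProtocolSequence,EndpointFlags,Endpoint" (for example "ncacn_ip_tcp,0,5001"), and that the host name ars-server.example.com is a placeholder you replace.

```powershell
# Added verification script (not from the One Identity article). Assumptions:
# the ARS DCOM application is listed under HKLM:\SOFTWARE\Classes\AppID with the
# name shown in dcomcnfg, and "Use static endpoint" writes the REG_MULTI_SZ value
# "Endpoints" in the form "ProtocolSequence,EndpointFlags,Endpoint".
param(
    [string]$AppName     = 'Aelita Enterprise Administration Service',
    [string]$ServiceHost = 'ars-server.example.com',   # placeholder, replace with the ARS Service computer
    [int]$RangeStart     = 49152,   # dynamic RPC range on Windows Server 2008 and later
    [int]$RangeEnd       = 65535
)

# 1. Locate the AppID key whose (Default) value matches the display name from dcomcnfg.
$appId = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -eq $AppName } |
    Select-Object -First 1
if (-not $appId) { throw "DCOM application '$AppName' not found under HKLM:\SOFTWARE\Classes\AppID" }

# 2. Read the Endpoints value written by the "Use static endpoint" option.
$endpoints = (Get-ItemProperty $appId.PSPath).Endpoints
if (-not $endpoints) { throw "No static endpoint configured for $($appId.PSChildName); the service still uses dynamic ports" }

foreach ($entry in $endpoints) {
    $protSeq, $flags, $port = $entry -split ','
    Write-Host "Endpoint: protocol=$protSeq flags=$flags port=$port"
    if ($protSeq -ne 'ncacn_ip_tcp') { Write-Warning "Protocol sequence is not Connection-oriented TCP/IP" }
    if ([int]$port -lt $RangeStart -or [int]$port -gt $RangeEnd) {
        Write-Warning "Port $port is outside the RPC range $RangeStart-$RangeEnd; check Microsoft's documentation for this OS"
    }
}

# 3. Run from an ARS client: confirm the firewall passes both the RPC Endpoint Mapper (135)
#    and the static port. This is a plain TCP connect test; it does not authenticate to DCOM.
$staticPort = [int](($endpoints[0] -split ',')[2])
foreach ($p in 135, $staticPort) {
    $ok = (Test-NetConnection -ComputerName $ServiceHost -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP port {0,5} on {1}: {2}" -f $p, $ServiceHost, $(if ($ok) { 'reachable' } else { 'BLOCKED' }))
}
```

Steps 1 and 2 must run on the ARS Service computer (where the registry value lives); step 3 is meaningful only when run from a client on the far side of the firewall.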
© 2021 One Identity LLC. ALL RIGHTS RESERVED.