I am looking for advice on reducing the port range used by RPC. We have a quite segmented network and I’d like to streamline that range in the core firewall configuration. The default range is too broad; however, I can’t find a clear indication of the recommended number of reserved ports. I know somewhat the theory behind it (thanks to the great old article by Ned Pyle), but is the empirical rule of thumb of 1000 ports I’ve read on various threads large enough to accommodate the typical set of Windows services (AD, Exchange, SQL, SharePoint, Hyper-V, …)?
Or would it be better to have a larger number maybe? Eventually, unless strictly needed, I’d like to find a range that is generally good enough for all the servers, and to avoid specializing the port range for specific servers.
Thanks a lot.
Andrea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: 1025

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: 1026
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/PR3PR06MB6828C296B3C8C47072CD9D12C43B9%40PR3PR06MB6828.eurprd06.prod.outlook.com.
Charlie Sullivan
Principal Windows Systems Administrator
This isn’t for “all RPC”, but only for “DC RPC”. For DC RPC I think this is fine.
For “all RPC” I think you’d have an issue with only two ports. I think the last time I looked at it (which, granted, may have been 10+ years ago), we needed at least 5 to avoid errors and more like 25 to ensure ports never exhausted.
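The two registry values quoted above pin the NTDS and Netlogon RPC endpoints to fixed ports, so that for "DC RPC" the firewall only has to admit those ports plus the endpoint mapper. The script below is an added example, not code from this thread or from Microsoft: it applies the two values exactly as listed (1025 and 1026), reports what it created, changed or kept, and, after the reboot, checks that the DC really listens on them. It assumes it runs elevated on the DC, on Windows Server 2012 or later (PowerShell 3+, NetTCPIP module).

```powershell
# Added example (not code from the thread): pin the two DC RPC endpoints to
# the values quoted above and read them back. Run elevated on the DC; NTDS and
# Netlogon read the values at start-up, so they take effect after a reboot.
$dcRpcPorts = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port'; Port = 1025 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort'; Port = 1026 }
)

foreach ($entry in $dcRpcPorts) {
    $current = (Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue).($entry.Name)
    if ($null -eq $current) {
        New-ItemProperty -Path $entry.Path -Name $entry.Name -PropertyType DWord -Value $entry.Port | Out-Null
        "created  $($entry.Name) = $($entry.Port)"
    } elseif ($current -ne $entry.Port) {
        Set-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Port
        "changed  $($entry.Name): $current -> $($entry.Port)"
    } else {
        "kept     $($entry.Name) = $current"
    }
}

# After the reboot, confirm the DC is actually listening on the pinned ports.
# OwningProcess should resolve to lsass, which hosts both NTDS and Netlogon.
Get-NetTCPConnection -State Listen -LocalPort ($dcRpcPorts.Port) -ErrorAction SilentlyContinue |
    Select-Object LocalPort, @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

Two checks worth doing before relying on this: the firewall rule still needs TCP 135, because clients ask the endpoint mapper first and only then connect to 1025/1026; and the pinned ports must lie outside (or be excluded from) the host's dynamic range, otherwise the OS can hand one of them to another process before lsass starts. As the reply above says, this only covers the DC's own RPC services; other RPC servers on the box keep taking ports from the dynamic range.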
I’m not the network admin here; I “think” it may be the case, but it is just my guess. As far as I know it is not used that way.
Andrea
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Kurt Buff
Sent: Wednesday 23 February 2022 3:59
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] RPC dynamic ports range
Is your core firewall layer-7 aware? If it is, it should be simple enough to specify the application rule and be done with it.
Kurt
So I asked, unfortunately L7 is not an option.
In the meantime, I’ve deepened my search on the ‘net. So Microsoft, in its infinite wisdom, finally adopted the standard ephemeral ports range with Windows Server 2008 and Vista, _but_ Exchange 2016 is still widening it starting from 1025 up to almost 60000. And apparently Hyper-V role in WS 2019 is also going behind the “safe” fence of 49152, I’ve found the six hosts of one of our clusters having the range starting at 33000 or so. I don’t know what/who changed the default value, as I’ve inherited the cluster as it is.
So the question remains: is there a safe range that can be used for RPC dynamic ports? I am not an Exchange expert, but I seem to remember that newer Exchange versions use RPC over HTTPS. Indeed PortQry shows that only a bunch of ports (all between 1025 and less than 3000) are currently used on the Exchange host, so maybe the “default” port range in Exchange can be trimmed down.
Thanks!
Andrea
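The Exchange and Hyper-V findings above (a range starting at 1025, a cluster starting around 33000) are the kind of drift that is easiest to size with data from the hosts themselves. The following script is an added example, not code from this thread: it reads each host's configured TCP dynamic range from netsh, flags hosts that differ from the Windows Server 2008+ default of 49152/16384 mentioned above, and lists which ports inside the range are actually listening and by which process, which is what PortQry was showing on the Exchange host. It assumes Windows Server 2012 or later and, for remote hosts, that WinRM (Invoke-Command) is permitted; the computer names and thresholds are parameters you supply.

```powershell
# Added example, not code from the thread: audit the TCP dynamic port range on
# one or more hosts and list what is actually listening inside it, so the
# firewall range is sized from evidence rather than the 1000-port rule of thumb.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$ExpectedStart = 49152,   # Windows Server 2008+ default referred to above
    [int]$ExpectedCount = 16384
)

$audit = {
    param([int]$ExpectedStart, [int]$ExpectedCount)

    # 'netsh int ipv4 show dynamicport tcp' prints the two lines we care about:
    #   Start Port      : 49152
    #   Number of Ports : 16384
    $text = (netsh int ipv4 show dynamicport tcp) -join "`n"
    if ($text -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] } else { throw "cannot parse netsh output on $env:COMPUTERNAME" }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] } else { throw "cannot parse netsh output on $env:COMPUTERNAME" }
    $end = $start + $count - 1

    # Listening sockets inside the range: the RPC endpoints (and anything else)
    # that a firewall rule covering this host would have to admit.
    $inRange = @(Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end } |
        Sort-Object LocalPort -Unique)
    $listeners = $inRange | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}/{1}' -f $_.LocalPort, $(if ($proc) { $proc.ProcessName } else { "pid$($_.OwningProcess)" })
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Start         = $start
        End           = $end
        Count         = $count
        IsDefault     = ($start -eq $ExpectedStart -and $count -eq $ExpectedCount)
        ListenerCount = $inRange.Count
        HighestUsed   = if ($inRange) { $inRange[-1].LocalPort } else { $null }
        Listeners     = $listeners -join ' '
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $audit $ExpectedStart $ExpectedCount }
    else { Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList $ExpectedStart, $ExpectedCount }
}

$results | Format-Table Computer, Start, End, Count, IsDefault, ListenerCount, HighestUsed -AutoSize

# Hosts that drifted from the default (the Exchange and Hyper-V cases above),
# with the netsh command that puts the range back.
$results | Where-Object { -not $_.IsDefault } | ForEach-Object {
    "$($_.Computer): non-default range $($_.Start)-$($_.End); reset with: netsh int ipv4 set dynamicport tcp start=$ExpectedStart num=$ExpectedCount"
}
```

Run it against a representative host of each role (DC, Exchange, SQL, Hyper-V) and keep the listener snapshots over a few days, since a single run only shows the endpoints registered at that moment; the thread's own experience of needing roughly 25 ports rather than 5 to avoid exhaustion is the reason not to trim to exactly what one snapshot shows. Note that UDP and IPv6 have their own ranges (`netsh int ipv4 show dynamicport udp`, `netsh int ipv6 ...`), and that on an Exchange host the widened range is set by Exchange setup itself, so narrowing it there is a change to validate against Exchange's guidance, not just a netsh edit.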