Firewall settings for IISreset and other Dynamically assigned RPC ports
I was wondering if there was a way to remedy an issue where developers needed access to run RPC commands on firewalled servers. I didn't want the developers' subnet to have unrestricted access to the servers, but I needed them to have remote iisreset rights. The problem was that the firewall was blocking their subnet's access. Opening up TCP port 135 established the initial line of communication, but the server would then dynamically assign a port number in the range of 1024-5000, and I couldn't justify opening a range in the firewall that exposed 3,976 ports. After some searching I found this article from Microsoft that explains how to reduce/change the range of ports RPC is allowed to assign dynamically: http://support.microsoft.com/kb/908472
So what I did on my 2003 server was run:
rpccfg.exe -pe 5001-5021 -d 0
That command adds the following registry values under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet:
Ports: REG_MULTI_SZ: 5001-5021
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y
This shrinks the available ports from 3976 to 20, which is a range I feel much more comfortable allowing the developers' subnet to reach through the firewall.
After running the command you will have to restart the box for the changes to take effect. Once I had that set and my firewall rule in place, it was smooth sailing.
B-rad
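An added audit script (not part of the original post) that checks the same registry values the post describes and lists high TCP listeners outside the configured range, so you can confirm the restriction is actually in force before trusting the firewall rule. It assumes PowerShell 3 or later, an elevated session, and the value names exactly as listed above; the hypothetical output column names are my own.

```powershell
# Added example: audit the RPC dynamic-port restriction set by rpccfg.exe (KB908472).
# Assumes PowerShell 3+, run as administrator, and the registry values named in the post.
$rpcKey = 'HKLM:\Software\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) {
    Write-Warning "No RPC port restriction configured ($rpcKey missing); dynamic range is unrestricted."
    return
}
$cfg = Get-ItemProperty -Path $rpcKey

# Expand each REG_MULTI_SZ 'Ports' entry ('5001-5021' or a single port like '5030') into a set.
$allowed = New-Object 'System.Collections.Generic.HashSet[int]'
foreach ($entry in @($cfg.Ports | Where-Object { $_ })) {
    if ($entry -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        foreach ($p in $lo..$hi) { [void]$allowed.Add($p) }
    } elseif ($entry -match '^\s*(\d+)\s*$') {
        [void]$allowed.Add([int]$Matches[1])
    } else {
        Write-Warning "Unparseable Ports entry: '$entry'"
    }
}

"Allowed dynamic RPC ports: {0} ({1})" -f $allowed.Count, (@($cfg.Ports) -join ', ')
"PortsInternetAvailable={0} UseInternetPorts={1}" -f $cfg.PortsInternetAvailable, $cfg.UseInternetPorts
# The range only applies when both flags are 'Y' and the box has been rebooted since the change.
if ($cfg.PortsInternetAvailable -ne 'Y' -or $cfg.UseInternetPorts -ne 'Y') {
    Write-Warning "Range is defined but not enforced: both flags must be 'Y' (then reboot)."
}

# List TCP listeners above 1024 that are outside the allowed set. netstat -ano exists on 2003;
# not every hit is RPC (SQL, RDP, etc. also listen up here), so the PID is shown for triage.
netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ }
    $port = [int](($f[1] -split ':')[-1])      # handles 0.0.0.0:135 and [::]:135
    if ($port -gt 1024 -and -not $allowed.Contains($port)) {
        [pscustomobject]@{ Port = $port; OwningPID = $f[4] }
    }
} | Format-Table -AutoSize
```

Any listener that shows up and belongs to svchost.exe hosting RpcSs (or to the service you meant to reach) means the range is not being honored and the firewall rule for 5001-5021 will not be enough.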