Hello! Regarding the dynamic RPC port range, what is the recommended/safe RPC port range to use with hardware firewalls for workstations and servers? And how can I ensure that I am not exhausting the port range?
We have a department that is behind a hardware firewall that is managed by our security team. The security team has opened up the firewall for things that use dedicated ports, like SMB (port 445), RPC Endpoint Mapper (port 135), etc., from our management server. However, they have only opened a limited set of ports in the dynamic RPC range: 1024-1123 (99 ports) and 49152-49161 (9 ports). With this configuration, when I attempt to run the Group Policy RSoP from our W2K8r2 management server against a remote Windows XP computer, I get a failure. The security team was willing to add an exception for the single port that was blocked (port 1282), and this allowed RSoP to work for one round. However, when I later tried to gather another set of RSoP data, it got blocked again on port 1477.
I’ve been told by the security team that they will not open the firewall to allow the entire dynamic ranges (1025-5000 and 49152-65535). They have suggested that I limit the number of RPC ports that are used on the workstation. However, I haven’t been able to find any good resources on what a “safe” dynamic RPC range is, since I’ve read that it depends on what services are run. I’d like to avoid potential problems in the future with the workstations, so any advice would be appreciated. Alternatively, if restricting the dynamic RPC port range is not realistic/practical, please let me know if you have any resources that I can cite.
Thanks!
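As an added example (not part of the original post, and not an official Microsoft tool), the PowerShell script below shows the two things the question asks about in working form: reading and setting the documented RPC port restriction under `HKLM\SOFTWARE\Microsoft\Rpc\Internet` (the `Ports`, `PortsInternetAvailable` and `UseInternetPorts` values from Microsoft KB154596), and measuring how much of a given port range is currently in use by parsing `netstat -ano`, so an exhausted range can be spotted before RSoP or other RPC calls start failing. The range 5000-5099 used in the commented-out call is an illustrative assumption, not a recommendation; whatever range is chosen must be the same one the firewall team opens. It is written to run on PowerShell 2.0 (Windows 7/2008 R2) and needs an elevated prompt on the machine being configured.

```powershell
# Added example: audit and restrict the RPC dynamic port range on a Windows host.
# Registry values follow Microsoft KB154596; the sample range 5000-5099 is an assumption.

$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcInternetPorts {
    # Returns the configured RPC port restriction, or $null if the key is absent
    # (absent key = RPC servers take endpoints from the OS ephemeral range).
    if (-not (Test-Path $RpcKey)) { return $null }
    $k = Get-ItemProperty -Path $RpcKey
    New-Object PSObject -Property @{
        Ports                  = $k.Ports
        PortsInternetAvailable = $k.PortsInternetAvailable
        UseInternetPorts       = $k.UseInternetPorts
    }
}

function Set-RpcInternetPorts {
    # Restricts RPC dynamic endpoints to Start-End. Takes effect after a reboot.
    # Open exactly this range on the firewall, or RPC-based tools (RSoP, WMI, etc.) break.
    param(
        [Parameter(Mandatory=$true)][int]$Start,
        [Parameter(Mandatory=$true)][int]$End
    )
    if ($Start -lt 1025 -or $End -gt 65535 -or $End -le $Start) {
        throw "Range must satisfy 1025 <= Start < End <= 65535"
    }
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ; the other two are REG_SZ with the literal value "Y".
    New-ItemProperty -Path $RpcKey -Name Ports -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
    Write-Warning "RPC port range set to $Start-$End; reboot required to apply."
}

function Get-PortRangeUtilization {
    # Counts distinct local TCP ports in [Start, End] that are bound right now
    # (listening or connected). High PercentUsed means the range is near exhaustion.
    param(
        [Parameter(Mandatory=$true)][int]$Start,
        [Parameter(Mandatory=$true)][int]$End
    )
    # netstat lines look like: "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    812"
    $used = @(netstat -ano -p tcp |
        ForEach-Object { if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+') { [int]$matches[1] } } |
        Where-Object { $_ -ge $Start -and $_ -le $End } |
        Sort-Object -Unique)
    $size = $End - $Start + 1
    New-Object PSObject -Property @{
        RangeStart  = $Start
        RangeEnd    = $End
        RangeSize   = $size
        PortsInUse  = $used.Count
        PercentUsed = [math]::Round(100 * $used.Count / $size, 1)
        FreePorts   = $size - $used.Count
    }
}

# --- Usage (run elevated on the workstation or server being checked) ---
"Current RPC\Internet restriction:"
Get-RpcInternetPorts | Format-List

"Utilization of the ranges the firewall currently allows (values from the post):"
Get-PortRangeUtilization -Start 1024  -End 1123  | Format-Table -AutoSize
Get-PortRangeUtilization -Start 49152 -End 49161 | Format-Table -AutoSize

# Apply a restriction only once the firewall team has opened the same range:
# Set-RpcInternetPorts -Start 5000 -End 5099
```

Two caveats for interpreting the output: the restriction key only governs which ports RPC servers bind for dynamic endpoints, so client-side ephemeral ports (on Windows XP, 1025-5000 by default) are unaffected and do not need to be opened inbound on the workstation; and because every RPC-enabled service on the host draws from the same restricted pool, `PortsInUse` should be re-checked after a reboot under normal load, not just once, since a range that looks empty at idle can still be exhausted when several services and remote management sessions are active at the same time.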