Solved

windows 2008 server firewall config for MTS COM+ dll

Posted on 2011-09-05
Last Modified: 2012-05-12
Hi

We are under migration process for our servers from 2003 to 2008 R2.

We have a specific client application connecting to the Server 2003 via a COM+ application called APPMTS, which uses a component that launches the MTSFileXfer command.
We installed the same on our Server 2008 R2 before migrating the application.
The application works perfectly from the client side if the W2K8 firewall is turned OFF, but does not work when it is turned ON.
We insist on the fact that the application works perfectly when the W2K8 firewall is turned OFF!

The following VB script summarizes the process:

On Error Resume Next 'Needed so the Err checks below report the failure instead of aborting the script

'Create an object referring to APPMTS on the remote server (remote DCOM activation)
Set mobjMTS = CreateObject("APPMTS.MTSFileXfer", "10.148.0.42") 'MyServer IP address
MsgBox "Set mobjMTS - " & Err.Description & " - " & Err.Number
Err.Clear

'Send the copy command to copy one file from one shared directory to another shared one on the same server
mobjMTS.CopyFile "\\MyServer\MainDirectory\MyFile.pdf", "\\MyServer\TempCopyFileDirectory\MyFile.pdf"
MsgBox "Copy file - " & Err.Description & " - " & Err.Number


When the W2K8 firewall is turned ON, here is the error message we receive at the line Set mobjMTS:

script: c:\docandsett\admi\dsektop\testmts.vb
line 1
char 1
Error: The remote server machine does not exist or is unavailable: 'CreateObject'
Code: 800A01CE
Source: Microsoft VBScript runtime error

Our question is: how do we have to configure the W2K8 firewall for our application to work?
We turned on the predefined inbound rules
- COM+ Network Access (DCOM-In)
- COM+ Network Access (DCOM-In)

We also added an inbound rule for our registered dll %systemroot%/APPMTS.dll: all profiles, allow, any local address, any remote address, any protocol, any local port, any remote port, any allowed computers, any allowed users (we think it is fully open for that dll).

Still it is not working.
We have no more clues, except turning off the W2K8 firewall (but shame on us if we get to that point).

Any valuable help will be highly appreciated.

Regards
Question by:CAMTEC_SPRL
2 Comments

Accepted Solution

by:
Crower earned 500 total points
ID: 36493929
As part of that default configuration, DCOM connections to the Windows 2008 server are blocked. However, there are various scenarios where it would be advantageous to allow DCOM connections to that server. Try this to allow DCOM traffic:


On the Windows 2008 server that you wish to allow DCOM connections to:

Open the Windows Firewall with Advanced Security application from Administrative Tools
Right click on the Inbound Rules node in the tree view and select New Rule from the context menu
When the New Inbound Rule Wizard opens, select the Rule Type page
Select Custom and click the Next button
On the Program page, select All Programs and click Customize
On the resulting Customize Service Settings dialogue, make sure that Apply to all programs and services is selected and click the OK button
Back on the Program page, click the Next button
On the Protocol and Ports page, select TCP for the Protocol Type
Select Dynamic RPC for the Local Port (DCOM uses the Dynamic RPC ports)
Select All Ports for the Remote Port and click the Next button
On the Scope page, select Any IP Address for the Local IP Address
Enter the IP Address (recommended if only one machine is going to connect via DCOM), subnet or IP Address range (recommended if you have a number of machines that will connect via DCOM) of the machine(s) to allow access from for the "Remote IP Address" (or select Any IP Address - recommended if you don't care which machines connect via DCOM) and click the Next button
On the Action page, select Allow the connection and click the Next button
On the Profile page, select only the Domain option and click the Next button
On the Name page, name your rule and click the Finish button
If the rule shows as disabled, enable it
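The rule Crower describes, written as netsh advfirewall commands for Windows Server 2008 R2, plus the tighter variant the asker's follow-up asks about. This is an added example, not code from the thread; the rule names, the client range and the assumption that the COM+ application is a server application (hosted by dllhost.exe) are mine.

```powershell
# Added example (not from the thread): the accepted answer's inbound rule as
# netsh advfirewall commands. netsh is used because New-NetFirewallRule only
# exists on Server 2012 and later. Run from an elevated prompt.

# ASSUMPTION: replace with the real client subnet or range; scoping remoteip is
# the single most effective restriction for a DCOM rule.
$clients = "10.148.0.0/16"

# 1. The rule exactly as described in the answer: TCP, local port = RPC dynamic
#    range, any program, domain profile only, scoped to the client range.
netsh advfirewall firewall add rule name=DCOM-DynamicRPC-In dir=in action=allow `
    protocol=TCP localport=RPC remoteport=any localip=any remoteip=$clients `
    profile=domain enable=yes `
    description="Allow DCOM callers from the client range to the RPC dynamic ports"

# 2. Tighter variant for the follow-up question: COM+ server applications run
#    inside dllhost.exe, so the rule can be bound to that program instead of
#    "any program". Use this instead of rule 1 once it is confirmed to work.
netsh advfirewall firewall add rule name=DCOM-DynamicRPC-dllhost-In dir=in action=allow `
    program=$env:SystemRoot\System32\dllhost.exe protocol=TCP localport=RPC `
    remoteip=$clients profile=domain enable=yes

# 3. Caveat: remote DCOM activation starts at the RPC endpoint mapper (TCP 135,
#    RpcSs service). If no other enabled rule already allows it, add it with the
#    same scope rather than re-enabling the broader predefined COM+ rules.
netsh advfirewall firewall add rule name=DCOM-EPMap-In dir=in action=allow `
    service=rpcss protocol=TCP localport=RPC-EPMap remoteip=$clients `
    profile=domain enable=yes

# 4. Verify the rule as stored, and check which dynamic port range "RPC" maps to.
netsh advfirewall firewall show rule name=DCOM-DynamicRPC-In verbose
netsh int ipv4 show dynamicport tcp
```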
Author Comment

by:CAMTEC_SPRL
ID: 36497027
Hi Crower
Thanks for your reply

As per your proposal I added the rule.
To summarize, the RULE I set up:
OPEN RPC Dynamic Port, TCP, for DOMAIN, all Remote PORT, Remote IP = 10.148.0.1/15 (our Domain IP range)

I also disabled the two predefined rules that I had turned ON for testing previously
- COM+ Network Access (DCOM-In)
- COM+ Remote Administrator (DCOM-In)

and it works - with only this added rule.
Thank you!!!

Any advice to set up the rule more restrictively? And any comment on the predefined COM+ rules that Microsoft proposes?

I accept your answer as the solution
Regards
Phm