Overview: RPC requires the following ports to function properly:

  • RPC TCP 135
  • RPC randomly allocated high TCP ports¹ TCP 1024 – 5000 | 49152 – 65535²
  • SMB (RPC dependency) TCP 445

Troubleshooting Sequence:

Use wbemtest to perform layer-7 validation of RPC functionality:
Run > Start > wbemtest.exe > click Connect > Input the value for Server Name in this format: {serverName}\root\cimv2 > Connect

Alternatively, we can also use Perfmon for this validation:
Run > Start > perfmon.exe > press Enter > right-click Performance node > click on “Connect to another computer…” > input {serverName} > OK. If there is no connectivity error, we may generalize that WMI access over RPC works from this client to the remote server.

Another useful tool from Sysinternals:
RDP or VNC into target Server > click on Run > Start > tcpview.exe > press Enter > sort “Local Port” numerically to locate connections on the RPC port numbers cited previously

Test connectivity to the server at a specified port using the psping utility. Below is a true-positive result:
C:\WINDOWS>psping {serverName}:135
TCP connect to ::1:135:
5 iterations (warmup 1) ping test:
Connecting to ::1:135 (warmup): from ::1:7496: 0.26ms
Connecting to ::1:135: from ::1:7497: 0.35ms
Connecting to ::1:135: from ::1:7498: 0.27ms
Connecting to ::1:135: from ::1:7499: 0.31ms

Configure Server’s Windows Firewall to allow RPC services:

Set Windows Firewall to allow some static ports:
netsh advfirewall firewall add rule name="RPC" dir=in action=allow protocol=tcp localport=135
netsh advfirewall firewall add rule name="SMB" dir=in action=allow protocol=tcp localport=445

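Set the dynamic port range that Windows allocates RPC ports from. Here num is the number of ports (not the end port), the lowest start port netsh accepts is 1025, and only one range is active at a time, so run the command for the range you want:
netsh int ipv4 set dynamicport tcp start=1025 num=3976
netsh int ipv4 set dynamicport tcp start=49152 num=16384
Verify the active range:
netsh int ipv4 show dynamicport tcp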

Alternative method: use PowerShell commands to open the appropriate ports:
New-NetFirewallRule -DisplayName "RPC" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135
New-NetFirewallRule -DisplayName "SMB" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445
# The dynamic ranges are opened with firewall rules too (New-NetTransportFilter configures TCP settings and does not open ports)
New-NetFirewallRule -DisplayName "RPC-Dynamic-Range1" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1024-5000
New-NetFirewallRule -DisplayName "RPC-Dynamic-Range2" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 49152-65535
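
A narrower variant of the inbound rules, as an added example that is not part of the original page: it uses the Windows Firewall port keywords RPCEPMap and RPC instead of opening the whole high-port ranges, and limits the source to the client subnet. The subnet 10.0.50.0/24, the rule names and the group label are placeholders chosen for this example.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session on the server.
# ASSUMPTION: 10.0.50.0/24 is a placeholder for the subnet your RPC/WMI clients connect from.
$clients = '10.0.50.0/24'
$group   = 'RPC-Scoped-Example'   # hypothetical group label, used to find the rules again

# RPCEPMap = the endpoint mapper (TCP 135); RPC = only the ports RPC has dynamically
# allocated, rather than every port in 1024-5000 / 49152-65535.
$rules = @(
    @{ DisplayName = 'RPC Endpoint Mapper (scoped)'; LocalPort = 'RPCEPMap' },
    @{ DisplayName = 'RPC Dynamic Ports (scoped)';   LocalPort = 'RPC' },
    @{ DisplayName = 'SMB (scoped)';                 LocalPort = '445' }
)

foreach ($r in $rules) {
    New-NetFirewallRule @r -Group $group -Direction Inbound -Action Allow `
        -Protocol TCP -RemoteAddress $clients | Out-Null
}

# Read the rules back to confirm what is actually allowed, and from where.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize

# Cleanup when testing is finished:
# Remove-NetFirewallRule -Group $group
```

If both these rules and the broad range rules exist, the broad ones still allow the traffic, so keep only one set.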

So far, these instructions cover only the SysAdmin side. On the Network Admin side, enterprise firewalls need to allow ingress traffic on the aforementioned ports to the target host. Most likely, egress traffic is already unfiltered from the zone where the target server resides toward the zone(s) where its clients exist.