How to configure MS DTC through a firewall
If you are using TransactionScope to handle your transactions, the ambient transactions you open with TransactionScope will be enlisted in the Distributed Transaction Coordinator (DTC). For the transaction to run, a DTC (Microsoft's or another vendor's) must exist on every machine that participates in the transaction, and the participants must be able to talk to each other through the firewall.
The DTC needs several things in order to communicate:
- the participants must be able to resolve each other's names by DNS or NetBIOS (from both sides)
- the participants must be able to communicate through port 135 (the RPC Endpoint Mapper port used for the handshake)
- the participants must be able to dynamically assign at least one port for the data exchange (by default in the 1024-65535 range)
- RPC and DTC must exist on all participants
First ensure that all of the participants can resolve each other's names by using the ping command; if they can't, add entries to the LMHOSTS file so that names resolve successfully.
Communication between the participants begins with the originating DTC negotiating with the destination DTC through port 135: authentication takes place there, and the two sides agree on which port the actual exchange of transaction data will occur. That port is randomly assigned in the 1024-65535 range, which means the firewall must allow all of those ports in both directions for the DTC to work properly, which of course blows the heads off of the IT security guys.
Lucky for the IT security guys, you can control the port range used for dynamic assignment through a few registry values. The settings are controlled by the Ports, PortsInternetAvailable and UseInternetPorts values under the "HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc" path. When limiting the port range, Microsoft recommends using ports 5000 and above and assigning a minimum of 20 ports. However, you should assign a minimum of 100 ports, since RPC is used by other processes as well as by the DTC.
So, for example, to limit the port range to ports 20000-21000, do the following under the Rpc path above:
- Add key Name: "Internet"
- Add value Name: "Ports", Type: "REG_MULTI_SZ" (Multistring), Data: "20000-21000"
- Add value Name: "PortsInternetAvailable", Type: "REG_SZ" (String), Data: "Y"
- Add value Name: "UseInternetPorts", Type: "REG_SZ" (String), Data: "Y"
Then all you have to do is adjust your firewall settings to match the range above:
- Allow inbound and outbound traffic to port 135
- Allow inbound and outbound traffic to the port range 20000-21000
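The registry and firewall steps above, collected into one PowerShell script as an added example (this is not code from the original post). It assumes an elevated session on a Windows version that ships the NetSecurity module (`New-NetFirewallRule`, Windows 8 / Server 2012 or later), uses the same 20000-21000 range as the post, and the firewall rule display names are labels chosen here. Run it on every DTC participant and reboot afterwards, since RPC reads the port range only at startup.

```powershell
# Added example: restrict the RPC dynamic port range used by MS DTC and open
# matching Windows Firewall rules. Values mirror the post (Internet key under
# Rpc, Ports as REG_MULTI_SZ, the two flags as REG_SZ "Y").
# Requires an elevated PowerShell session; a reboot is needed before the new
# RPC port range takes effect.

$PortRange   = '20000-21000'                       # range from the post; adjust per environment
$RpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# 1. Create the Internet key under Rpc if it does not exist yet.
if (-not (Test-Path $RpcInternet)) {
    New-Item -Path $RpcInternet -Force | Out-Null
}

# 2. Ports is REG_MULTI_SZ (one string per range), so pass an array.
New-ItemProperty -Path $RpcInternet -Name 'Ports' -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $RpcInternet -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcInternet -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# 3. Firewall rules matching the post: endpoint mapper (135) plus the restricted
#    range, inbound and outbound, TCP only. Inbound rules filter on the local
#    port; outbound rules filter on the remote port, because an outbound
#    connection to the partner DTC targets the partner's 135 / dynamic port.
#    Rule names are arbitrary labels chosen for this example.
$rules = @(
    @{ Name = 'MSDTC RPC Endpoint Mapper (in)';  Direction = 'Inbound';  Port = 135 },
    @{ Name = 'MSDTC RPC Endpoint Mapper (out)'; Direction = 'Outbound'; Port = 135 },
    @{ Name = 'MSDTC RPC Dynamic Range (in)';    Direction = 'Inbound';  Port = $PortRange },
    @{ Name = 'MSDTC RPC Dynamic Range (out)';   Direction = 'Outbound'; Port = $PortRange }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    if ($r.Direction -eq 'Inbound') {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound  -Protocol TCP -LocalPort  $r.Port -Action Allow | Out-Null
    } else {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Protocol TCP -RemotePort $r.Port -Action Allow | Out-Null
    }
}

# 4. Read back what was written so the change can be checked before rebooting.
Get-ItemProperty -Path $RpcInternet | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

To keep the opening as narrow as the post intends, add `-RemoteAddress` with the partner DTC hosts' addresses to each `New-NetFirewallRule` call so that only the participating machines can reach port 135 and the 20000-21000 range, rather than any host on the network.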
That's it: you should be able to run your distributed transactions, and if you need more detailed instructions you can find them in KB 250367.