Deployment Scanner for Enterprise Vault fails: Windows firewall is preventing DCOM requests

Article ID: 100023066

Description

Error Message

The Deployment Scanner fails with one of the following error messages:

The Windows Firewall is preventing DCOM activation on the RPC Endpoint Mapper Port (TCP Port 135). This port must be unblocked in the Windows Firewall settings for DCOM to work correctly.

The Windows Firewall is preventing DCOM requests on the RPC Dynamic Ports. These ports must be unblocked in the Windows Firewall settings for DCOM to work correctly.

 

IMPORTANT: Do not edit this content in Information Manager

Internal Notes

 

The content of this document is referenced in the Deployment Scanner. Do not make changes to this article. If you would like changes to be made to this content, use the Information Manager feedback feature. Alternatively, you can send e-mail to the owner or the Enterprise Vault Knowledge Management team.

Resolution

Enterprise Vault requires access to the Enterprise Vault server using the DCOM protocol. Firewalls protecting the server must be configured to allow access to the Enterprise Vault server through one of the following:

Allow access through the RPC Endpoint Mapper Port (TCP port 135)

To configure the Windows Firewall:

  • Windows 2008 R2

    Run the following command from a Command Prompt as a local administrator:

    netsh advfirewall firewall add rule name="RPC Activation Port" dir=in protocol=tcp action=allow localport=135 remoteip=localsubnet profile=DOMAIN

  • Windows 2012 or 2012 R2

    Run the following command from a PowerShell console as a local administrator:

    New-NetFirewallRule -Name "EnterpriseVault-DCOM-Activation" -Description "Inbound rule for Enterprise Vault to allow remote DCOM activation via RPCSS service" -DisplayName "Enterprise Vault DCOM activation" -Enabled:True -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap -Service RPCSS

If you are using a different software firewall or a hardware firewall, refer to its documentation for information about how to allow access to TCP port 135 on the local subnet.

Allow access through the RPC Dynamic Ports

To configure the Windows Firewall:

  • Windows 2008 R2

    Before you configure the firewall, use the following command to determine the range of dynamic ports available:

    netsh int ipv4 show dynamicport tcp

    The range of ports is displayed, for example:

    Protocol tcp Dynamic Port Range
    -------------------------------
    Start Port : 1025
    Number of Ports : 64510

    To configure the firewall, run the following command from a Command Prompt as a local administrator:

    netsh advfirewall firewall add rule name=RPC dir=in protocol=tcp action=allow localport=x-y remoteip=localsubnet profile=DOMAIN

    where x and y are the start and end port of the range.

  • Windows 2012 or 2012 R2

    Run the following command from a PowerShell console as a local administrator:

    New-NetFirewallRule -Name "EnterpriseVault-DCOM-Call" -Description "Inbound rule to allow remote DCOM calls to Enterprise Vault services" -DisplayName "Enterprise Vault DCOM calls" -Enabled:True -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC

These commands open all the Dynamic RPC ports on the server. You can restrict the range of ports that are opened but, if you limit this too much, it will affect the performance of Enterprise Vault. For more information see https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls.

If you are using a different software firewall or a hardware firewall, refer to its documentation for information about how to allow access on the local subnet to the range of ports shown by the netsh command.
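The netsh output above reports a start port and a number of ports, while the firewall rule needs a start and end port, so the end port has to be computed as start + number of ports - 1. The following PowerShell sketch is an added example, not part of the original article or of Enterprise Vault: it parses that output and builds the rule command with the x-y value filled in. It assumes English-language netsh output, and Get-DynamicPortRange is a hypothetical helper name.

```powershell
# Added example: derive the x-y value for the Windows 2008 R2 netsh rule.
# Assumption: netsh output is in English. Get-DynamicPortRange is a hypothetical helper.
function Get-DynamicPortRange {
    param([string[]]$NetshOutput)

    $text = $NetshOutput -join "`n"

    if ($text -match 'Start Port\s*:\s*(\d+)') {
        $start = [int]$Matches[1]
    } else {
        throw 'Start Port not found in netsh output.'
    }

    if ($text -match 'Number of Ports\s*:\s*(\d+)') {
        $count = [int]$Matches[1]
    } else {
        throw 'Number of Ports not found in netsh output.'
    }

    # The range is inclusive, so the last port is start + count - 1.
    $end = $start + $count - 1
    if ($count -lt 1 -or $end -gt 65535) {
        throw "Implausible dynamic port range: $start-$end"
    }

    New-Object PSObject -Property @{ Start = $start; End = $end; LocalPort = "$start-$end" }
}

# Sample input: the example output shown in this article.
$sample = @(
    'Protocol tcp Dynamic Port Range',
    '-------------------------------',
    'Start Port : 1025',
    'Number of Ports : 64510'
)
$range = Get-DynamicPortRange -NetshOutput $sample

# On the server itself, feed the live output instead of the sample:
# $range = Get-DynamicPortRange -NetshOutput (netsh int ipv4 show dynamicport tcp)

# Build the rule command from the article with the computed range and print it
# for review before running it from an elevated Command Prompt.
$command = 'netsh advfirewall firewall add rule name=RPC dir=in protocol=tcp action=allow ' +
           "localport=$($range.LocalPort) remoteip=localsubnet profile=DOMAIN"
Write-Output $command
```

After adding the rule, `netsh advfirewall firewall show rule name=RPC` displays what was created, so you can confirm the port range, remote scope and profile match what you intended.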

Issue/Introduction

The Enterprise Vault Deployment Scanner fails with a message that the Windows firewall is preventing DCOM requests, even if you have disabled the firewall.