ServiceNow Discovery - MID Server RPC calls port 1024 and up and firewall blocking

Go to solution
Kyle Scharkopf
Tera Guru

‎08-03-2022 09:01 AM

When it comes to Discovery, I understand that the MID Server initiates a connection on port 135 and randomly pics a port in that range to communicate on - Has anyone ever had a situation to where they had to work around that requirement due to security and/or Firewall requirements?   I also know that the ACC-V could solve that as well but there will still be a need to put in Service Mapping which would require native Discovery to be able to run. 
 
Thank you for your input! 
0 Helpfuls
  • 1,729 Views
1 ACCEPTED SOLUTION

Go to solution
Jim Palmer
ServiceNow Employee
ServiceNow Employee

‎08-07-2022 03:18 PM

Kyle,

Depending on the version of Windows you are connecting to the range differs. Earlier versions of Windows used a default port range of 1025 through 5000, newer versions 49152 to 65535.

see: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang

Depending on your organisation's policies you can try either of the solutions suggested previously (restrict port range on the target, or just skip it entirely and use WinRm). Though I have experienced that some firewalls do support WMI dynamic port allocation as an option (it was either Juniper or Cisco or both). Even Microsoft mentions it here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls

"Some firewalls also allow for UUID filtering where it learns from an RPC Endpoint Mapper request for an RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass."

So talk to your firewall team, it might be a very simple answer.

View solution in original post

0 Helpfuls
3 REPLIES 3

Go to solution
Appli
Mega Sage
Mega Sage

‎08-03-2022 11:52 PM

Hi, indeed, network team may be against opening ~4k ports on the firewall to allow communication over the whole range; consider to restrict RPC dynamic port range to a smaller, more manageable range. 

Placing MID server to the same network segment (behind the firewall) with target server should eliminate the challenge.

Hope it helps.

Hope it helps

Go to solution
doug_schulze
ServiceNow Employee
ServiceNow Employee

‎08-05-2022 03:32 PM

You might consider using WinRM

Go to solution
Jim Palmer
ServiceNow Employee
ServiceNow Employee

‎08-07-2022 03:18 PM

Kyle,

Depending on the version of Windows you are connecting to the range differs. Earlier versions of Windows used a default port range of 1025 through 5000, newer versions 49152 to 65535.

see: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang

Depending on your organisation's policies you can try either of the solutions suggested previously (restrict port range on the target, or just skip it entirely and use WinRm). Though I have experienced that some firewalls do support WMI dynamic port allocation as an option (it was either Juniper or Cisco or both). Even Microsoft mentions it here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls

"Some firewalls also allow for UUID filtering where it learns from an RPC Endpoint Mapper request for an RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass."

So talk to your firewall team, it might be a very simple answer.

0 Helpfuls