ServiceNow Discovery - MID Server RPC calls port 1024 and up and firewall blocking

Kyle Scharkopf
Tera Guru
When it comes to Discovery, I understand that the MID Server initiates a connection on port 135 and randomly picks a port in that range to communicate on. Has anyone ever had a situation where they had to work around that requirement due to security and/or firewall requirements? I also know that the ACC-V could solve that as well, but there will still be a need to put in Service Mapping, which would require native Discovery to be able to run.
 
Thank you for your input! 
1 ACCEPTED SOLUTION

Jim Palmer
ServiceNow Employee

Kyle,

Depending on the version of Windows you are connecting to the range differs. Earlier versions of Windows used a default port range of 1025 through 5000, newer versions 49152 to 65535.

see: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang

Depending on your organisation's policies you can try either of the solutions suggested previously (restrict the port range on the target, or just skip it entirely and use WinRM). Though I have experienced that some firewalls do support WMI dynamic port allocation as an option (it was either Juniper or Cisco or both). Even Microsoft mentions it here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls

"Some firewalls also allow for UUID filtering where it learns from an RPC Endpoint Mapper request for an RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass."

So talk to your firewall team, it might be a very simple answer.

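The "restrict the port range on the target" option from the accepted answer, worked through as an added example (not code from the thread or from ServiceNow). It is PowerShell to be run elevated on the Windows target being discovered: it reports the current dynamic range, narrows it, pins the ports the RPC runtime hands out through the Endpoint Mapper (the HKLM\SOFTWARE\Microsoft\Rpc\Internet keys from the Microsoft article linked above), and adds host-firewall rules for TCP 135 plus that range. The port range, the MID Server address and the rule names are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Run elevated on the Windows target.
# Without -Apply it only reports; with -Apply it changes the host.
# Assumed values: 50000-50499 as the range, 10.0.0.25 as the MID Server.
param(
    [int]$StartPort = 50000,
    [int]$NumberOfPorts = 500,   # Windows requires at least 255 ports in the dynamic range
    [string]$MidServer = '10.0.0.25',
    [switch]$Apply
)

$endPort = $StartPort + $NumberOfPorts - 1

Write-Host "Current TCP dynamic port ranges:"
netsh int ipv4 show dynamicport tcp
netsh int ipv6 show dynamicport tcp

if (-not $Apply) {
    Write-Host "`nRe-run with -Apply to restrict to TCP $StartPort-$endPort."
    return
}

# 1. Narrow the ephemeral port pool used by the whole TCP stack. This affects
#    every application that binds port 0 (outbound connections included), so
#    the range must still cover the host's normal connection load.
netsh int ipv4 set dynamicport tcp start=$StartPort num=$NumberOfPorts | Out-Null
netsh int ipv6 set dynamicport tcp start=$StartPort num=$NumberOfPorts | Out-Null

# 2. Make the RPC runtime allocate server endpoints only from this range.
#    DCOM/WMI servers register their endpoints here; this is the port the
#    MID Server is told to use after its lookup on TCP 135.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$StartPort-$endPort") -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# 3. Host firewall: allow the Endpoint Mapper and the pinned range, and only
#    from the MID Server, so the narrowed range is not open to the world.
New-NetFirewallRule -DisplayName 'Discovery RPC Endpoint Mapper' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $MidServer -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Discovery RPC dynamic range' -Direction Inbound `
    -Protocol TCP -LocalPort "$StartPort-$endPort" -RemoteAddress $MidServer -Action Allow | Out-Null

Write-Host "Restricted to TCP $StartPort-$endPort from $MidServer."
Write-Host "The Rpc\Internet change takes effect after a reboot."
```

The netsh change and the Rpc\Internet keys are two different knobs: netsh limits what the TCP stack hands out to any caller, while the registry keys limit what RPC servers advertise through the Endpoint Mapper, which is the port the MID Server actually connects to. Setting both keeps the range the network firewall has to allow small and consistent; the RPC registry change needs a reboot before it applies.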

3 REPLIES

Appli
Mega Sage

Hi, indeed, the network team may be against opening ~4k ports on the firewall to allow communication over the whole range; consider restricting the RPC dynamic port range to a smaller, more manageable range.

Placing the MID Server in the same network segment (behind the firewall) as the target server should eliminate the challenge.

Hope it helps.

doug_schulze
ServiceNow Employee

You might consider using WinRM
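A check a practitioner would want before choosing between the two approaches in this thread (DCOM/WMI over TCP 135 plus the dynamic range, or WinRM), added here as an example that is not part of the original thread and not ServiceNow's own tooling. Run it from the MID Server host, with the credential Discovery uses, against a target whose hostname here is an assumption. It tests reachability of the listener ports and then runs one real WMI query over each CIM protocol, so a DCOM failure while TCP 135 is open points at the dynamic-range port being blocked in between.

```powershell
# Added example, not from the thread. Run on the MID Server host as the
# Discovery account. 'win-app01.example.internal' is an assumed target.
param(
    [string]$Target = 'win-app01.example.internal',
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

function Test-DiscoveryTransport {
    param([string]$ComputerName, [pscredential]$Credential)

    $result = [ordered]@{}

    # Listener ports the MID Server hits first: 135 for the RPC Endpoint
    # Mapper (classic WMI), 5985/5986 for WinRM over HTTP/HTTPS.
    foreach ($port in 135, 5985, 5986) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result["tcp/$port"] = $tcp.TcpTestSucceeded
    }

    # A real WMI query over each protocol. Dcom needs 135 and the follow-up
    # dynamic port; Wsman only needs the WinRM port.
    foreach ($protocol in 'Dcom', 'Wsman') {
        try {
            $opt = New-CimSessionOption -Protocol $protocol
            $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                -SessionOption $opt -ErrorAction Stop
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            $result["wmi/$protocol"] = "ok ($($os.Caption))"
            Remove-CimSession $session
        } catch {
            # tcp/135 open but wmi/Dcom failing here is the signature of a
            # firewall dropping the dynamically assigned RPC port.
            $result["wmi/$protocol"] = "failed: $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$result
}

Test-DiscoveryTransport -ComputerName $Target -Credential $Credential | Format-List
```

If wmi/Wsman succeeds while wmi/Dcom fails, the WinRM route suggested here works without any dynamic-range firewall change; if both fail, the problem is credentials or the listener itself rather than the RPC port range.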
