DCOM port restrictions - "Intranet vs. Internet"
Hello, I am trying to have our firewall team open ports to allow a restricted set of DCOM ports to our firewalled servers so that I can run remote WMI PowerShell queries from our management server. I found the information about setting the ports in DCOMCFG, but everything I found mentions using the "Internet" radio button when setting the ports instead of the "Intranet" radio button. I am just curious as to what the difference is. I am guessing that "Internet" means only apply this port restriction to addresses off-net (aka devices on the other side of the firewall). So if the server is on 10.10.190 and another device on 10.10.190 tries to talk WMI with it, it is not affected by the port restriction. But if a device on 10.10.180 (the management server, on the other side of the firewall) tries to talk WMI with it, it would be affected by the port restriction. Is this correct? If not, could someone explain what it does mean? Thanks, NK
June 4th, 2012 3:28pm

Hi NK, Thanks for posting here. May I know the topology we have here? According to your description, it seems this firewall is connected to both subnets and we are attempting to enable exceptions on it in order to allow the remote WMI PowerShell query traffic to pass through it. If I misunderstand, please let me know.

---(Subnet1)---Firewall---(Subnet2)---

> I am just curious as to what the difference is.

Usually a firewall has two network interface types in order to identify traffic: internal and external facing. And we need to set inbound and outbound rules on each interface in order to specify how the traffic will be allowed to go. For example, subnet1 is the internal and subnet2 is the external, and if we want to allow the hosts on subnet1 to access the hosts on subnet2, then we need to set both the inbound rule of the internal interface and the outbound rule of the external interface to bypass the DCOM ports by setting exceptions. And yes, if the hosts are all on the same subnet, then the traffic should not be affected by the firewall device that connects both subnets. And could you show us your topology here?

Understanding Firewall Rules http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx

Regards, Tiger Li, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Tiger Li, TechNet Community Support
June 4th, 2012 10:45pm

Thanks for the response. We are using a 3rd party physical firewall. So we are not using Windows firewall. Nelson
June 5th, 2012 9:55am

Hi Nelson, Thanks for the update. All firewall devices work in the same way, so may I know what firewall we are using now and the topology? Basically we need to modify both inbound and outbound rules on both internal and external facing interfaces in order to allow hosts on each subnet to manage each other remotely by going through this firewall device. For how to configure this third-party firewall device, I'd suggest consulting their support service to acquire the method.

Regards, Tiger Li, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Tiger Li, TechNet Community Support
June 5th, 2012 9:19pm

Thanks Tiger. I think you are misunderstanding my question. I already have the firewall rules set up. Everything is working. I am able to use Get-WMIObject from my management machine to the remote machine behind the firewall. To get this to work, I had to set up a port restriction for DCOM on the remote machine (in addition to setting up the firewall rules). This is described here: http://support.microsoft.com/kb/300083 Again, everything is working. My question is: What is the difference between the "Internet" and "Intranet" settings when setting up that port restriction on the remote machine (not the firewall)? In that article, they tell you to use "Internet"... why? Why Internet and not Intranet? What is the difference between these two settings? NK
June 6th, 2012 10:07am

Hi, Thanks for clarifying.

> Why Internet and not Intranet?

This is about the definition; take a look at the KB article below, which gives an explanation:

Ports (REG_MULTI_SZ): Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by 5984, and a set of ports may be represented by 5000-5100. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.

PortsInternetAvailable (REG_SZ): Y or N (not case-sensitive). If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.

UseInternetPorts (REG_SZ): Y or N (not case-sensitive). Specifies the system default policy. If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. If N, the processes using the default will be assigned ports from the set of intranet-only ports.

How to configure RPC dynamic port allocation to work with firewalls http://support.microsoft.com/kb/154596

Tiger Li, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Tiger Li, TechNet Community Support
June 6th, 2012 10:10pm

Thanks. I guess I don't know what "set of Internet-available ports" means. NK
June 7th, 2012 10:01am

Hi NK, Thanks for the update. The set of available ports means the port range we defined in the port ranges previously:

Ports (REG_MULTI_SZ): Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet.

I think Intranet means the local subnet, the same IP segment where the local host is located; Internet means other external subnets, not the local one, connected by a router or other layer-3 devices:

Chapter 4 Subnetting http://technet.microsoft.com/en-us/library/bb726997.aspx

Regards, Tiger Li, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Tiger Li, TechNet Community Support
June 7th, 2012 10:28pm
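An added example, not part of the thread, for auditing the RPC port restriction described in the two replies above on the firewalled server and then probing it from the management server. The registry key path HKLM:\SOFTWARE\Microsoft\Rpc\Internet is the one KB 154596 documents; the hostname SERVER01 is a placeholder.

```powershell
# Added example (not from the thread): inspect and validate the RPC "Internet" port
# settings that KB 154596 / DCOMCNFG write, then probe the DCOM endpoint mapper.
# Assumes the documented key HKLM:\SOFTWARE\Microsoft\Rpc\Internet; run elevated.

function Test-RpcPortEntries {
    # Applies the KB rules: each entry is "N" or "N-M", all within 0-65535;
    # one bad entry makes the RPC runtime treat the whole configuration as invalid.
    param([string[]]$Entries)
    $ranges = @()
    foreach ($e in $Entries) {
        if ($e -match '^(\d{1,5})(?:-(\d{1,5}))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($hi -gt 65535 -or $lo -gt $hi) {
                throw "Entry '$e' is outside 0-65535 or reversed; RPC rejects the whole configuration"
            }
            $ranges += [pscustomobject]@{ Low = $lo; High = $hi }
        } else {
            throw "Entry '$e' cannot be parsed; RPC rejects the whole configuration"
        }
    }
    return $ranges
}

function Get-RpcInternetPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) {
        Write-Warning 'No Rpc\Internet key: DCOM uses the default dynamic port range'
        return
    }
    $v = Get-ItemProperty -Path $key
    $ranges = Test-RpcPortEntries -Entries $v.Ports
    # PortsInternetAvailable=Y: the Ports list IS the Internet-available set.
    # UseInternetPorts=Y: the system default (DCOM/WMI included) draws from that set.
    [pscustomobject]@{
        Ranges                 = ($ranges | ForEach-Object { "$($_.Low)-$($_.High)" }) -join ','
        PortsInternetAvailable = $v.PortsInternetAvailable
        UseInternetPorts       = $v.UseInternetPorts
        DcomUsesListedPorts    = ($v.PortsInternetAvailable -eq 'Y' -and $v.UseInternetPorts -eq 'Y')
    }
}

Get-RpcInternetPolicy   # run this part on the firewalled server itself

# From the management server: TCP 135 (endpoint mapper) plus the listed range must
# be allowed through the firewall for Get-WmiObject to reach the remote host.
$target = 'SERVER01'   # placeholder hostname, not from the thread
Test-NetConnection -ComputerName $target -Port 135
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target | Select-Object CSName, Caption
```

If DcomUsesListedPorts is false, the firewall's DCOM rule must cover the whole dynamic range rather than the listed one, which is why the KB and the thread use "Internet" for both radio button and policy.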


Thank you. I believe that matches what I was thinking too. NK
June 8th, 2012 9:45am
