Configure Windows Firewall Settings

For the servers to communicate, the appropriate firewall ports must be open on the gateway server so that inbound RPC/DCOM traffic can reach it. These ports may already be open or may need to be opened.

On the AnyCAGateway DCOM server:

  1. Determine the current dynamic (ephemeral) TCP port range, which is the range the RPC rule must cover, by opening an administrative command prompt and running the following command:

    netsh interface ipv4 show dynamic protocol=tcp

    The output from this command should look like this:

    Protocol tcp Dynamic Port Range
    ---------------------------------
    Start Port: 49152
    Number of Ports: 16384
  2. If the firewall does not already allow inbound TCP connections on this range, it needs to be opened to allow RPC communication via TCP. Keyfactor provides a PowerShell script for this purpose (see Appendix - Firewall Rules Script). Note that the rule must match the range actually reported in step 1; the values shown above are the Windows defaults and may have been changed on a given server.
  3. After running the firewall script to open the ports, check the firewall rules to confirm that the new Keyfactor rule has been added by opening an administrative command prompt and running the following command:

    wf.msc

  4. Click Inbound Rules and verify that the new rule—Keyfactor CA AnyGateway RPC-IN—exists and is enabled. Verify that the existing rule—COM+ Network Access (DCOM-In)—is enabled.
Figure 730: Firewall Rules
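The manual checks in steps 1 through 4 can be scripted so that the result is repeatable and can be run again after the dynamic range or the rule set changes. The following PowerShell is an added example for this page; it is not the Keyfactor Appendix script and does not reproduce it. It reads the dynamic TCP range exactly as the netsh step does, confirms that an enabled inbound TCP allow rule with the name the page gives (Keyfactor CA AnyGateway RPC-IN) covers the whole range, confirms that COM+ Network Access (DCOM-In) is enabled, and, only when -CreateIfMissing is passed, creates a rule of that shape. The Domain profile and the option to restrict RemoteAddress to the Keyfactor Command server(s) are the example's own assumptions, not requirements stated on the page.

```powershell
# Added example (not Keyfactor's Appendix script): verify the firewall state
# described on this page on the AnyCAGateway DCOM server. Run elevated.
[CmdletBinding()]
param(
    # Rule name the page says the Keyfactor script creates.
    [string]$RuleName = 'Keyfactor CA AnyGateway RPC-IN',
    # Built-in rule the page says must be enabled.
    [string]$DcomRuleName = 'COM+ Network Access (DCOM-In)',
    # Assumption: restricting this to the Keyfactor Command server(s) is a
    # least-privilege hardening choice; 'Any' matches the page's wording.
    [string[]]$RemoteAddress = @('Any'),
    # Assumption: create the rule only when explicitly asked to.
    [switch]$CreateIfMissing
)

# Step 1: read the dynamic (ephemeral) TCP range from the same netsh output
# the page shows, rather than assuming the 49152/16384 defaults.
function Get-DynamicTcpRange {
    $out   = netsh interface ipv4 show dynamic protocol=tcp
    $start = ($out | Select-String 'Start Port\s*:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    $count = ($out | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    if (-not $start -or -not $count) { throw 'Could not parse netsh dynamic port output.' }
    [pscustomobject]@{ Start = [int]$start; End = [int]$start + [int]$count - 1 }
}

# Steps 3-4: does an enabled, inbound, allow, TCP rule with this name cover
# the full range? A rule that covers only part of the range does not count.
function Test-InboundTcpRuleCoversRange {
    param([string]$DisplayName, [int]$Start, [int]$End)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    if ($rule.Enabled -ne 'True' -or $rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow') { return $false }
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { return $false }
    foreach ($p in @($pf.LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Start -and [int]$Matches[2] -ge $End) { return $true }
    }
    return $false
}

$range = Get-DynamicTcpRange
Write-Host ("Dynamic TCP range: {0}-{1}" -f $range.Start, $range.End)

if (Test-InboundTcpRuleCoversRange -DisplayName $RuleName -Start $range.Start -End $range.End) {
    Write-Host "OK: '$RuleName' is enabled and covers the dynamic range."
}
elseif ($CreateIfMissing) {
    # Assumption: Domain profile only; the page does not specify a profile.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort ("{0}-{1}" -f $range.Start, $range.End) `
        -RemoteAddress $RemoteAddress -Profile Domain | Out-Null
    Write-Host "Created '$RuleName' for TCP $($range.Start)-$($range.End)."
}
else {
    Write-Warning "'$RuleName' is missing, disabled, or does not cover TCP $($range.Start)-$($range.End). Run the Keyfactor firewall script, or re-run with -CreateIfMissing."
}

# Step 4, second check: the built-in DCOM rule (TCP 135 endpoint mapper) must be enabled.
$dcom = Get-NetFirewallRule -DisplayName $DcomRuleName -ErrorAction SilentlyContinue
if ($dcom -and $dcom.Enabled -eq 'True') {
    Write-Host "OK: '$DcomRuleName' is enabled."
} else {
    Write-Warning "'$DcomRuleName' is missing or disabled; enable it in wf.msc or with Enable-NetFirewallRule."
}
```

Because the rule stores a fixed port range rather than following the server's dynamic range, re-run the check after any `netsh interface ipv4 set dynamic` change. If the gateway is reachable only from known Keyfactor Command hosts, passing those addresses in -RemoteAddress keeps the RPC range from being exposed to the rest of the network.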