
I'm trying to run the following, to reset IIS on a remote machine.

IISReset <remoteMachine>

If I disable the domain firewall, everything works fine. With the firewall enabled, I get

The RPC server is unavailable.

Initially I tried enabling Remote Administration (RPC-EPMAP) and any other rules that looked even tenuously related. Then I tried enabling all the predefined rules, but with no success.

Uwe L. Korn
Rob

3 Answers


You might try the following command lines to add inbound rules to the firewall on the web server:

netsh advfirewall firewall add rule name="Remote IIS inetinfo" dir=in action=allow description="Remote IIS Service Managment" program="%systemroot%\System32\inetsrv\inetinfo.exe" enable=yes

netsh advfirewall firewall add rule name="COM+ Remote Administration (All Programs)" dir=in action=allow description="" program="%windir%\system32\dllhost.exe" enable=yes localport=RPC protocol=tcp

I've had to use those to solve WMI/RPC issues when trying to access IIS services. Errors like:

Creating an instance of the COM component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from the IClassFactory failed due to the following error: 800706ba.
Greg Bray
  • I do not think you need the first firewall rule ("Remote IIS inetinfo"), at least in my testing for Windows Server 2008R2/2012R2/2016. In addition, for your second rule ("COM+ Remote Administration (All Programs)") it's unclear if it should be limited to just dllhost.exe. I have added a new answer that utilizes yours as a starting point. – aolszowka May 16 '19 at 16:44

135/tcp is only the port-mapper. It is used to negotiate a second connection that runs on a high port (49152-65535/tcp in Server 2008), so you need to allow the port for that connection too. To facilitate firewall traversal, it's possible to lock the port.

Ansgar Wiechers

The root cause, as others have identified, is that IISReset requires RPC, and in newer versions of Windows the required ports are blocked by default (which is a good thing).

You need to open up two sets of ports:

  1. 135/tcp - This is the port-mapper, as others have mentioned. It negotiates a port in the RPC Dynamic Port Range to communicate on.
  2. RPC Dynamic Port Range - This is the range of ports, negotiated above, that is used to perform the tasks. I was unable to find any documentation that is still active for this range. As @Ansgar Wiechers mentions, this is a high port and changed in Windows Server 2008. I suspect that this change in behavior is why the documentation (https://support.microsoft.com/en-us/help/217351, formerly Microsoft KB217351, "DCOM port range configuration problems") has been removed.

If you use Windows Firewall, it provides a mnemonic to open the port range. @Greg Bray's answer is close to correct, but it opens communication to inetinfo.exe, which as far as I can tell was not needed.

The following works for us:

netsh advfirewall firewall add rule name="COM+ (DCOM-In) Port Mapper" dir=in action=allow description="Allow Communication to the DCOM Service Control Manager" enable=yes localport=135 protocol=tcp remoteip=x.x.x.x

netsh advfirewall firewall add rule name="COM+ (DCOM-In) Dynamic Port Range" dir=in action=allow description="Allow DCOM Communication" enable=yes localport=RPC protocol=tcp remoteip=x.x.x.x

I will explain each section of the above commands:

  • netsh advfirewall firewall add rule
    • We are going to add a rule to the Windows Firewall
  • name="xxx"
    • Name of this rule; Customize as you see fit
  • dir=in
    • This is an incoming rule
  • action=allow
    • We are going to allow communication
  • description="xxx"
    • A Description; Customize as you see fit.
  • enable=yes
    • We want to enable these rules
  • localport=135
    • In this first usage we are explicitly opening up a port number
  • localport=RPC
    • In this second command we set this to RPC, which tells Windows Firewall to allow the connection if the port is in the Dynamic Port Range, without having to specify each port individually
  • protocol=tcp
    • All RPC calls use TCP so we specify this as the protocol
  • remoteip=x.x.x.x
    • This is super important; it says that this firewall rule should only apply to the specified IP Address. While it is not required, it is STRONGLY recommended that you specify this to narrowly define the firewall rule.
aolszowka
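As an added example (not part of the answer above), the same two inbound rules expressed with the NetSecurity PowerShell module instead of netsh, followed by a check that each rule actually carries the remote-address restriction the answer stresses. The management host address 10.0.0.5, the rule names and the Domain profile scope are assumptions for the example.

```powershell
# Added example, not from the original answer: create the two inbound DCOM/RPC
# rules with the NetSecurity module and verify their remote-address scope.
# Run in an elevated PowerShell session on the IIS host.

# Placeholder: the only management host allowed to call IISReset remotely.
$AdminHost = '10.0.0.5'

# 135/tcp is the endpoint mapper; the 'RPC' keyword covers the dynamic range.
$Rules = @(
    @{ DisplayName = 'COM+ (DCOM-In) Port Mapper';        LocalPort = '135' },
    @{ DisplayName = 'COM+ (DCOM-In) Dynamic Port Range'; LocalPort = 'RPC' }
)

foreach ($r in $Rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.DisplayName)' already exists, skipping"
        continue
    }
    # Domain profile only, matching the firewall profile named in the question.
    New-NetFirewallRule -DisplayName $r.DisplayName `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain -Protocol TCP -LocalPort $r.LocalPort `
        -RemoteAddress $AdminHost | Out-Null
}

# Verify: each rule must be scoped to the admin host, never left at 'Any'.
foreach ($r in $Rules) {
    $scope = Get-NetFirewallRule -DisplayName $r.DisplayName |
             Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -eq 'Any') {
        Write-Warning "$($r.DisplayName) is open to any remote address"
    } else {
        Write-Host "$($r.DisplayName): remote scope $($scope.RemoteAddress)"
    }
}

# Show the dynamic range that the 'RPC' keyword resolves to on this host.
netsh int ipv4 show dynamicport tcp
```

The final netsh line prints the start port and count of the TCP dynamic range (49152 and 16384 on a default Server 2008 or later install), which is the range the second rule admits from the admin host.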