Networking Forums

DTC port
Ido
Guest
Posts: n/a

 
      01-19-2006, 02:44 PM
Hi All,
I'm using two machines running 2003Server. Machine A is in the DMZ and
Machine B is in the LAN.
I'm trying to start a DTC transaction from Machine A to Machine B. The transaction
joins a .NET application on Machine A and SqlServer2000 on Machine B.
When I first used it, the firewall blocked the DTC transaction. I did a
little investigation, tried to open some ports and nothing helped.
Only after I checked the firewall did I find the port DTC was trying to
use (4122). I guess this port was selected randomly somehow. When I opened
it, all worked fine.
I read Microsoft's article about this issue:
http://support.microsoft.com/?id=250367 , and I'm really confused now. How
should I configure the firewall to allow DTC transactions? Which ports
should I open? Is Microsoft's article relevant?

Thanks,
Ido


 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      01-20-2006, 02:11 PM
I would try 5000 to 5020 first. Usually for most Windows services going through
firewalls, I select UDP 1024 - 6000, but you need to monitor through your firewall
logs which ports are being used. Keep in mind these are UDP ports. The
random ports you see are based on the ephemeral (randomly selected) UDP
response port that Windows uses. It becomes a nightmare with security and such,
but that's the way it works. If you use IPSec filters on the DMZ machine,
you can force these ports to be available only between itself and the inside
machine.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, if I may suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx, you can easily find your post, track
threads, cross-post, and sort by date, poster's name, watched threads or
subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================
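
The firewall-log check suggested in the reply above, as an added example that is not part of the original posts: it lists which destination ports were actually dropped between the two machines and whether they fall inside a planned range, reading the protocol from the log instead of assuming it. The log layout (an abbreviated Windows Firewall `pfirewall.log` field list), the IP addresses standing in for Machine A and Machine B, and the function names are assumptions; the log lines are constructed.

```python
from collections import Counter

# Constructed sample in an abbreviated pfirewall.log layout (assumed format).
# 10.0.1.10 stands for Machine A (DMZ), 192.168.1.20 for Machine B (LAN).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2006-01-19 14:31:02 ALLOW TCP 10.0.1.10 192.168.1.20 3312 135 48
2006-01-19 14:31:02 DROP TCP 10.0.1.10 192.168.1.20 3313 4122 48
2006-01-19 14:31:05 DROP TCP 10.0.1.10 192.168.1.20 3313 4122 48
2006-01-19 14:31:09 DROP UDP 10.0.1.99 192.168.1.20 137 137 78
2006-01-19 14:40:17 DROP TCP 10.0.1.10 192.168.1.20 3320 5003 48
"""

def blocked_ports(log_text, src, dst):
    """Count DROP entries from src to dst, keyed by (protocol, dst-port)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names declared by the log
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip comments and headerless data
        row = dict(zip(fields, line.split()))
        if (row.get("action") == "DROP" and row.get("src-ip") == src
                and row.get("dst-ip") == dst
                and row.get("dst-port", "").isdigit()):
            hits[(row["protocol"], int(row["dst-port"]))] += 1
    return hits

def classify(hits, planned=(5000, 5020)):
    """Split blocked ports into those inside and outside the planned range."""
    lo, hi = planned
    inside = sorted(k for k in hits if lo <= k[1] <= hi)
    outside = sorted(k for k in hits if not lo <= k[1] <= hi)
    return inside, outside

if __name__ == "__main__":
    hits = blocked_ports(SAMPLE_LOG, "10.0.1.10", "192.168.1.20")
    inside, outside = classify(hits)
    for proto, port in inside:
        print(f"{proto}/{port}: dropped {hits[(proto, port)]}x, inside range")
    for proto, port in outside:
        print(f"{proto}/{port}: dropped {hits[(proto, port)]}x, OUTSIDE range")
```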



 
 
Ido
Guest
Posts: n/a

 
      01-20-2006, 02:24 PM
Thanks

 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      01-21-2006, 05:15 AM

No prob. Hope it helps.


 