In a project I worked on, I needed to transmit data between two database servers, with security devices such as firewalls (network switches) placed in between. When we used distributed transactions we ran into problems: DTC could not work normally in this environment. I then found this article on the Internet and quickly solved the problem by following the method it describes.
Original article: Configuring Microsoft Distributed Transaction Coordinator (DTC) to work through a firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;250367
The translation is as follows:
Abstract:
This article describes how to configure Microsoft Distributed Transaction Coordinator (DTC) so that it can work normally through a firewall.
For more information:
This article describes how to make DTC communicate through a firewall, including firewalls that perform IP address translation.
DTC communicates over ports that are dynamically allocated by RPC. By default, the RPC dynamic port allocation mechanism picks port numbers at random from those above 1024. By modifying the registry you can control which ports RPC is allowed to pick, and then configure your firewall to open that port range together with port 135 (the RPC endpoint mapper port).
The following steps restrict the dynamic ports that RPC allocates. You must perform them on the machines on both sides of the firewall, and the firewall must open the ports you specify:
1. To start Registry Editor, click Start, click Run, type regedt32, and then click OK. You must use regedt32.exe rather than regedit.exe, because regedit.exe does not support the REG_MULTI_SZ data type that is required for the Ports value.
2. In Registry Editor, click HKEY_LOCAL_MACHINE in the Local Machine window.
3. Expand the tree by double-clicking the folders named in the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
4. Click the Rpc folder, and then click Add Key on the Edit menu.
5. In the Add Key dialog box, in the Key Name box, type Internet, and then click OK.
6. Click the Internet folder, and then click Add Value on the Edit menu.
7. In the Add Value dialog box, in the Value Name box, type Ports.
8. In the Data Type box, select REG_MULTI_SZ, and then click OK.
9. In the Multi-String Editor dialog box, in the Data box, specify the port or ports you want RPC to use for dynamic port allocation, and then click OK. Each string you type specifies either a single port or an inclusive range of ports. For example, to open port 5000, specify "5000"; to open ports 5000 to 5020 inclusive, specify "5000-5020". You can specify multiple ports or port ranges by entering one port or port range per line. All ports must be in the range 1024 to 65535. If any port is outside this range, or if any string is invalid, RPC treats the entire configuration as invalid. Microsoft recommends that you open ports from 5000 upward, and that you open a minimum of 15 to 20 ports.
10. Follow steps 6 through 9 to add another value under Internet, using the following: Value: PortsInternetAvailable, Data Type: REG_SZ, Data: Y. This signifies that the ports listed under the Ports value are to be made Internet-available.
11. Follow steps 6 through 9 to add another value under Internet, using the following: Value: UseInternetPorts, Data Type: REG_SZ, Data: Y. This signifies that RPC should dynamically assign ports from the list of Internet ports.
12. Configure your firewall to allow incoming access to the specified dynamic ports and to port 135 (the RPC Endpoint Mapper port).
13. Restart the computer. When RPC restarts, it assigns incoming ports dynamically based on the registry values you specified. For example, to open ports 5000 through 5020 inclusive, create the following named values: Ports: REG_MULTI_SZ: 5000-5020; PortsInternetAvailable: REG_SZ: Y; UseInternetPorts: REG_SZ: Y
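The same thirteen steps, applied from an elevated PowerShell prompt instead of regedt32, as an added example (not from the KB article or the original post). It validates the port list the way the article says RPC does (any invalid entry makes the whole list invalid), writes the three values under Rpc\Internet, and opens the matching Windows Firewall rules restricted to the peer server. Assumed: Windows Firewall is the firewall being configured (a separate network firewall still needs its own rule), Windows 8/Server 2012 or later for New-NetFirewallRule, and the peer address and port range are constructed sample values.

```powershell
# Added example: configure RPC dynamic ports for DTC (KB 250367 steps 1-13) via PowerShell.
# Run as Administrator on BOTH machines, then restart each one.
$PortList = @("5000-5020")      # constructed sample; one port or inclusive range per string
$PeerAddress = '192.0.2.10'     # placeholder for the other database server's IP

function Test-RpcPortList {
    # Mirrors the rule in step 9: every entry must be "n" or "n-m" within 1024-65535,
    # otherwise RPC discards the entire configuration, so we refuse to write it at all.
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        if ($entry -notmatch '^(\d{1,5})(?:-(\d{1,5}))?$') {
            throw "Invalid RPC port entry '$entry': RPC would treat the whole list as invalid."
        }
        $lo = [int]$Matches[1]
        $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
        if ($lo -lt 1024 -or $hi -gt 65535 -or $lo -gt $hi) {
            throw "Entry '$entry' is outside 1024-65535: RPC would treat the whole list as invalid."
        }
    }
}

Test-RpcPortList -Entries $PortList

# Steps 3-11: key HKLM\SOFTWARE\Microsoft\Rpc\Internet with Ports (REG_MULTI_SZ),
# PortsInternetAvailable (REG_SZ "Y") and UseInternetPorts (REG_SZ "Y").
$InternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $InternetKey -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'Ports' -PropertyType MultiString -Value $PortList -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Step 12: inbound TCP 135 (endpoint mapper) plus the dynamic range, only from the peer.
New-NetFirewallRule -DisplayName 'DTC: RPC Endpoint Mapper' -Direction Inbound -Protocol TCP `
    -LocalPort 135 -RemoteAddress $PeerAddress -Action Allow | Out-Null
foreach ($entry in $PortList) {
    New-NetFirewallRule -DisplayName "DTC: RPC dynamic ports $entry" -Direction Inbound -Protocol TCP `
        -LocalPort $entry -RemoteAddress $PeerAddress -Action Allow | Out-Null
}

Write-Host "Rpc\Internet configured for $($PortList -join ', '); restart the computer (step 13) so RPC reloads the port list."
```

Keeping the firewall rules scoped to the peer's address matches the article's intent (open only what DTC needs) rather than exposing the whole range to every host the firewall can see; if a network firewall sits between the servers, it must allow the same TCP ports in both directions, since each server calls the other's endpoint mapper.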
Another requirement for DTC to work is that each machine can resolve the other's machine name through NetBIOS or DNS. You can test this by pinging the other machine by name. Note that name resolution must work in both directions: A must be able to ping B by name, and B must be able to ping A by name. If NetBIOS cannot resolve the machine name, you can add the mapping manually to the hosts file.
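A check for the two conditions just described, added here as an example (not part of the original post): it resolves the peer's name, then tests TCP reachability of port 135 and of the first port in the dynamic range. Run it on A with B's name and on B with A's name, since the article requires resolution in both directions. Assumed: Windows 8/Server 2012 or later (Resolve-DnsName, Test-NetConnection); the peer name and port number are constructed placeholders.

```powershell
# Added example: verify name resolution and RPC port reachability toward the peer server.
param(
    [string]$Peer = 'DBSERVER-B',      # placeholder peer machine name
    [int]$FirstDynamicPort = 5000      # first port of the range configured in Rpc\Internet
)

$result = [ordered]@{ Peer = $Peer }

# DNS only: what a DNS query returns for the name (A/AAAA records, if any).
$dns = Resolve-DnsName -Name $Peer -ErrorAction SilentlyContinue
$result.DnsAddress = if ($dns) { ($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress } else { $null }

# Full Windows resolution, which also consults the hosts file and NetBIOS,
# i.e. the same path "ping <name>" uses.
try {
    $result.ResolvedAddress = [System.Net.Dns]::GetHostAddresses($Peer)[0].IPAddressToString
} catch {
    $result.ResolvedAddress = $null
}

# TCP reachability of the endpoint mapper and of one dynamic port through the firewall.
foreach ($port in 135, $FirstDynamicPort) {
    $tnc = Test-NetConnection -ComputerName $Peer -Port $port -WarningAction SilentlyContinue
    $result["Tcp$port"] = [bool]$tnc.TcpTestSucceeded
}

[pscustomobject]$result | Format-List

if (-not $result.ResolvedAddress) {
    Write-Warning ("'{0}' does not resolve on this machine. Add a line '<ip-of-{0}> {0}' (placeholder IP) to {1}\System32\drivers\etc\hosts." -f $Peer, $env:SystemRoot)
}
```

A failed test on port 135 points at the firewall (or at RPC not running); a failed test on the dynamic port is only conclusive once the peer has been restarted with the new Rpc\Internet values and a service is actually listening there, because Test-NetConnection needs a listener to complete the TCP handshake.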