Symantec System Recovery Monitor cannot connect to computers through firewalls which perform Network Address Translation (NAT)

Article:TECH218283  |  Created: 2014-06-12  |  Updated: 2014-06-13  |  Article URL http://www.symantec.com/docs/TECH218283
Article Type
Technical Solution


Issue



Symantec System Recovery Monitor (SSR Monitor) 2013 cannot connect to computers through firewalls which perform Network Address Translation (NAT)



Cause



SSR Monitor uses Microsoft's Distributed Component Object Model (DCOM) to communicate with client computers. For DCOM to work properly, client computers must be able to reach the server by its actual IP address. If a firewall is performing Network Address Translation (NAT), clients outside the firewall communicate with the server through a virtual IP address rather than the server's actual IP address. This causes DCOM communication to fail and prevents SSR Monitor from connecting to client computers located on the other side of the NAT firewall.

More detailed information can be found in the following Microsoft articles:


"How to configure RPC dynamic port allocation to work with firewalls": 
http://support.microsoft.com/kb/154596 

This article explains how to configure non-NAT firewalls to allow DCOM communication. However, the article notes that even after following these steps, communication will fail if the firewall performs IP address translation. The relevant section of this KB article states:

"Even though you can configure the port used by the client to communicate with the server, the client must be able to reach the server by its actual IP address. You cannot use DCOM through firewalls that do address translation (e.g. where a client connects to virtual address 198.252.145.1, which the firewall maps transparently to the server's actual address of, say, 192.100.81.101). This is because DCOM stores raw IP addresses in the interface marshaling packets and if the client cannot connect to the address specified in the packet, it will not work."

"DCOM Does Not Work over Network Address Translation-Based Firewall": 
http://support.microsoft.com/kb/248809 

The relevant section from this KB article is:

"For DCOM to work, the client must be able to reach the server by its actual IP address. If you use firewalls that translate network addresses, the client cannot use the actual IP address to reach the server.
COM inserts the IP address of the server computer into the interface marshaling packets that are returned to the client. Instead of using the translated IP/header, Remote Procedure Call (RPC, or DCOM) uses the actual IP address to reach the server. Because the firewall prevents the client from directly accessing the server, the client receives the above-mentioned error message."


Solution



The inability to connect to clients through a firewall performing address translation is a limitation of the DCOM communication protocol that SSR Monitor uses to communicate with client computers. A workaround is to install a second instance of SSR Monitor on a computer outside the NAT firewall, on the same side as the affected clients. That second instance can then be used to monitor the client computers on that side of the firewall.
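To make the mechanism concrete, the following Python model was added for this article (it is not Symantec or Microsoft code): the NAT firewall rewrites only packet headers, while the DCOM interface marshaling packet carries the server's raw address in its payload, so the follow-up connection fails for a client outside the firewall and succeeds for one on the same side, which is why the second SSR Monitor instance described above works. The two addresses are the ones quoted from the Microsoft KB; the interface name and the per-client routable address sets are constructed assumptions.

```python
from dataclasses import dataclass

# Addresses quoted from the Microsoft KB excerpt; everything else here is a constructed model.
SERVER_ACTUAL = "192.100.81.101"   # server's real address, behind the firewall
SERVER_VIRTUAL = "198.252.145.1"   # address the NAT firewall exposes to outside clients


@dataclass
class NatFirewall:
    """Rewrites destination addresses in packet headers only; payload bytes are left alone."""
    virtual_to_actual: dict

    def translate(self, dst_ip):
        return self.virtual_to_actual.get(dst_ip, dst_ip)


@dataclass
class DcomServer:
    actual_ip: str

    def marshal_interface(self):
        # DCOM embeds the server's raw IP in the marshaling packet it returns (interface name is hypothetical).
        return {"interface": "IExampleInterface", "binding_ip": self.actual_ip}


@dataclass
class Client:
    routable: set   # assumed: the addresses this client's network can actually reach

    def connect(self, dst_ip, nat):
        """Return the address the packet lands on after NAT, or None if the client cannot route to it."""
        if dst_ip not in self.routable:
            return None
        return nat.translate(dst_ip)


def dcom_session(client, server, nat, first_hop_ip):
    """Initial RPC to first_hop_ip, then the follow-up connection to the address found in the marshaled packet."""
    if client.connect(first_hop_ip, nat) != server.actual_ip:
        return {"initial_ok": False, "marshaled_ip": None, "followup_ok": False}
    packet = server.marshal_interface()            # header was translated; this payload was not
    followup = client.connect(packet["binding_ip"], nat)
    return {"initial_ok": True, "marshaled_ip": packet["binding_ip"],
            "followup_ok": followup == server.actual_ip}


nat = NatFirewall({SERVER_VIRTUAL: SERVER_ACTUAL})
server = DcomServer(SERVER_ACTUAL)
outside_client = Client(routable={SERVER_VIRTUAL})   # only knows the firewall's virtual address
inside_client = Client(routable={SERVER_ACTUAL})     # same side of the firewall as the server

if __name__ == "__main__":
    print("through NAT:", dcom_session(outside_client, server, nat, SERVER_VIRTUAL))
    print("same side:  ", dcom_session(inside_client, server, nat, SERVER_ACTUAL))
```

The first call shows the initial RPC succeeding but the follow-up failing, exactly the symptom the KB excerpts describe; the second call models the workaround of a monitor instance on the clients' side of the firewall.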