Recently I got several calls, from customers and from internal teams, about how MSDTC clients talk to an MSDTC cluster, since that determines how to configure the firewall between them.
As we know, as a cluster resource MSDTC has its own virtual name and virtual IP address in a cluster group. When an MSDTC client works with an MSDTC cluster through a firewall, the network admin team needs to open the necessary port range for MSDTC communication. MSDTC relies on RPC, so the ports described in the article below must be opened (the sample dynamic port range in that article is too narrow; 5000~5200 is a better choice):
250367 Configuring Microsoft Distributed Transaction Coordinator (DTC) to work through a firewall
For Windows Server 2003, the “Network DTC Access” option is also important on both the client and the servers:
817064 How to enable network DTC access in Windows Server 2003
When we define the incoming rules on the firewall, in addition to the ports we also need to make sure the IP rule allows both the MSDTC virtual IP address and the physical IP addresses of the cluster nodes. Here is why:
When a client application sends transaction requests to the MSDTC server, there are actually two MSDTC transaction managers working at the same time: one on the client side and one on the server side. The main difference on the server side is that it has a Resource Manager, which enlists in transactions and maintains the data; SQL Server is one type of Resource Manager. When the two transaction managers communicate, they always use RPC (Remote Procedure Call) as the protocol, and the communication is not a single direction from RPC client to RPC server; it is bi-directional.
As for why the RPC reverse binding uses the physical IP: when RPC binds a socket, it does not explicitly use a dedicated IP address. It takes the first bound IP address on the network interface. In a typical cluster environment the physical IP address is always the first bound address, and we see the same symptom across different cluster environments (Microsoft Cluster or a third-party cluster).
Therefore, when a client starts working with an MSDTC cluster, it is very likely that we see two RPC connections: one from the client to the MSDTC cluster virtual IP, and another from the MSDTC physical IP to the client. For example:
A node(Active-10.0.0.9) -------+-----B Node (Passive-10.0.0.10)
| msdtc cluster resource (Virtual IP: 10.0.0.8)
port(2215) ^ (port: 5102)
| V (port: 1321)
+----------port(5078)--> Web Server (188.8.131.52)
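To make the requirement concrete, here is an added example (not from the original post or from Microsoft) that models a firewall policy as permit rules and checks it against every flow described above, using the addresses from the diagram. It assumes TCP 135 for the RPC endpoint mapper plus the 5000~5200 range as the required ports, and compares the weak virtual-IP-only policy with one that also permits the reverse binding from both physical nodes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RPC_EPM_PORT = 135             # RPC endpoint mapper; a known RPC requirement, not a port named in the post
DTC_PORTS = range(5000, 5201)  # the 5000~5200 dynamic range the post recommends, inclusive

@dataclass(frozen=True)
class Rule:
    """One permit rule: TCP from any host in src to any host in dst on these ports."""
    src: str
    dst: str
    ports: range

    def allows(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and port in self.ports)


def required_flows(client, virtual_ip, node_ips):
    """Every (src, dst, port) the post says must pass: the client reaching the virtual
    IP, plus the reverse RPC binding from each physical node back to the client."""
    ports = [RPC_EPM_PORT, *DTC_PORTS]
    flows = [(client, virtual_ip, p) for p in ports]
    for node in node_ips:
        flows += [(node, client, p) for p in ports]
    return flows


def missing_flows(rules, flows):
    """Flows no rule permits; an empty list means both directions are covered."""
    return [f for f in flows if not any(r.allows(*f) for r in rules)]


def permit(src, dst):
    """Rules opening the endpoint mapper and the DTC range from one host to another."""
    return [Rule(src + "/32", dst + "/32", range(RPC_EPM_PORT, RPC_EPM_PORT + 1)),
            Rule(src + "/32", dst + "/32", DTC_PORTS)]

# Addresses from the diagram above: web server client, virtual IP, active and passive nodes.
CLIENT, VIP, NODES = "188.8.131.52", "10.0.0.8", ("10.0.0.9", "10.0.0.10")
VIP_ONLY = permit(CLIENT, VIP)                      # weak: reverse binding from the nodes is blocked
ACTIVE_ONLY = VIP_ONLY + permit(NODES[0], CLIENT)   # works only until failover to the passive node
CORRECTED = ACTIVE_ONLY + permit(NODES[1], CLIENT)  # both physical node addresses permitted

if __name__ == "__main__":
    for name, policy in (("vip_only", VIP_ONLY), ("active_only", ACTIVE_ONLY), ("corrected", CORRECTED)):
        gaps = missing_flows(policy, required_flows(CLIENT, VIP, NODES))
        print(f"{name}: {len(gaps)} blocked flows from {sorted({g[0] for g in gaps})}")
```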
Another KB delivers similar information; please check its “More Information” section:
The firewall rules must include the following:
The IP network names and the addresses of both physical nodes on the cluster
311846 Description of names and IP addresses that an MSDTC client in a cluster environment must have