BigFix Tuning: Configure TCP/IP: Exclude BES WebUI API Port from Ephemeral Port Ranges
Description
Excludes the BigFix WebUI API port 52315 from being handed out by the Windows ephemeral port ranges.
Windows stores port range exclusions per protocol:
IPv4/IPv6 TCP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\29
IPv4/IPv6 UDP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a02-9b1a-11d4-9123-0050047759bc}\5
Interestingly, there are separate netsh commands for IPv4 and IPv6, but both update the same keys: a given TCP or UDP exclusion applies to both IPv4 and IPv6.
Within each key, range exclusions are stored as REG_BINARY values.
The name of each value encodes the starting port (first four hex characters of the name) and the number of excluded ports (next four hex characters, in byte-swapped order).
For example, in the value named "cc570100" the first four characters, "cc57", are hexadecimal for the integer 52311. The next four characters are in byte-swapped order and should be read as "0001", i.e. 1 port reserved.
The value's data, "1200ffff", indicates that this is a "range" exclusion type.
Useful sample queries:

TCP exclusions in Registry:
q: ((hexadecimal integer (first 4 of it), (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it) of names of it, it) of values of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\29" of registry

UDP exclusions in Registry:
q: ((hexadecimal integer (first 4 of it), (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it) of names of it, it) of values of keys "HKLM\System\CurrentControlSet\Control\Nsi\{eb004a02-9b1a-11d4-9123-0050047759bc}\5" of registry
Sample Validation (command-line):

C:\>netsh int ipv4 show excludedportrange tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     52315       52315     *

* - Administered port exclusions.
Property Details
27007
Beta - Preliminary testing ready for more
BigFix Tuning: Configure TCP/IP: Exclude BES WebUI API Port from Ephemeral Port Ranges
BESC
HCL Lab Services
2/2/2019 12:00:00 AM
TCP, port, exclude, ephemeral
JasonWalker on 8/4/2023 8:35:41 AM
526 Views / 3 Downloads
Relevance
Used in 1 fixlet. Results in a true/false.
Actions
Action 1 (default)
action uses wow64 redirection false
parameter "portnumber_int"="52315"
parameter "portnumber_hex"="{parameter "portnumber_int" as integer as hexadecimal}"
parameter "valuename"="{parameter "portnumber_hex"}0100"
// While both ipv4 and ipv6 exclusions end up in the same place in the Registry, will use the netsh commands for each
// to protect against systems that may not have both ipv4 and ipv6 enabled
wait netsh int ipv4 add excludedportrange tcp {parameter "portnumber_int"} 1
wait netsh int ipv6 add excludedportrange tcp {parameter "portnumber_int"} 1
// In some cases the exclusion cannot be applied while a process (such as BESRootServer) has the port in use. In that case, add the registry entry manually
// and flag that a restart is required.
// TCP check: look for a range exclusion in the registry whose start port is at or below the configured port (parameter "portnumber_int", 52315 by default) and whose end port is at or above it.
// Such an exclusion may have just been added by the netsh commands above, or netsh may have failed because the port was in use (by BESRootServer or a conflicting application).
// If netsh failed, manually add a one-port exclusion to the registry and flag 'reboot required'.
if {not exists (((hexadecimal integer (first 4 of it), (hexadecimal integer (first 4 of it)) + (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it - 1) of names of it) of values whose (it as string = "1200ffff") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}}\29" of registry) whose (item 0 of it <= (parameter "portnumber_int" as integer) and item 1 of it >= (parameter "portnumber_int" as integer) )}
// Name of the value that should be applied in the Registry - "cc5b0100" for the default port 52315 and range of 1 port to exclude
regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{{eb004a03-9b1a-11d4-9123-0050047759bc}\29]" "{parameter "valuename"}"=hex:12,00,ff,ff
action requires restart "bes_webui_tcp_port_exclusion"
endif
This action will be considered successful when the applicability relevance evaluates to false.
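As an added illustration, not code from the fixlet or from its author, the following Python script decodes and encodes the exclusion value names described in the Description (start port in hex, port count byte-swapped) and reproduces the action script's "is this port already covered by a range exclusion" check in ordinary code. The registry contents it works on are constructed inline, not read from a live machine, and the non-range entry with data 0000ffff is a made-up value used only to show that it is filtered out the way the relevance `whose (it as string = "1200ffff")` clause does.

```python
# Added example (not part of the fixlet or its page): decode and encode the
# REG_BINARY value names under
#   HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-...}\29   (TCP)
#   HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a02-...}\5    (UDP)
# and reproduce the action script's "is this port already covered" check.
# All sample registry contents below are constructed, not read from a machine.
from typing import Dict, List, Optional, Tuple

# Data stored in every "range" exclusion value (hex 12 00 ff ff on the page).
RANGE_EXCLUSION_DATA = bytes.fromhex("1200ffff")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_value_name(name: str) -> Tuple[int, int]:
    """Turn a value name such as "cc570100" into (start_port, end_port).

    Characters 0-3 are the start port in hex; characters 4-7 are the port
    count with its two bytes swapped, so "0100" must be read as "0001" = 1.
    """
    if len(name) != 8 or not set(name) <= HEX_DIGITS:
        raise ValueError(f"not an 8-hex-character exclusion name: {name!r}")
    start = int(name[0:4], 16)
    count = int(name[6:8] + name[4:6], 16)  # undo the byte swap
    if count == 0 or start + count - 1 > 0xFFFF:
        raise ValueError(f"implausible port count in {name!r}")
    return start, start + count - 1


def encode_value_name(start_port: int, count: int = 1) -> str:
    """Build the value name the fixlet writes, e.g. 52315, 1 -> "cc5b0100"."""
    if not 1 <= start_port <= 0xFFFF or not 1 <= count <= 0x10000 - start_port:
        raise ValueError("port/count outside 1..65535")
    swapped = f"{count:04x}"
    return f"{start_port:04x}{swapped[2:4]}{swapped[0:2]}"


def excluded_ranges(values: Dict[str, bytes]) -> List[Tuple[int, int]]:
    """Ranges from a key's values, keeping only range-type entries.

    Mirrors the relevance filter `values whose (it as string = "1200ffff")`.
    """
    return sorted(
        decode_value_name(name)
        for name, data in values.items()
        if data == RANGE_EXCLUSION_DATA
    )


def covering_range(values: Dict[str, bytes], port: int) -> Optional[Tuple[int, int]]:
    """Return the (start, end) range that covers `port`, or None when the
    action script would need to write a new one-port exclusion."""
    for start, end in excluded_ranges(values):
        if start <= port <= end:  # same test as the relevance: start <= port <= end
            return start, end
    return None


# Constructed sample of the TCP key: two range exclusions plus one value whose
# data is not 1200ffff (constructed purely to show that it is ignored).
SAMPLE_TCP_VALUES = {
    "c3501000": RANGE_EXCLUSION_DATA,        # 50000, 16 ports -> 50000-50015
    "cc5b0100": RANGE_EXCLUSION_DATA,        # 52315, 1 port (the WebUI API port)
    "cc570100": bytes.fromhex("0000ffff"),   # constructed non-range entry, ignored
}

if __name__ == "__main__":
    print("Start Port  End Port")
    for start, end in excluded_ranges(SAMPLE_TCP_VALUES):
        print(f"{start:>10}  {end:>8}")
    print("52315 covered by:", covering_range(SAMPLE_TCP_VALUES, 52315))
    print("52311 covered by:", covering_range(SAMPLE_TCP_VALUES, 52311))
```

To use this against a real Windows host you would replace `SAMPLE_TCP_VALUES` with the names and data read from the TCP or UDP key above (each name mapped to its REG_BINARY data); `excluded_ranges` then yields the same Start Port / End Port pairs that `netsh int ipv4 show excludedportrange tcp` prints, and `covering_range` answers the question the action script's `if` evaluates before deciding whether to write a new value and flag a restart.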