When deploying a new K2 Blackpoint or K2 Blackpearl you may get the following error:
(K2Project) SmartObject Server Exception: Could not publish SmartObject Definition to server: Error refreshing Service Instance ‘WorkflowReportingService’. Service returned : ‘Workflow Reporting SO Service: Communication with the underlying transaction manager has failed.
SmartObject: [Test - Process Instances]
If you do checking the following may help:
1) Specifically allow the Distributed Transaction Coordinator access through the Windows Firewall on the servers ‘allowed programs list’
2) The servers might have been cloned causing the MSDTC GUIDS to be duplicated. Remove and re-install the MSDTC components on the servers to fix this
3) Troubleshoot using DTCping & DTCtester (You need to make sure any firewalls allow the RPC port range through – http://support.microsoft.com/kb/154596)
4) In Component Services in Administrative Tools on your servers select the “No Authentication” option in the MSDTC configuration options.
1. Open Command Prompt.
2. Type: netdom trustTrustingDomainName/d:TrustedDomainName/add
TrustingDomainName – Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust being created.
TrustedDomainName – Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust being created.
• To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups [http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx], Default groups [http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx], and Using Run as [http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx].
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This command-line method requires the Netdom Windows support tool. For information about installing Windows support tools, see Related Topics.
• Other switches can be used to assign a password or determine the direction of the trust. For example, to make a two-way, transitive trust, you can use the following syntax:
• To view the complete syntax for this command, at a command prompt, type:
netdom trust | more
One Way trust validation
LDAP 389 UDP and TCP
MS DS 445 TCP
DCE Endpoint resolution – portmapper 135TCP
Netlogon fixed port
Using object / people picker
LDAP 389 UDP and TCP
LSA fixed port
Kerberos 88 UDP
DCE endpoint 135 TCP
Netlogon to external forest with NTLM
DCE endpoint 135 TCP
netlogon fixed port
H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323 spec) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for caps and channel control. Finally, it opens up 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). This first port carries the RTP protocol data (defined by the H.225 spec) and the second one carries the RTCP data (defined by the H.225 spec).
As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies the dynamic ports in the dynamic range are open. Polycom has added a feature to its product line that allows the ports to use a fixed ports (instead of dynamic ports) so that it can more easily traverse a firewall. Only the system behind the firewall need to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside to come in unless this is enabled.
You must forward the traffic to and from the video endpoint through the firewall using the specified port numbers and protocol types for outgoing calls. To receive incoming calls, your must forward traffic using the 1720 TCP port.
The following are details on port forwarding assignments for various products:
Polycom Port Forwarding
For Polycom products, the following ports must be opened in the firewall and assigned to the IP address of videoconferencing endpoints (e.g. a video endpoint could be at 192.168.0.109):
· Port 389 (TCP): For ILS registration
· Port 1503 (TCP): Microsoft NetMeeting T.120 data sharing
· Port 1718 (UDP): Gatekeeper discovery
· Port 1719 (UDP): Gatekeeper RAS (Must be bi-directional)
· Port 1720 (TCP) H.323 Call setup (Must be bi-directional)
· Port 1731 (TCP): Audio call control (Must be bi-directional)
· Ports 3230-3235 (TCP): Signaling and control for audio, call, video and data/FECC
· Ports 3230-3253 (UDP): Signaling and control for audio, call, video and data/FECC
· Port 3603 (TCP): ViaVideo Web interface (ViaVideo users only)
So, a typical H.323 ViewStation call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235).
Polycom GMS Ports:
· 21 (FTP) – Software Updates & Provisioning
· 80 (HTTP) – Pulling ViewStation/VS4000 info
· 3601 (Proprietary) (Data Traffic) – GAB data
· 3603 – TCP – Pulling ViaVideo info (since might be non-web server PC)
· 389 (LDAP and ILS)
· 1002 (ILS)
GMS listens for connections on ports 80 and 3601 (GAB) and in the future will listen on port 3604 (ViaVideo) and other potentials later.
H.323 Ports (IP based video conferencing):
· 80 – Static TCP – HTTP Interface (optional)
· 389 – Static TCP – ILS Registration (LDAP)
· 1503 – Static TCP – T.120
· 1718 – Static UDP – Gatekeeper discovery (Must be bidirectional)
· 1719 – Static UDP – Gatekeeper RAS (Must be bidirectional)
· 1720 – Static TCP – H.323 call setup (Must be bidirectional)
· 1731 – Static TCP – Audio Call Control (Must be bidirectional)
· 8080 – Static TCP – HTTP Server Push (optional)
· 1024-65535 Dynamic TCP H245
· 1024-65535 Dynamic UDP – RTP (Video data)
· 1024-65535 Dynamic UDP – RTP (Audio data)
· 1024-65535 Dynamic UDP RTCP (Control Information)
These ports can be set to “Fixed Ports” on Polycom systems, as opposed to dynamic.
Other Polycom ViewStation Ports:
· 21 (FTP) – Software Updates & GMS Provisioning
· 23 (Telnet) – For Diagnostics & API Control
· 3220 to 3225 – TCP Ports
· 3230 to 3247 – UDP Ports
Other ViaVideo Ports:
· 3604 (GMS Server Discovery) (Used by ViaVideo) (Broadcast)
Accord (Polycom Network Systems) Additional Ports:
· 5001 – Static TCP – MGC Manager (5003 can be chosen instead within MGC)
· 21 – Static TCP – FTP (retrieve MGC config. Files etc.)
· 1820 – Gateway Signaling/Call Setup
· 2720 – MCU Signaling/Call Setup
d-Link DVC-1000 Ports:
The port 1720 (TCP) and the 6 ports 15328-15333 (TCP and UDP) need to be forwarded. d-Link indicates that NetMeeting and the H.323 cannot co-exist behind the same router simultaneously.
Typical ports that need to be opened on the firewall:
Optional for external administration
H.323 call setup
H.323 audio call control
H.245, RTP, RTCP
Various audio/video controls
As the above list shows, opening the required ports can leave a number of large “holes” in the firewall. Polycom and Tandberg video conference units do give you the option to set a predetermined range instead of opening up the entire range of 1024-65535 (UDP). However, there is one caveat with this: Whatever port range is chosen, it must be set to exactly the same range on both units that are connecting. This can be a challenge especially when both devices are not managed by the same department or organization. Additionally, some devices will not work with the manual configuration of ports (especially if they are from different manufacturers). That being said, the recommended configuration is to open up the full port range (1-65535) for TCP and UDP.