Enabling centralized licenses scheme—Quick Guide

Unofficial Content

This document is a quick guide to the steps needed to configure the GeneXus centralized licenses scheme. For more details on the process, please read Enabling centralized licenses scheme.

Enabling DCOM port (135) and applications through Windows Firewall, Enabling ports range and editing DCOM Rights

Step 1: Enabling a port range

  1. Click "Start", "Administrative Tools", "Component Services".
  2. Expand "Component Services", "Computers".
  3. Right-click "My Computer" and select Properties.
  4. Click the "Default Protocols" tab.
  5. Select "Connection-oriented TCP/IP" and click Properties. If more connection protocols are available, set TCP/IP as the first in the list.
  6. Use the Add button to add the required port range, for example, "5000-5300". It is recommended that you have at least 300 ports available.
  7. Leave all other settings with default values.

Another way to set up this port range is to enter the following entries under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet" key (if this key does not exist, you must create it):

Name = Ports, Type = REG_MULTI_SZ, Value = 5000-5300
Name = PortsInternetAvailable, Type = REG_SZ, Value = Y
Name = UseInternetPorts, Type = REG_SZ, Value = Y

Please use REGEDT32.EXE to configure these settings. REGEDIT.EXE currently does not support the REG_MULTI_SZ type required by the Ports named value entry.

In short, make sure that port 135 and the associated port range detailed above are enabled so that the machine can connect to another machine to get licenses; otherwise you will get "Access is denied" or "The RPC server is unavailable" errors.

Step 2: Enabling DCOM port (135) and applications through Windows Firewall

  1. Click "Start" -> "Administrative Tools" -> "Windows Firewall" and then "Advanced Settings".
  2. Click "Inbound Rules", and check that "COM+ Network Access (DCOM-In)" is enabled.
  3. Create an inbound rule for TCP Port 135, if one does not exist, allowing the connection.
  4. Create an inbound rule of type "Port". Select TCP and specify the port range that you used in "Enabling a port range" and set it to allow the connection.
  5. Create an inbound rule of type "Port". Select UDP and specify the port range that you used in "Enabling a port range" and set it to allow the connection.
  6. Create an inbound rule of type "Program". Select "ProtSrv.exe" (usually installed under "%Program Files (x86)%\Common Files\Artech\GXProt1\ProtSrv.exe") and set it to allow the connection.
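
Steps 1 and 2 can also be applied from an elevated PowerShell prompt. The script below is an added example, not part of the original guide or of GeneXus; the rule display names and the $ClientNet subnet (a documentation placeholder that limits the rules to the license clients' addresses) are assumptions to adapt.

```powershell
#Requires -RunAsAdministrator
# Added example. Values mirror the guide; items marked "assumption" are not from it.
$PortRange = '5000-5300'        # port range chosen in Step 1
$ClientNet = '192.0.2.0/24'     # assumption: placeholder subnet of the license clients
$ProtSrv   = "${env:ProgramFiles(x86)}\Common Files\Artech\GXProt1\ProtSrv.exe"  # usual path, adjust
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Step 1: pin dynamic RPC/DCOM endpoints to the port range.
# Create the key only if missing (New-Item -Force would wipe existing values).
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey | Out-Null }
New-ItemProperty -Path $RpcKey -Name Ports -PropertyType MultiString `
    -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name UseInternetPorts -PropertyType String `
    -Value 'Y' -Force | Out-Null
# The RPC port range is read at startup: restart the machine for it to take effect.

# Step 2: built-in DCOM rule plus the port and program rules.
Enable-NetFirewallRule -DisplayName 'COM+ Network Access (DCOM-In)'

# Rule names are assumptions; any descriptive name works.
$rules = @(
    @{ DisplayName = 'GX licenses - endpoint mapper TCP 135'; Protocol = 'TCP'; LocalPort = '135' },
    @{ DisplayName = 'GX licenses - DCOM range TCP'; Protocol = 'TCP'; LocalPort = $PortRange },
    @{ DisplayName = 'GX licenses - DCOM range UDP'; Protocol = 'UDP'; LocalPort = $PortRange },
    @{ DisplayName = 'GX licenses - ProtSrv.exe'; Program = $ProtSrv }
)
foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        # -RemoteAddress narrows each rule to the client subnet (assumption, not in the guide).
        New-NetFirewallRule @r -Direction Inbound -Action Allow `
            -RemoteAddress $ClientNet | Out-Null
    }
}

# Verification: show what is now configured.
Get-ItemProperty -Path $RpcKey |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Get-NetFirewallRule | Where-Object DisplayName -like 'GX licenses*' |
    Select-Object DisplayName, Enabled, Direction, Action
if (-not (Test-Path $ProtSrv)) { Write-Warning "ProtSrv.exe not found at $ProtSrv" }
```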

Step 3: Editing DCOM rights (Application)

  1. Go to "Control Panel" -> "Administrative Tools" -> "Component Services".
  2. In the left tree, go to "Component Services" -> "Computers" -> "My Computer".
  3. Select "DCOM Config" and then select "ProtSrvService" in the applications list.
  4. Right click and select Properties.
  5. On the screen shown, you must edit the launch and activation rights and the access rights (Launch and Activation Permissions and Access Permissions) by selecting the Customize option and pressing the Edit... button. You must select total access (select the four options) for the following groups: Everyone, Network, System and Interactive, with every permission marked as "Allow".

Step 4: Editing DCOM rights (System)

  1. Verify that distributed COM is enabled (in the Default Properties tab, by selecting "Enable Distributed COM on this computer"). In addition, Default Authentication Level must be set to Connect and Default Impersonation Level to Identify.
  2. Set up access and launch rights (Access Permissions and Launch and Activation Permissions) in the COM Security tab.
  3. You have to do the same in both places: first go to Edit Limits... and set up the rights for the groups Everyone and ANONYMOUS LOGON, with every permission marked as "Allow".
  4. Then, in Edit Defaults..., you must set up the rights for the following groups: Everyone, Network, System and Interactive, with every permission marked as "Allow".


GeneXus 9.0 and older versions

GeneXus 9.0 and older versions need to make callbacks to the GeneXus Protection Server. A connection is therefore first created using port 135, and then a second connection is established from the license server to the client. To enable this second connection (from the server to the client) through the firewall, in addition to enabling the connection through port 135, all TCP connections initiated from the server must be allowed.

A port range can be given for these connections. To do so, follow these steps:

  1. On the server and client PCs, enable the DCOM port range as explained in section "Enabling DCOM port (135) and applications through Windows Firewall".
  2. On the server PC, allow all outbound connections to DCOM port 135 and to the port range used in step 1.

Port 135 and the port range used by DCOM must be enabled in the VPN settings if the client and server are connected through a VPN.