KB1106 - Ports to open to allow Rolling Restart, Relevos, SALPS, and LAS to communicate?

Description

Our Safe AutoLogon Password Server, Rolling Restart, and Relevos consoles communicate with remote computers. If the remote computers are running firewalls, network administrators need to know which ports to open on their firewall for the console and clients. This information also applies to activating licenses using our LAS Server software.

Resolution

TLDR version - disable Windows Firewall for 'Domain networks'. Or, at a minimum, enable these ports:

  • Echo Request - ICMPv4-In; Port=(n/a)
  • SMB-In; Port=445
  • RPC-EPMAP; Port=135

Microsoft APIs use RPC over TCP. If your clients' firewalls are turned on and you enable only the ports above, the initialization checks Rolling Restart (RR) runs before restarting will take much longer, upwards of a few minutes per client. To alleviate this delay, open Registry Editor and, under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, create a new DWORD value named SCMApiConnectionParam. Set its data to Hex and enter 80000000. This makes the APIs use RPC over named pipes (RPC/NP) instead of RPC/TCP and is up to 20x faster.


Details:

We recommend, if possible, turning off the firewall for Domain networks. This applies to Rolling Restart, Relevos, Safe AutoLogon Password Server, and all LAS license activations. They all use port 135 or port 445 to communicate with the remote computer, so be sure at least one of these two ports is open on your firewalls/routers. If you cannot turn off the firewall for Domain networks, follow the guides below.

Additionally, parts of our software may use WMI to retrieve remote information that cannot be obtained by any other method. On Windows 2008 and later, Microsoft assigns WMI a random port in the range 49152 to 65535. There are articles on how to force WMI to use a fixed port, but WM Software has not tested this.


How to open ports using Windows Defender Firewall:

Option A: Let Windows change the Inbound Firewall Rules

  1. Leave the Windows Firewall for "Domain Networks" turned on.

  2. Choose "Allow an app or feature through Windows Firewall" and put a checkmark in front of:
  • File and Printer Sharing
  • iSCSI Service
  • Remote Service Management



Option B: Manually change the Inbound Firewall Rules to open the necessary ports

  1. Leave the Windows Firewall for "Domain Networks" turned on.

  2. Click Advanced settings, then Inbound Rules. Enable the rules with the following Inbound Rule Names, or open the port listed after each name:
  • File and Printer Sharing (Echo Request - ICMPv4-In); Port=(n/a)
  • File and Printer Sharing (SMB-In); Port=445
  • File and Printer Sharing (Spooler Service - RPC-EPMAP); Port=135

    Additionally recommended:
  • iSCSI Service (TCP-In); Port=3260 (possibly 860 as well) https://wmsoftwa.re/36kDYEg
  • Remote Service Management (RPC); Port=1024 to 5000, or 5001 to 5021. https://wmsoftwa.re/3ixxGng
  • Windows Remote Management (HTTP-In); Port=5985
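The following is an added example, not a script from WM Software or this KB: it applies Option B and the SCMApiConnectionParam tweak from an elevated PowerShell on a client, enabling the three minimum rules only for the Domain profile (so the Private/Public copies stay closed), then reports each rule's state and verifies the registry value. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and the Windows built-in rule display names listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not WM Software's own code). Enables the minimum inbound rules
# from Option B on the Domain profile, sets SCMApiConnectionParam, and verifies.

$RuleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',    # ICMP echo, no port
    'File and Printer Sharing (SMB-In)',                      # TCP 445
    'File and Printer Sharing (Spooler Service - RPC-EPMAP)'  # TCP 135
)

# Enable only the copies of each rule that apply to the Domain profile (or "Any"),
# leaving the Private/Public copies untouched so nothing is exposed off the domain.
foreach ($name in $RuleNames) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
        Where-Object { $_.Profile -match 'Domain|Any' } |
        Enable-NetFirewallRule
}

# Registry tweak from the KB: make the SCM APIs use RPC over named pipes.
# reg.exe is used because 0x80000000 does not fit a signed Int32, which some
# Set-ItemProperty versions reject for REG_DWORD values.
$KeyPath = 'HKLM\SYSTEM\CurrentControlSet\Control'
& reg.exe add $KeyPath /v SCMApiConnectionParam /t REG_DWORD /d 0x80000000 /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe failed with exit code $LASTEXITCODE" }

# Verification: state, profile and local port of each rule. Windows reports
# keywords rather than numbers for some rules (e.g. "Any" for ICMP echo,
# "RPC-EPMap" for the endpoint mapper rule, which listens on TCP 135).
Get-NetFirewallRule -DisplayName $RuleNames |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Port    = (($_ | Get-NetFirewallPortFilter).LocalPort -join ',')
        }
    } | Format-Table -AutoSize

# PowerShell reads a REG_DWORD back as a signed Int32 (-2147483648 here), so
# compare the two's-complement hex form instead of the decimal value.
$val = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control').SCMApiConnectionParam
if (('{0:X8}' -f [int]$val) -eq '80000000') {
    'SCMApiConnectionParam = 0x80000000 (RPC/NP enabled)'
} else {
    'SCMApiConnectionParam is NOT set to 0x80000000'
}
```

The tweak takes effect for new SCM connections; restarting the Rolling Restart console after running this on the clients is the simplest way to confirm the shorter initialization time.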
