IE HTTP close (reset) - port reuse causing firewall issues

Having an issue with some systems reusing the same TCP port number between sessions, causing the firewall to drop the connection.
Internet Explorer is creating the HTTP socket connection to port 80. An ephemeral port (assigned by Windows) is bound to the local side of the connection. The first connection goes through just fine. The socket is closed/reset. However, the very next connection (hundreds of milliseconds later), is using the same ephemeral port, causing the firewall to discard the connection.
I have tried setting TcpTimedWaitDelay in the registry but that did not help. Since the socket is being reset, it never goes into the TIME_WAIT state.
Any suggestions? This does not happen consistently - on the order of 10s of times per day.
Thanks!

Problem is still occurring. Customer has built a new client system with MS-only software (no virus protection, etc.). Upgraded this system to IE9.  Problem is still occurring. Tried disabling NativeXMLHTTP option but no difference.
Here is the ASP VBScript code that causes the error to appear:
function SubmitPost(data,ErrHow)
{
    // The timestamp in UID makes every request URL unique
    var d = new Date();
    return SendData('POST','TDMaster.asp?InstID=' + document.getElementById("tdInstance").value + '&UID=' + d.getTime(),data,ErrHow,0);
}
//Returns valid version of MSXML
function GetMSXML()
{
    var progIDs = ['Msxml2.XMLHTTP.6.0','Microsoft.XMLHTTP'];
    for (var i = 0; i < progIDs.length; i++) {
        try {
            var http = new ActiveXObject(progIDs[i]);
            return http;
        }
        catch (ex) {
            // This ProgID is not available; try the next one
        }
    }
    return null;
}
// Function that actually sends the data and returns the response
// Format 0 = XML
// Format 1 = Binary
var http;
var timedOut;
function SendData(method,url,data,ErrHow,Format)
{
    http = GetMSXML();
    var ResultXML;
    var e;
    // Third argument false = synchronous request
    http.open(method, url, false);
    http.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    http.setRequestHeader("Content-Length", data.length);
    try {
        http.send(data);
        if(Format == 0) {
            return http.responseText;
        } else {
            return http.responseBody;
        }
    } catch(e) {
        return CreateError(e.number, e, ErrHow);
    }
}
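
To confirm the pattern described in this thread from a capture or firewall log, the check below flags a new SYN that reuses the same client address and port toward the same server shortly after that connection was closed, and reports whether the close was a reset. This is an added example, not code from the original posts; the event line format, the sample records and the one-second window are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example: flag a client port that is reused right after its connection was closed. */
public class PortReuseCheck {

    /** One TCP event. Constructed line format (an assumption, not a real product's log):
     *  "<epoch-millis> <SYN|FIN|RST> <srcIp>:<srcPort> <dstIp>:<dstPort>" */
    static final class Event {
        final long millis;
        final String flag;
        final String src;
        final String dst;

        Event(long millis, String flag, String src, String dst) {
            this.millis = millis;
            this.flag = flag;
            this.src = src;
            this.dst = dst;
        }

        static Event parse(String line) {
            String[] f = line.trim().split("\\s+");
            if (f.length != 4) {
                throw new IllegalArgumentException("unparseable line: " + line);
            }
            return new Event(Long.parseLong(f[0]), f[1], f[2], f[3]);
        }
    }

    /** A SYN that reused a client/server address pair within the window after a close. */
    static final class Reuse {
        final String tuple;
        final String closedBy; // "RST" or "FIN"
        final long gapMillis;

        Reuse(String tuple, String closedBy, long gapMillis) {
            this.tuple = tuple;
            this.closedBy = closedBy;
            this.gapMillis = gapMillis;
        }

        @Override
        public String toString() {
            return tuple + " reused " + gapMillis + " ms after " + closedBy;
        }
    }

    /** Returns every SYN that arrives within windowMillis of a close on the same tuple. */
    static List<Reuse> findReuse(List<String> lines, long windowMillis) {
        Map<String, Event> lastClose = new HashMap<>();
        List<Reuse> hits = new ArrayList<>();
        for (String line : lines) {
            if (line.trim().isEmpty()) {
                continue;
            }
            Event e = Event.parse(line);
            if (e.flag.equals("RST") || e.flag.equals("FIN")) {
                // Either side may send the close, so index it under both directions.
                lastClose.put(e.src + " -> " + e.dst, e);
                lastClose.put(e.dst + " -> " + e.src, e);
            } else if (e.flag.equals("SYN")) {
                String tuple = e.src + " -> " + e.dst;
                Event close = lastClose.remove(tuple);
                if (close != null && e.millis - close.millis <= windowMillis) {
                    hits.add(new Reuse(tuple, close.flag, e.millis - close.millis));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample events; addresses are documentation/private ranges.
        List<String> sample = Arrays.asList(
            "1000 SYN 10.0.0.5:49152 192.0.2.10:80",
            "1400 RST 10.0.0.5:49152 192.0.2.10:80",
            "1650 SYN 10.0.0.5:49152 192.0.2.10:80", // reuse 250 ms after client reset
            "2000 SYN 10.0.0.5:49153 192.0.2.10:80",
            "2300 RST 192.0.2.10:80 10.0.0.5:49153", // reset sent by the server side
            "2450 SYN 10.0.0.5:49153 192.0.2.10:80", // reuse 150 ms after server reset
            "3000 SYN 10.0.0.5:49154 192.0.2.10:80",
            "3200 FIN 10.0.0.5:49154 192.0.2.10:80",
            "9000 SYN 10.0.0.5:49154 192.0.2.10:80"  // same port, but outside the window
        );
        for (Reuse r : findReuse(sample, 1000)) {
            System.out.println(r);
        }
    }
}
```

Running it against timestamps exported from both sides of the firewall shows whether the dropped connections line up with reset-then-reuse events or with something else.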

Similar Messages

  • Xserves blocking all ports upon reboot [Firewall issue]

    Almost every time I need to shut down/restart my new Intel Xserves, they block all their ports upon reboot and I can't access my SAN or VNC into the servers (every network port/fiber port gets blocked). I found the solution for this is to run:
    -sudo serveradmin stop ipfilter
    -and then reboot and then everything is fine again, strangely.
    -However if I keep the firewall disabled (as a temp fix) my client machines cannot access the internet or LDAP.
    I was just wondering if anyone else has ever encountered this odd glitch and how to stop it from happening. It's not too much of a big deal at the moment since I'm on campus but in the future I will not be and I'd have to travel up here to fix it.
    Is this a problem with OSX Server?
    Message was edited by: evets90

    If this is two systems and involves a disk wipe and install hasn't cured it, then this is usually not the servers, but something else on the network that's common. Though I don't have a way to explain all of what you're describing, and particularly the effects on the "fiber ports". This affects the fibre channel (optical) SAN ports? That's definitely odd. What happens? Or do you have fiber-optic network connections?
    How are you testing for blocked ports here?  Using dig and ping and related tools, or using a higher-level application?
    I have seen cases where some firewall process goes nuts and clogs up a server.  But that's not usually both servers.
    Check the server logs for any related details, and see if there are any rogue CPU-bound processes.
    And check the local area network for problems with DNS services, with errors with IP routing, with errors around subnet routing configuration (use unique IP addresses in distinct subnets for both controllers, unless you're using link aggregation), etc.

  • Preview failed because Adobe Muse could not make a connection over HTTP. The most common cause of this is Firewall software which prevents HTTP connections. You may need to change Firewall settings to allow Adobe Muse to make connections.

    Preview failed because Adobe Muse could not make a connection over HTTP. The most common cause of this is Firewall software which prevents HTTP connections. You may need to change Firewall settings to allow Adobe Muse to make connections.
    no firewall at all, in win 8.1, turned it off for all networks
    ftp and publish works just fine

    Hi,
    Please take a look at this post : Re: Adobe Muse - Preview Failed
    Regards,
    Aish

  • Adding NetGear Prosafe 8-port Gigabit VPN Firewall to existing TimeCapsule Network

    I need some help and direction with this one...
    What I currently have setup and what I am doing on a day to day is as follows;
    Cox Cable Broadband > ISP Cable Model > Time Capsule >Airport Express v1 + Airport Express v2 (Both extending wireless). I have a Dell/Windows Server setup as a Media Server and also have it setup to accept  VPN connection as well. I remote into my network quite a bit as well as VPN into it quite a bit, I RDP into the Dell Server as well as an iMAC and MacBook Pro from time to time. I have PS3, Xbox360, Apple TV 1stG and 2ndG, 2011iMac, 2011MacBookPro, iPAD3 and various other wireless clients. I would really like to add as much security as I possibly can and thought adding a Hardware firewall would be a good step.
    So I Purchased a NetGear ProSafe 8-port Gigabit VPN Firewall that I would install on my network and have everything behind that. The problem is I have no idea how to set it up for the best protection and performance. Only thing I found online is putting it behind my TC which would then leave my Wireless Clients outside the Firewall? I'm usually pretty good with this stuff, but this time I'm just completely confused and not even sure if I need this or if it's completely useless. I do like the TimeCapsule also running 2 Airport Express (v1 & v2) to extend my wireless network, but I'm not sure if it's as secure as it could be.
    If this was a good step buying a hardware firewall and from what I've read the model I bought (FVS318G) is pretty good, it's also solving a problem I have had with my network is needed Ethernet access. Time Capsule only has 3 ports so I figured this would also solve the lack of Ethernet ports as well.
    I'm thinking I would go from Modem > NetGear(DHCP Enabled) > Time Capsule (Somehow turn DHCP/Router off) > all my network clients.
    Can Anyone offer advice?? How I should configure this? Is it pointless? Return the Netgear Firewall? Buy a different hardware firewall???
    *BTW* I have software security covered, just want to add hardware as well.
    Any help/suggestions would be extremely helpful!
    Thank you!

    I am not sure who made the suggestion for the vpn router to be behind the TC.. they do that sometimes for connection to vpn for downloading TV shows etc.. but your proposed network layout is correct.
    I'm thinking I would go from Modem > NetGear(DHCP Enabled) > Time Capsule (Somehow turn DHCP/Router off) > all my network clients.
    All correct.. The Netgear has to be the one and only router.. otherwise the VPN will not give you access to the rest of the network behind the NAT.
    So easy peasy.. bridge the TC.. use the 5.6 utility if Lion.. you will need to download and install it..
    http://support.apple.com/kb/DL1482
    Lion v6 is a toy..
    Go to manual setup, internet tab. Connection sharing.. off, bridge mode. update the TC.. voila you are done.
    You should probably reboot the whole network. As the expresses will need to now get IP from the netgear not the TC. Tell us if you run into trouble, but everything should work, although it may require a reset and redo setup of the TC and express to get everything smooth again.
    Next issue.. hardware and software firewalls.. sometimes produces the great wall of china.. very secure... oh so secure nothing gets in.. or out. I do not know the Netgear.. but I would start with whatever the lowest preset is for the firewall. And see if you have issues.
    And of course then do the vpn setup.. which is a lot of fun.. (read strong sarcasm). But once you establish the tunnel should then give you access to the whole network.. you will not need to use RDP unless you need to actually take over a computer.
    VPN firewall is the RIGHT WAY.. albeit it can be painful in the initial stages.

  • Opening of TCP/IP Port 53 in Firewall

    Hi ,
    I checked few SharePoint blogs which say for SharePoint 2013 need to open Port 53 in Firewall for "User Profile Synchronization Service(FIM)" to
    DNS server.
    - What user profile sync is been done between SP server and DNS server. isn't the user profile sync is from AD server ?
    pl see the link http://technet.microsoft.com/en-us/library/cc262849.aspx
    Thanks 
    Hari

    thanks guys.
    My SP farm is in cloud and AD & DNS are in different cloud zone, hence firewall is in between.
    I am SP guy no much knowledge of firewall, DNS & AD. The cloud infra team has rejected the request to open port 53 to DNS server reason " This rule cannot be allowed
    as it will also cause functional issues for the Cloud VMs. Cloud VMs depends on Cloud internal DNS services to function. One method may be to consider if another AD/ DNS can be configured within G-Cloud as a VM. We apologize as we are unable to advise a solution,
    and even this needs to be submitted in this Pre-Qualification form for approval. Please note that Cloud VMs must not directly join the remote domain as this will cause the required DNS records to be missing."
    So I still this FIM to connect to AD-DS server or DNS server to fetch user information. 
    Thanks
    hari

  • RV042 - How to close all ports and leave some specific open

    Hello everybody,
    Here is the scenario of my network:
    - A company with 20 branches in Rio de Janeiro area. The main servers are in a datacenter located in downtown.
    Each branch has a RV042 router with firmware version 1.3.12.19-tm (Feb 13 2009 13:03:21) installed.
    All users in this network have a proxy configuration pointing to proxy.[blah].com.br port 3128.
    The HTTP/HTTPS traffic should go through proxy only.
    The network settings for every RV042 are similar:
    RV042 LAN IP = 172.16.***.1 /24.
    RV042 WAN IP = 192.***.***.*** /30.
    Network Setting Status
    LAN IP: 172.16.***.1 /24
    WAN1 IP: 192.168.***.*** /30               
    WAN2 IP: Not used
    Mode: Router
    DNS(WAN1): 208.67.220.220 / 208.67.222.222 [OpenDNS Service]
    DNS(WAN2): Not used
    Firewall Setting Status
    SPI (Stateful Packet Inspection): On
    DoS (Denial of Service): On
    Block WAN Request: On
    Firewall -> Access Rules Section: Please see below
    The problem:
    - Some "smart" users were caught using Ultrasurf application, which changes the proxy settings to go through port 9666 or even 443.
    In other machines, we've found some black proxies [for example: 212.46.27.142 port 8080].
    My objective:
    - To close all ports in Firewall -> Access Rules section and grant permission only to some selected and specified ports.
    - To redirect all HTTP/HTTPS connections to go to proxy's IP address only.
    Gentlemen, could you please tell me which Access Rules can I set in these RV042s in order to block and prevent these users to continue abusing this network? Is there anything else am I missing?
    P.S.: The users who were caught using Ultrasurf were fired. ;-)
    I gladly appreciate your comments.
    Thanks in advance,
    Luciano

    Hello Randy,
    Thanks for your answer. But let me tell you better. In this scenario, all machines in LAN can use RDP and VNC normally.
    I want to block everything else, just to avoid users to try using other ports.
    You might want to try Deny all traffic out, except for the PC's you need  to use RDP, and then only allow 80, and 443 to the proxy.[blah].com.br  port 3128. This way all web traffic would have to pass through that  proxy, otherwise it would be denied.
    In this network, we use VNC to provide remote IT support to users in these branches.
    They use RDP to access some servers in the datacenter.
    I think that the rule below line 6 is letting users go and traverse the proxy.
    Priority    Policy Name    Enable    Action    Service        Source Iface    Source    Destination        Time    Day
    *                                                  Allow    All Traffic [1]             LAN     Any        Any                  Always    
    How can I modify this access rule? It seems it cannot be altered.
    Thanks in advance,
    Luciano

  • RDS and Gateway issues: Cannot get remoteapps to run without opening port 3389 on firewall

    I am testing the setup of a small RDweb server to host QuickBooks for some remote sales users (4 users). For the most part, I have everything installed on one virtual server (using 2012r2 "Quick Start" session host deployment with the additional
    Licensing and Gateway server roles added to the same server).
    Everything works excellent with one exception. External clients cannot launch published apps without having port 3389 open on the firewall, even with the gateway role installed and the 'Deployment Properties' set to use the gateway. They can properly connect
    to the RDweb site and view the published apps. The only way it works is open the firewall port (at which time I can disable the gateway or leave it configured and it works either way). Internally, everything works accordingly. I have followed the steps outlined
    on many sites and have combed though the forum here to no avail.
    Error received (summarized but is a well documented error):
    remote desktop can't connect to the remote computer: 1- Your user account is not listed (it actually is) or 2- You might have specified the remote computer in NetBios format . . etc.
    This is an existing SBS 2011 environment with additional virtual servers setup to host QuickBooks as outlined below:
    Current setup:
    Used Quick Start to install Remote Desktop Services in hosted sessions mode
    Installed the additional roles for Licensing and Gateway server on same server
    Configured wild card public certificates on all four services (Connection Broker(2), Web Access and Gateway)
    Configured internal DNS to properly lookup our external FQDN of this server (ex. quickbooks.contoso.com points to quickbooks.contoso.local
    One thing I noticed (just now) when I launch a published app and the firewall has port 3389 closed, a dialog box pops up directly after launching the app that warns about running a RemoteApp program and mentions the Remote Computer and the Gateway Server
    as both the same (which it is); however, I would have assumed one would have listed the internal server's name while, instead, both are listed as the external FQDN. Either way, internal DNS should still allow it to properly route . . no? I don't know . . I'm
    sure I am just missing something in a routing configurations somewhere. The gateway service is not properly looking up the RDweb service and then seeming not routing the encapsulated RDP session through HTTPS. . .. is my guess . .
    I was reading about the "set published name" commandlet; however, I am not experiencing a certificate name mismatch; however, the certificate name does show up as *.contoso.com versus the actual name. I may just be grasping at straws now . . :)

    Ok, while I was in the server and looking over the BPA scans: "The Remote Desktop Gateway (RD Gateway) server Secure Sockets Layer (SSL) certificate may not have a valid certificate subject name." This may be due to it showing up as *.companyname.com
    versus quickbooks.companyname.com. Anyhow. .. on to the list of actions above:
    Changed RD RAP from "Select Active Directory" group to "Allow any network resource" and tested with port 3389 closed on firewall:
    Worked. Initially it did not as I had used a custom shortcut created from earlier; however, after logging into the RDweb site again, the application loaded fine now (after the RD RAP change)
    No error message appeared; however, I did notice that for a split second, the word Error did appear in the browser's tab title, but only very shortly. The app launch does take a bit longer too now (about 10-15 seconds, up from about 4 seconds with the port
    open). This, I could care less about so long as we are properly forwarding the traffic through the gateway.
    As for log entries, I had spent quite a bit of time in there and only had minor issues with loading user profile setting taking too long and policy settings preventing the redirection of USB devices. Looking again, no issues still. Just a bunch of informational
    entries where I would connect before (and disconnect) but only with the port on the firewall open; otherwise, there was not an entry correlating to when I would receive an error before. Now though, I am connecting after the RD RAP change and logs are showing
    connections even with the port closed. These are in "operational", the "admin" log only shows the update to the RD RAP configuration.
    Yes, the LAN's DNS server does relay the lookup information for my public FQDN as the local LAN address. No need for a local host record.
    I have now added a new rule in our firewall to allow and forward UDP port 3391 traffic to the internal server hosting remote services
    Thank you very much for your assistance on this matter. The RD RAP rule was default built during the creation of this services. Why is the resource not cross-referencing AD security groups? I could have sworn I created a group for that . . .

  • How do we change iTunes and iCloud accounts? My wife and I have separate accounts but she cannot access hers, only mine. This causes many issues like FaceTime, text etc. Do we have to reset her devices and start fresh?

    How do we change iTunes and iCloud accounts? My wife and I have separate accounts but she cannot access hers, only mine. This causes many issues like FaceTime, text etc. Do we have to reset her devices and start fresh?

    I think this may be the answer.
    http://support.apple.com/kb/HT5621

  • Cannot close Serial port socket on Server 2008, Can on XP

    As per the subject - running the same code using the same hardware, but different OS (Server 2008 Std. NOT XP Pro)will not work!
    It's all very odd... The port opens fine but will not close using SerialPort.close(), thereby causing problems the next time the port is opened (PortInUseException).
    Has anyone here experienced this before? Any suggestions as to where the problem may lie?
    Edited by: wizzkidd on Jan 19, 2010 7:46 AM - More descriptive title

    I have a serial port monitor open on both machines; it shows that the connection is still open (on Server 2008), even after the following is run:
         public void closePort() {
              if (serialPort != null) {
                   // Release the port handle
                   serialPort.close();
                   Console.print("Closed port: " + "(" + commPort + ")");
              }
              else {
                   Console.print("Port is still open: " + "(" + commPort + ")");
              }
         }
    However, on XP, the connection is closed properly.
    Upon failure to close the port, the code has already been run, however, no exception is thrown.
    Edited by: wizzkidd on Jan 19, 2010 7:56 AM

  • How to enter a range of ports in the firewall

    Does anyone know the syntax of how to enter a range of ports in the firewall so I don't have to enter each individual number? 
    For instance, to open port 15000 to 15264, is it possible to type something like "15000 - 15264" instead each port followed by a comma?
    Thanks.

    Hi,
    In Tiger it is the same as the comma and dashes thing I listed for some routers.
    You can also click the Edit button in that pic I posted and look at which ports are listed (they will be greyed out on the Preset ones)
    Windows Sharing should list the SMB ports and the Printing ports.
    EDIT:
    Actually on this page where I listed how to set up iChat - SMB is a separate line.
    (Printing sharing may also list the Windows Print Sharing port)
    If those don't cover the Windows app you want to communicate with you will have to make your own Entry Like the Edit link I just inserted)
    10:37 PM      Friday; May 27, 2011
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb( 10.6.7)
     Mac OS X (10.6.7),
    "Limit the Logs to the Bits above Binary Images."  No, Seriously

  • Neighbors keep stealing my internet and resetting permissions - I know they are running Lion and I can't seem to stop them from resetting the wifi and firewall options in Maverick. It's killing my internet and driving me nuts.

    Hi - I thought I was crazy but after a full reinstall of Mavericks and I can still see the utility repair fixing problems I know my neighbors are stealing in internet and using it. They keep finding different ways to do it - the only way I know they are doing it is because when I login to the terminal it no longer uses my HD name but some long server looking name. I turned off my wifi and plugged it in directly. This time, after the reset, they modified my firewall permission and reset some ruby framework. I want to know how to stop this from happening. Please help.

    More importantly, or at least as important, you must assign a strong password to your router's login. Service providers of DSL and cable have finally wised up and their routers now come with a preassigned and difficult to guess admin password, but not all. Right now, I'm certain it's at a default. Check the manual for your router, but it's probably something like:
    Admin: admin
    Password:
    Sometimes it's the other way around. The admin name is blank, and the password is simply "admin".
    Do this. From Safari, type this into the URL/search field at the top:
    192.168.0.1
    and press Enter. If the defaults are as simple as what I've shown here, that's how they keep getting back in so easily. All anyone has to do is be in range of your wireless signal, type in this same IP address and get into your router settings by using these uselessly easy to bypass admin name and password settings.
    Once into your router's settings, they can see what you've changed the wireless login password to, and just login again. What you need to do more than anything is keep them out of your router's settings.
    Go into the router's settings as I described using 192.168.0.1 in Safari. Find the wireless settings and turn all wireless off so no one is getting a signal. This will keep them out while you change things.
    1) Change the router's wireless security to WPA2.
    2) Change the wireless password to a new, hard to guess password as steve359 showed. Long, random, obnoxious passwords are best. At least 16 characters long.
    3) Now, go to the admin login page and give the login password an equally long and difficult password. Remember to do all of this with wireless broadcasting OFF, or they will be able to watch everything you're doing.
    4) Now turn wireless access back on. They will no longer be able to login to your router to see your wireless access password. Not unless they manage to guess a very hard long and difficult password.
    Make sure to write these passwords down so you can get back into the router without manually resetting it.

  • Can not seem to connect to an HTTPS with a port number

    Hello,
    I am building an application that needs to connect to an https with a port number...
    If the url is 'https://xxx.yyy.zzz' and the port is 5000 what would I use? I have found examples with out a port number but not with a port number...

    Ah... Like GET and SEND?
    That is definitely not correct in this situation.
    I think what is throwing me is that they specified
    the host as 'https://xxx.yyy.zzz' where really
    they want an SSL connection... I think anyways...
    Generally there are two situations.
    1. There are two possible connections/protocols. One is SSL only and the other is https.
    2. They got carried away with the documentation. They added a section describing how SSL works. The protocol within SSL is still http. That is the definition of https though.

  • No Http server on port 8080 with 10g Express Edition ( TNS-12631 error)

    I downloaded the Oracle 10g Express Edition for Microsoft Windows and tried to install the software on 3 pcs.
    2 pc works but mine is not working.
    All works well during installation but when I want to connect to the home web page, it displays error (http://127.0.0.1:8080/apex)
    It is normal because I have no process running under 8080 port.
    But I don't know why there is not an http server on port 8080.
    netstat -a :
    Connexions actives
    Proto Adresse locale Adresse distante Etat
    TCP LABOLLC:epmap LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:microsoft-ds LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:1521 LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:42510 LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:1051 LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:1255 LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:1291 localhost:1292 ESTABLISHED
    TCP LABOLLC:1292 localhost:1291 ESTABLISHED
    TCP LABOLLC:netbios-ssn LABOLLC.castel.fr:0 LISTENING
    TCP LABOLLC:1338 messagerie.castel.fr:1026 ESTABLISHED
    TCP LABOLLC:1342 messagerie.castel.fr:1390 ESTABLISHED
    TCP LABOLLC:1355 messagerie.castel.fr:1026 ESTABLISHED
    TCP LABOLLC:1359 messagerie.castel.fr:1390 ESTABLISHED
    TCP LABOLLC:1472 messagerie.castel.fr:epmap TIME_WAIT
    TCP LABOLLC:1473 messagerie.castel.fr:1026 TIME_WAIT
    UDP LABOLLC:microsoft-ds *:*
    UDP LABOLLC:isakmp *:*
    UDP LABOLLC:1027 *:*
    UDP LABOLLC:1339 *:*
    UDP LABOLLC:1340 *:*
    UDP LABOLLC:1356 *:*
    UDP LABOLLC:1357 *:*
    UDP LABOLLC:1427 *:*
    UDP LABOLLC:4500 *:*
    UDP LABOLLC:ntp *:*
    UDP LABOLLC:1028 *:*
    UDP LABOLLC:1062 *:*
    UDP LABOLLC:1900 *:*
    UDP LABOLLC:ntp *:*
    UDP LABOLLC:netbios-ns *:*
    UDP LABOLLC:netbios-dgm *:*
    UDP LABOLLC:1900 *:*
    UDP LABOLLC:42508 *:*
    The file sqlnet.log contains the following comments :
    Fatal NI connect error 12631, connecting to:
    (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))
    VERSION INFORMATION:
         TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
         Oracle Bequeath NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production
    Time: 08-MARS -2007 16:28:39
    Tracing not turned on.
    Tns error struct:
    ns main err code: 12631
    TNS-12631: Echec de recherche de nom
    ns secondary err code: 0
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0
    I don't know what to do !!
    Help

    Yes i Check all that.
    For example, I have Tomcat installed on my PC and I can launch it easily.
    So that means that port 8080 is completely free.
    No I haven't http service as you can see with netstat results.
    Look at the log sqlnet.log, I have following :
    Fatal NI connect error 12631, connecting to:
    (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))
    VERSION INFORMATION:
         TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
         Oracle Bequeath NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production
    Time: 09-MARS -2007 14:46:35
    Tracing not turned on.
    Tns error struct:
    ns main err code: 12631
    TNS-12631: Echec de recherche de nom
    ns secondary err code: 0
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0
    Thanks

  • Opening a port in the firewall

    I want to be able to use pulptunes, but I need to be able to open a port in my firewall (15000), how do I go about this?

    erikagwen,
    Leopard has a new "Application Firewall." What this means for you is that it will automatically configure itself to allow your application to communicate, opening ports as needed, provided you authorize it to do so. When you first launch the application, the firewall will detect the "sockets" that it creates, and ask if you wish to allow it to accept outside requests.
    It is also likely that you are behind a router, which will be running its own firewall. For this, you'll need to first determine the ports involved, then check and follow your router's documentation for forwarding those ports to your computer.
    Scott

  • RMI firewall issue - opening port 1099 is not enough

    Hello,
    We have a distributed java desktop app that uses RMI with callbacks to communicate amongst the clients. It all works really well at our dev site and at 2 trial sites.
    We are about to deploy out to more customer sites - so I have been doing more testing with firewalls etc and discovered some issues. Our customers are small businesses and typically have between 1 and 10 desktop clients that connect to the server via RMI. These customers are "very NOT technical", so we need to give them set-and-forget firewalls etc.
    This is all on a LAN, with RMI using port 1099. On the firewalls (of the various PCs) we open ports 1099 (RMI) and 5432 (for the Postgres DB).
    Also, I was using "CurrPorts" and "SmartSniff" to monitor the traffic at each PC - so I had a reasonable view of proceedings.
    Basically, opening port 1099 on the server is necessary, but it is NOT ENOUGH. The RMI moves off to ports other than 1099, and the server firewall does not allow the connection.
    Procedure ...
    (1) start the "server" app - which starts the RMI registry - the "localhost" desktop app also starts and it works well to both the database and the RMI.
    (2) start another client - it connects to the DB Server, but NOT the RMI server.
    (3) open the server firewall to all traffic for a few seconds - then the client connects successfully.
    From CurrPort logging I could watch the RMI comms progress over those first few minutes ...
    Initially the comms do include port 1099 on the initial call to the server, but there after there are always 2 or 3 "channels" open, but not to 1099.
    I notice that the Postgres DB keeps using port 5432 for all of its active channels - so it does not have the same firewall issue.
    After we have opened the firewall for a few seconds - to enable the link - then we can turn the client on and off and the client re-connects without issue - so it would seem to be only an issue with the initial connection.
    I am sure that this is all completely standard and correct RMI behavior.
    QUESTIONS:
    1. Can RMI be "forced" to always use port 1099 for connections, and not move to other ports? (like the database uses 5432)
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Other comments ...
    The firewall lets me open individual ports (say 1099) - BUT I can not justify opening ALL ports.
    The firewall lets me open all ports to an application, say "C:\Program Files\Java\jre6\bin\java.exe", but that app will occasionally change at a customer's site as they will update their java version and suddenly our app will stop working.
    Any guidance is appreciated.
    Many Thanks,
    -Damian

    1. Can RMI be "forced" to always use port 1099 for connections
    Yes. Export all your servers on the same port. See UnicastRemoteObject constructor that takes an int, or UnicastRemoteObject.exportObject(int). If the RMI Registry is a separate process you can't re-use 1099 for this purpose, but see below.
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Yes. Start the RMI Registry in the same JVM as the code, then you only need to use 1099 for everything.
    If you are using server socket factories, make sure they have an equals() method, or use the same instance for all remote objects.
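
The three points in the reply above, put together so that a single firewall rule for TCP 1099 covers both the registry and the remote object. This is an added example, not code from the thread; the `Greeter` interface, the `greeter` binding name, `BoundServerSocketFactory` and the loopback address used for the self-check are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.util.Objects;

/** Added example: registry and remote object share one listening port. */
public class SinglePortRmiServer {
    static final int RMI_PORT = 1099;

    /** Hypothetical remote interface used only for this illustration. */
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    static final class GreeterImpl implements Greeter {
        @Override
        public String greet(String name) {
            return "hello " + name;
        }
    }

    /**
     * Server socket factory that binds to one address. equals()/hashCode() let RMI
     * recognise two instances as the same factory and reuse the listening socket;
     * without them each export would try to open its own socket on the port.
     */
    static final class BoundServerSocketFactory implements RMIServerSocketFactory {
        private final InetAddress bindAddress;

        BoundServerSocketFactory(InetAddress bindAddress) {
            this.bindAddress = bindAddress;
        }

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, bindAddress);
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof BoundServerSocketFactory
                && Objects.equals(bindAddress, ((BoundServerSocketFactory) o).bindAddress);
        }

        @Override
        public int hashCode() {
            return Objects.hashCode(bindAddress);
        }
    }

    public static void main(String[] args) throws Exception {
        // Loopback keeps the self-check local; a deployment would use the LAN address.
        InetAddress addr = InetAddress.getByName("127.0.0.1");
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        // Registry started inside this JVM, so it can share 1099 with exported objects.
        Registry registry = LocateRegistry.createRegistry(
            RMI_PORT, null, new BoundServerSocketFactory(addr));

        // Export on the same fixed port instead of port 0 (an anonymous port).
        GreeterImpl impl = new GreeterImpl(); // strong reference keeps the export alive
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(
            impl, RMI_PORT, null, new BoundServerSocketFactory(addr));
        registry.rebind("greeter", stub);

        // Self-check over the socket: lookup and call both go to port 1099.
        Greeter remote = (Greeter) LocateRegistry.getRegistry("127.0.0.1", RMI_PORT)
            .lookup("greeter");
        System.out.println(remote.greet("client"));

        // Unexport so the JVM can exit; a real server would keep running.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```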
