Created On:  11/7/2011

Problem:

Updated procedure for DP Analysis Remote Profiling on VISTA OS or later (Win 7, Win 2008, etc.).

Resolution:

FIREWALL CONFIGURATION
• Local and Remote Machine (Windows Firewall)
- Add an inbound/outbound rule for NCS.EXE process with all ports enabled.
- Add a connection security rule for the IP address of the other endpoint machine to allow connection (e.g. the rule in the Local machine specifies the IP of the Remote machine to be exempted from authentication requirements and vice versa)

• Remote Machine (Windows Firewall)
- Add an inbound/outbound rule for TCP port 37493.

COMPONENT SERVICES
• Local and Remote Machine
1. From the Start menu, type DCOMCNFG.EXE at the Search box.
2. Execute the DCOMCNFG.EXE from the search result. This opens the Component Services application.
3. On the tree view at the left side of the GUI, navigate to Console Root  Component Services  Computers  My Computer. Right-click on My Computer and select Properties from the context menu.
4. On My Computer Properties dialog, select the COM Security tab.
5. Under Access Permissions, select Edit Limits… button and make these changes:
a. Click Add… and enter Authenticated Users
b. Provide Local and Remote access by enabling the corresponding check box.
c. Click OK button to apply changes
6. For Win2008/2008R2 only:
a. Add the Distributed COM Users group having Local and Remote access by following step 5.
b. Under Launch and Activation Permissions section, select Edit Limits… button and make sure that the Distributed COM Users have permissions for Local Launch, Remote Launch, Local Activation and Remote Activation.  If the said user group is missing, then add it and apply the corresponding permissions.
7. Click OK to apply changes and to close the My Computer Properties dialog.


MACHINE LOCAL SECURITY POLICY
• Local and Remote Machine
1. In the Control Panel, open Administrative Tools  Local Security Policy  Local Policies  Security Options.
2. Open the properties for Network Access: Let Everyone permissions apply to anonymous users.
3. Select the Enabled radio button and click OK to apply changes.


RECOMMENDATIONS
Starting from Vista OS, the following items also need to be considered in order for the Remote Profiling feature to work properly.
•  A user with administrative privilege is necessary for configuring DP Remote Profiling because user elevation as Administrator is needed  when setting up the security requirements in the Local and Remote machine.
• Win 7 OS, Win2008/2008R2: The changes made to both Component Services and Machine Local Security Policy will require a machine reboot to fully take effect.
• If a 3rd party anti-virus program is managing the windows firewall (e.g. Symantec Endpoint  Protection), define the firewall rules (program, port, IP) in the managing application rather than in the Windows Firewall console.  The reason for this is that the rules in the managing application takes precedence over the Windows firewall rules.
• Make sure the firewall rules necessary for Remote Profiling (program, port and IP) takes priority over the existing firewall rules esp. if the firewall has the means to prioritize rules (topmost rule in the list is the highest).
• If ever the Local and Remote machines are running in a virtual environment (e.g. VMWare Workstation), make sure that the security application (e.g. Symantec Endpoint  Protection) of the Host machine allows communication on the IPs used by both Local, Remote machine and the virtual network.
• Any name and MAC address conflicts on the network esp. when using cloned virtual machines affects Remote Profiling functionality.
• Never use the Force Profiling switch /f for DPAnalysis when remote profiling an application with a .NET module loaded (aka mix-mode)  or a pure .NET  application because it leads to initialization issues especially if it is a 64-bit process.

------------------------------

The existing procedure we have for Remote Profiling found in our product doc “Understanding DevPartner Studio” still holds true for WinXP or older OS. Thus the procedure described above is intended as an additional information when configure machines having VISTA or later OS (Win7, Win2008/2008R2).

 none