The Software Protection Windows service is responsible for managing activation with KMS (Key Management Server). In the last couple of months I have been working on deploying and managing Windows Server 2008 R2 VMs running behind the firewall. The VMs sit in a dedicated VLAN that allows certain network traffic, which is controlled by a gateway that functions as a firewall.
During installation, the servers were installed and configured on a VLAN that had connectivity to the Active Directory domain, DNS, and the central KMS server that is responsible for activating Server and Client licenses. The KMS service was published in the AD DNS zone. After these servers were configured, they were placed into this dedicated VLAN, where communication with the Active Directory network was no longer possible. The KMS client was not able to renew its activation.
The following events started to show up in the Application Event Viewer:
After looking at some events and trying the “C:\Windows\System32>cscript slmgr.vbs /ato” command, I soon realized that the KMS client communication was blocked. I used TCPView.exe to see which network packets didn’t come through and were dropped with a SYN_SENT event. I am using the default configuration for the KMS infrastructure, and TCP port 1688 was used for communication. This traffic was dropped.
How to enable Windows KMS client behind a firewall?
- Make sure the KMS client can reach the server by FQDN. If no DNS server is available, add a new HOSTS entry so that the FQDN resolves to the server's IP address.
- Open the firewall from the KMS source clients to the central KMS server on TCP port 1688.
- Run the “C:\Windows\System32>cscript slmgr.vbs /ato” command to activate the client.
- Software Protection will receive the activation or renew its current one.
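A pre-flight check for the first two steps above, as an added example that is not part of the original post: it resolves the KMS host name and attempts a TCP connection to port 1688 with a timeout, so a silently dropped SYN is reported as a timeout instead of a generic activation error. The host name `kms.example.local` is a placeholder and the function name `Test-KmsPath` is hypothetical.

```powershell
# Added example, not from the original post. Written for PowerShell 2.0 (Server 2008 R2).
# Assumption: 'kms.example.local' is a placeholder for your KMS host FQDN.
function Test-KmsPath {
    param(
        [string]$HostName = 'kms.example.local',
        [int]$Port = 1688,        # default KMS port used in this article
        [int]$TimeoutMs = 3000
    )
    $r = New-Object PSObject -Property @{
        HostName = $HostName; Address = $null; Resolved = $false; PortOpen = $false; Detail = ''
    }

    # Step 1: the client must resolve the FQDN (DNS or a local HOSTS entry).
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1
    } catch {
        $r.Detail = "Cannot resolve $HostName. Add a HOSTS entry or fix DNS."
        return $r
    }
    if (-not $ip) { $r.Detail = "No address returned for $HostName."; return $r }
    $r.Resolved = $true
    $r.Address = $ip.ToString()

    # Step 2: TCP connect with a timeout. A firewall that silently drops the SYN
    # (the SYN_SENT state seen in TCPView) shows up here as a timeout.
    $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
    try {
        $async = $client.BeginConnect($ip, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws if the connection was refused
            $r.PortOpen = $true
            $r.Detail = "TCP $Port reachable. Run: cscript slmgr.vbs /ato"
        } else {
            $r.Detail = "Timeout on TCP $Port (likely dropped by the firewall)."
        }
    } catch {
        $r.Detail = "Connection to TCP $Port failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return $r
}

Test-KmsPath -HostName 'kms.example.local' |
    Format-List HostName, Address, Resolved, PortOpen, Detail
```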
Events
The following event was shown when no communication was allowed to the KMS server:
C:\Windows\System32>cscript slmgr.vbs /ato
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Activating Windows Server(R), ServerStandard edition.
On a computer running Microsoft Windows non-core edition, run ‘slui.exe 0x2a 0x8007007B’ to display the error text.
Error: 0x8007007B
The following event was shown when communication to the KMS server was allowed:
C:\Windows\System32>cscript slmgr.vbs /ato
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Activating Windows Server(R), ServerStandard edition
Product activated successfully.
Behnood Moradi
Thank You.