Windows Server: KMS client behind firewall

Software Protection windows service is responsible for managing activation with KMS (Key Management Server). In the last couple of months I have been working on deploying and managing Windows Server 2008 R2 VM’s running behind the firewall. The VM’s are sitting in a dedicated VLAN that allows certain network traffic that is controlled by a gateway that functions as a firewall. During the installation the servers have been installed and configured on a VLAN that had connection to the Active Directory domain, DNS and central KMS server that is responsible to activate Server and Client licenses. KMS service was published in the AD DNS zone. After these servers were configured they were placed in to this dedicated VLAN where no communication was possible any longer to the Active Directory network. The KMS client was not able the renew its activation. The following events started to show up in the Application Event Viewer: After looking at some events and trying the “C:\Windows\System32>cscript slmgr.vbs /ato” command I soon realized that the KMS client communication was blocked. I used TCPView.exe to see which network packets didn’t come through and were dropped with SYN_SENT event. I am using default configuration for KMS infrastructure and TCP 1688 port was used for communication. This traffic was dropped. How to enable Windows KMS client behind a firewall? Make sure the KMS client can reach the server by FQDN. If no DNS server is available, add new HOSTS entry to allow IP to FQDN resolution Open firewall from […]