IDM Remote Loader on Windows 2008 R2 and PWFilter firewall settings

  • 7005894
  • 04-May-2010
  • 26-Dec-2018


NetIQ Identity Manager Driver - Active Directory
NetIQ Identity Manager - Password Synchronization
NetIQ Identity Manager 4.7
NetIQ Identity Manager 4.0
Novell Identity Manager 3.6.1
Novell Identity Manager - Password Synchronization
Novell Identity Manager Driver - Active Directory

Windows 2008 R2
Windows 2012 R2


Password changes will not flow from any Domain Controller to another 2008 R2 server running the Remote Loader.  Same problem may be seen in newer versions of Windows servers.


The existing Windows Firewall configuration prevents the remote loader from receiving any password changes as captured by the PWFilter.dll on other Domain Controllers within the domain. To solve this problem, do the following:
On the Windows Server firewall, (required only on the server which hosts the Active Directory Remote Loader) add the following rules:

--- Inbound Rules ---
Name Group Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Allowed Users Allowed Computers.
Rule 1
dirxml port 8090 IN Domain Yes Allow No Any Any Any TCP 8090 Any Any Any
Rule 2
dirxml process dirxml_remote.exe IN Domain Yes Allow No %SystemDrive%\Novell\RemoteLoader\dirxml_remote.exe Any Any Any Any Any Any Any

NOTE:  The port number should be the port number specified on the Remote Loader configuration.  So instead of 8090, it will be whatever you specified in the configuration.

No specific Outbound Rules are needed.
The rules can be given any name.
They rules must be assigned to at least the Domain profile.
If using the 64 bit remote loader, the path differs: %SystemDrive%\Novell\RemoteLoader\64bit\dirxml_remote.exe

The rules can be also added from the command line using the following commands, modifying the port and path as applicable:

netsh advfirewall netsh advfirewall firewall add rule name="dirxml port 8090" dir=in action=allow enable=yes profile=domain protocol=TCP localport=80
netsh advfirewall firewall add rule name="dirxml process dirxml_remote.exe" dir=in action=allow program="%SystemDrive%\Novell\RemoteLoader\dirxml_remote.exe" enable=yes profile=domain


The host-based firewall in windows prevents inbound connections on TCP 8090 (or another port as configured), and also prevents the dirxml_remote.exe process from using RPC to receive connections from other systems.  Configuring the firewall to allow access where needed permits the services to work properly.

Additional Information

While not advisable for security reasons, temporarily disabling the firewall entirely in a test environment may provide quick verification that the current issue is indeed caused by the firewall.