Unable to Push agent to servers due to restriction on Firewall

  • Question

  • Hi,

    I am new to DPM. We have DPM 2012 R2 installed on Windows Server 2012 R2.

    The setup is such that all IPs and ports are restricted; we need to request each individual IP (or group of IPs) and the ports that need to be allowed for the DPM server to communicate.

    I have googled and found a few blogs listing the ports which need to be allowed, and got the below ports allowed by the network team:

    135, 5718-5719, 6075, 445, 139, 137   

    But I am still unable to establish communication.

    I have tried pushing the agent as well as installing it manually. I am getting the below error:

    Description: Agent operation failed. (ID 370)
    The agent operation failed because of a communication error with the DPM Agent Coordinator service on contoso01.xyz.com. (ID 319 Details: The RPC server is unavailable (0x800706BA))

    More information

    Recommended action:

    1) Verify that contoso01.xyz.com is remotely accessible from the DPM server.
    2) If a firewall is enabled on contoso01.xyz.com, make sure that it is not blocking requests from the DPM server. Refer to the System Center 2012 R2 DPM Deployment Guide for more information on configuring the firewall for DPM.
    To install an agent manually, run DpmAgentInstaller.exe <DPMServerName> on target server. For more information, see http://go.microsoft.com/fwlink/?LinkID=185786
    Resolution: DPM automatically changes this alert's status to inactive 3 days after it is issued.To dismiss the alert, click below Inactivate

    Both servers (DPM and contoso01.xyz.com) are able to ping each other.

    Could someone help me with this?

    Thanks in advance,

    Pradeep Kumar 


    Pradeep Kuimar

    Tuesday, July 23, 2019 12:10 PM

Answers

All replies

  • Hello,

    The DPM control protocol uses DCOM. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server.

    TCP port 135 is the DCE endpoint resolution point used by DCOM.

    By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can configure this range by using Component Services.

    Note that for DPM-Agent communication you must open the upper ports 1024-65535.

    To open the ports, perform the following steps:

    1. In IIS 7.0 Manager, in the Connections pane, click the server-level node in the tree.
    2. Double-click the FTP Firewall Support icon in the list of features.
    3. Enter a range of values for the Data Channel Port Range.
    4. After you enter the port range for your FTP service, in the Actions pane, click Apply to save your configuration settings.

    You’ll find the above information and the list of required firewall ports for DPM 2012 R2 over here: 

    https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh758204%28v%3dsc.12%29

    An easy way to check which ports are being used is to use a network monitoring tool, like Wireshark or Microsoft Network Monitor; this helps you to identify the ports/protocols being used.

    Best regards,

    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:


    • Edited by Leon Laude Wednesday, July 24, 2019 11:38 AM
    Wednesday, July 24, 2019 11:38 AM
  • Hi Leon,

    Thanks for your reply. Does that mean we will need to request all those ports to be opened on the firewall?

    Do we need to open the dynamic ports bi-directionally? All the IPs and ports are restricted, and we will need to request the network team to allow communication for each IP and port.

    Requesting that so many ports (1024 - 65535) be opened is not possible. Is there a way I can limit/calculate the required number of ports?

    Could you please guide me on this.

    Thanks in advance.


    Pradeep Kuimar

    Wednesday, July 24, 2019 3:59 PM
  • When you are protecting a production server or a Windows client, the communication is initialized in different ways:

    • In a production server scenario, the DPM server initializes the communication
    • In a Windows client scenario, the DPM agent initializes the communication

    For configuring the DCOM ports being used, you can refer to this link:

    https://blogs.technet.microsoft.com/askcore/2008/05/08/troubleshooting-agent-deployment-in-data-protection-manager-2007-dcom/


    Blog: https://thesystemcenterblog.com LinkedIn:

    • Proposed as answer by Leon Laude Sunday, July 28, 2019 5:16 PM
    Wednesday, July 24, 2019 4:15 PM
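    The question above asks whether the dynamic range can be limited rather than opening 1024-65535. The following is an added PowerShell example, not code from the thread or from Microsoft: it reports the host's current ephemeral port range and the RPC port-restriction values under HKLM\SOFTWARE\Microsoft\Rpc\Internet, and with -Apply writes a narrow range so the firewall request only has to cover that range. The start port and count are assumed values; run it elevated on both the DPM server and the protected server, since both sides initiate DCOM calls, and reboot to apply.

```powershell
# Added example (not from the thread): inspect and narrow the RPC/DCOM dynamic
# port range so the firewall only needs a small, known range instead of 49152-65535.
# Run elevated; a reboot applies the change. Start/Count are assumed values.
param(
    [int]$StartPort = 5200,   # assumed: a range agreed with the network team
    [int]$PortCount = 200,    # assumed: enough endpoints for the RPC servers on this host
    [switch]$Apply            # without -Apply the script only reports
)

# Documented registry location for restricting RPC dynamic endpoint allocation
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcPortConfig {
    # Ephemeral range used when no RPC restriction is configured (default 49152, 16384 ports)
    $ephemeral  = (netsh int ipv4 show dynamicport tcp) -join ' '
    $restricted = if (Test-Path $rpcKey) { Get-ItemProperty $rpcKey } else { $null }
    [pscustomobject]@{
        EphemeralRange   = $ephemeral.Trim()
        RpcPorts         = if ($restricted) { $restricted.Ports -join ',' } else { '(not restricted)' }
        UseInternetPorts = if ($restricted) { $restricted.UseInternetPorts } else { 'N' }
    }
}

function Set-RpcPortRange {
    param([int]$Start, [int]$Count)
    $end = $Start + $Count - 1
    if ($Start -lt 1024 -or $end -gt 65535) { throw "Range $Start-$end is outside 1024-65535" }
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ; a single "start-end" entry is enough here.
    # PortsInternetAvailable=Y means the listed ports are the ones RPC may use;
    # UseInternetPorts=Y makes RPC allocate dynamic endpoints from that list.
    New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @("$Start-$end") -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    "RPC dynamic endpoints restricted to TCP $Start-$end; reboot to apply."
}

Get-RpcPortConfig | Format-List
if ($Apply) { Set-RpcPortRange -Start $StartPort -Count $PortCount }
```

    The restriction applies to every RPC server on the host, not only to DPM, so keep the range large enough for the other RPC services there and avoid very small ranges on domain controllers.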
  • Do you have any update on your issue?

    Blog: https://thesystemcenterblog.com LinkedIn:

    Sunday, July 28, 2019 5:16 PM
  • Hi Leon,

    I am waiting for my network team to open the dynamic ports on the firewall; all the ports related to DPM are already opened as per the Microsoft blogs, except for the dynamic ports.

    The network team is holding off on this request as it is a large number of ports (49152-65535, i.e. 16384 ports) to be opened.

    Regards,

    Pradeep Kumar


    Pradeep Kuimar


    Friday, August 2, 2019 9:20 AM
  • Hi Leon,

    Our network team has opened the dynamic port range 49152-65535 (bi-directional) to the DPM server, but I am still unable to install the agent from the server. I have added an inbound firewall rule for the dynamic ports on both servers (DPM and client server). Below is the error message:

    Affected area: contoso01.xyz.com
    Occurred since: 8/13/2019 1:11:44 PM
    Description: Agent operation failed. (ID 370)
    The agent operation failed because the DPM Agent Coordinator service on contoso01.xyz.com did not respond. (ID 324 Details: Internal error code: 0x8099090E)
    More information
    Recommended action: Do the following to troubleshoot this issue: 
    1) Verify that contoso01.xyz.com is remotely accessible from the DPM server.
    2) If a firewall is enabled on contoso01.xyz.com, make sure that it is not blocking requests from the DPM server and has an exception for Windows Management Instrumentation(WMI).
    3) Try installing the agent manually by selecting "Attach Agents" in the agent installation wizard.

    To troubleshoot this problem, refer to http://go.microsoft.com/fwlink/?LinkId=157614
    To install an agent manually, run DpmAgentInstaller.exe <DPMServerName> on target server. For more information, see http://go.microsoft.com/fwlink/?LinkID=185786
    Resolution: DPM automatically changes this alert's status to inactive 3 days after it is issued.To dismiss the alert, click below
    Inactivate


    Pradeep Kuimar



    • Edited by D.Pradeep kumar Tuesday, August 13, 2019 11:21 AM updated server name
    Tuesday, August 13, 2019 11:16 AM
  • Is the DPM Agent Coordinator installed on your protected server?

    If it is installed, check that the DPM Agent Coordinator service is running.

    Also make sure that the protected server has the Visual C++ 2010 Redistributable installed; you can download it from the link or copy it from the DPM 2012 R2 installation media (<root directory>\Redist\vcredist\vcredist2010_x64.exe).


    Please check the Application & Setup event logs on the protected server for any related errors, also check the DPM installation logs:

    Protected server:

    • %ProgramFiles%\Microsoft Data Protection Manager\DPM\Temp

    DPM Server:

    • %ProgramFiles%\Microsoft System Center 2012 R2\DPM\DPM\Temp

    If you still have issues, try installing the agent manually:
    Install the Protection Agent manually

    Then try attaching the agent to DPM:
    Attach the DPM protection agent


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, August 13, 2019 11:37 AM
  • DPM Agent Coordinator is installed on the protected server and Visual C++ 2010 Redistributable is installed.

    Still unable to deploy the agent from the server, so I installed the agent manually and tried to add the agent to DPM; the server failed to connect to the protected server agent.


    Pradeep Kuimar



    • Edited by D.Pradeep kumar Tuesday, August 13, 2019 4:31 PM Removed the image
    Tuesday, August 13, 2019 1:30 PM
  • Something is still blocking:

    WARNING Failed: Hr: = [0x80070002] : Error trying to open RegKey [HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent\2.0\Certificates\contoso01.xyz.com]

    Do you have any antivirus software on the DPM server and the protected server(s)?

    If you have any antivirus, please try to disable it (or even uninstall it temporarily).


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, August 13, 2019 1:36 PM
  • Hi Leon,

    I have uninstalled the antivirus and the previously installed DPM agent from the protected machine, tried to deploy the agent from the DPM server and it failed, then installed the agent manually and tried to connect the agent in the DPM server and received the same error on the server. Below is the error log from the protected server:


    Pradeep Kuimar



    • Edited by D.Pradeep kumar Tuesday, August 13, 2019 4:38 PM uploaded images
    Tuesday, August 13, 2019 4:30 PM
  • What operating system version is the protected server running?


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, August 13, 2019 5:13 PM
  • MS Windows Server 2012 R2 Datacenter edition.

    Pradeep Kuimar

    Tuesday, August 13, 2019 5:50 PM
  • Is the protected server in the same domain as the DPM server?

    Please also verify that the DPM server is a member of the Distributed COM Users group and that the group has DCOM Launch and Access permissions.

    1. In Computer Management, expand System Tools, expand Local Users and Groups, and then click Groups.

    2. In the Details pane, double-click the Distributed COM Users group.

    3. Verify that the computer account for the DPM server is a member of the group.

    For DCOM Launch and Access permission:

    1. In Administrative Tools, open Component Services, Expand Component Services, expand Computers, right-click My Computer, and then click Properties.

    2. On the COM Security tab, under Access Permissions, click Edit Limits. Verify that the Distributed COM Users group is allowed both Local Access and Remote Access permissions.

    3. On the COM Security tab, under Launch and Activation Permissions, click Edit Limits. Verify that the Distributed COM Users group is allowed the following permissions:

    • Local Launch
    • Remote Launch
    • Local Activation
    • Remote Activation

    However it still seems to be a firewall issue, do you have the possibility to temporarily disable the firewall only to test the behavior?


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, August 13, 2019 7:52 PM
  • Hi Leon,

    The DPM server is a member of the Distributed COM Users group, and I also checked the DCOM Launch and Access permissions; they are configured correctly.

    The network is configured to communicate only to particular VLANs and ports; other traffic is restricted.

    The DPM server and protected servers are joined to the same domain but are in different VLANs. I worked with my network team and got these ports (135, 5718-5719, 6075, 445, 139, 137) opened for my DPM server, with bi-directional communication from the DPM server to all the servers. The DCOM ports (49152-65535) are also opened for the DPM server.

    I have disabled the firewall and uninstalled the antivirus on the protected server. Am I missing any ports which need to be allowed?



    Pradeep Kuimar

    Wednesday, August 14, 2019 10:51 AM
  • Below you'll find the firewall ports required:

    Protocol: DCOM
    Port: 135/TCP, plus dynamic ports
    Details: DCOM is used by the DPM server and the DPM protection agent to issue commands and responses. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server.

    TCP port 135 is the DCE endpoint resolution point that is used by DCOM. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can adjust this range by using Component Services. To do this, follow these steps:

    1. In IIS 7.0 Manager, in the Connections pane, click the server-level node in the tree.
    2. In the list of features, double-click the FTP Firewall Support icon.
    3. Enter a range of values for the Data Channel Port Range for your FTP service.
    4. In the Actions pane, click Apply to save your configuration settings.

    Protocol: TCP
    Port: 5718/TCP, 5719/TCP
    Details: The DPM data channel is based on TCP. Both DPM and the protected computer initiate connections to enable DPM operations such as synchronization and recovery. DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719.

    Protocol: TCP
    Port: 6075/TCP
    Details: Enabled when you create a protection group to help protect client computers. Required for end-user recovery. An exception in Windows Firewall (DPMAM_WCF_Service) is created for the program Amscvhost.exe when you enable Central Console for DPM in Operations Manager.

    Protocol: DNS
    Port: 53/UDP
    Details: Used for host name resolution between DPM and the domain controller, and between the protected computer and the domain controller.

    Protocol: Kerberos
    Port: 88/UDP, 88/TCP
    Details: Used for authentication of the connection endpoint between DPM and the domain controller, and between the protected computer and the domain controller.

    Protocol: LDAP
    Port: 389/TCP, 389/UDP
    Details: Used for queries between DPM and the domain controller.

    Protocol: NetBIOS
    Port: 137/UDP, 138/UDP, 139/TCP, 445/TCP
    Details: Used for miscellaneous operations between DPM and the protected computer, between DPM and the domain controller, and between the protected computer and the domain controller. Used for DPM functions for Server Message Block (SMB) when it is directly hosted on TCP/IP.

    If you have installed the DPM agent manually on your protected server, could you please check the DPM agent log and provide its contents here / upload it to a shared OneDrive.

    The DPM agent log can be located here:

    • %ProgramFiles%\Microsoft Data Protection Manager\DPM\Temp\DPMRA.errlog

    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, August 14, 2019 11:09 AM
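    To turn the port table above into a check that can be run from each side of the link, here is an added PowerShell example (not code from the thread or from Microsoft). It probes the table's TCP ports against the peer with Test-NetConnection and then runs a WMI query, which goes over DCOM (135/TCP followed by a dynamic RPC port) and so reproduces the "RPC server is unavailable" symptom when the dynamic range is blocked in one direction. The peer name contoso01.xyz.com is the one used in the thread; run it on the DPM server against the protected server, then on the protected server against the DPM server.

```powershell
# Added example (not from the thread): probe the DPM firewall ports from this
# host to the peer, then do a DCOM round trip via WMI. Run from both sides,
# because both DPM and the protected computer initiate connections.
param([string]$Peer = 'contoso01.xyz.com')   # hostname taken from the thread

# TCP ports from the port table (UDP ports such as 53, 88, 137, 138 cannot be
# probed with a plain connect test)
$tcpPorts = @(
    @{ Port = 135;  Purpose = 'DCOM endpoint mapper' },
    @{ Port = 5718; Purpose = 'DPM agent coordinator' },
    @{ Port = 5719; Purpose = 'DPM protection agent' },
    @{ Port = 445;  Purpose = 'SMB over TCP' },
    @{ Port = 139;  Purpose = 'NetBIOS session' },
    @{ Port = 88;   Purpose = 'Kerberos (domain controller)' },
    @{ Port = 389;  Purpose = 'LDAP (domain controller)' }
)

function Test-DpmPorts {
    param([string]$Target, [array]$Ports)
    foreach ($entry in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $entry.Port; Purpose = $entry.Purpose; Open = $r.TcpTestSucceeded }
    }
}

function Test-DcomRoundTrip {
    param([string]$Target)
    try {
        # Get-WmiObject uses DCOM: it contacts 135/TCP first, then the dynamic
        # RPC port the endpoint mapper hands back, so it tests both ranges.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
        [pscustomobject]@{ Target = $Target; Dcom = 'OK'; Detail = $os.Caption }
    } catch {
        # 0x800706BA "The RPC server is unavailable" here, with port 135 open,
        # usually means the dynamic RPC port is blocked in this direction.
        [pscustomobject]@{ Target = $Target; Dcom = 'FAILED'; Detail = $_.Exception.Message }
    }
}

Test-DpmPorts -Target $Peer -Ports $tcpPorts | Format-Table -AutoSize
Test-DcomRoundTrip -Target $Peer | Format-List
```

    A port that reports Open = False while the Windows Firewall on the peer is off points at the network firewall between the VLANs rather than at the host.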
  • Hi Leon,

    I have uploaded the DPM server log to OneDrive and shared it; below is the link for the file.

    https://1drv.ms/u/s!AjAi7m5zzyihrUzgdfx019gQ31Uo


    Pradeep Kuimar


    • Edited by D.Pradeep kumar Wednesday, August 14, 2019 1:28 PM Added the link
    Wednesday, August 14, 2019 1:26 PM
  • Nothing much to go with, still the same warning as earlier.

    Please use the following very detailed and comprehensive troubleshooting guide:
    Data Protection Manager Agent Network Troubleshooting


    Blog: https://thesystemcenterblog.com LinkedIn:

    Thursday, August 15, 2019 1:11 PM
  • Thanks Leon,

    I will check the troubleshooting guide and update this forum if there is any progress.


    Pradeep Kuimar

    Monday, August 19, 2019 12:31 PM
  • Hi Leon,

    I have gone through the troubleshooting guide and did most of the tests from both the DPM server and the protected server. From the DPM server all tests were good, but from the protected server to the DPM server, when I test WMI I get the error "The RPC server is unavailable". Does this mean the DCOM ports from the protected server are not accessible to the DPM server?


    Pradeep Kuimar

    22 hours 45 minutes ago
  • Hi,

    "The RPC server is unavailable" is either due to DCOM misconfiguration or the firewall; my bet would still be the firewall.

    Do you have an active firewall monitoring so you could see on which ports DPM is trying to communicate?


    Blog: https://thesystemcenterblog.com LinkedIn:

    22 hours 24 minutes ago
  • Thanks a lot Leon,

    I checked with the network team and requested them to allow the DCOM ports bi-directionally on the firewall; now I am able to install the agent on the protected server from the DPM console.

    Thanks for all the support.


    Pradeep Kuimar

    4 hours 23 minutes ago
  • Great news, you're welcome!

    Blog: https://thesystemcenterblog.com LinkedIn:

    4 hours 21 minutes ago