Firewall Blocking Public Network

  • Question

  • This is starting to do my head in.

    I have DPM19 with a dedicated backup network (which shows as a Public network)

    Every time I try to install a client, the firewall on the client is dropping packets. Here is a snippet.

    10.11 is the backup subnet and both machines can ping.

    2020-03-12 11:34:13 DROP TCP 10.11.12.86 10.11.20.65 50343 135 52 S 4212841173 0 64240 - - - RECEIVE
    2020-03-12 11:34:25 DROP TCP 10.11.12.86 10.11.20.65 50349 445 52 S 1379159324 0 64240 - - - RECEIVE

    I created these rules as a test, but it still drops.

    New-NetFirewallRule -Group "DPM2019" -Protocol "TCP" -RemotePort "49000-64999" -LocalPort "445" -DisplayName "MAN_SMBTEST" -Profile Domain,Public -Direction Inbound -Action Allow -EdgeTraversalPolicy Block

    New-NetFirewallRule -Group "DPM2019" -Protocol "TCP" -RemotePort "49000-64999" -LocalPort "135" -DisplayName "MAN_135TEST"  -Profile Domain,Public -Direction Inbound -Action Allow -EdgeTraversalPolicy Block

    What am I doing wrong? If I drop the firewall, it works.

    Thursday, March 12, 2020 11:52 AM

All replies

  • These are the rules I apply to the client in whole, by the way.

    (New-Object -ComObject HNetCfg.FwPolicy2).RestoreLocalFirewallDefaults()

    New-NetFirewallRule -Group "DPM2019_Client" -Protocol "TCP" -LocalPort 135,5718,5719,88,389,139,445 -Enabled True -Action Allow -Profile Domain,Public -DisplayName "SCDPM Agent TCP" -Description "DPM 2019 tcp rules" -Direction Inbound 

    New-NetFirewallRule -Group "DPM2019_Client" -Protocol "UDP" -LocalPort 53,88,389,137,138 -Enabled True -Action Allow -Profile Domain,Public -DisplayName "SCDPM Agent UDP" -Description "DPM 2019 UDP rules" -Direction Inbound 

    New-NetFirewallRule -Group "DPM2019_Client" -Program "%ProgramFiles%\Microsoft System Center\DPM\DPM\ProtectionAgents\AC\10.19.58.0\amd64\dpmac.exe" -Enabled True -Action Allow -Profile Domain,Public -DisplayName "SCDPM Agent Cordinator" -Description "DPM 2019 Agent Cordinator" -Direction Inbound

    New-NetFirewallRule -Group "DPM2019_Client" -Program "%ProgramFiles%\Microsoft System Center\DPM\DPM\ProtectionAgents\AC\10.19.58.0\amd64\dpmac.exe" -Enabled True -Action Allow -Profile Domain,Public -DisplayName "SCDPM Agent Cordinator" -Description "DPM 2019 Agent Cordinator" -Direction Inbound


    Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -enabled True -Profile Public


    New-NetFirewallRule -Group "DPM2019" -Protocol "TCP" -RemotePort "49000-64999" -LocalPort "445" -DisplayName "MAN_SMBTEST" -Profile Domain,Public -Direction Inbound -Action Allow -EdgeTraversalPolicy Block
    New-NetFirewallRule -Group "DPM2019" -Protocol "TCP" -RemotePort "49000-64999" -LocalPort "135" -DisplayName "MAN_135TEST"  -Profile Domain,Public -Direction Inbound -Action Allow -EdgeTraversalPolicy Block

    Thursday, March 12, 2020 11:53 AM
  • Hi,

    When you are protecting a production server or a Windows client, the communication is initialized in different ways:

    • In a production server scenario, the DPM server initializes the communication
    • In a Windows client scenario, the DPM agent initializes the communication


    The DPM control protocol uses DCOM; DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server.

    TCP port 135 is the DCE endpoint resolution point used by DCOM.

    By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can configure this range by using Component Services.

    Note that for DPM-Agent communication you must open the upper ports 1024-65535.

    To open the ports, perform the following steps:

    1. In IIS 7.0 Manager, in the Connections pane, click the server-level node in the tree.
    2. Double-click the FTP Firewall Support icon in the list of features.
    3. Enter a range of values for the Data Channel Port Range.
    4. After you enter the port range for your FTP service, in the Actions pane, click Apply to save your configuration settings.

    You’ll find the above information and the list of required firewall ports for DPM 2019 over here:
    https://docs.microsoft.com/en-us/system-center/dpm/configure-firewall-settings-for-dpm?view=sc-dpm-2019

    An easy way to check which ports are being used is to use a network monitoring tool, like Wireshark or Microsoft Network Monitor; this helps you identify the ports/protocols being used.

    Below you'll also find a very detailed troubleshooting guide for agent network communication:

    Data Protection Manager Agent Network Troubleshooting
    https://techcommunity.microsoft.com/t5/system-center-blog/data-protection-manager-agent-network-troubleshooting/ba-p/344726

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Proposed as answer by Leon Laude Monday, April 6, 2020 9:02 PM
    Thursday, March 12, 2020 1:36 PM
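An added example, not code from either poster, that applies the reply's DCOM point on the protected client: confirm which profile the backup NIC is in, allow TCP 135 and the 1024-65535 dynamic range only from the DPM server, read back the port and address filters, and pull matching DROP entries out of pfirewall.log (the same format as the two lines quoted in the question). It assumes 10.11.12.86 is the DPM server and 10.11.20.65 the client, as the quoted log suggests; the rule display names are made up.

```powershell
# Added example (not from the thread). Run on the protected client as Administrator.
# Assumption, taken from the quoted log lines: DPM server = 10.11.12.86, this client = 10.11.20.65,
# and the backup NIC lands in the Public profile.
$DpmServer = '10.11.12.86'

# 1. Which profile is the backup NIC actually in? A rule scoped to the wrong profile
#    never matches, whatever its ports say.
Get-NetConnectionProfile | Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory

# 2. DCOM needs the endpoint mapper (TCP 135) plus the dynamic range the reply quotes
#    (1024-65535). Scoping -RemoteAddress to the DPM server keeps that wide range from
#    being open to the whole backup subnet.
New-NetFirewallRule -Group 'DPM2019_Client' -DisplayName 'DPM DCOM endpoint mapper' `
    -Direction Inbound -Action Allow -Profile Domain,Public `
    -Protocol TCP -LocalPort '135' -RemoteAddress $DpmServer
New-NetFirewallRule -Group 'DPM2019_Client' -DisplayName 'DPM DCOM dynamic range' `
    -Direction Inbound -Action Allow -Profile Domain,Public `
    -Protocol TCP -LocalPort '1024-65535' -RemoteAddress $DpmServer

# 3. Read back what the rules really say. Port and address filters are separate objects,
#    so a rule can look right by name while one of its filters is not what you intended.
Get-NetFirewallRule -Group 'DPM2019_Client' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Profile    = $_.Profile
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemotePort = ($port.RemotePort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# 4. Make sure dropped packets are logged for the Public profile, then list the drops
#    from the DPM server to the DCOM (135) and SMB (445) ports. Log columns are:
#    date time action protocol src-ip dst-ip src-port dst-port ...
Set-NetFirewallProfile -Name Public -LogBlocked True
$log = (Get-NetFirewallProfile -Name Public).LogFileName -replace '%systemroot%', $env:SystemRoot
Get-Content $log | Where-Object {
    $_ -match "^\S+ \S+ DROP TCP $([regex]::Escape($DpmServer)) \S+ \d+ (135|445) "
} | Select-Object -Last 20
```

If step 4 still shows drops after the rules exist, compare the NetworkCategory from step 1 against the Profile column in step 3 before touching the ports again.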