What Specific Firewall Rules are Needed for DPM Agent Protection?

  • Question

  • We do want to enable the Windows Firewall on all of our Windows Server 2008 R2 servers, but we do not want to have to manually install the DPM protection agents on those servers.

    And we do want to add the necessary firewall rules for DPM agent installation/communication/updating on our 2008 R2 servers, but we do not want to open the DPM agent rules to any and all ports but instead only the ports that it really needs.

    So, with some difficulty, we've determined what we think are the six firewall rules necessary for 1) New agent installations, 2) Agent upgrades (on servers that already have the agent installed), and 3) agent communication for backups. Following are these six rules:

    Protocol   Local Port    Program Path
    TCP        5719          %ProgramFiles%\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe
    TCP        RPC Dynamic   %ProgramFiles%\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe
    TCP        5719          C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\3.0.7696.0\dpmac.exe
    TCP        RPC Dynamic   C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\3.0.7696.0\dpmac.exe
    TCP        5718          %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe
    TCP        RPC Dynamic   %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe

    Could someone please verify for us whether these are indeed the only specific rules needed by DPM for agent communication? Please note that this applies to just the DPM data channel ports. We've reviewed the Configuring Firewalls TechNet article (http://technet.microsoft.com/en-us/library/ff399341.aspx) and we know that DPM also needs the DCOM, DNS, Kerberos, LDAP, and NetBIOS ports.

    Also, the Configuring Firewalls TechNet article is evidently mistaken in that it says, "DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719." We've used the TCPView and Process Monitor Sysinternals tools to verify that it's actually the other way around: the PA uses 5718 and the AC uses 5719. Could this be corrected?

    -Taylorbox

    Wednesday, August 4, 2010 5:40 PM

Answers

  • Well my initial test machine had the agent installed on it several times.

    I have not upgraded any agents so I can't comment, but will bear this in mind when I do.

    I have now deployed the agent to 10 servers and have had no issue using the configuration I described.

    Thursday, August 12, 2010 9:20 PM

All replies

  • Hello,

    You are right about DPMRA.exe using TCP 5718. I will look at the document correction.

    RPC dynamic does not encompass TCP 135 (End Point Mapper). You will need an explicit exception for that port.


    Regards, Rajeev Narshana [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, August 4, 2010 7:55 PM
    Moderator
  • Thank you. Are we correct in stating that the DPM Agent Coordinator may use both of the following paths? And, are any more program paths needed for the DPM agent?

    %ProgramFiles%\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe
    C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\3.0.7696.0\dpmac.exe

    -Taylorbox

    Wednesday, August 4, 2010 8:49 PM
  • Only %ProgramFiles%\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe is used.
    Regards, Rajeev Narshana [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights
    Saturday, August 7, 2010 8:48 PM
    Moderator
  • Hmmm. Well, we used the TCPView and Process Monitor Sysinternals tools and saw that the C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\3.0.7696.0\dpmac.exe path is also used. We saw this path used when performing a new agent install on a 2008 R2 server. In fact, until we added this path to the inbound firewall rule exceptions on the server, the agent install failed. We can send you the logs proving this if you'd like, but it would seem odd to have to send this to Microsoft...

    -Taylorbox

    Sunday, August 8, 2010 3:30 AM
  • OK, here's how I got this to work, based on the original post in this thread:

    DPMRA.exe -> %programfiles%\Microsoft Data Protection Manager\DPM\Bin\DPMRA.exe

    Requires TCP 5718, TCP RPC Dynamic, TCP 135

    DPMAC.exe -> %systemroot%\Microsoft Data Protection Manager\DPM\Protection Agent\AC\3.0.7696.0\DPMAC.exe

    Requires TCP 5719, TCP RPC Dynamic

    I applied these to my servers using Group Policy, although I tested the rules manually initially.

    Another point to note is that the agent install adds two firewall rules of its own; again, these are very open access for DPMRA and TCP port 135. I disabled both of these rules and all worked fine.

    Hope this helps

    Thursday, August 12, 2010 11:08 AM
  • Windows_Nick,

    Was this tested on a server that had never had the DPM 2010 agent installed on it before? Likely, since it worked with the %systemroot% path for DPMAC.exe. However, we've found that the TCP 5719 and TCP RPC Dynamic firewall exceptions are evidently also needed for the %ProgramFiles%\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe path if you're upgrading the agent (not installing it for the first time), including when upgrading a DPM 2007 agent to DPM 2010.

    It's odd that the Configuring Firewalls TechNet article (http://technet.microsoft.com/en-us/library/ff399341.aspx) still has not been updated with the correct ports for the agent coordinator and protection agent...

    -Taylorbox

    Thursday, August 12, 2010 5:24 PM
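The rule set the thread converges on (5718 plus RPC dynamic for DPMRA.exe, 5719 plus RPC dynamic for dpmac.exe under both its install and upgrade paths, and an explicit TCP 135 exception), written out as a script so it can be tested on one server before it is pushed by Group Policy. This is an added example, not code posted by any participant in the thread or shipped with DPM. It uses netsh because New-NetFirewallRule only exists on Windows 8 / Server 2012 and later. The rule names, the $DpmServer placeholder and the remoteip scoping are assumptions of this example (the thread scopes rules by program only; restricting them to the DPM server's address is a least-privilege addition), and the AC version folder 3.0.7696.0 is the one quoted in the thread and must match the agent build you deploy. The Get-DpmListener function at the end does with netstat what the thread did with TCPView: it shows which executable owns 135, 5718 and 5719, so the program paths in the rules can be checked against what is actually listening.

```powershell
# Added example (not from the thread): create the inbound Windows Firewall rules
# the thread arrived at for a DPM 2010 protection agent on Windows Server 2008 R2,
# then show which process owns the DPM listening ports. Run from an elevated
# PowerShell prompt. Written to work on PowerShell 2.0 (the 2008 R2 default).
# Assumptions: rule names are ours; $DpmServer is a placeholder for the DPM
# server's IP; the AC version folder must match the agent build in use.

param(
    [string]$DpmServer = "192.0.2.10"   # placeholder, replace with your DPM server
)

$dpmra     = "$env:ProgramFiles\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe"
$dpmacUpg  = "$env:ProgramFiles\Microsoft Data Protection Manager\DPMAC\bin\dpmac.exe"
$dpmacInst = "$env:SystemRoot\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\3.0.7696.0\dpmac.exe"

# Rule set from the thread: 5718 + RPC dynamic for the protection agent (DPMRA),
# 5719 + RPC dynamic for the agent coordinator (dpmac) under both of its paths
# (the %SystemRoot% copy is used on a fresh install, the %ProgramFiles% copy on
# upgrades). "RPC" is netsh's keyword for the dynamic RPC port range.
$rules = @(
    @{ Name = "DPM-PA-5718";         Program = $dpmra;     Port = "5718" },
    @{ Name = "DPM-PA-RPC";          Program = $dpmra;     Port = "RPC"  },
    @{ Name = "DPM-AC-Install-5719"; Program = $dpmacInst; Port = "5719" },
    @{ Name = "DPM-AC-Install-RPC";  Program = $dpmacInst; Port = "RPC"  },
    @{ Name = "DPM-AC-Upgrade-5719"; Program = $dpmacUpg;  Port = "5719" },
    @{ Name = "DPM-AC-Upgrade-RPC";  Program = $dpmacUpg;  Port = "RPC"  }
)

foreach ($r in $rules) {
    # Each argument is passed as one token; PowerShell quotes the ones with spaces.
    & netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        protocol=TCP "localport=$($r.Port)" "program=$($r.Program)" `
        "remoteip=$DpmServer" profile=domain
}

# The RPC dynamic range does not include the endpoint mapper (TCP 135), so it
# needs its own rule. Binding it to the RpcSs service and the DPM server keeps
# it narrower than the wide-open 135 rule the agent installer adds by itself.
& netsh advfirewall firewall add rule name=DPM-RPC-EPM-135 dir=in action=allow `
    protocol=TCP localport=135 service=rpcss "remoteip=$DpmServer" profile=domain

# Verification: which executable is listening on 135, 5718 and 5719. The
# expected picture from the thread is DPMRA.exe on 5718 and dpmac.exe on 5719.
function Get-DpmListener {
    $ports = @("135", "5718", "5719")
    netstat -ano -p TCP | Where-Object { $_ -match "LISTENING" } | ForEach-Object {
        $f = $_.Trim() -split "\s+"          # Proto, Local, Foreign, State, PID
        $port = ($f[1] -split ":")[-1]       # strip the address, keep the port
        if ($ports -contains $port) {
            $p = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port = $port; ProcessId = $f[4]; Process = $p.Name; Path = $p.Path
            }
        }
    }
}

Get-DpmListener | Sort-Object Port | Format-Table Port, ProcessId, Process, Path -AutoSize
```

The two rules the installer adds on its own are not named in the thread, so this script does not touch them; they can be located with `netsh advfirewall firewall show rule name=all` (look for the DPMRA program path and localport 135) and disabled with `netsh advfirewall firewall set rule name="<that name>" new enable=no` once the scoped rules above are confirmed working. Run the listener check before and after an agent install or upgrade: if 5719 shows a dpmac.exe path that is not covered by one of the rules, that is the install-versus-upgrade path difference the thread describes.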