Backup UAG with DPM 2010

  • Question

  • Hi,

    I would like to allow my UAG server to be backed up using DPM 2010; however, I can't get the agent to install.

    I assume this is to do with the TMG portion of UAG blocking the agent from installing, or, if it is manually installed, the communication back to the DPM server fails.

    I have tried following guides to configure TMG to allow DPM through, but this seems to break the DirectAccess functionality: in the Web Monitor, the current status of DirectAccess reports Teredo Server, Teredo Relay and Network Security as unhealthy.

    Guide used: http://msmvps.com/blogs/wssra/archive/2010/10/20/configure-the-forefront-tmg-2010-to-allow-dpm-2010-communication.aspx

    Also, this guide uses ports 50000-50050, but I know this can break the Web Monitor, as it is using 50002.

    Any help here greatly appreciated.

    Craig.

    Thursday, August 23, 2012 3:17 PM

Answers

  • I have been working on this issue for some time and checked with the Microsoft team as well, and finally it worked for me. I am using DPM 2012, but it shouldn't differ. The main blocking issue here is the TMG component on the UAG server. To enable DPM to back up UAG and install the client, you need to do the following (make sure to take a full backup of your TMG settings and rules first):

    1. Ensure that File and Printer Sharing is checked/enabled on the UAG internal network card.

    2. From the TMG console, open Firewall Policy. On the right pane, click Show System Policy Rules.

    3. You need to disable System Rule number 2 (Allow remote management from selected computers using MMC) by right-clicking the rule and choosing Edit System Policy. I am assuming the default TMG rules have not been touched before.

    4. You need to disable System Rule number 22 (Allow RPC from Forefront TMG to trusted servers).

    5. From the right pane, in the Toolbox section, create a new protocol under User-Defined. The protocol parameters are as follows:

    Primary connection: Type: TCP, Direction: Outbound, Port range: 135-135

    Secondary connection: Type: TCP, Direction: Outbound, Port range: 1024-65535

    6. Final step: create a new access rule (make sure to move it to the top). Allow - All outbound traffic except selected (choose RPC All Interfaces) - From: DPM server (create a computer object with the DPM IP address) - To: Local Host (UAG server) - All users, etc.

    Save the settings and ensure they are synced from the Monitoring tab. Now try to install the agent from DPM on the UAG server and take a simple test backup.


    Please remember to click “Mark as Answer” or "Vote as Helpful" on the post that helps you

    My blog: http://itcalls.blogspot.com/



    Saturday, November 17, 2012 10:51 PM

All replies

  • Hi, thanks for the info, but this still does not work.

    It's closer, I think. For the checks in part 6:

    ping works,

    net view works,

    sc \\uag query works,

    wmic /node:"uagFQDN" fails with "RPC server is unavailable". Any further suggestions on how to get the WMI traffic through TMG?

    Thanks

    Friday, August 24, 2012 3:32 PM
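  • The checks listed in the reply above (ping, net view, sc query, wmic) and the verification step at the end of the accepted answer can be scripted so that each path the TMG rules have to open is tested from the DPM side in one go. The script below is an added example, not code from this thread, from DPM or from TMG; it assumes a placeholder UAG hostname (`uag.example.local`) and the Test-TcpPort helper is defined here for illustration. It only reads state and makes no changes to TMG or DPM. The WMI check is the one that exercises the dynamic RPC port from step 5's secondary range, so it is the check that distinguishes "endpoint mapper reachable" from "RPC actually allowed through".

```powershell
# Added example: run on the DPM server after applying the TMG rules from the answer.
# Replace the placeholder with the real UAG FQDN.
param([string]$UagHost = "uag.example.local")   # placeholder, not a real host

# Small TCP connect test with a timeout; works on PowerShell 2.0 (Server 2008 R2),
# which is why it uses System.Net.Sockets.TcpClient instead of Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Add-Result([System.Collections.ArrayList]$List, [string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$List.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

$results = New-Object System.Collections.ArrayList

# "ping works": ICMP echo to the UAG host.
$pingOk = Test-Connection -ComputerName $UagHost -Count 1 -Quiet
Add-Result $results "ICMP echo (ping)" $pingOk ""

# "net view works": SMB, which step 1 (File and Printer Sharing) enables on the internal NIC.
Add-Result $results "TCP 445 (SMB, net view)" (Test-TcpPort $UagHost 445) ""

# Step 5 primary connection: the RPC endpoint mapper on TCP 135.
Add-Result $results "TCP 135 (RPC endpoint mapper)" (Test-TcpPort $UagHost 135) ""

# "sc \\uag query works": Service Control Manager over RPC.
$scOutput = & sc.exe "\\$UagHost" query 2>&1
Add-Result $results "sc query (SCM over RPC)" ($LASTEXITCODE -eq 0) (($scOutput | Select-Object -First 1) -as [string])

# "wmic /node:... fails": WMI/DCOM needs 135 plus a dynamic port from step 5's
# secondary range (1024-65535). "The RPC server is unavailable" here, with 135
# reachable, means the dynamic-port leg is what TMG is still blocking.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $UagHost -ErrorAction Stop
    Add-Result $results "WMI (DCOM, dynamic RPC port)" $true $os.Caption
} catch {
    Add-Result $results "WMI (DCOM, dynamic RPC port)" $false $_.Exception.Message
}

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

    Read the table top to bottom: if ping, SMB and TCP 135 pass but WMI fails, the endpoint mapper is reachable and the secondary (dynamic port) connection from step 5, or the access rule's placement at the top in step 6, is what to re-check. If TCP 135 itself fails, start with the access rule rather than the protocol definition.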
  • Hi,

    try to create a firewall policy rule which allows the RPC protocol with "Enforce strict RPC compliance" disabled from the client to the UAG server, and create a firewall policy rule which allows a custom protocol with port 10002 TCP.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    Saturday, August 25, 2012 9:35 AM