DPM Communication Between Subnets

  • Question

  • Hey all,

    I am having some trouble with DPM communicating to its agent on a web server which is on a different (DMZ'ed) subnet.

    It seems every time I research which ports I need to allow between the two servers at the firewall level, it will work for a day or two and then communication will fail.

    Is there a definitive list of what I need to have open between the two for DPM to work correctly?

    Below is a list of ports I have already opened:

    TCP: 135, 3148, 3149, 88, 49342, 49334, 49260, and 5718

    UDP: 88

    The error states that DPM failed to communicate with the protection agent; I have tried uninstalling and re-installing the agent but with no luck.

    Any help would be greatly appreciated.

    Thanks,

    Xavier

    Tuesday, December 6, 2011 7:09 PM

All replies

  • Hi Xavier,

    The problem is likely due to RPC which uses ephemeral ports. See this blog for help in limiting the RPC ports used:

    http://blogs.technet.com/b/dpm/archive/2011/06/28/how-to-limit-dynamic-rpc-ports-used-by-dpm-and-protected-servers.aspx

    Thanks,

    Marc

    Tuesday, December 6, 2011 8:34 PM
    Moderator
  • I'll give that a shot and report back.
    Wednesday, December 7, 2011 2:02 PM
  • Hi,

    I have been working on protecting DMZ clients recently and had to configure a TMG 2010 firewall. (This will also work on an ISA 2006.)

    The ports that need to be configured can be found at:

    http://technet.microsoft.com/en-us/library/ff399341.aspx

    For the possible RPC issues: change the access rule on your firewall. Right click the access rule and select "Configure RPC protocol". Uncheck the "Enforce strict RPC compliance".

    Hope this helps.

    Wednesday, December 7, 2011 9:35 PM
  • Hey Marc,

    I tried this, but when I look at the blocked traffic on my firewall the DMZ server keeps trying to communicate back to the DPM server over the original RPC port 49225 instead of my defined range. I will put pictures of the Regedit settings here, maybe I did something wrong? I have rebooted both after I made the changes.

    The DPM Server:

    [screenshot of Regedit settings not available]

    The Server of the DMZ:

    [screenshot of Regedit settings not available]

    And here is my firewall showing the blocked packets, it's a WatchGuard.

    2011-12-08 09:18:13 Deny 10.1.13.X 10.1.4.X 49225/tcp 57723 49225 5-DMZ 4-Server4 Denied 52 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" tcp_info="offset 8 S 1008234085 win 32" Traffic

    Thursday, December 8, 2011 2:26 PM
  • Hey Marthijn,

    Any idea how to do this on a WatchGuard firewall? I will research it but thought you may know offhand.

    Thanks,


    Xavier

    Thursday, December 8, 2011 2:28 PM
  • Xavier,

    Sorry, I have no relevant experience with WatchGuard.

    Best regards,

    Thursday, December 8, 2011 7:28 PM
  • Worked, I was just putting it in the wrong spot.
    Friday, December 9, 2011 4:05 PM
  • Hi Xavier,

    Give a try with netsh command:

    # in elevated command prompt type:

    to see the range of dynamic TCP ports => netsh int ipv4 show dynamicport tcp
    to set a new range of dynamic TCP ports between 51100 and 51500 (example) => netsh int ipv4 set dynamicport tcp start=51100 num=400

    I used it between TMG and DPM to limit TCP dynamic range => Works great :)

    Stéphane.

    Monday, December 12, 2011 1:34 PM
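The two threads of this discussion, reading the WatchGuard deny lines Xavier posted and narrowing the Windows dynamic TCP range with netsh as Stéphane suggested, can be tied together in a small check. The script below is an added example, not code from this thread or from Microsoft, WatchGuard or the DPM team. It parses a constructed sample of `netsh int ipv4 show dynamicport tcp` output (the label/value layout is an assumption about what netsh prints) into a port range, parses firewall traffic-log lines in the same layout as the one quoted above (IP addresses are made up), and sorts each denied TCP flow into one of three buckets: a destination port inside the configured range means the firewall rule has not been widened yet; a port at or above 49152 (the default Windows dynamic range start) but outside the configured range means the peer host is still using the default range, which is exactly the 49225 symptom in the thread; anything lower is a fixed port that belongs in the explicit allow list.

```python
"""Classify firewall deny events against the Windows dynamic (RPC ephemeral) TCP range."""
import re
from dataclasses import dataclass
from typing import Optional

# Start of the default Windows (Vista/2008 and later) dynamic TCP port range.
DEFAULT_DYNAMIC_START = 49152

# Constructed sample of `netsh int ipv4 show dynamicport tcp` output on a host
# after `netsh int ipv4 set dynamicport tcp start=51100 num=400`.
# Assumption: this label/value layout is what netsh prints; adjust the regexes
# in parse_dynamic_range() if your build differs.
NETSH_OUTPUT = """\
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 51100
Number of Ports : 400
"""

# Constructed WatchGuard traffic-log lines in the layout of the one quoted in
# the thread. The addresses and the non-49225 ports are made up.
LOG_LINES = [
    '2011-12-08 09:18:13 Deny 10.1.13.10 10.1.4.20 49225/tcp 57723 49225 5-DMZ 4-Server4 '
    'Denied 52 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" '
    'tcp_info="offset 8 S 1008234085 win 32" Traffic',
    '2011-12-08 09:18:20 Deny 10.1.13.10 10.1.4.20 51234/tcp 57731 51234 5-DMZ 4-Server4 '
    'Denied 52 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" Traffic',
    '2011-12-08 09:18:21 Allow 10.1.13.10 10.1.4.20 135/tcp 57732 135 5-DMZ 4-Server4 '
    'Allowed 52 127 (DPM-RPC-00) proc_id="firewall" rc="100" Traffic',
    '2011-12-08 09:18:25 Deny 10.1.13.10 10.1.4.20 3148/tcp 57740 3148 5-DMZ 4-Server4 '
    'Denied 52 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" Traffic',
]

# Leading fixed fields of a traffic-log line: timestamp, action, src, dst,
# "port/proto", source port, destination port, inbound and outbound interface.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Deny|Allow) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<port>\d+)/(?P<proto>tcp|udp) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+)"
)


@dataclass
class Flow:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_dynamic_range(netsh_text: str) -> range:
    """Turn the start port and port count printed by netsh into a Python range."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", netsh_text).group(1))
    count = int(re.search(r"Number of Ports\s*:\s*(\d+)", netsh_text).group(1))
    return range(start, start + count)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one traffic-log line; None if it does not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Flow(m["ts"], m["action"], m["src"], m["dst"], m["proto"],
                int(m["sport"]), int(m["dport"]))


def classify_denies(lines, dynamic_ports: range):
    """Return (flow, verdict) for every denied TCP flow.

    range-not-opened : dport inside the configured dynamic range -> the
                       firewall rule does not cover the new range yet.
    stale-ephemeral  : dport in the default Windows range but outside the
                       configured one -> the peer still uses the default range
                       (setting not applied, or host not restarted).
    static-port      : a fixed port (135, 3148, ...) that belongs in the
                       explicit allow list.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.action != "Deny" or flow.proto != "tcp":
            continue
        if flow.dport in dynamic_ports:
            verdict = "range-not-opened"
        elif flow.dport >= DEFAULT_DYNAMIC_START:
            verdict = "stale-ephemeral"
        else:
            verdict = "static-port"
        findings.append((flow, verdict))
    return findings


if __name__ == "__main__":
    rng = parse_dynamic_range(NETSH_OUTPUT)
    print(f"configured dynamic range: {rng.start}-{rng.stop - 1}")
    for flow, verdict in classify_denies(LOG_LINES, rng):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/tcp  {verdict}")
```

Run it against real input by replacing NETSH_OUTPUT with the output captured on each protected server and LOG_LINES with an export of the firewall's deny log; a "stale-ephemeral" verdict for a host you believe you have reconfigured is the cue to re-check where the setting was applied, which is what turned out to be the problem in this thread.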