Configuring Firewalls
Published : April 8, 2005 | Updated : August 17, 2005
If the file servers you want to protect reside behind a firewall, you must configure the firewall to allow communication between the DPM server, the file servers it protects, and the domain controllers.
Depending on your network configuration, you may need to perform firewall configuration to enable communication between DPM, the file servers, and the domain controllers. To help with firewall configuration, Table 2.6 provides details about the protocols and ports used by DPM.
Table 2.6 Protocols and Ports Used by DPM
Protocol |
Port |
Details |
|---|---|---|
DCOM |
135/TCP Dynamic |
The DPM control protocol uses DCOM. DPM issues commands to the file agent by invoking DCOM calls on the agent. The file agent responds by invoking DCOM calls on the DPM server. TCP port 135 is the DCE endpoint resolution point used by DCOM. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. You can, however, configure this range by using Component Services. For more information, see Using Distributed COM with Firewalls (https://go.microsoft.com/fwlink/?LinkId=46088). |
TCP |
3148/TCP 3149/TCP |
The DPM data channel is based on TCP. Both DPM and the file server initiate connections to enable DPM operations such as synchronization and recovery. DPM communicates with the agent coordinator on port 3148 and with the file agent on port 3149. |
DNS |
53/UDP |
Used between DPM and the domain controller, and between the file server and the domain controller, for host name resolution. |
Kerberos |
88/UDP 88/TCP |
Used between DPM and the domain controller, and between the file server and the domain controller, for authentication of the connection endpoint. |
LDAP |
389/TCP 389/UDP |
Used between DPM and the domain controller for Active Directory queries. |
NetBIOS |
137/UDP 138/UDP 139/TCP |
Used between DPM and the file server, between DPM and the domain controller, and between the file server and the domain controller, for miscellaneous operations. |
Windows Firewall is included with Windows Server 2003 SP1. If you want to enable Windows Firewall on the DPM server, do so after you have installed DPM. Configure Windows Firewall on a DPM server by opening port 135 to TCP traffic, and specifying the DPM service (Microsoft Data Protection Manager\DPM\bin\MsDpm.exe) and the file agent (Microsoft Data Protection Manager\DPM\bin\MsDpmFsAgent.exe) as exceptions to the Windows Firewall policy.
If Windows Firewall is enabled on a file server you want to protect, you must disable the firewall before you can install the DPM File Agent. After you have installed the file agent, configure Windows Firewall by opening port 135 to TCP traffic and then specifying the file agent (Microsoft Data Protection Manager\DPM\bin\MsDpmFsAgentCA.exe) as an exception to the Windows Firewall policy.
For instructions for configuring Windows Firewall, search on “Windows Firewall” in Windows Help and Support for Windows Server 2003.