Configure firewall settings for DPM

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Data Protection Manager, System Center 2012 - Data Protection Manager, System Center 2012 R2 Data Protection Manager

A common question that arises during Data Protection Manager (DPM) server and DPM agent deployment concerns which ports have to be opened on the firewall. This article introduces the firewall ports and protocols that DPM uses for network traffic. For more information about firewall exceptions for DPM clients, go to: Configure firewall exceptions for the agent.

ProtocolPortDetails
DCOM135/TCP DynamicDCOM is used by the DPM server and the DPM protection agent to issue commands and responses. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server.

TCP port 135 is the DCE endpoint resolution point that is used by DCOM. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can adjust this range by using Component Services. To do this, follow these steps:

1. In IIS 7.0 Manager, in the Connections pane, click the server-level node in the tree.
2. In the list of features, double-click the FTP Firewall Support icon.
3. Enter a range of values for the Data Channel Port Range for your FTP service.
4. In the Actions pane, click Apply to save your configuration settings.
TCP5718/TCP

5719/TCP
The DPM data channel is based on TCP. Both DPM and the protected computer initiate connections to enable DPM operations such as synchronization and recovery. DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719.
TCP6075/TCPEnabled when you create a protection group to help protect client computers. Required for end-user recovery.

An exception in Windows Firewall (DPMAM_WCF_Service) is created for the program Amscvhost.exe when you enable Central Console for DPM in Operations Manager.
DNS53/UDPUsed for host name resolution between DPM and the domain controller, and between the protected computer and the domain controller.
Kerberos88/UDP

88/TCP
Used for authentication of the connection endpoint between DPM and the domain controller, and between the protected computer and the domain controller.
LDAP389/TCP

389/UDP
Used for queries between DPM and the domain controller.
NetBios137/UDP

138/UDP

139/TCP

445/TCP
Used for miscellaneous operations between DPM and the protected computer, between DPM and the domain controller, and between the protected computer and the domain controller. Used for DPM functions for Server Message Block (SMB) when it is directly hosted on TCP/IP.

If Windows Firewall is enabled when you install DPM, the DPM setup configures the Windows Firewall settings as required together with the rules and exceptions that are summarized in the following table.

Note:

Rule nameDetailsProtocolPort
Microsoft System Center 2012 Data Protection Manager DCOM SettingRequired for DCOM communications between the DPM server and protected computers.DCOM135/TCP Dynamic
Microsoft System Center 2012 Data Protection ManagerException for Msdpm.exe (the DPM service). Runs on the DPM server.All protocolsAll ports
Microsoft System Center 2012 Data Protection Manager Replication AgentException for Dpmra.exe (protection agent service that is used to back up and restore data). Runs on the DPM server and protected computers.All protocolsAll ports

How to configure Windows Firewall manually

  1. In Server Manager, select Local Server > Tools > Windows Firewall with Advanced Security.

  2. In the Windows Firewall with Advanced Security console verify that Windows Firewall is on for all profiles, and then click Inbound Rules.

  3. To create an exception, in the Actions pane, click New Rule to open the New Inbound Rule Wizard.

    On the Rule Type page, verify that Program is selected, and then click Next.

  4. Configure exceptions to match the default rules that would have been created by DPM Setup if Windows Firewall had been enabled when DPM was installed.

    1. To manually create the exception that matches the default Microsoft System Center 2012 R2 Data Protection Manager rule on the Program page, click Browse for the This program path box, and then browse to <system drive letter>:\Program Files\Microsoft DPM\DPM\bin > Msdpm.exe > Open> Next

      On the Action page leave the default setting of Allow the connection, or change the settings according to your organization’s guidelines > Next.

      On the Profile page, leave the default settings of Domain, Private, and Public, or change the settings according to your organization’s guidelines > Next.

      On the Name page, type a name for the rule and optionally a description > Finish.

    2. Now follow the same steps to manually create the exception that matches the default Microsoft System Center 2012 R2 Data Protection Replication Agent rule by browsing to <system drive letter>:\Program Files\Microsoft DPM\DPM\bin, and selecting Dpmra.exe.

    Be aware that if you’re running System Center 2012 R2 with SP1 the default rules will be named by using Microsoft System Center 2012 Service Pack 1 Data Protection Manager.

  • If you use a remote instance of SQL Server for your DPM database, as part of the process, you’ll have to configure Windows Firewall on that remote instance of SQL Server.

  • After the SQL Server installation is complete, the TCP/IP protocol should be enabled for the DPM instance of SQL Server together with the following settings:

    • Default failure audit

    • Enabled password policy checking

  • Configure an incoming exception for sqlservr.exe for the DPM instance of SQL Server to allow TCP on port 80. The report server listens for HTTP requests on port 80.

  • The default instance of the database engine listens on TCP port 1443. This setting can be changed. To use the SQL Server Browser service to connect to instances that don’t listen on the default 1433 port, you’ll need UDP port 1434.

  • By default, a named instance of SQL Server uses Dynamic ports. This setting can be changed.

  • You can see the current port number that is being used by the database engine in the SQL Server error log. You can view error logs by using SQL Server Management Studio and connecting to the named instance. You can view the current log under Management – SQL Server Logs in the entry “Server is listening on [‘any’ <ipv4> port_number].”

    You’ll have to enable remote procedure call (RPC) on the remote instance of SQL Server.

Show: