Configure firewall exceptions for the agent

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Data Protection Manager, System Center 2012 - Data Protection Manager, System Center 2012 R2 Data Protection Manager

For a protection agent to communicate with the System Center 2012 – Data Protection Manager (DPM) server through a firewall, firewall exceptions are required.

Configure an incoming exception for sqlservr.exe for the DPM instance of SQL Server, to allow TCP on port 80. The report server listens for HTTP requests on port 80. The following table lists the protocols and ports required for communication between the DPM server and protected servers and clients.

| Protocol | Port | Details |
|---|---|---|
| DCOM | 135/TCP<br>Dynamic | The DPM control protocol uses DCOM. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server.<br><br>TCP port 135 is the DCE endpoint resolution point used by DCOM.<br><br>By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can configure this range by using Component Services.<br><br>Note that for DPM-Agent communication you must open the upper ports 1024-65535. To open the ports, perform the following steps:<br><br>1. In IIS 7.0 Manager, in the Connections pane, click the server-level node in the tree.<br>2. Double-click the FTP Firewall Support icon in the list of features.<br>3. Enter a range of values for the Data Channel Port Range.<br>4. After you enter the port range for your FTP service, in the Actions pane, click Apply to save your configuration settings. |
| TCP | 5718/TCP<br>5719/TCP | The DPM data channel is based on TCP. Both DPM and the protected computer initiate connections to enable DPM operations such as synchronization and recovery.<br><br>DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719. |
| DNS | 53/UDP | Used between DPM and the domain controller, and between the protected computer and the domain controller, for host name resolution. |
| Kerberos | 88/UDP<br>88/TCP | Used between DPM and the domain controller, and between the protected computer and the domain controller, for authentication of the connection endpoint. |
| LDAP | 389/TCP<br>389/UDP | Used between DPM and the domain controller for queries. |
| NetBIOS | 137/UDP<br>138/UDP<br>139/TCP<br>445/TCP | Used between DPM and the protected computer, between DPM and the domain controller, and between the protected computer and the domain controller, for miscellaneous operations. Used for SMB directly hosted on TCP/IP for DPM functions. |
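
The following PowerShell script is an added example, not part of the original article or of DPM itself. It creates inbound Windows Firewall rules on a protected computer for the DCOM and TCP data channel rows of the table, and limits each rule to the DPM server's address so that the wide dynamic DCOM range is not open to every host. It assumes the NetSecurity module (Windows Server 2012 or later) and an elevated session; the address `192.0.2.10`, the rule names and the group name are placeholders.

```powershell
# Added example: inbound rules on a protected computer for the DPM ports
# listed in the table, scoped to the DPM server only.
# Assumptions: NetSecurity module available, session is elevated,
# $DpmServer is a placeholder (192.0.2.10 is a documentation address).
param(
    [string]$DpmServer = '192.0.2.10',
    [string]$Group     = 'DPM protection agent example'   # hypothetical group name
)

# Protocol/port pairs taken from the table; the rule names are illustrative.
$rules = @(
    @{ Name = 'DPM DCOM endpoint mapper'; Protocol = 'TCP'; Port = '135' },
    @{ Name = 'DPM DCOM dynamic ports';   Protocol = 'TCP'; Port = '1024-65535' },
    @{ Name = 'DPM agent coordinator';    Protocol = 'TCP'; Port = '5718' },
    @{ Name = 'DPM protection agent';     Protocol = 'TCP'; Port = '5719' }
)

foreach ($r in $rules) {
    $display = "$($r.Name) - $($r.Protocol) $($r.Port)"

    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule already present: $display"
        continue
    }

    # -RemoteAddress restricts the exception to traffic from the DPM server.
    New-NetFirewallRule -DisplayName $display -Group $Group `
        -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $DpmServer | Out-Null
}

# Review what was created, including the remote-address scope of each rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

If the DCOM dynamic range has been narrowed in Component Services, replace `1024-65535` with that narrower range.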