What Specific Firewall Rules are Needed for the DPM Server?

Hello,

We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.

 

| Rule Name | Program Path | Protocol | Local Port |
|---|---|---|---|
| DPM 2012 DCOM Port | Any | TCP | 135 |
| DPM 2012 AM Port | Any | TCP | 6075 |
| DPM 2012 RTM Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe | Any | Any |
| DPM 2012 SP1 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe | Any | Any |
| DPM 2012 R2 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe | Any | Any |
| DPM 2012 AM Service Host (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe | Any | Any |
| DPM 2012 AM Service Host (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe | Any | Any |
| DPM 2012 DPM AM Service (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe | Any | Any |
| DPM 2012 DPM AM Service (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe | Any | Any |
| DPM 2012 MSDPM (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe | Any | Any |
| DPM 2012 MSDPM (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe | Any | Any |
| DPM 2012 DPMRA (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe | Any | Any |
| DPM 2012 DPMRA (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe | Any | Any |

Questions:

  • Are any of these rules not needed?
  • We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
  • The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference: http://technet.microsoft.com/en-us/library/hh757794
  • What other rules may be missing, if any?

Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.

Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?

http://social.technet.microsoft.com/Forums/en-US/aa88fd00-6836-46d3-8a93-edb487109118/dpm-2012-remote-administration?forum=dataprotectionmanager

Thanks,

-Taylorbox



  • Edited by Taylorbox Thursday, December 26, 2013 6:24 PM
December 26th, 2013 9:19pm
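The rule list from the post above, written as a script that creates only the program rules whose binary actually exists on the host (so a new install and an upgrade each get just their own paths). This is an added example, not part of the original post and not confirmed guidance; the names, paths and ports are copied from the table as posted, while the inbound direction, the Allow action, the local policy store and the `$WhatIf` switch are assumptions.

```powershell
# Added example. Rule names, paths and ports come from the table in the post.
# Assumptions (not in the post): inbound direction, Allow action, local policy store.
$WhatIf = $true   # dry run by default; set to $false to create the rules

$installRoots = [ordered]@{
    'New Install'     = '%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin'
    'Upgrade Install' = '%ProgramFiles%\Microsoft DPM\DPM\bin'
}
$services = [ordered]@{
    'AM Service Host' = 'AMSvcHost.exe'
    'DPM AM Service'  = 'DPMAMService.exe'
    'MSDPM'           = 'msdpm.exe'
    'DPMRA'           = 'DPMRA.exe'
}
$acBase     = 'C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC'
$acVersions = [ordered]@{ 'RTM' = '4.0.1908.0'; 'SP1' = '4.1.3313.0'; 'R2' = '4.2.1205.0' }

# Port-scoped rules (program path "Any" in the table).
$rules = @(
    @{ Name = 'DPM 2012 DCOM Port'; Protocol = 'TCP'; LocalPort = 135 }
    @{ Name = 'DPM 2012 AM Port';   Protocol = 'TCP'; LocalPort = 6075 }
)
# Program-scoped rules (protocol and port "Any" in the table).
foreach ($ac in $acVersions.GetEnumerator()) {
    $rules += @{ Name = "DPM 2012 $($ac.Key) Agent Coordinator"
                 Program = "$acBase\$($ac.Value)\dpmac.exe" }
}
foreach ($root in $installRoots.GetEnumerator()) {
    foreach ($svc in $services.GetEnumerator()) {
        $rules += @{ Name = "DPM 2012 $($svc.Key) ($($root.Key))"
                     Program = "$($root.Value)\$($svc.Value)" }
    }
}

foreach ($r in $rules) {
    $params = @{ DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow' }
    if ($r.Program) {
        $path = [Environment]::ExpandEnvironmentVariables($r.Program)
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host "Skip (binary not present): $($r.Name)"
            continue
        }
        $params.Program = $path
    } else {
        $params.Protocol  = $r.Protocol
        $params.LocalPort = $r.LocalPort
    }
    # Do not create a duplicate if a rule with this display name already exists.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule @params -WhatIf:$WhatIf | Out-Null
}
```

Run it from an elevated PowerShell session on the DPM server; the "Skip" lines show which of the listed paths do not apply to that installation.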

Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.

Thanks,

-Taylorbox

January 10th, 2014 5:28pm
