Hello,
We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.
| Rule Name | Program Path | Protocol | Local Port |
| --- | --- | --- | --- |
| DPM 2012 DCOM Port | Any | TCP | 135 |
| DPM 2012 AM Port | Any | TCP | 6075 |
| DPM 2012 RTM Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe | Any | Any |
| DPM 2012 SP1 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe | Any | Any |
| DPM 2012 R2 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe | Any | Any |
| DPM 2012 AM Service Host (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe | Any | Any |
| DPM 2012 AM Service Host (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe | Any | Any |
| DPM 2012 DPM AM Service (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe | Any | Any |
| DPM 2012 DPM AM Service (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe | Any | Any |
| DPM 2012 MSDPM (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe | Any | Any |
| DPM 2012 MSDPM (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe | Any | Any |
| DPM 2012 DPMRA (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe | Any | Any |
| DPM 2012 DPMRA (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe | Any | Any |
Questions:
- Are any of these rules not needed?
- We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
- The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference: http://technet.microsoft.com/en-us/library/hh757794
- What other rules may be missing, if any?
Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.
Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?
Thanks,
- Edited by Taylorbox Thursday, December 26, 2013 6:24 PM
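One way to check the rule set above against what the DPM server actually listens on, and to push a program-scoped rule into a GPO as the post plans to do. This is an added example, not code from the original post or from Microsoft's DPM documentation; it assumes Windows Server 2012 or later (NetTCPIP and NetSecurity modules), an elevated session on the DPM server, and a hypothetical GPO name.

```powershell
# Added example: map listening TCP endpoints on the DPM server to their owning image,
# so each port can be matched to one of the program-path rules in the table above.
# Assumes an elevated session on Windows Server 2012+ (Get-NetTCPConnection available).

# Image names from the rule table; any listener owned by one of these is covered by a
# program-path rule, whatever port it picked (including RPC dynamic ports).
$dpmImages = @('AMSvcHost.exe', 'DPMAMService.exe', 'msdpm.exe', 'DPMRA.exe', 'dpmac.exe')

# Process id -> image path (Path is only populated for processes we may inspect; elevate first).
$imageByPid = @{}
Get-Process | Where-Object { $_.Path } | ForEach-Object { $imageByPid[$_.Id] = $_.Path }

$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $image = $imageByPid[[int]$_.OwningProcess]
    if (-not $image) { $image = '<unknown>' }
    [pscustomobject]@{
        LocalPort   = $_.LocalPort
        OwningPid   = $_.OwningProcess
        Image       = $image
        # True when a DPM binary from the table owns the socket.
        DpmBinary   = $dpmImages -contains (Split-Path -Path $image -Leaf)
        # 49152-65535 is the default RPC dynamic range on Windows Server 2008 and later.
        DynamicPort = ($_.LocalPort -ge 49152)
    }
} | Sort-Object LocalPort

$listeners | Format-Table -AutoSize

# Listeners not owned by any DPM binary are the ones no program-path rule would cover
# (135 owned by the RPC endpoint mapper in svchost.exe is the expected case here).
$uncovered = $listeners | Where-Object { -not $_.DpmBinary }
$uncovered | Format-Table LocalPort, Image -AutoSize

# Pushing one of the table's rules into a GPO rather than the local policy.
# 'contoso.example\DPM Servers' is a placeholder GPO path (domain\GPO display name).
New-NetFirewallRule -PolicyStore 'contoso.example\DPM Servers' `
    -DisplayName 'DPM 2012 MSDPM (New Install)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program '%ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe'
```

Run the inventory part on a DPM server that is actively protecting data sources and, if used, on a secondary DPM server, since some DPM listeners only appear while jobs are running.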