
DPM 2010 Remote Agent Install (windows firewall settings)


TAF

Feb 23, 2010, 3:45:01 PM
I'm looking for the specific ports I need to unblock in order to push the
agent from the console. All the documentation references point to firewall
settings for the DPM server. I'm only interested in the windows firewall
settings on the client (protected machine) necessary to push the agent. If I
manually install on the client the installer opens the correct ports on the
firewall for the agent to function so I'm not even concerned about those
settings. I just need to be able to install/uninstall from the console and
have been unable to do so unless I turn off the Windows firewall. Again, my
machines are on the same LAN so just need to know what ports should be open
to push the agent.

Santhosh Sivarajan

Feb 23, 2010, 4:11:47 PM
Port details: http://technet.microsoft.com/en-us/library/bb808766.aspx

Firewall config on DPM Server:
http://technet.microsoft.com/en-us/library/bb870936.aspx

Also, a good reference blog:
http://www.ss-infrastructure.com/2009/10/dpm-agent-common-installation-mistakes.html


--
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/

This posting is provided "AS IS" with no warranties, and confers no rights.



TAF

Feb 23, 2010, 4:57:02 PM
Thanks, but not quite what I want. Please tell me which ports need to be
open on the protected client (NOT DPM SERVER) to PUSH the agent. I've seen
all the Technet links and they are not what I want. For example, when you
manually install the client the installer automatically configures the
firewall. I don't care about those settings. I want to know what ports need
to be open to PUSH the client. Everyone keeps linking that technet article
that shows ports used by DPM, but I don't think that applies to the PUSHING
of the client. I obviously don't need to configure exceptions for DNS,
NETBIOS, KERBEROS, and LDAP since those are already open on a domain joined
system. I've tried exceptions for all these just to be sure and I cannot
push the client unless I turn the firewall off completely. Just for
comparison, I have no problem pushing my System Center Essentials agents or
my Altiris agents.

Santhosh Sivarajan

Feb 23, 2010, 5:23:53 PM
It is in the first TechNet article unless I am missing something here. By
default, it is going to use "high ports".


Protocol: DCOM
Port: 135/TCP, Dynamic
Details: The DPM control protocol uses DCOM. DPM issues commands to the protection
agent by invoking DCOM calls on the agent. The protection agent responds by
invoking DCOM calls on the DPM server.

Note: DPM Management Shell does not require a port. To communicate it uses
the DCOM port on the DPM server.
TCP port 135 is the DCE endpoint resolution point used by DCOM.

By default, DCOM assigns ports dynamically from the TCP port range of 1024
through 65535. However, you can configure this range by using Component
Services. For more information, see Using Distributed COM with Firewalls
(http://go.microsoft.com/fwlink/?LinkId=46088).

Protocol: TCP
Port: 5718/TCP, 5719/TCP
Details: The DPM data channel is based on TCP. Both DPM and the protected computer
initiate connections to enable DPM operations such as synchronization and
recovery.
DPM communicates with the agent coordinator on port 5718 and with the
protection agent on port 5719.


--
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/

This posting is provided "AS IS" with no warranties, and confers no rights.



TAF

Feb 23, 2010, 11:17:01 PM
Well not really. All this describes is how the agent communicates with the
DPM server once it's deployed and operating. It doesn't discuss the process
in which the agent is deployed. I assume the MSI is copied and executed
silently in some manner, and obviously you need to have a particular port or
ports open. I just want to know what has to be open in order to deploy the
agent. My best guess is that I would have to manually open 5718 and 5719
which I have done, but I still can't deploy the agents. I have yet to see
any documentation which specifically addresses this process. Actually with a
domain admin username and password I can connect to any client's c$ share
remotely without specifying any firewall exceptions so I don't really know
what the problem is. I was hoping to get some clarification on what exactly
happens in the remote agent deployment process. I have DPM installed on
Server 08 R2 and clients of XP, Vista, 7 and Server 2003. The remote
deployment only works on the Server 2003 machines because the firewall isn't
enabled. Please someone clarify what is happening when I remote install the
agent from the DPM console.

AllenOliver

Feb 25, 2010, 2:43:01 PM
I'm in the same exact position as you and not having any luck finding an
answer. This seems like it should be something VERY basic. Doesn't anyone
know?

Chandraneel Chakka[MSFT]

Mar 3, 2010, 2:49:01 AM
http://technet.microsoft.com/en-us/library/bb808766.aspx

Please open the ports specified in the above article on all the protected
servers. This will make your push agent work.

--

This posting is provided “AS IS” with no warranties, and confers no rights


TAF

Mar 3, 2010, 12:28:01 PM
I'm sorry, but can people responding to this post stop linking that technet
article. It just doesn't work. Read my above posts. No one is answering my
question. HOW specifically does the agent push operation work? I don't know
why anyone can't just explain that to me. I don't care what ports the agent
needs open to operate. I have no problem with that. I just want to know why
I can't push the agents. I wish someone would go step by step on how you
configure the built in Windows firewall to allow the agent to push.

RMouton

Mar 11, 2010, 3:28:11 PM
I agree, simple question, can't get a straight answer. I ran through the
same exercise just now. I've created exceptions for all ports listed in the
"repeated" technet article, even 5718 & 5719, no fix. So I had to disable
the firewall and run "netstat -n" on the DPM server to see what ports it's
actually hitting on the target computer. All of the listed ones in the
article are being hit, but actually it's high-ports (49000 and above) that
are utilized. I will continue to test and get a better answer.

HTH: RMouton

Miles

Apr 16, 2010, 11:24:01 PM
I don’t suppose anyone has figured this out yet, have they? I also have the
same issue pushing DPM agents with the firewall enabled on the remote
computer (the computer to be protected). I’ve added ports 5178 and 5179 to
the remote computer’s firewall ‘allow list’ and of course had no luck.
Netstat didn’t give me too much to work with and when I enabled logging on
the firewall it’s just using random ports like Santhosh said. I don’t really
want to open all ports above 1024 to get RPC and DCOM communication to
function. I might be looking at a script to push this out…

And here I thought going with DPM would save me the headache of dealing with
Symantec Backup Exec. At least those remote agent pushes work! Well, most
of the time anyway.

Thanks,

Miles

Miles

Apr 17, 2010, 12:31:01 AM
Since I wasn’t about to manually disable 20 firewalls on my network, install
the DPM agent, and then re-enable the firewalls I created a quick script to
help with the push installation of the agents. Well, it’s not so much of a
script as a single command, really:

netsh advfirewall firewall add rule name="Allow DPM Remote Agent Push" dir=in action=allow service=any enable=yes profile=any remoteip=172.16.1.19

If you can somehow run the above command on all the computers you want to
push the DPM agent out to (either through login scripts, Group Policies, SC
Configuration Manager, Prism Deploy, PowerShell, etc.) it should allow for a
successful remote agent installation. Simply replace the IP address at the
end with your DPM server’s IP address.

Not terribly elegant, but it worked for me!

Thanks,

Miles

Miles

Apr 17, 2010, 12:37:01 AM
Oh, I forgot to mention that you may want to remove that rule for security
purposes after the DPM agent is installed. Just run the command below on
those same computers to delete the firewall rule:

netsh advfirewall firewall delete rule name="Allow DPM Remote Agent Push"

daveguenthner

Jun 28, 2010, 10:36:43 AM
I ran into this exact issue and wanted to post my findings. In my case the DPM Server and protected agents are all Windows Server 2008 R2. The out-of-box firewall settings do not allow DPM Server and agent to communicate. When running the "Protection Agent Installation Wizard" I noticed the "Install Agent" option is for computers where required firewall settings have already been configured. Since I did not know what those settings are, I opted to execute the agent installer manually from a share on the DPM Server.

[Option A]
"\\%DPMServer%\c$\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.7696.0\amd64\DPMAgentInstaller_x64.exe" %DPMServerName%

If you do not pass in the DPMServer name you may need to run the second command on the protected server to update/create firewall rules.

[Option B]
C:\Program Files\Microsoft Data Protection Manager\DPM\bin>SetDpmServer.exe -dpmServerName %DPMServerName%
Configuring dpm server settings and firewall settings for dpm server
Configuration completed successfully!!!

davguent


TBS Admin

Aug 11, 2011, 4:29:18 PM
Go into your windows firewall rules and enable the WMI rules WMI-in, DCOM-in, and Async-in.
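
Added example (not from any poster in this thread): a cmd script that combines the last reply's suggestion with the remoteip scoping used in the netsh command earlier in the thread, enabling only the three built-in WMI inbound rules for the DPM server's address and restoring them after the push. It assumes English rule display names and that those rules were disabled and unscoped beforehand; the thread does not confirm that this narrower set is sufficient for the push.

```bat
@echo off
rem Added example, not from the thread. Run elevated on the protected computer.
rem Usage:  dpm-push-fw.cmd open 172.16.1.19     (before the push)
rem         dpm-push-fw.cmd close                (after the agent is installed)
rem 172.16.1.19 is the sample DPM server address used earlier in the thread.
setlocal
set "PREFIX=Windows Management Instrumentation"
set "ACTION=%~1"
set "DPM_IP=%~2"

if /i "%ACTION%"=="open"  goto :open
if /i "%ACTION%"=="close" goto :close
echo Usage: %~nx0 open ^<DPM-server-IP^> ^| close
exit /b 2

:open
if "%DPM_IP%"=="" (
    echo A DPM server IP address is required with "open".
    exit /b 2
)
rem netsh can only enable or disable a whole rule group, so each rule is
rem addressed by name in order to also restrict its remote address.
for %%R in (WMI-In DCOM-In ASync-In) do (
    netsh advfirewall firewall set rule name="%PREFIX% (%%R)" dir=in new enable=yes remoteip=%DPM_IP% || exit /b 1
)
goto :show

:close
rem Assumption: the rules were disabled with remoteip=any before "open" ran.
for %%R in (WMI-In DCOM-In ASync-In) do (
    netsh advfirewall firewall set rule name="%PREFIX% (%%R)" dir=in new enable=no remoteip=any || exit /b 1
)
rem Also drop the broad allow-all rule from earlier in the thread, if present.
netsh advfirewall firewall delete rule name="Allow DPM Remote Agent Push" >nul 2>&1

:show
rem Print the resulting state so Enabled and RemoteIP can be checked by eye.
for %%R in (WMI-In DCOM-In ASync-In) do (
    netsh advfirewall firewall show rule name="%PREFIX% (%%R)"
)
exit /b 0
```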
