Configure the Forefront TMG 2010 to allow DPM 2010 communication

    The DPM agent uses various ports and protocols to connect with the DPM server. The Forefront TMG needs to be configured to allow the DPM server to communicate through those ports. The complete list of ports used by DPM is documented on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=118620).

    Use the following procedures to configure the Forefront TMG to work with DPM:

  • Define protocols for DPM in Forefront TMG

  • Add a computer rule for the DPM server

  • Create an access rule for DPM traffic

  • Configure registry settings on the Security Server and the DPM server

    To define protocols for DPM in Forefront TMG

  1. Open the Forefront Threat Management Gateway console.

  2. In the console tree, expand the node for TMG Server, and then click Firewall Policy.

  3. In the right pane, click Toolbox, expand Protocols, click New, and then click Protocol.

      The New Protocol Definition Wizard appears, and you can define a new DPM Agent Coordinator protocol (TCP, outbound, port range 5718) as follows:

    1. In the New Protocol Definition Wizard, type DPM Agent Coordinator, and then click Next.

    2. On the Primary Connection Information page, click New.

    3. In the New/Edit Protocol Connection dialog box, choose a Protocol type of TCP, a Direction of Outbound, and a Port Range (both From and To) of 5718. Click OK.

    4. Click Next twice, and then click Finish to close the New Protocol Definition Wizard.

  4. In the right pane, click New, and then click Protocol.

      The New Protocol Definition Wizard appears. In the same way, define a new DPM Protection Agent protocol (TCP, outbound, port range 5719).

  5. In the right pane, click New, and then click Protocol.

      In the New Protocol Definition Wizard, define a new DPM Dynamic Ports protocol (TCP, outbound, port range 50000-50050).

      Note

      You need approximately 50 ports in the unreserved dynamic port range between 49152 and 65535. For more information about this range, see the Internet Assigned Numbers Authority Web Site (http://go.microsoft.com/fwlink?LinkId=22654).

  6. In the right pane, click New, and then click RPC Protocol.

      The New RPC Protocol Definition Wizard appears, and you can define a new RPC-compliant DPM protocol as follows:

    1. In the New RPC Protocol Definition Wizard, type DPM RPC, and then click Next.

    2. On the Select Server page, click Add interfaces manually.

    3. On the Adding Interfaces to the Protocol Definition page, click Add.

    4. In the Add/Edit Interfaces dialog box, under Interface UUID, type {12345778-1234-abcd-ef00-0123456789ac}. Under Interface Name, type RPC for DPM, click OK, and then click Next.

    5. Click Finish to close the New RPC Protocol Definition Wizard.

  7. In the top pane, click Apply to save changes and update the configuration.

    To add a computer rule element for the DPM server

  1. In the right pane of the Forefront TMG console, click Toolbox, expand Network Objects, click New, and then click Computer.

  2. In the New Computer Rule Element dialog box, type a Name for the DPM server, and then under Computer IP Address, type the server's IP address. Click OK.

  3. In the top pane, click Apply to save changes and update the configuration.

    To create an access rule for DPM traffic

  1. In the right pane of the Forefront TMG console, click Tasks, and then under Firewall Policy Tasks, click Create Access Rule.

  2. The New Access Rule Wizard appears. Type a name for the access rule (such as Allow DPM Traffic), and then click Next.

  3. On the Rule Action page, click Allow, and then click Next.

  4. On the Protocols page, under This rule applies to, choose Selected protocols, and then click Add.

      In the Add Protocols dialog box, expand All Protocols. Select each of the following protocols and click Add:

    • DPM Agent Coordinator

    • DPM Dynamic Ports

    • DPM Protection Agent

    • NetBIOS Datagram

    • NetBIOS Name Service

    • NetBIOS Session

    • Ping

    • RPC (all interfaces)

    • DPM RPC

      When you have finished adding the protocols, click Close.

      Turn off RPC filtering for RPC (all interfaces): under Protocols, click RPC (all interfaces), and then click Edit. Click the Parameters tab, and under Application Filters clear the RPC Filter check box. Click OK, and then click Next.

  5. On the Access Rule Sources page, click Add.

      In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

      When you have finished adding network entities, click Close. Then click Next.

  6. On the Access Rule Destinations page, click Add.

      In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

      When you have finished adding network entities, click Close. Then click Next.

  7. On the User Sets page, accept the default (All Users). Click Next, and then click Finish.

  8. Under All Firewall Policy, right-click the DPM access rule, and then click Properties.

  9. In the Properties dialog box, click Protocols, click RPC (all interfaces), click Filtering, and then click Configure RPC protocol.

  10. In the Configure RPC protocol policy dialog box, clear the Enforce strict RPC compliance check box. Then click OK twice.

  11. Under All Firewall Policy, if the DPM access rule is not the first listed, right-click the DPM access rule, and then click Move Up. Repeat until the rule is the first listed.

  12. In the top pane, click Apply to save your changes and update the configuration.

    Warning

    Use the following procedure to modify registry settings on TMG and the DPM server. Modify the registry with care. Serious system-wide problems might occur if you modify the registry incorrectly. To correct such problems, you may need to reinstall the operating system software on these servers.

    To configure registry settings on the TMG and the DPM server

  1. Log on to the server as a domain administrator. Perform this procedure on both the TMG server and the DPM server.

  2. Click Start, click Run, type regedit, and then click OK.

  3. In the left pane of Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.

  4. Right-click the Rpc node, click New, and then click Key. Type Internet as the name of the key.

  5. Configure the following values for the Internet key:

    Ports                   REG_MULTI_SZ   50000-50050

    PortsInternetAvailable  REG_SZ         Y

    UseInternetPorts        REG_SZ         Y

  6. To apply the registry settings, close Registry Editor and then restart the server.
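    As an added example (not part of the original article), the following PowerShell script applies the three Internet key values from the procedure above, checks them against the page's port-range guidance, and probes the two fixed DPM agent ports from the host it runs on. The server name dpm01.example.local is an assumed placeholder; run the script in an elevated session on the server being configured.

```powershell
# Added example, not part of the original article: applies the
# HKLM\Software\Microsoft\Rpc\Internet values from the procedure above,
# validates them against the port-range guidance, and probes the fixed
# DPM ports from this host. Run in an elevated PowerShell session on the
# server being configured. $DpmServer is a placeholder, not from the article.
param(
    [string]$DpmServer = 'dpm01.example.local',
    [string]$PortRange = '50000-50050'
)
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcInternetPorts {
    param([string]$Range)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Ports is REG_MULTI_SZ (one range per string); -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
}

function Test-RpcInternetPorts {
    $p  = Get-ItemProperty -Path $key -ErrorAction Stop
    $ok = ($p.PortsInternetAvailable -eq 'Y') -and ($p.UseInternetPorts -eq 'Y')
    $count = 0
    foreach ($r in @($p.Ports)) {
        $lo, $hi = ($r -split '-') | ForEach-Object { [int]$_ }
        if (-not $hi) { $hi = $lo }
        # The article calls for about 50 ports inside the IANA dynamic range 49152-65535.
        if ($lo -lt 49152 -or $hi -gt 65535 -or $lo -gt $hi) {
            Write-Warning "Range $r is not inside 49152-65535"; $ok = $false
        }
        $count += $hi - $lo + 1
    }
    if ($count -lt 50) { Write-Warning "Only $count RPC ports reserved; about 50 are needed"; $ok = $false }
    return $ok
}

function Test-DpmPort {
    param([string]$Computer, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

Set-RpcInternetPorts -Range $PortRange
"Registry settings valid: $(Test-RpcInternetPorts)"
# 5718 = DPM Agent Coordinator, 5719 = DPM Protection Agent (fixed ports from the article).
foreach ($port in 5718, 5719) { "TCP $port to ${DpmServer}: $(Test-DpmPort -Computer $DpmServer -Port $port)" }
```

    As the procedure requires, restart the server afterward; the RPC port settings are not in effect until then.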
