Windows Firewall Rules for Data Protection Manager

I’ve had the pleasure of trying to reverse engineer the firewall requirements DPM has since they’ve declined to document any of this in a useful fashion. My experience so far is that this product does something very slick with Exchange and brings with it the baggage of awful documentation and a user interface which would earn an A for a high school computer science project.

DPM deploys and manages its agents through a component called the Agent Coordinator service. The Agent Coordinator is temporary (it is installed only while it is needed and then goes away), and for whatever reason it is installed under the Windows folder. If you take a network trace you’ll see all of the file copy and Service Control Manager operations happening, assuming the firewall rules those already depend on (file sharing and remote service management) are in place; you’ll need them. For the Agent Coordinator itself to work it needs to listen on TCP 5719 and accept RPCs. If you don’t have rules in place for this, agent installation fails with Error 313 0x80070643, which the documentation points out could be due to a firewall. Of course the documentation doesn’t specify what firewall rules might be necessary (go figure).

What I’ve discovered is that you need the following rules for agent deployment and management as well as backup to work. All of them are inbound rules scoped to a program and a remote address; you can just use the "Custom" option in the Windows Firewall New Inbound Rule wizard to specify all this.

Note: I only tested this on Windows Server 2008 with Service Pack 2.

DPM Server

Name: DPM (RPC)
Program: %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe
Remote Address: <DPM Agents>
Protocol: TCP
Local Port: Dynamic RPC

Name: DPM Replication Agent (TCP-In)
Program: %programfiles%\Microsoft DPM\DPM\bin\DPMRA.exe
Remote Address: <DPM Agents>
Protocol: TCP
Local Port: 5718

DPM Agent

Name: DPM Agent Coordinator (TCP-In)
Program: %windir%\Microsoft Data Protection Manager\DPM\Agents\AC\2.0.5820.0\dpmac.exe
Remote Address: <DPM Server IP>
Protocol: TCP
Local Port: 5719

Name: DPM Agent Coordinator (RPC)
Program: %windir%\Microsoft Data Protection Manager\DPM\Agents\AC\2.0.5820.0\dpmac.exe
Remote Address: <DPM Server IP>
Protocol: TCP
Local Port: Dynamic RPC

Name: DPM Replication Agent (TCP-In)
Program: %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe
Remote Address: <DPM Server IP>
Protocol: TCP
Local Port: 5718

Name: DPM Replication Agent (RPC)
Program: %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe
Remote Address: <DPM Server IP>
Protocol: TCP
Local Port: Dynamic RPC

Add those rules to a Group Policy object or your local Windows Firewall policy and you should be good to go. I’ve only tested this with Exchange backups, and I’m not 100% positive that this is a complete list or that it is the minimum baseline (e.g. there could be rules here that aren’t necessary), but, it has been working for me successfully for over a month now.

Warning: Be wary of the fact that the Agent Coordinator program path is versioned (2.0.5820.0 above). If an agent update increments the version and moves dpmac.exe into a new directory, the program-scoped rules will silently stop matching and agent management will fail again. Seeing what I’ve seen with this product so far, I wouldn’t be the least bit surprised if that happens.
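As an added example (not from the original post), here is a script that creates the rules listed above on either side with netsh advfirewall, which is what Windows Server 2008 ships with (the New-NetFirewallRule cmdlets need Server 2012 or later). It also works around the versioned-path problem in the warning by locating dpmac.exe at run time instead of hard-coding the 2.0.5820.0 folder. The -Role and -RemoteAddresses parameters, the rule layout, and the delete-then-add behaviour are my own choices; the program paths, ports, and rule names are the ones from the tables above. Run it elevated.

```powershell
# Added example: create the inbound Windows Firewall rules for DPM with netsh advfirewall.
# Not DPM's own tooling; paths/ports/names are the ones from the post, everything else is assumed.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Server', 'Agent')]
    [string]$Role,

    # Server role: comma-separated list of protected (agent) machines.
    # Agent role: the DPM server's IP address. Passed straight through as netsh's remoteip=.
    [Parameter(Mandatory = $true)]
    [string]$RemoteAddresses
)

$ErrorActionPreference = 'Stop'

# 'rpc' is netsh's spelling of the wizard's "Dynamic RPC" local port option.
if ($Role -eq 'Server') {
    $bin = Join-Path $env:ProgramFiles 'Microsoft DPM\DPM\bin'
    $rules = @(
        @{ Name = 'DPM (RPC)';                      Program = (Join-Path $bin 'msdpm.exe'); Port = 'rpc'  },
        @{ Name = 'DPM Replication Agent (TCP-In)'; Program = (Join-Path $bin 'DPMRA.exe'); Port = '5718' }
    )
}
else {
    # Resolve the Agent Coordinator path at run time rather than hard-coding the version
    # folder, so re-running the script after an agent upgrade picks up the new directory.
    $acRoot = Join-Path $env:windir 'Microsoft Data Protection Manager\DPM\Agents\AC'
    $dpmac = Get-ChildItem -Path $acRoot -Filter 'dpmac.exe' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -as [version] } |
        Sort-Object { [version]$_.Directory.Name } -Descending |
        Select-Object -First 1
    if (-not $dpmac) { throw "dpmac.exe not found under $acRoot; has the agent been deployed yet?" }

    $dpmra = Join-Path $env:ProgramFiles 'Microsoft Data Protection Manager\DPM\bin\DPMRA.exe'
    $rules = @(
        @{ Name = 'DPM Agent Coordinator (TCP-In)'; Program = $dpmac.FullName; Port = '5719' },
        @{ Name = 'DPM Agent Coordinator (RPC)';    Program = $dpmac.FullName; Port = 'rpc'  },
        @{ Name = 'DPM Replication Agent (TCP-In)'; Program = $dpmra;          Port = '5718' },
        @{ Name = 'DPM Replication Agent (RPC)';    Program = $dpmra;          Port = 'rpc'  }
    )
}

foreach ($r in $rules) {
    if (-not (Test-Path -LiteralPath $r.Program)) {
        Write-Warning "$($r.Program) does not exist; the rule '$($r.Name)' will never match."
    }

    # Remove any existing rule of the same name first, so re-running the script replaces a
    # stale rule (for example one pointing at an old versioned dpmac.exe path) instead of
    # adding a duplicate. netsh returns non-zero when nothing matched, which is fine here.
    & netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null

    & netsh advfirewall firewall add rule `
        name="$($r.Name)" dir=in action=allow enable=yes `
        protocol=TCP localport=$($r.Port) remoteip=$RemoteAddresses `
        program="$($r.Program)"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$($r.Name)'" }
    Write-Host "Added rule '$($r.Name)' (local port $($r.Port), remote $RemoteAddresses)"
}
```

Usage on a protected server: `.\Set-DpmFirewallRules.ps1 -Role Agent -RemoteAddresses 10.0.0.5`; on the DPM server: `.\Set-DpmFirewallRules.ps1 -Role Server -RemoteAddresses 10.0.1.10,10.0.1.11`. One caveat that is not in the post: a "Dynamic RPC" rule only opens the ports the RPC runtime hands out, and the caller finds those ports by asking the RPC Endpoint Mapper on TCP 135 first. If your policy has nothing allowing inbound RPC-EPMAP (the wizard's "RPC Endpoint Mapper" local port choice) from the same remote addresses, that is the next rule to check when the RPC rules above are present but deployment still fails.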

Updated 11Jul09 – Broke out DPM server and DPM agents
