Thanks, but not quite what I want. Please tell me which ports need to be
open on the protected client (NOT DPM SERVER) to PUSH the agent. I have seen
all the Technet links and they are not what I want. For example, when you
firewall. I do not care about those settings. I want to know what ports need
to be open to PUSH the client. Everyone keeps linking that technet article
of the client. I obviously do not need to configure exceptions for DNS,
system. I have tried exceptions for all these just to be sure and I cannot
push the client unless I turn the firewall off completely. Just for
my Altiris agents.
Post by Santhosh Sivarajan
It is in the first TechNet article unless I am missing something here. By
default, it is going to use "high ports"
DCOM: 135/TCP, Dynamic
The DPM control protocol uses DCOM. DPM issues commands to the protection
agent by invoking DCOM calls on the agent. The protection agent responds by
invoking DCOM calls on the DPM server.
Note DPM Management Shell does not require a port. To communicate it uses
the DCOM port on the DPM server.
TCP port 135 is the DCE endpoint resolution point used by DCOM.
By default, DCOM assigns ports dynamically from the TCP port range of 1024
through 65535. However, you can configure this range by using Component
Services. For more information, see Using Distributed COM with Firewalls
(http://go.microsoft.com/fwlink/?LinkId=46088).
TCP: 5718/TCP, 5719/TCP
The DPM data channel is based on TCP. Both DPM and the protected computer
initiate connections to enable DPM operations such as synchronization and
recovery.
DPM communicates with the agent coordinator on port 5718 and with the
protection agent on port 5719.
--
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by TAF
Well, not really. All this describes is how the agent communicates with the
DPM server once it is deployed and operating. It does not discuss the process
in which the agent is deployed. I assume the MSI is copied and executed
silently in some manner, and obviously you need to have a particular port or
ports open. I just want to know what has to be open in order to deploy the
agent. My best guess is that I would have to manually open 5718 and 5719
which I have done, but I still cannot deploy the agents. I have yet to see
any documentation which specifically addresses this process. Actually with a
domain admin username and password I can connect to any client's c$ share
remotely without specifying any firewall exceptions so I do not really know
what the problem is. I was hoping to get some clarification on what exactly
happens in the remote agent deployment process. I have DPM installed on
Server 08 R2 and clients of XP, Vista, 7 and Server 2003. The remote
deployment only works on the Server 2003 machines because the firewall is not
enabled. Please someone clarify what is happening when I remote install the
agent from the DPM console.
Post by unknown
I am in the same exact position as you and not having any luck finding an
answer. This seems like it should be something VERY basic. Doesn't anyone
know?
Post by Santhosh Sivarajan
http://technet.microsoft.com/en-us/library/bb808766.aspx
Please open the ports specified in the above article on all the protected
servers. This will make your push agent work.
--
This posting is provided "AS IS" with no warranties, and confers no rights
Post by unknown
I am sorry, but can people responding to this post stop linking that technet
article. It just does not work. Read my above posts. No one is answering my
question. HOW specifically does the agent push operation work? I do not know
why anyone cannot just explain that to me. I do not care what ports the agent
needs open to operate. I have no problem with that. I just want to know why
I cannot push the agents. I wish someone would go step by step on how you
configure the built in Windows firewall to allow the agent to push.
Post by unknown
I agree, simple question, cannot get a straight answer. I ran through the
same exercise just now. I have created exceptions for all ports listed in the
"repeated" technet article, even 5718 & 5719, no fix. So I had to disable
the firewall and run "netstat -n" on the DPM server to see what ports it's
actually hitting on the target computer. All of the listed ones in the
article are being hit, but actually it is high-ports (49000 and above) that
are utilized. I will continue to test and get a better answer.
HTH: RMouton
Post by unknown
I don't suppose anyone has figured this out yet, have they? I also have the
same issue pushing DPM agents with the firewall enabled on the remote
computer (the computer to be protected). I've added ports 5178 and 5179 to
the remote computer's firewall "allow list" and of course had no luck.
Netstat didn't give me too much to work with and when I enabled logging on
the firewall it's just using random ports like Santhosh said. I don't really
want to open all ports above 1024 to get RPC and DCOM communication to
function. I might be looking at a script to push this out...
And here I thought going with DPM would save me the headache of dealing with
Symantec Backup Exec. At least those remote agent pushes work! Well, most
of the time anyway.
Thanks,
Miles
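The firewall-logging approach described in the posts above can be automated. This is an added example, not part of the original thread: it assumes the standard Windows Firewall pfirewall.log text format, the log lines are constructed, the function names are hypothetical, and 172.16.1.19 stands in for the DPM server address.

```python
from collections import Counter

# Constructed sample in pfirewall.log format; hosts, times and ports are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2010-03-01 10:15:02 DROP TCP 172.16.1.19 172.16.1.50 52344 135 52 S 1 0 8192 - - - RECEIVE
2010-03-01 10:15:03 DROP TCP 172.16.1.19 172.16.1.50 52345 49155 52 S 2 0 8192 - - - RECEIVE
2010-03-01 10:15:06 DROP TCP 172.16.1.19 172.16.1.50 52345 49155 52 S 2 0 8192 - - - RECEIVE
2010-03-01 10:15:09 DROP TCP 172.16.1.19 172.16.1.50 52350 49161 52 S 3 0 8192 - - - RECEIVE
2010-03-01 10:15:10 ALLOW TCP 172.16.1.19 172.16.1.50 52351 5718 0 - 0 0 0 - - - RECEIVE
2010-03-01 10:15:11 DROP TCP 172.16.1.77 172.16.1.50 40000 3389 52 S 4 0 8192 - - - RECEIVE
2010-03-01 10:15:12 DROP UDP 172.16.1.19 172.16.1.50 137 137 78 - - - - - - - RECEIVE
"""

def dropped_ports(log_text, server_ip):
    """Count dropped TCP packets sent by server_ip, keyed by destination port."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("action") == "DROP" and rec.get("protocol") == "TCP"
                and rec.get("src-ip") == server_ip
                and rec.get("dst-port", "").isdigit()):
            hits[int(rec["dst-port"])] += 1
    return hits

def classify(port):
    """Map a port to the categories named in the quoted TechNet text."""
    if port == 135:
        return "DCOM endpoint mapper (135/TCP)"
    if port in (5718, 5719):
        return "DPM data channel"
    if port >= 1024:
        return "DCOM dynamic range"
    return "other"

def summarize(log_text, server_ip):
    """Group the dropped destination ports by category."""
    summary = {}
    for port in sorted(dropped_ports(log_text, server_ip)):
        summary.setdefault(classify(port), []).append(port)
    return summary

if __name__ == "__main__":
    for category, ports in summarize(SAMPLE_LOG, "172.16.1.19").items():
        print(f"{category}: {ports}")
```

Run against a real log captured during a failed push, the summary shows which blocked ports came from the DPM server alone, which is the information needed to scope an exception more tightly than an allow-all rule.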
Post by unknown
Since I wasn't about to manually disable 20 firewalls on my network, install
the DPM agent, and then re-enable the firewalls I created a quick script to
help with the push installation of the agents. Well, it's not so much of a
netsh advfirewall firewall add rule name="Allow DPM Remote Agent Push" dir=in action=allow service=any enable=yes profile=any remoteip=172.16.1.19
If you can somehow run the above command on all the computers you want to
push the DPM agent out to (either through login scripts, Group Policies, SC
Configuration Manager, Prism Deploy, PowerShell, etc.) it should allow for a
successful remote agent installation. Simply replace the IP address at the
end with your DPM server's IP address.
Not terribly elegant, but it worked for me!
Thanks,
Miles
Post by Miles
Oh, I forgot to mention that you may want to remove that rule for security
purposes after the DPM agent is installed. Just run the command below on
netsh advfirewall firewall delete rule name="Allow DPM Remote Agent Push"
Post by unknown
I ran into this exact issue and wanted to post my findings. In my case the DPM Server and protected agents are all Windows Server 2008 R2. The out of box firewall settings do not allow DPM Server and agent to communicate. When running the "Protection Agent Installation Wizard" I noticed the "Install Agent" option is for computers where required firewall settings have already been configured. Since I did not know what those settings are I opted to execute the agent installer manually from a share on the DPM Server.
[Option A]
\\%DPMServer\c$\Program Files\Microsoft DPM\DPM\ProtectionAgents\RA\3.0.7696.0\amd64\DPMAgentInstaller_x64.exe %DPMServerName%
If you do not pass in the DPMServer name you may need to run the second command on the protected server to update/create firewall rules.
[Option B]
C:\Program Files\Microsoft Data Protection Manager\DPM\bin>SetDpmServer.exe -dpmServerName %DPMServerName%
Configuring dpm server settings and firewall settings for dpm server
Configuration completed successfully!!!
davguent