Configuring Firewalls
Applies To: System Center Data Protection Manager 2010
If the computers you want to protect reside behind a firewall, you must configure the firewall to allow communication between the DPM server, the computers it protects, and the domain controllers.
Protocols and Ports
Depending on your network configuration, you might need to configure the firewall to enable communication between DPM, the protected servers, and the domain controllers. To help with firewall configuration, the following table lists the protocols and ports used by DPM.
Protocols and Ports Used by DPM
Protocol | Port | Details
---|---|---
DCOM | 135/TCP | The DPM control protocol uses DCOM. DPM issues commands to the protection agent by invoking DCOM calls on the agent. The protection agent responds by invoking DCOM calls on the DPM server. TCP port 135 is the DCE endpoint resolution point used by DCOM. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. However, you can configure this range by using Component Services. For more information, see Using Distributed COM with Firewalls (https://go.microsoft.com/fwlink/?LinkId=46088). Note that for DPM-Agent communication you must open the upper ports 1024-65535. To open the ports, perform the following steps:
TCP | 5718/TCP | The DPM data channel is based on TCP. Both DPM and the protected computer initiate connections to enable DPM operations such as synchronization and recovery. DPM communicates with the agent coordinator on port 5718 and with the protection agent on port 5719.
DNS | 53/UDP | Used between DPM and the domain controller, and between the protected computer and the domain controller, for host name resolution.
Kerberos | 88/UDP, 88/TCP | Used between DPM and the domain controller, and between the protected computer and the domain controller, for authentication of the connection endpoint.
LDAP | 389/TCP | Used between DPM and the domain controller for queries.
NetBIOS | 137/UDP | Used between DPM and the protected computer, between DPM and the domain controller, and between the protected computer and the domain controller, for miscellaneous operations. Used for SMB directly hosted on TCP/IP for DPM functions.
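The following script is an added example, not part of the DPM documentation, that checks from a protected computer whether the TCP ports in the table above are reachable through the firewall. It uses only .NET classes available on Windows Server 2008 R2 PowerShell 2.0, so it does not depend on cmdlets introduced in later versions. The host names `dpm01.corp.example` and `dc01.corp.example` and the timeout value are assumptions; replace them with your own DPM server and domain controller.

```powershell
# Added example (not from the DPM documentation): verify that the TCP ports used by DPM
# are reachable from this protected computer. Run on the protected computer.
$dpmServer        = 'dpm01.corp.example'   # assumption: host name of the DPM server
$domainController = 'dc01.corp.example'    # assumption: host name of a domain controller

# Ports taken from the "Protocols and Ports Used by DPM" table. UDP ports (53, 88, 137)
# cannot be checked with a TCP connect and are omitted here.
$checks = @(
    @{ Host = $dpmServer;        Port = 135;  Purpose = 'DCOM endpoint resolution' },
    @{ Host = $dpmServer;        Port = 5718; Purpose = 'DPM agent coordinator' },
    @{ Host = $dpmServer;        Port = 5719; Purpose = 'DPM protection agent' },
    @{ Host = $domainController; Port = 88;   Purpose = 'Kerberos' },
    @{ Host = $domainController; Port = 389;  Purpose = 'LDAP' }
)

function Test-TcpPort {
    # Attempts a TCP connect with a timeout; returns $true if the port accepts the
    # connection, $false if it is refused, filtered by a firewall, or times out.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)  # timeout is an assumption
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($c in $checks) {
    $ok    = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    $state = if ($ok) { 'OPEN' } else { 'BLOCKED/CLOSED' }
    '{0,-24} {1,5}/TCP  {2,-15} {3}' -f $c.Host, $c.Port, $state, $c.Purpose
}
```

A successful connect only proves that the listening port and the path to it are open; it does not exercise the dynamic DCOM range (1024 through 65535 by default) that the table says must also be open between DPM and the agent, so a "BLOCKED/CLOSED" result for a port that should be open is a firewall problem to investigate, while all ports showing "OPEN" does not by itself guarantee that agent communication will succeed.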
Windows Firewall
Windows Firewall is included with Windows Server 2008 and Windows Server 2008 R2. If you enable Windows Firewall on the DPM server before you install DPM, DPM Setup properly configures the firewall for DPM.
If you enable Windows Firewall on the DPM server after you install DPM, you must configure the firewall manually to permit communication between the DPM server and protected computers. Configure Windows Firewall on a DPM server by opening port 135 to incoming TCP traffic and specifying the DPM service (Microsoft DPM/bin/MsDPM.exe) and the protection agent (Microsoft DPM/bin/Dpmra.exe) as exceptions to the Windows Firewall policy.
For instructions for configuring Windows Firewall, search on "Windows Firewall" in Windows Help and Support for Windows Server 2008 or Windows Server 2008 R2.
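As an added example that is not part of the DPM documentation, the following script creates the Windows Firewall exceptions described above on a DPM server where the firewall was enabled after DPM was installed: an inbound rule for TCP port 135 and program exceptions for MsDPM.exe and Dpmra.exe. It uses `netsh advfirewall`, which is available on Windows Server 2008 and 2008 R2. The installation directory `C:\Program Files\Microsoft DPM\DPM\bin` and the protected-computer subnet `10.0.0.0/24` are assumptions; adjust them to your environment. Scoping the rules to the protected subnet and the domain profile keeps the exposure narrower than an "any address" rule.

```powershell
# Added example (not from the DPM documentation): create the Windows Firewall exceptions
# for DPM on the DPM server. Run from an elevated PowerShell prompt on the DPM server.
$dpmBin          = 'C:\Program Files\Microsoft DPM\DPM\bin'   # assumption: DPM install path
$protectedSubnet = '10.0.0.0/24'                             # assumption: protected computers

# Each rule is inbound, allow, limited to the domain profile and the protected subnet.
$rules = @(
    @{ Name = 'DPM - DCOM endpoint resolution (TCP 135)'; Args = @('protocol=TCP', 'localport=135') },
    @{ Name = 'DPM - MsDPM service';                      Args = @("program=$dpmBin\MsDPM.exe") },
    @{ Name = 'DPM - Dpmra protection agent';             Args = @("program=$dpmBin\Dpmra.exe") }
)

foreach ($r in $rules) {
    # Delete any existing rule of the same name first so the script can be re-run safely.
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    & netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        profile=domain "remoteip=$protectedSubnet" $r.Args | Out-Null

    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to create firewall rule '$($r.Name)'"
    }
}

# Verify the rules that now exist, with their scope and program/port settings.
foreach ($r in $rules) {
    & netsh advfirewall firewall show rule "name=$($r.Name)"
}
```

The program exceptions cover the dynamically assigned DCOM ports that the DPM service and the protection agent listen on, which is why the page specifies them as exceptions rather than listing a fixed port; the explicit rule for TCP 135 is still required because the endpoint mapper is a separate system component, not one of the two DPM executables.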