Updating DPM agents through Windows Firewall

Using the setdpmserver.exe on the client side, DPM does a good job of allowing connections for standard DPM functions through the client side firewall.  However, with Windows firewall enabled you will notice two things that DONT work:

• Pushing clients out through the DPM 2007 Management Console will fail with the following error “The agent operation failed because of a communication error with the DPM agent coordinator service on <servername>”.
• Updating agents to a new version out through the DPM 2007 Management Console will fail with the same error.

The reason for this is because by default, the setdpmserver.exe only modifies the local firewall to allow access to DPMRA.exe (C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe) and TCP port 5718.  This works for normal backup/restore processes, but will fail for processes requiring “Agent Coordination” (like pushing an agent out and upgrading an agent).  To allow the “Agent Coordination” processes to work, add these additional rules to your Windows firewall exceptions on the agent side:

• Allow program dpmac.exe (C:\WINDOWS\Microsoft Data Protection Manager\DPM\Agents\AC\2.0.5820.0\dpmac.exe)
• Allow TCP port 5719 (this is the Agent Coordinator service port)

This should allow you to do all of the additional functions in your DPM environment centrally while still using Windows firewall on your client side.

Tags: DPM, Windows Firewall