Microsoft System Center Data Protection Manager 2012 R2 Cookbook

By: Robert Hedblom

Firewall configuration


This recipe covers the firewall configuration needed to establish communication between DPM 2012 R2 and the data sources that are to be included in DPM protection.

Getting ready

Opening only the required firewall ports, restricted to the required direction of communication, gives you a tighter security posture. DPM uses Microsoft's standard communication ports, but some features need a few additional TCP ports to be opened.

Protocol              Port
--------------------  -------------------
DCOM                  135 / TCP
DPM specific ports    5718 / TCP
                      5719 / TCP
DNS                   53 / UDP
Kerberos              88 / UDP
                      88 / TCP
LDAP                  389 / UDP
                      389 / TCP
NetBIOS               137 / UDP
                      138 / UDP
                      139 / UDP
                      445 / TCP
Centralized Console   6075 / TCP
                      1433 / TCP
                      1434 / UDP
                      80 / TCP
                      443 / TCP
                      50000 – 65000 / TCP
                      4022 / TCP
                      5723 / TCP

How to do it…

Having the Windows Firewall enabled should be the natural default. However, many companies rely on a physical firewall as their first line of defense, which means that their Windows firewalls are disabled.

An easy approach is to create a Group Policy Object (GPO) that holds the Windows Firewall configuration. Use the advanced mode (Windows Firewall with Advanced Security) so that you can define the necessary rules, including port, protocol, direction and remote address scope, precisely.

How it works…

The important point about the direction of communication is to understand which side initiates it. When DPM protects server workloads, the DPM server calls the DPM agent to start its VSS request; when DPM protects clients, the DPM server waits for the DPM agent on the client to call in.
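As an added example (not from the book or from Microsoft), the following PowerShell script turns the port table from "Getting ready" and the direction rules above into local Windows Firewall rules, scoped to the peer that initiates the connection. The DPM server address, the client subnet, the host name in the verification line and the rule group name are assumed values; the same rules can equally be put into the GPO described in "How to do it".

```powershell
<#
 Added example: local Windows Firewall rules for DPM 2012 R2 traffic.
 Run in an elevated PowerShell on Windows Server 2012 R2.
 Assumed values: $DpmServer, $ClientSubnet, $Group.
 The DNS, Kerberos and LDAP entries of the port table are traffic to the
 domain controllers; the default outbound policy (allow) already passes
 them, so no rules are created for them here.
#>
param(
    [ValidateSet('ProtectedServer','DpmServer')][string]$Role = 'ProtectedServer',
    [string]$DpmServer    = '10.0.0.10',     # assumed: address of the DPM server
    [string]$ClientSubnet = '10.0.1.0/24'    # assumed: subnet of DPM-protected clients
)
$Group = 'DPM 2012 R2 (cookbook example)'    # assumed: lets the rules be listed/removed as a set

# Inbound rules a protected server needs: the DPM server initiates these (see "How it works").
$ServerInbound = @(
    @{ Name = 'DCOM endpoint mapper'; Proto = 'TCP'; Port = '135' },
    @{ Name = 'DPM agent';            Proto = 'TCP'; Port = '5718','5719' },
    @{ Name = 'SMB (agent install)';  Proto = 'TCP'; Port = '445' },
    @{ Name = 'Dynamic RPC range';    Proto = 'TCP'; Port = '50000-65000' }
)
# Inbound rules a DPM server needs for client protection: the client agent calls in.
$DpmInbound = @(
    @{ Name = 'DPM agent (clients)';  Proto = 'TCP'; Port = '5718','5719' }
)

if ($Role -eq 'ProtectedServer') { $Set = $ServerInbound; $Remote = $DpmServer }
else                             { $Set = $DpmInbound;    $Remote = $ClientSubnet }

# Make sure the domain profile is actually enforced (see "How to do it").
Set-NetFirewallProfile -Profile Domain -Enabled True

# Replace any rules from an earlier run, then create the set. The remote address
# scope keeps each port reachable only from the peer that is meant to initiate.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($r in $Set) {
    New-NetFirewallRule -DisplayName "DPM - $($r.Name)" -Group $Group `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $Remote | Out-Null
}

# Show what was created.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Direction, Action

# Verification from the DPM server: is a protected server's agent port reachable?
# Test-NetConnection -ComputerName fileserver01 -Port 5718    # assumed host name
```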

There's more…

You can also restrict the dynamic RPC (high) ports to a specific, narrower port range instead of the full range listed in the table. For instructions on how to do this, refer to this article: http://blogs.technet.com/b/dpm/archive/2011/06/28/how-to-limit-dynamic-rpc-ports-used-by-dpm-and-protected-servers.aspx.