DPM 2010 and Juniper SRX Firewall

SharePoint 2010 is all the rage (still) and products are finally maturing enough that you don't need best of breed to get everything done. We recently started rolling out Microsoft's Data Protection Manager (DPM) 2010 to do our SharePoint 2010 backups. DPM 2007's recovery process through a "recovery farm" is a thing of the past with DPM 2010, so the timing was right. So we chose DPM 2010 as our backup/recovery strategy and implemented it fine on the intranet, but then....yes, we need SharePoint 2010 on the extranet, so DPM 2010 followed and so did the firewall....

I followed the ports outlined by Microsoft and cringed a little at the "135 TCP Dynamic" reference and the somewhat legal jargon below it. Anyone who has worked with Microsoft and sees DCOM, RPC or the phrase "port range" knows what I mean when I say cringe. I recently found this article by Thomas Shinder, and while it is a little older, the diagrams illustrate how RPC traffic behaves on the network. Since all our servers are Windows Server 2008, the high port range is ONLY TCP 49152 – 65535. Yes, only 16,000 ports, which makes my security team cringe as well.

Our environment:
- All Windows Server 2008 or 2008 R2 64bit
- DPM 2010
- SharePoint 2010
- Juniper SRX Firewall

So, assuming your Windows servers already have proper communication to your Domain Controller, what are the options?

1. Open 135 TCP Dynamic, 3148/3149 TCP, and open the high port range explicitly if the firewall does not treat it as dynamic
 Pros: Easy...just open the ports
 Cons: Lots of ports open


2. Create an IPsec tunnel between DPM and the Protected Servers (see this for more info)
 Pros: Open only a few ports
 Cons: Need to maintain IPsec policy via local or group policy on all DPM and Protected Servers


3. Change the RPC port range
 Pros: Easy to change via registry
 Cons: It affects ALL RPC traffic, not just DPM's, PLUS it needs to be maintained on all DPM and Protected Servers


4. Open 3148/3149 TCP and leverage MSDPM UUIDs
 Pros: Set it and forget it
 Cons: Hard to find the UUIDs without looking through traces or googling a lot.


So we went with option #4. We dealt with Active Directory communication through our Juniper firewalls a few years ago and remembered the UUID model. So I started searching and came across Steve Buchanan's write-up, and while it is written for ISA, Juniper has the same functionality. Long story short, we implemented a global UUID service on our Juniper SRX Firewall with the following UUIDs:

MSDPM AC:
{C4EBD674-1457-4B79-BE30-B04735AED9D1}
{A3B9D3F4-2477-4F95-B2D1-F75B0FDF2A2F}

DPM RA:
{DA6AA17A-D61C-4E9C-8CEA-DB25DEA52A95}
{2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}

MSDPM:
{27F60283-447F-4D5F-AA84-F45D09BD06EF}
{8D8C691A-AFE6-4EA3-A6B2-F3E5EF1BD0CA}

DPM LA:
{1B308A4A-FFEC-4C85-957C-53AA1DCC696F}
{9E6C5356-B180-4295-888C-5A99E505420F}

RPC interface UUID for IRemoteSCMActivator:
{000001A0-0000-0000-C000-000000000046}

RPC interface UUID for IObjectExporter:
{99fcfec4-5260-101b-bbcb-00aa0021347a}

RPC SMB Relay type bind:
{6cb71c2c-9812-4540-0300-000000000000}

Microsoft NDR Transfer Syntax Identifier:
{8a885d04-1ceb-11c9-9fe8-08002b104860}

I think the last four are covered under ISA's default "135 TCP Dynamic" configuration, so on the SRX they had to be added explicitly.

** Some of the errors you'll see if the firewall is blocking traffic to the protected servers (when you are "attaching" an agent). Just run a trace on the DPM server using Wireshark or Netmon and look for SYN retransmissions to the TCP 49152 – 65535 range.
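As an added example (not part of the original post), here is a small Python script that does the Wireshark step above offline: it reads a tshark-style field export and flags client SYNs into the TCP 49152 – 65535 range that were retransmitted and never answered with a SYN/ACK, which is what a dropped dynamic RPC port looks like in a trace. The hosts, ports and the export lines are constructed for the example; the field layout assumes the `tshark -T fields` command shown in the docstring.

```python
"""Flag unanswered, retransmitted SYNs into the Windows Server 2008 dynamic
RPC range (TCP 49152-65535), the firewall-block signature this post describes.

Input is a tab-separated export shaped like
  tshark -r dpm.pcap -Y tcp.flags.syn==1 -T fields -e frame.time_relative \
    -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
Hosts and ports below are constructed for the example (DPM server 10.0.1.10
attaching an agent on protected server 10.0.2.20).
"""
from collections import defaultdict

SAMPLE_EXPORT = """\
0.000\t10.0.1.10\t10.0.2.20\t52011\t135\t0x0002
0.002\t10.0.2.20\t10.0.1.10\t135\t52011\t0x0012
0.010\t10.0.1.10\t10.0.2.20\t52012\t49671\t0x0002
3.010\t10.0.1.10\t10.0.2.20\t52012\t49671\t0x0002
9.010\t10.0.1.10\t10.0.2.20\t52012\t49671\t0x0002
0.020\t10.0.1.10\t10.0.2.20\t52013\t3148\t0x0002
0.022\t10.0.2.20\t10.0.1.10\t3148\t52013\t0x0012
"""

SYN, ACK = 0x02, 0x10  # TCP flag bits in the tcp.flags field


def find_blocked_flows(export, lo=49152, hi=65535):
    """Return [(server_ip, server_port, syn_count)] for flows where the client
    sent a SYN more than once, never got a SYN/ACK, and the port is in [lo, hi]."""
    syn_count = defaultdict(int)  # (client, cport, server, sport) -> SYNs seen
    answered = set()              # same key once a SYN/ACK came back
    for line in export.splitlines():
        if not line.strip():
            continue
        _t, src, dst, src_port, dst_port, flags = line.split("\t")
        flags, src_port, dst_port = int(flags, 16), int(src_port), int(dst_port)
        if flags & SYN and not flags & ACK:       # client -> server SYN
            syn_count[(src, src_port, dst, dst_port)] += 1
        elif flags & SYN and flags & ACK:         # server -> client SYN/ACK
            answered.add((dst, dst_port, src, src_port))
    blocked = []
    for key, count in syn_count.items():
        _client, _cport, server, sport = key
        if count > 1 and key not in answered and lo <= sport <= hi:
            blocked.append((server, sport, count))
    return sorted(blocked)


if __name__ == "__main__":
    for server, port, n in find_blocked_flows(SAMPLE_EXPORT):
        print(f"{server}:{port} -> {n} unanswered SYNs (likely blocked)")
```

In the constructed trace, port 135 and 3148 complete the handshake while the dynamic port 49671 is retried three times with no reply, which is the case to check against the SRX UUID service before touching the port range.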

Install protection agent on SERVERA.lmx.abc.com failed: Error 346: DPM is unable to retrieve the configuration information from SERVERA.abc.com. Recommended action: Ensure that the Windows Management Instrumentation (WMI) service is started. If the firewall is turned on, on SERVERA.abc.com make sure that an exception for WMI is created.

The RPC server is unavailable (0x800706BA)

Good luck..and chances are it is the firewall!