Windows Server pairing failures caused by DirectAccess policy

Topic

The DirectAccess policy on Windows Servers can cause the required ports for the Datto Windows Agent communication to be filtered, despite valid exceptions in the anti-virus and Windows Firewall. This can cause pairing errors as well as backup failures similar to:

Unable to start backup because agent service is stopped.

"Unable to start backup because agent is unreachable."

Environment

  • Windows Server 2008 or newer

Description

The issue is linked to Group Policy settings for the device network, specifically DirectAccess Server (DAS) settings listening on ports 25566 or 25568, preventing the Datto agent software from communicating with the Datto appliance.

When trying to pair an agent that is failing due to DirectAccess Policy, the error will look like this.

11:10:13 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25566
11:10:14 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25566]
11:10:14 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25568
11:10:15 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25568]
11:10:15 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25567
11:10:16 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25567]
11:10:16 EDT ASC0006 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:148 Checking connectivity for new agent at 10.10.10.100:25569
11:10:17 EDT ACS0003 fb7d2cfbc01b4092bbb15149279690e7 AgentConnectivityService.php(2) : eval()'d code:181 domain name [10.10.10.100] is NOT responding on port [25569]
11:10:17 EDT PHD0001 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:417 Could not connect to the agent.
11:10:18 EDT PHD0004 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:276 Agent pairing failed with an Exception: Could not connect to the agent.
11:10:18 EDT AGT3009 fb7d2cfbc01b4092bbb15149279690e7 PairHandler.php(2) : eval()'d code:292 Cannot add agent.

Despite properly configured antivirus exceptions and Windows Firewall, port 25566/25568 appear as 'filtered':

root@backupdevice:~# nmap -p25566,25567,25568,25569 10.10.10.100
Starting Nmap 7.01 ( https://nmap.org ) at 2018-04-08 11:07 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00011s latency).
PORT STATE SERVICE
25566/tcp filtered unknown
25567/tcp filtered unknown
25568/tcp filtered unknown
25569/tcp filtered unknown

To check the service and the ports being used on the protected system:

  • Navigate to the Start menu.

  • In the search box, type "powershell" until Windows Powershell is found in the results.

  • Right click Windows Powershell and click Run as Administrator

  • In Powershell, type the following:

    Get-NetNatTransitionConfiguration

  • IPv4AddressPortPool will show the IP that the service is using and the port range that is being reserved for it. If the range includes ports 25566-25568, like in the example here, the range will need to be adjusted.
    Get-NetNatTransitionConfiguration.png

Resolution

Ensure that firewall and anti-virus exceptions covered in Unified Backup Networking and Bandwidth Requirements are properly configured for target machine.

Ensure that the agent services are running by following the troubleshooting outlined in: Datto Windows Agent: Unable To Start Backup Because Agent Service Is Stopped

Once the requirements are validated, either change the port range used by DirectAccess, or disable DirectAccess entirely.

Configure Name Resolution Policy Table entries

  1. On the Start page, open Group Policy Management.

  2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Client Settings, and then click Edit.

  3. Click Computer Configurations, click Policies, click Windows Settings, and then click Name Resolution Policy. Choose the entry that has the namespace that is identical to your DNS suffix, and then click Edit Rule.

  4. Click the DNS Settings for DirectAccess tab; then select Enable DNS settings for DirectAccess in this rule. Add the IPv6 address for the IP-HTTPS interface in the DNS server list.

Configure firewall rules

  1. On the Start page, open Group Policy Management.

  2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.

  3. Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain name Server (TCP-In), and then click Properties.

  4. Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.

  5. Repeat the same procedure for Domain Name Server (UDP-In).

Reserve ports

Open powershell as an administrator:

  1. Click the Start button or press the Windows key.

  2. Type “PowerShell”.

  3. In the search results, right-click Windows PowerShell (or Windows PowerShell ISE).

  4. Choose Run as administrator.

  5. If prompted by User Account Control, click Yes.

In PowerShell, run the command to change the DNS64 configuration to listen to the IP-HTTPS interface:

Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface

Use the following Windows PowerShell command to reserve ports for the WinNat service. Replace <ipAddress> with the IP in the IPv4AddressPortPool:

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("<ipAddress>, 25570-47000")

Open powershell as an administrator:

  1. Click the Start button or press the Windows key.

  2. Type “PowerShell”.

  3. In the search results, right-click Windows PowerShell (or Windows PowerShell ISE).

  4. Choose Run as administrator.

  5. If prompted by User Account Control, click Yes.

In PowerShell, run the command:

Set-NetNatTransitionConfiguration -state disabled

Additional Resources