

 

Agent Computer Preparation

A command-line tool, AgentPreInstall.exe, is available which performs the firewall and DNS steps to prepare an agent computer.


Reflect Requirements

The Remote Agent install includes an install of Reflect. If the computer the Remote Agent is installed on has a standalone Reflect installation, it should be upgraded to the latest version before installation.

If the Remote Agent is installed on a computer without Reflect, a Macrium Agent License must be configured in the Management Console.

Group Policy Requirements

To allow appropriate permissions to create backups and copy them to remote file systems, the Remote Agent creates a Windows service which runs as a local user with administrative privileges. This user is created automatically by the installer and cannot be used to log in to the computer normally. 

This account requires the 'Log In As A Service' permission to be set. On standalone computers this is done automatically by the Remote Agent installer. On a domain-joined computer, the initial granting of this permission can be overwritten by the domain's Group Policy. 

If this is the case, the Remote Agent will initially work on install and appear live in the Management Console, but will fail to run on reboot of the client computer due to a login failure starting the service. This can be diagnosed by checking the Windows event log for service related errors involving the MacriumAgentService service. An example event log entry showing this situation is shown below:

To fix this, the Group Policy should be modified to include 'Log In As a Service' permission for local accounts named MacriumAgent.

More information is available on this process here.
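
The diagnosis described above can be scripted. This is an added example, not Macrium's tooling; it assumes the MacriumAgent account and MacriumAgentService service names given on this page, the standard Service Control Manager event IDs 7000, 7038 and 7041, and that secedit.exe is on the path.

```powershell
# Added example, not Macrium's tooling. Run from an elevated PowerShell prompt.
$account = 'MacriumAgent'   # local account name from this page; it is also a
                            # substring of the service name MacriumAgentService

# 1. Service Control Manager failures that mention the agent service or account.
#    7000 = service failed to start; 7038 and 7041 = service logon failed.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7038, 7041
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$account*" })
$events | Select-Object -Property TimeCreated, Id, Message -First 5 |
    Format-List | Out-Host

# 2. Export the current user-rights assignment and read SeServiceLogonRight,
#    the privilege behind "Log on as a service".
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item -Path $inf -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = @(($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') })
}

# secedit lists holders by account name or by *SID, so compare against both.
$sid = $null
try {
    $nt  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$account")
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Local account '$account' was not found on this computer."
}
$granted = ($holders -contains $account) -or ($sid -and ($holders -contains $sid))

[pscustomobject]@{
    Account             = $account
    Sid                 = $sid
    LogonFailureEvents  = $events.Count
    SeServiceLogonRight = [bool]$granted
}
```

A result with logon failure events and SeServiceLogonRight = False after a Group Policy refresh matches the situation described above.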

Enabling Communication with Agents - Automatic Steps

A command-line tool is available which performs all of the steps listed in the manual section below. To use it, it must be run on the client machine with administrative privileges.

The tool is available for download here.

Enabling Communication with Agents - Manual Steps

The Macrium Agent uses standard Microsoft Message Queuing (MSMQ) technology to communicate with the Central Management Console. Any firewalls must be configured to allow inbound Message Queuing traffic to each client computer. This is typically done automatically by Windows when the Message Queuing feature is enabled, but may require manual intervention when running under domain-managed firewall rules or when using a third-party firewall.

Windows XP and Server 2003 Specific Steps

The Macrium Agent can be remotely installed on Windows XP and Windows Server 2003, with the exception of Windows XP Home Edition. MSMQ is not available for Windows XP Home.

XP and Server 2003 do not install the remote management feature for Windows Installer by default. When this component is missing, the Central Management Console will display the following error message when attempting to remotely install the Macrium Agent - "Install Failed: Remote Install Not Available"

To enable remote installation, the "WMI Windows Installer Provider" Windows Component must be installed through the "Add or Remove Programs" Control Panel application. The component is found by selecting "Add/Remove Windows Components", selecting the "Management and Monitoring Tools" category, pressing the Details Button then ensuring the "WMI Windows Installer Provider" box is checked as shown below.

Windows Firewall

The built-in Windows Firewall has rules for Message Queuing as part of a 'Message Queuing' group. This group may be enabled by Group Policy on domains, or set manually in the UI as shown below:

The above can also be achieved by running the command below from an elevated command prompt

Other Firewalls

For third-party firewalls, if a built-in rule is not available the following ports may be used for inbound Message Queuing traffic.

 

Protocol    Port
TCP         1801, 380
RPC         135, 2101, 2103, 2105
UDP         3527, 1801

 

Please see the following Microsoft Article for further information on MSMQ port requirements:  https://support.microsoft.com/en-us/kb/178517

Discoverability

To successfully communicate, both the Central Management Console and the Agent must be able to resolve each other's NetBIOS names to an IP address. To test whether a client and server can successfully resolve each other's name, use the Windows ping command to check that the correct IP address is returned for the agent computer from the server and vice-versa. 

Enabling Remote Installation of the Agent on client computers

Computers connected to a domain

To enable remote installation of the Macrium Agent using domain user account credentials, the firewall on the client computer must be configured to allow appropriate inbound traffic. Since standard technologies are used for this communication, the built-in Windows Firewall has predefined rules for all necessary traffic.

Firewall Configuration

Any installed firewall (including the built-in Windows Firewall) needs to be configured to allow remote WMI (Windows Management Instrumentation). This is achieved by enabling the predefined inbound rules “Windows Management Instrumentation (WMI-In)”, “Windows Management Instrumentation (DCOM-In)” and “Windows Management Instrumentation (Async-In)” for the active profile as shown below:

 

The above can also be achieved by running the command below from an elevated command prompt

Windows XP and Server 2003
Windows Vista and Later

Note that the predefined rules in the Windows Firewall apply only to 'Private' and 'Domain' network connections, not 'Public' ones.

Computers not connected to a domain

Non-domain networks require additional steps to enable the appropriate services and functions required to remote install the Macrium Agent. Each client computer must be configured with the steps below to allow remote installation. 

Note that these steps are not required to manually install the Macrium Agent. 

Firewall Configuration

The firewall must be configured to allow Windows Management Instrumentation (WMI) traffic. See the domain computer configuration section above for details.

Enable File Sharing

In order to perform the install, file and printer sharing must be turned on. This is found in the Network and Sharing Center -> Advanced sharing settings as shown below.

 

Enabling Remote Management Users

Outside a domain, users connecting to a computer remotely have reduced privileges. This is part of built-in Windows security measures. The reduced privileges mean that Local Administrator accounts do not have sufficient privileges to install the Macrium Agent when connecting remotely.

To allow remote users to connect with their full Administrator privileges, the following registry entry must be set on the client computer:

  
Key      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name     LocalAccountTokenFilterPolicy
Type     DWORD
Value    1


See https://support.microsoft.com/en-us/kb/951016 for more information on this registry setting. 
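
To see which of these settings are actually in force on a client, the read-only audit below reports the inbound firewall rules named in the Windows Firewall and Firewall Configuration sections and the LocalAccountTokenFilterPolicy value. It is an added example, not Macrium's tooling, and assumes English rule display names and a Windows version that provides Get-NetFirewallRule.

```powershell
# Added example, not Macrium's tooling. Read-only; run from an elevated prompt.
# Get-NetFirewallRule needs Windows 8 / Server 2012 or later.

# Inbound rules named on this page: the 'Message Queuing' group and three WMI rules.
$wmi = 'Windows Management Instrumentation (WMI-In)',
       'Windows Management Instrumentation (DCOM-In)',
       'Windows Management Instrumentation (Async-In)'
$rules  = @(Get-NetFirewallRule -DisplayGroup 'Message Queuing' -ErrorAction SilentlyContinue)
$rules += @(Get-NetFirewallRule -DisplayName $wmi -ErrorAction SilentlyContinue)
$rules  = @($rules | Where-Object { $_.Direction -eq 'Inbound' })

$rules | Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile, Enabled, Action -AutoSize |
    Out-Host

# Enabled rules whose profile covers Public networks ('Any' includes Public).
$public = @($rules | Where-Object {
    "$($_.Enabled)" -eq 'True' -and "$($_.Profile)" -match 'Public|Any'
})

# LocalAccountTokenFilterPolicy: 1 turns off UAC remote restrictions, so remote
# logons by local administrators get a full token; absent or 0 is the default.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    InboundRulesFound             = $rules.Count
    InboundRulesEnabled           = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count
    EnabledOnPublicProfile        = $public.DisplayName
    LocalAccountTokenFilterPolicy = $(if ($null -eq $latfp) { 'not set' } else { $latfp })
}
```

Running it before and after preparing a client records exactly what was opened, which is useful for inventorying hosts where LocalAccountTokenFilterPolicy is set to 1.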

 
