When attempting to pair or back up a protected machine running Windows Server 2012, you receive the errors, "Unable to start backup because agent service is stopped, or, "Unable to start backup because agent is unreachable."
- Datto SIRIS
- Datto ALTO
- Datto Windows Agent
- StorageCraft ShadowSnap Agent
DirectAccess settings in the Group Policy are preventing communication between the backup agent and the Datto appliance, which can cause agent pairing and backup failures.
- Verify that you have created TCP and UDP firewall rules for DirectAccess. The following steps are from Microsoft's Knowledge Base article, Configure DirectAccess in Windows Server Essentials (external link):
- On the Start page, open Group Policy Management.
- In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.
- Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain name Server (TCP-In), and then click Properties.
- Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.
- Repeat the same procedure for Domain Name Server (UDP-In).
- Reserve ports for the WinNat service by running the following PowerShell command:
Set-NetNatTransitionConfiguration –IPv4AddressPortPool @("192.168.1.100, 10000-47000")
By default, Microsoft recommends defining a port range of 10000-47000, which captures the ports used by the ShadowSnap Agent and the Datto Windows Agent. If you create a custom range, ensure that you reference TCP port 25566 for ShadowSnap and TCP port 25568 for the Datto Windows Agent.
- Configure DirectAccess in Windows Server Essentials (external link)