When attempting to pair or back up a protected machine running Windows Server 2012, you receive the errors, "Unable to start backup because agent service is stopped, or, "Unable to start backup because agent is unreachable."
- Datto SIRIS
- Datto ALTO
- Datto Windows Agent
- Storagecraft ShadowSnap Agent
DirectAccess settings in the Group Policy are preventing communication between the backup agent and the Datto appliance. This will result in both agent pairing and backup failures.
- Verify that you have created TCP and UDP firewall rules for DirectAccess. The following steps are from Microsoft's Knowledge Base article, Configure DirectAccess in Windows Server Essentials (external link):
- On the Start page, open Group Policy Management.
- In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.
- Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain name Server (TCP-In), and then click Properties.
- Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.
- Repeat the same procedure for Domain Name Server (UDP-In).
- Reserve ports for the WinNat service by running the following PowerShell command:
Set-NetNatTransitionConfiguration –IPv4AddressPortPool @("192.168.1.100, 10000-47000")
By default, Microsoft recommends defining a port range of 10000-47000, which captures the ports used by the ShadowSnap Agent and the Datto Windows Agent. If you create your own range, ensure that you reference TCP port 25566 for ShadowSnap, and TCP port 25568 for the Datto Windows Agent.
- Configure DirectAccess in Windows Server Essentials (external link)