Having trouble with pbm-agent and PBM_MONGODB_URI settings

We have a MongoDB cluster in version 4.4.4, comprised of 9 servers, config1/2/3, router1/2/3, and shard1/2/3.
The 3 config servers run mongod, each has pbm-agent installed.
On each config server, TLS required, we have /etc/default/pbm-agent like this,

PBM_MONGODB_URI="mongodb://pbmuser:PASSWORD@config1:27019/?authSource=admin&tls=true&authenticationMechanism=MONGODB-X509&tlsCAFile=/ssl/ca.pem&tlsCertificateKeyFile=/ssl/key.pem"

We also have a separate backup server with PBM installed, and /etc/default/pbm-agent,

PBM_MONGODB_URI="mongodb://pbmuser:PASSWORD@config1,config2,config3:27019/?authSource=admin&tls=true&authenticationMechanism=MONGODB-X509&tlsCAFile=/ssl/ca.pem&tlsCertificateKeyFile=/ssl/key.pem"

Is it the right setup? pbm-agent runs and remains active on config servers, so I assume PBM_MONGODB_URI is correct on them.
But if I run pbm status on backup server, it got connection refused on all 3 config servers, because they don’t accept external connections, only router servers do.
What did I miss? How should PBM connect to the cluster?

Hello, you don’t need a separate backup server. Usually you issue pbm commands directly on any of the 3 existing config servers. The idea is pbm agent connects to the local mongod process.

Thank you! I ran pbm status on config server, got error of Authentication failed to shard server. Do we need to install pbm-agent on all shard servers as well?

Another question is, if there is no need for a separate backup server, on each config server, should the PBM_MONGODB_URI include all config servers and shard servers?

Yes, pbm agent should be deployed on all config and shard servers. Regarding PBM_MONGODB_URI, the agent should be configured to connect to the local mongod only.