Firewall Ports?


Mrmark68

Does anyone know what ports I need to use to back up remote servers that are on the other side of our firewall?

I'm using Backup Exec v9.

Thanks in advance,

Mark
 
Through trial and error I set this up for a client two weeks ago.

Say you have 1 BE media server and 1 remote server. 2 ports are required on the backup server side and 2 ports on the remote server/remote agent side. If you need to do multiple simultaneous backups, this will require more ports.

The remote agent is listening on port 10000 which is a well known port for NDMP. The media server will make a connection with a remote system which it initiates on port 10000. In addition, the media server will bind to ports on the remote server in a range you can specify if you want in Backup Exec. Similarly, the remote agent will bind to a range of configurable ports as well.
If you don't change anything at all, BE will use any ports in a range between 1025-65535 (which would be a problem w/firewall config).
So you can specify a small # of specific ports for media server and remote server to use.

So, set firewall up to allow port 10000 and a range of say 5 ports going out. Then allow a different range of 5 ports coming in from remote server. The manual recommends a range of 50 ports, but a min of 5 ports is a must or none of this will work.

Cheers!
 
Thanks Fuubar,

I'm able to see the computer now, but when I go try and do a backup of it, I'm getting the following error message:

Job ended: Monday, March 03, 2003 at 11:02:58 AM
Completed status: Failed
Final error code: a00084f9 HEX
Final error description: A communications failure has occurred between the Backup Exec job engine and the remote agent.

Final error category: Resource Errors


Any ideas on why I might be getting this?

Thanks in advance,

Mark
 
hope this helps

How to configure Backup Exec 8.6 to protect servers on secured (firewalled) networks.
TechNote ID: 243104 Last Updated: January 29 2002 07:59 PM GMT

Caution! The information in this TechNote is based upon certain assumptions, including product, operating system and platform versions. You can review this information in the TechNote Summary portion of this document. This document ( 243104 ) is provided subject to the disclaimer at the end of this document.
--------------------------------------------------------------------------------

Symptom:
How to configure Backup Exec 8.6 to protect servers on secured (firewalled) networks.

Solution:

This TechNote is a courtesy from VERITAS to our customers who wish to backup through a firewall. This TechNote will describe step-by-step how to configure such a firewall and server(s) to support Backup Exec for Windows NT and Windows 2000 in this environment. When implementing changes contained in this TechNote, please be aware that these are only suggestions from our customers and, as such, are not supported or endorsed by VERITAS Software.

The information provided in this TechNote will not be supported by VERITAS Technical Support Engineers. Our customers have graciously submitted the following information that, when implemented, is reported to provide varying levels of success in using Backup Exec in a firewall environment.


This technote also makes certain assumptions, listed here:

A working knowledge of what a firewall is
How to properly use and configure a firewall
Detailed knowledge of TCP/IP
Backup Exec is installed and properly licensed

Section I : Backup Exec Server DCOM/RPC Configuration

VERITAS Backup Exec uses several NetBIOS ports as well as DCOM/RPC to back up a remote server. By default, RPC will use a random available port to communicate to other clients and servers. The document listed below explains how to force RPC to use a specific range of ports:


Limiting the amount of RPC ports available also limits the amount of connections the server can have (inbound and outbound) to other clients and servers. A range of ports that is too restrictive (less than 20 RPC ports) can cause applications to function improperly or not function at all. Please test all configurations thoroughly.

To begin the configuration process of the Backup Exec server:

1. Go to Start -> Run, type DCOMCNFG, and press Enter. The following image will be displayed (Figure 1):

Figure 1

(The screen may differ slightly, as what is seen here depends largely on what applications are installed).

2. Select the tab marked 'Default Protocols' (Figure 2).

Figure 2

(The screen may differ slightly)

3. Select 'Connection Oriented TCP/IP' and click the 'Move Up' button until it is located at the top of the list.
4. Click the 'Properties' button.
5. Click the 'Add' button to specify a port range (Figure 3).

Figure 3


6. Specify a port range for DCOM/RPC to use. As an example, this shows the 25 ports between 24001 and 24025 will be reserved for DCOM/RPC. Notice that there are no spaces in between the range specification. 24001-24025 is a valid selection whereas 24001 - 24025 is an invalid selection (Figure 4).

Figure 4


Choose any ports between 5000 and 65535, however, applications installed that require the use of certain local ports may be unable to bind to those ports if they are reserved for DCOM/RPC. Research the server application configuration before specifying a port range. VERITAS recommends that a minimum of 20 ports are used for DCOM/RPC.

7. Once the port range is specified, click the 'OK' button (Figure 5).

Figure 5


8. Verify that 'Port Range Assignment' and 'Default Dynamic Port Allocation' have 'Internet Range' selected.
9. Click 'OK' to close the properties window and click 'OK' again to close DCOMCNFG. Once these changes are complete, reboot the computer so these changes take effect.

Section II : Firewall Configuration

To allow Backup Exec to protect servers on a firewalled network, the following ports MUST be open:

Port Number                  Protocol  Direction         Description
88                           UDP       Inbound/Outbound  Kerberos (Windows 2000)
135                          TCP       Inbound/Outbound  NetBIOS
135                          UDP       Inbound/Outbound  NetBIOS
137                          UDP       Inbound/Outbound  NetBIOS Name Services
138                          UDP       Inbound/Outbound  NetBIOS Datagram Service
139                          TCP       Inbound/Outbound  NetBIOS Session Service
445                          TCP       Inbound/Outbound  NetBIOS (Windows 2000)
6103                         TCP       Inbound/Outbound  Backup Exec Remote Agent
DCOM/RPC Ports (from above)  TCP       Inbound/Outbound  DCOM/RPC
DCOM/RPC Ports (from above)  UDP       Inbound/Outbound  DCOM/RPC

(If the environment does not contain Windows 2000 servers, the Windows 2000 ports can remain closed)

Here is an example of how a firewall would be used to protect a network (Figure 6):

Figure 6


In this situation, all required ports would be open for Inbound/Outbound connections, but specific firewall rules can allow packets with a source or destination port listed above and a source address of 192.168.2.2 and a destination address of 4.3.10.56 or a source address of 4.3.10.56 and a destination address of 192.168.2.2 to pass through the firewall. All other packets with a source or destination port listed above can be dropped, protecting the security of the environment.

For assistance in configuring the firewall, please contact your firewall manufacturer.

Section III : Name Resolution Configuration (WINS/DNS)

VERITAS Backup Exec needs a functional name resolution structure in place before attempting a backup. This structure can consist of a DNS server, a WINS server, or simply modifying the LMHOSTS and HOSTS files. VERITAS recommends using a name server if DHCP is used on the network and at least one of the target servers are using DHCP. Without functioning name resolution, successful and consistent backups of a protected resource cannot be achieved.

For more information on setting up and configuring name resolution, please read the following Microsoft technote articles:
DNS and Active Directory
How Browsing a Wide Area Network Works
NetBIOS Name Resolution Using DNS and the HOSTS File
NetBIOS over TCP/IP Name Resolution and WINS
Recommended Practices for WINS

Section IV : Backup Exec Service Account Configuration

More than likely, servers located on the external network have not joined the Windows domain of the internal network (and may even be members of their own domain). To authenticate properly to the servers located on the external network, multiple user accounts must be created. In the following example (Figure 7):

Figure 7


Create an account within the internal domain COMPANY:
Username: VERITAS
Password: MYPASSWORD
Group Memberships: Administrators (local group), Domain Admins (global group)

If the target server(s) are in a domain and there is no trust relationship, create a domain account on the external domain FWNET:
Username: VERITAS
Password: MYPASSWORD
Group Memberships: Administrators (local group), Domain Admins (global group)

If the target server(s) are in a workgroup, an account must be created on each target server:
Username: VERITAS
Password: MYPASSWORD
Group Memberships: Administrators (local group)

Note : The password for this account must be identical on each domain and workgroup server.

Once complete, all Backup Exec services must be set to log on as COMPANY\VERITAS.

Section V : Backup Exec Application Configuration

To back up the servers located within your external network, specify a User-Defined Selection for each server.

1. Open the Backup Exec application and select the 'Backup Selections' tab.
2. Expand the 'Remote Selections' tree.
3. Right-click 'User-Defined Selections'
4. Select the option for 'User-Defined Selections' as seen in this image (Figure 8):

Figure 8


5. The 'User-Defined Selections' menu appears (Figure 9):

Figure 9


6. Add the target server to the list of User-Defined selections by typing the name or IP address of the target server and clicking 'Add' (Figure 10):

Figure 10


7. Repeat this procedure to add all target servers located on the external network.
8. Click 'Close' to close the 'User-Defined Selections' menu.

The target servers are now protected by Backup Exec and can be added to any new or existing backup jobs.

Section VI : Installing Agents onto Target Servers

Backup Exec agents such as the Backup Exec Remote Agent and the Backup Exec Open File Option must be installed locally onto all target servers. For instructions on installing the Backup Exec Remote Agent and the Backup Exec Open File Option locally, refer to the technotes listed in the Related Documents section located at the bottom of this technote.

Section VII : Configuration Completed!

Congratulations, VERITAS Backup Exec is now configured to protect servers on a secured network.
Remember : Test backups and restores of the target server(s) to verify the integrity (and security) of the environment!
Related Documents:
230790: How to perform a silent installation of the Backup Exec Remote Agent for Windows NT and 2000, previously known as the Agent Accelerator, from a Command Prompt.
239914: How to perform a silent installation of the VERITAS Backup Exec Open File Option Agent from the command prompt
243218: How to configure Backup Exec 8.6 to protect SQL 7.0 and SQL 2000 servers on secured (firewall) networks.
243598: How to configure Backup Exec 8.6 to protect Exchange 5.5 and Exchange 2000 servers on secured (firewall) networks.
243611: How to configure Backup Exec 8.6 to protect UNIX-based servers on secured (firewall) networks.
243622: How to configure Backup Exec 8.6 to protect Lotus Domino servers on secured (firewall) networks.
243624: How to configure Backup Exec 8.6 to protect SharePoint Portal Server on secured (firewall) networks.
243639: How to configure Backup Exec 8.6 to protect Oracle servers on secured (firewall) networks.
243716: How to configure Backup Exec 8.6 to protect Novell NetWare 5.1 servers on secured (firewall) networks.




--------------------------------------------------------------------------------
TechNote Summary:
TechNote Title: How to configure Backup Exec 8.6 to protect servers on secured (firewalled) networks.
TechNote ID: 243104
Last Updated: January 29 2002 07:59 PM GMT
Document Expires:
The information in this TechNote applies to:
Products: Backup Exec for Windows Servers (All Versions) 8.6 for Windows NT and 2000

Subject: Application - Agent Support
Application - Backup
Application - How To
Application - Remote Agent For Nt
Application - Restore

Languages: English

Operating Systems: Windows 2000 Server 5.00.2195 SP 2
Windows 2000 Advanced Server 5.00.2195 SP 2
Windows NT 4.0 Serv SP6a


--------------------------------------------------------------------------------

VERITAS Software, 1600 Plymouth Street, Mountain View, California 94043 FTP: ftp://ftp.support.veritas.com
THE INFORMATION PROVIDED IN THE VERITAS SOFTWARE KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. VERITAS SOFTWARE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL VERITAS SOFTWARE OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,EVEN IF VERITAS SOFTWARE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
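Section II of the TechNote pasted above says the listed ports can be limited to traffic between 192.168.2.2 and 4.3.10.56. The sketch below is an added example, not VERITAS or Backup Exec code: it models a first-match rule list and reports which backup ports a third host could still reach. The rule format, the function names and the outside address 203.0.113.9 are assumptions made for illustration.

```python
# Added illustration; the rule model and all names here are hypothetical.
# Fixed ports come from the Section II table; 24001-24025 is the DCOM/RPC
# example range from Section I.
FIXED = {("udp", 88), ("tcp", 135), ("udp", 135), ("udp", 137),
         ("udp", 138), ("tcp", 139), ("tcp", 445), ("tcp", 6103)}
DCOM = {(proto, n) for proto in ("tcp", "udp") for n in range(24001, 24026)}
BACKUP_PORTS = FIXED | DCOM
HOST_A, HOST_B = "192.168.2.2", "4.3.10.56"  # address pair from the TechNote
OUTSIDER = "203.0.113.9"                     # constructed test address


def matches(rule, pkt):
    """Match on addresses and on the source OR destination port."""
    return (rule["src"] in ("any", pkt["src"])
            and rule["dst"] in ("any", pkt["dst"])
            and ((pkt["proto"], pkt["sport"]) in rule["ports"]
                 or (pkt["proto"], pkt["dport"]) in rule["ports"]))


def decide(rules, pkt):
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "drop"


def pinned_rules():
    """Backup ports allowed only between the two named hosts, both ways."""
    return [{"action": "allow", "src": HOST_A, "dst": HOST_B, "ports": BACKUP_PORTS},
            {"action": "allow", "src": HOST_B, "dst": HOST_A, "ports": BACKUP_PORTS}]


def open_rules():
    """The same ports opened inbound/outbound for every address."""
    return [{"action": "allow", "src": "any", "dst": "any", "ports": BACKUP_PORTS}]


def exposed_ports(rules, src=OUTSIDER, dst=HOST_A):
    """Backup ports on dst that a host outside the pair is still allowed to reach."""
    hits = []
    for proto, port in sorted(BACKUP_PORTS):
        pkt = {"proto": proto, "src": src, "dst": dst, "sport": 40000, "dport": port}
        if decide(rules, pkt) == "allow":
            hits.append((proto, port))
    return hits
```

An empty result from `exposed_ports(pinned_rules())` next to 58 entries from `exposed_ports(open_rules())` is the difference the TechNote's address-pair rule makes.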
 
ih8MSos's post would be relevant if you were using Backup Exec 8.x; but BE 9 isn't using NetBIOS or RPC to talk on the network. Additionally, logon credentials are only used by the remote agent on the remote server; not from the BE server anymore.

I had to work on this w/V support to get it to work and thru trial and error.

MrMark68, your error is just what it states, communication is not happening between the job engine service on the BE server and the remote agent. Does the backup job log show the Data and Control connection made in the "Job Operation - Backup" like:

Network control connection is established between 10.0.0.1:1136 <--> 10.0.0.2:10000
Network data connection is established between 10.0.0.1:1139 <--> 10.0.0.2:1111

If it doesn't, you don't have the Data / Control connections being made that are required.

Put the remote agent on the remote server in debug mode, do the same for the Job Engine service and then run a test backup.
1. Double-click the 'Backup Exec Remote Agent for Windows Servers' service on the remote server.
2. Click the 'Stop' button.
3. Type '-debug' (w/o quotes) in 'Start Parameters'
4. Click the Start button to start this service.
-This will create a beremote.log file in the \Program Files\Veritas\BE\RANT\Logs folder.
--Do the same thing for the Backup Exec Job Engine service on the BE server. It will put a log file in the \Program Files\Veritas\BE\NT\Logs folder.
-Run a test backup. You should see connections made in these debug logs. If not, there is a problem with the ports used possibly.
--Make sure you are forcing BE server and the remote agent to use a specified range of ports that you config'd firewall to allow in and out. Do this in Tools|Options|Network in BE.

Good luck!
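The job-log check described in the post above can be scripted. This is an added example, not Backup Exec tooling or the poster's code: it parses the "Network control/data connection is established" lines and compares the ports with the ranges the firewall allows. The function names and the example port ranges are assumptions, as is reading the left endpoint as the media server and the right as the remote agent.

```python
import re

# Sample lines taken from the post above.
SAMPLE_LOG = """\
Network control connection is established between 10.0.0.1:1136 <--> 10.0.0.2:10000
Network data connection is established between 10.0.0.1:1139 <--> 10.0.0.2:1111
"""

LINE_RE = re.compile(
    r"Network (control|data) connection is established between "
    r"([\d.]+):(\d+) <--> ([\d.]+):(\d+)"
)
AGENT_CONTROL_PORT = 10000  # remote agent listener named in the thread


def parse_connections(log_text):
    """Return (kind, left_ip, left_port, right_ip, right_port) per logged line."""
    return [
        (kind, lip, int(lport), rip, int(rport))
        for kind, lip, lport, rip, rport in LINE_RE.findall(log_text)
    ]


def check_job_log(log_text, media_range, agent_range):
    """List mismatches between logged connections and the firewall's port plan.

    Assumption: the left endpoint is the media server and the right one the
    remote agent, as in the sample. Ranges are inclusive (low, high) tuples.
    """
    conns = parse_connections(log_text)
    findings = []
    for kind in ("control", "data"):
        if not any(c[0] == kind for c in conns):
            findings.append(f"no {kind} connection logged")
    for kind, _, mport, _, aport in conns:
        if not media_range[0] <= mport <= media_range[1]:
            findings.append(f"{kind}: media server port {mport} outside {media_range}")
        if kind == "control" and aport != AGENT_CONTROL_PORT:
            findings.append(f"control: agent port {aport} is not {AGENT_CONTROL_PORT}")
        if kind == "data" and not agent_range[0] <= aport <= agent_range[1]:
            findings.append(f"data: agent port {aport} outside {agent_range}")
    return findings


if __name__ == "__main__":
    # Hypothetical firewall plan: five ports per side, as suggested in the thread.
    for finding in check_job_log(SAMPLE_LOG, (5000, 5004), (5005, 5009)):
        print(finding)
```

A finding that a port lies outside its range means the port setting under Tools|Options|Network has not taken effect on that side, so the firewall will not pass the connection.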
 
Anyone use Backup Exec v9 along with MS ISA2000? I'm starting to wonder if we got the ports set up right on ISA.

Any input would be great.

Thanks in Advance,

Mark
 