Future5
14 years ago

Backing Up 2k8 R2 Server with TMG 2010 Installed

We are using BE 2010 R3 and I have run into a problem after installing TMG 2010 on one of my test servers.

I cannot get BE to talk to this server.

At first I couldn't deploy the agent, so I did a manual install and that worked fine.

I then discovered from the web that TMG conflicts with port 10000 and that this was the issue.

After changing the port to 9000 on the TMG server (and only the TMG server - didn't know if this was right) I got the agent services to start on this server but couldn't get the BE server to communicate with it.

Is there anything else I need to do so that I can get my BE server to back up the TMG server?

Both servers are running Windows 2008 R2 Enterprise server. We are only using TMG as a proxy cache so have a rule to allow everything to everywhere, so I don't think it's a TMG rule causing the problem.

Thanks in advance.

24 Replies

  • The way I finally got it to work was to change the NDMP port to 9000 by adding the line:

    ndmp 9000/tcp

    to the end of the services file in c:\windows\system32\drivers\etc on the TMG server.

    Then create a rule in TMG to allow traffic from the backup exec media server and localhost, to localhost and the backup exec media server.  You need to allow port 9000, and also any ports you have declared in the dynamic range on your BE media server Options>Network&Security Page (all TCP outbound).

    I also restarted the backup exec remote agent on the TMG server and made sure only one instance of the process was running using task manager.

  • Did you end up making the ndmp change on all your other remote servers?  Reason I ask is I'm right in the middle of this process and BE support says I must do this on all my servers which is not an option so I'm looking to perform the following to resolve this:

    posts regarding this http://forums.isaserver.org/changing_dynamic_port_starting_point_for_TMG/m_2002110012/tm.htm and

    http://forums.isaserver.org/TMG_2010_blocking_Backup_Exec_Remote_Agent/m_2002102772/tm.htm

    1. netsh int ipv4 set dynamicport tcp start=10201 num=55334
    2. netsh int ipv4 set dynamicport udp start=10201 num=55334

    TMG current settings:

    C:\>netsh int ipv4 show dynamicportrange tcp

    Protocol tcp Dynamic Port Range
    ---------------------------------
    Start Port      : 10000
    Number of Ports : 55535

    C:\>netsh int ipv4 show dynamicportrange udp

    Protocol udp Dynamic Port Range
    ---------------------------------
    Start Port      : 10000
    Number of Ports : 55535
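
The check behind the reply above, as an added example that is not part of the original thread: it reads the ndmp entry from a services file and the netsh dynamic port range, then reports whether the agent port lies inside that range, where Windows can hand it out as an ephemeral port. Function names are hypothetical, the sample input is constructed to match the output quoted in the thread, and the default of 10000 is taken from the original post.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$DefaultNdmpPort = 10000   # agent port named in the original post

function Get-NdmpPort {
    param([string[]]$ServicesLines)
    foreach ($line in $ServicesLines) {
        $entry = ($line -split '#')[0].Trim()          # strip trailing comments
        if ($entry -match '^ndmp\s+(\d+)/tcp(\s|$)') { return [int]$Matches[1] }
    }
    return $DefaultNdmpPort                             # no override line present
}

function Get-DynamicPortRange {
    param([string[]]$NetshLines)
    $start = $null; $count = $null
    foreach ($line in $NetshLines) {
        if ($line -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
        if ($line -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    }
    if ($null -eq $start -or $null -eq $count) { throw 'Unrecognised netsh output' }
    New-Object PSObject -Property @{ Start = $start; End = $start + $count - 1 }
}

function Test-PortInRange {
    param([int]$Port, $Range)
    ($Port -ge $Range.Start) -and ($Port -le $Range.End)
}

# Constructed samples. On a live server use instead:
#   $services = Get-Content "$env:SystemRoot\System32\drivers\etc\services"
#   $netsh    = netsh int ipv4 show dynamicportrange tcp
$servicesStock   = @('echo 7/tcp', 'ftp 21/tcp')
$servicesChanged = @('echo 7/tcp', 'ndmp 9000/tcp')
$netshCurrent    = @('Start Port      : 10000', 'Number of Ports : 55535')
$netshProposed   = @('Start Port      : 10201', 'Number of Ports : 55334')

$cases = @(
    @{ Label = 'no ndmp line, current range';   Services = $servicesStock;   Netsh = $netshCurrent  },
    @{ Label = 'no ndmp line, proposed range';  Services = $servicesStock;   Netsh = $netshProposed },
    @{ Label = 'ndmp 9000 line, current range'; Services = $servicesChanged; Netsh = $netshCurrent  }
)
foreach ($c in $cases) {
    $port  = Get-NdmpPort $c.Services
    $range = Get-DynamicPortRange $c.Netsh
    $hit   = Test-PortInRange $port $range
    '{0}: ndmp {1}, dynamic {2}-{3}, inside range = {4}' -f $c.Label, $port, $range.Start, $range.End, $hit
}
```
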

  • On BackupExec Server:

    In the C:\Windows\System32\Drivers\Etc\Services file added the line:

    ndmp 12000/tcp #RAWS

    (did not have to reboot server)

    Under tool/options set the 'Network and Security' to 'Enable remote agent TCP dynamic port range' to 1065-65535 (I suppose I could try dropping it to 10000-120000 but it's working so I'm not keen to test it out yet).

    On TMG itself:

    In the C:\Windows\System32\Drivers\Etc\Services file added the line:

    ndmp 12000/tcp #RAWS

    and set up a TMG rule to allow all outbound protocols from BackupExec Servers to Localhost

    On each of the servers that need backing up I had to configure:

    In the C:\Windows\System32\Drivers\Etc\Services file added the line:

    ndmp 12000/tcp #RAWS

    and set up a domain-only Windows Firewall outbound rule to allow all outbound protocols

    and reboot each machine for this to work.

    Ran test run on each of the jobs and made sure the result came back passed with an indication of the data amount on the server being scanned.

    I don't know why it won't just allow me to set the dynamic port range to 10000-12000 and set TMG on port 12000 and leave the others as the standard 10000, but it took a bit of work and now it is backing everything up again happily.


    Cheers,
    Rob

  • Hi All

    The change in NDMP port requirements from "all servers must be the same" to "you can use different settings on a per-server basis" was a change that for some reason had not been widely published to the support staff - hence my mistake earlier in this thread that someone corrected.

    However I have found out since then that for different NDMP ports on a server-by-server basis to work, remote agent publishing/advertising must be working and the remote servers concerned must show correctly in favorite resources. Along with this, if you run a BE Diagnostics Report (bediag.txt) the resulting text file contains a section called
    "Backup Exec Agents seen by "

    If you check this section it will show you the NDMP port that the media server thinks each remote server is using. (Network address parameter: --> Port: )

    Be aware that agent publishing can be broken by our TLS Handshaking / Certificate issue that is ongoing and pending a Hotfix