Backups know no bounds. Servers with data to backup are often located behind firewalls, requiring Backup Exec to cross that barrier. Windows XP's internal firewall adds to the complexity, with settings of its own. The default out-of-the-box settings for the Backup Exec server won't work in a firewwalled environment. This article will provide details on getting Backup Exec working in an environment with firewalls, and some helpful tips along the way.
In general with any network process, one way to open up the bare minimum number ports is to watch your firewall's failed access log while attempting to connect. Depending on the agents and options you have installed, you may need to resort to this process. Before we do that, there are some settings we need to change on the Backup Exec server.
== Typical Ports == For a typical Windows only setup, the following is the bare minimum list of ports to open between the BE Server and the Agents:
TCP 10000 (Server to Agent, initiate communications)
TCP 6101 (Server to Agent, browse resources)
TCP ?-? (Agent ports, as defined on the BE server - see below)
There are a number of other ports, including NETBIOS ports, that can be opened - but are not required to get good backups.
== For Firewalls between the BE Server and the Agents == By default, backup Exec will use random TCP ports when communicating to the agents. This obviously won't work with a firewall in the mix. Here is the process to configure BE to use a specific range of TCP ports:
-Open the Backup Exec Administrator
-From the "Tools" menu, select "Options"
-Select "Network and Security"
-Select "Enable remote agent TCP dymanic port range"
-Enter a start & stop value for TCP ports
-Make the range at least 25 ports, or 2 ports per active backup operation- whichever is larger
-Make the ports a large value, and unused by anything else on the server. For example: ports 20,000 - 20,024
You will then need to open these ports on your firewall for communication between all Backup Exec Media Servers and all Agents.
== Media Server Considerations == If you have more than one Media Server, remember that any agent can connect to any media server. Any firewall rules you create for a BackupExec server should be applied to all Media Servers. If your firewall supports creating rules with groups, you will probably want to make a "Backup Exec Servers" group for the rules you create.
Another option is to force a given job to use a specific media server, thus simplifying your firewall rules.
-Open the Job's properties
-Select the "Device and Media" settings.
-Check "Restrict backup of the selection..."
-Select a specific Media Server from the pull-down list under the check box.
== Domain/Workgroup Considerations ==
If your firewalled agents are not on the same domain as your BE server, you'll need to specify some security information.
Create a local account on the Agent server that will be used for Backup Exec and enter the same information within Backup Exec under "Network-logon accounts" for that server's job.
== Local XP/Vista/7 Firewall ==
If you're running the local Windows firewall (installed on all XP SP2 computers and above), or a 3rd party local firewall, you will need to add an exception for the program "beremote.exe".
In corporate environment, this is likely best done with Group Policy.
To do this manually on a typical XP computer, this is done via:
-Open Control Panel
-Open "Windows Firewall"
-Select the "Exceptions" tab
-The path depends on the version you're using, but it's probably:
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
-The Scope, depending on how secure you want to be, should probably be: