VOX

I already have a rule to allow everything to everywhere.

I am new to TMG and am just testing etc. so not sure how to do monitoring.

Ah, now I see that you have changed the port on the remote server only, you also need to configure the port range in the backup exec media server as shown in the following article

http://www.symantec.com/business/support/index?page=content&id=TECH24256

The port which is causing the conflict (10000) is not in my dynamic range as specified in BE.

However if I change NDMP (using the services file) to a different port (I tried 9000), the agent service starts.

Do I need to add 9000 NDMP to ALL servers now? Will that allow the agent and BE server to communicate as despite the agent service being started on the TMG server the BE server cannot browse to it or select any files for backup.

Thanks

You can create a test-job for only the TMG server, change the port number in the job and see if that works.
If it's working fine you can descide if you make a separate job for the TMG server, or change the port on all remote agents.

@ Future5,

What is the solution?

We have got the same problem.

- We have change the port on the TMG server to 9000,

- TMG rule allows port 9000 - 9999 inbound and outbound,

- We have change the port range in the media server from 9000 - 9999,

TMG logging still give the warning "Unidentified IP Traffic (TCP:10000)"

@ ZeRoC00L,

any other ideas?

What if you open port 10000 from/to the backup server ?

I have change the rules.

BE server to TMG server > Outbound > allow all

TMG server tot BE server > Outboud > allow all

BE freeze when browsing to the TMG server, no errors in TMG logging.

Still searching....

If you change the NDMP Port on one server from 10000 to something else then you have to change the port on all Backup Exec Media Servers and Remote Agents (Windows and Linux) as the port has to be common across all.

If you only need to backup the configuration of TMG, you can use this script to make a backup to a (remote) folder:

Create a Script with the following content and save the script TMG2010Backup.vbs with the .VBS extension.

Dim fileName
Dim WSHNetwork
Dim shareName: shareName = WScript.Arguments(0)
Dim xmldom : set xmldom = CreateObject("Msxml2.DOMDocument")
Dim fpc : set fpc = WScript.CreateObject("Fpc.Root")
Dim array : set array = fpc.GetContainingArray
set WSHNetwork = CreateObject("WScript.Network")
fileName=shareName & "\" & WSHNetwork.ComputerName & "-" & _
Month(Now) & "-" & Day(Now) & "-" & Year(Now) & ".xml"
array.Export xmldom, 0
xmldom.save(fileName)

To execute the script, use the following syntax:

Cscript TMG2010Backup.vbs \\SERVERNAME\TMGBACKUP

Hi Colin,

according to the Symantec article posted above you do not have to change the port on all media servers and remote agents if you're using version 11d and above, which the OP is.  I am also getting this problem and finding myself increasingly frustrated with not being able to backup my TMG servers.

The quote from the article is 

Note for Backup Exec 11d and above: The steps above can be done on the only the server/s affected. All other remote servers can have the existing/default NDMP Port.

I'd appreciate any advice you can give.

Quote from the Technote:

When a media server makes a connection with a remote system, the initial connection will be initiated on port 10000. The Remote Agent will be listening for connections on this pre-defined port.

and view the section:

Setting the dynamic port range for Backup Exec 11.x and above :

You will have to create a rule to open the initial port AND the dynamic port range in order to be able to create a backup.

But TMG 2010 comes with a very good monitoring tool.
Open it, and select the backup server as source/destination and try to start a backup and you can see in the monitoring window the ports that BE is trying to use.

Thanks,

I can see that the media server is trying to access my server via port 10000, Microsoft CIFS and PING.  All of which are allowed in my rule from the media server to the TMG server.

What if you (temporary) create a rule to allow any from/to the TMG server and BE server ?

Good idea, I'll try that now.

It looks like I can only create an "All outbound traffic" rule.  Which when selected I get denied requests on port 10000, these are allowed when the rule is in place as it was initially.

I have the backup exec media servers in the from and to tabs, and also the TMG servers in the from and to tabs, so traffic should be allowed both ways.

You are right, you can only create an "All outbound traffic" rule.
This seems to be a limitation of TMG, not BE.

But what I suggested before, you better use a script to backup the TMG configuration, a new server is build faster (and restore the configuration) than a complete restore with BE.

hmm, this is bad news.

I'm ok with having a script backing up the config as a temporary measure, but ideally I'd want this in with all my other servers.  Hopefully it's something that will get fixed in a future patch, either from BE or TMG's end.

Thanks.