Backup Exec 2012 RALUS through firewall required ports

Artegic
Level 6

I'm running Backup Exec 2012 SP4 on Windows Server 2008 R2 to back up, among others, a Red Hat Enterprise Linux server with RALUS. The two are separated by a firewall which I control. I have read

http://www.symantec.com/docs/HOWTO73383

http://www.symantec.com/docs/HOWTO73384

http://www.symantec.com/docs/TECH43579

http://www.symantec.com/docs/TECH48490

http://www.symantec.com/docs/TECH49563

http://www.symantec.com/docs/TECH190459

but am still somewhat unsure which ports I need to open in which direction on the firewall. My current idea is to enable the "Dynamic TCP Port Range" option in Backup Exec Network and Security settings, set the range to, say, 57344-57375 for a total of 32 ports, and then in the firewall open

  • TCP port 6101 (agent discovery) from RALUS to media server
  • TCP port 10000 (control port) from media server to RALUS
  • TCP port range 57344 to 57375 (dynamic ports) from media server to RALUS

Is that correct, or is it the opposite direction for the dynamic ports? Is port 10000 required in the opposite direction (RALUS to media server) too? What about the deduplication ports (10082, 10102 and possibly 10085 depending on which article you consult) - who needs those and when?

aTdHvAaNnKcSe,
Tilman

1 ACCEPTED SOLUTION

CraigV
Moderator
Moderator
Partner    VIP    Accredited

Port 10000 is required in both directions.

Thanks!

5 REPLIES 5

Artegic
Level 6

Anyone?

CraigV
Moderator
Moderator
Partner    VIP    Accredited

It's easy enough...port 10000 needs to be opened on any firewall where a RAWS/RALUS agent and media server will be communicating. If you only open the port on 1 firewall (say the media server) but leave it blocked on the other (remote Windows/Linux server) then you should end up with disrupted traffic.

You can either open them on both servers, or open them on the media server and see the impact. My suggestion would be on both servers if your policy allows this.

Thanks!

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

The deduplication ports probably relate to performing client-side deduplication, where the remote agent directly accesses the deduplication storage on the media server. Those ports would therefore not be needed if you are not configuring deduplication or client-side operations with deduplication.

I believe your other ports are correct, just be aware that name resolution may need to work in both directions (use hosts files if necessary) and if the router/firewall is not the default gateway for the subnet containing either the media server or your Linux hosts then you may need static routes as well. Also you need to open 10000 plus the range you configure on your firewall, not just the range.

I assume this firewall is not also providing NAT, as it is difficult to get the outbound NDMP traffic and the inbound RAWS advertising traffic both working if NAT is involved.

Artegic
Level 6

Thanks for your replies.

@CraigV: I'm not concerned about the host firewalls of the participating servers, but about the network firewall connecting the network on which the media server is residing to the one with the Linux server to be backed up.

@Colin: The firewall is the default gateway for both of these networks, and is not doing NAT between them, so no worries in that respect. DNS resolution through the internal nameserver is also available in both networks.

So I gather TCP port 10000 is needed in both directions, from media server to RALUS and from RALUS to media server. Correct?

We do use deduplication, preferably client side. Because of the problem reported here, the Linux servers are currently set to server side deduplication, but I hope to sort that out eventually. So the deduplication ports might still be relevant. Is there any information source on these beyond the technotes I cited?

CraigV
Moderator
Moderator
Partner    VIP    Accredited

Port 10000 is required in both directions.

Thanks!
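
The port list this thread settles on, written out as a forward-chain fragment for a network firewall between the two subnets. This is an added example, not part of any post above; it assumes the firewall is a Linux box running nftables, and the two addresses are constructed placeholders. The directions for 6101 and the dynamic range are the ones proposed in the original question, and 10000 is opened both ways as in the accepted answer.

```nftables
# Constructed example addresses (documentation ranges), replace with your own.
define MEDIA = 192.0.2.10       # Backup Exec media server
define RALUS = 198.51.100.20    # Linux host running the RALUS agent

table inet backupexec {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic between the two backup endpoints is handled here;
        # everything else is left to the rest of the ruleset.
        ip saddr $MEDIA ip daddr $RALUS jump be_pair
        ip saddr $RALUS ip daddr $MEDIA jump be_pair
    }

    chain be_pair {
        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Agent discovery: RALUS -> media server.
        ip saddr $RALUS tcp dport 6101 ct state new accept

        # Control port: required in both directions.
        tcp dport 10000 ct state new accept

        # "Dynamic TCP Port Range" as configured in Backup Exec
        # (57344-57375 in the question): media server -> RALUS.
        ip saddr $MEDIA tcp dport 57344-57375 ct state new accept

        # Client-side deduplication only. The direction is an assumption
        # based on the agent accessing storage on the media server.
        # ip saddr $RALUS tcp dport { 10082, 10102 } ct state new accept

        # Anything else between the two hosts is logged and dropped, so a
        # missing port shows up in the firewall log during a test job.
        log prefix "be-ralus-drop " drop
    }
}
```

The final log rule is the useful part when the direction of a port is in doubt: run a test backup and read which source, destination and port were dropped.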