Backup Exec agent on TMG 2010

John_Fedor
Level 4
Partner

We have on the TMG servers the following modification made in SERVICES.

ndmp 10101/tcp # For Backup exec remote agent - http://www.symantec.com/business/support/index?page=content&id=TECH24256

Restarting the BE Remote agent, we can confirm the agent is now listening on TCP 10101.

This has been in place for a while and working fine. However, along the way of BE updates, backups stopped using it. We can watch the server always trying to talk to the agent over TCP 10000 instead of TCP 10101.

As noted in that article, it should only need to occur on the servers affected; we never had to do it to the BE server itself, just the remote agents.

Firewall configuration is fine on the TMG server.

If we change the SERVICES on the BE Server itself and restart, we can now communicate with the agent properly. However, we now have issues communicating with other servers that do not have the SERVICES file modified since they are all talking on TCP 10000 still. Would rather not have to change all of our servers, would rather the BE server make use of the agent's configuration.

I've also tried re-establishing the trust on the agent.  From the agent, removed the publishing destination, then re-added it with the proper credentials to access the BE server.  However, packet captures of this show that the BE Server insists on sending traffic with a destination port of TCP 10000 to the BE agent, when it clearly needs to be TCP 10101.

Is there some setting/adjustment/tweak that we could do to make this work? Is this a known issue? I've seen this before as well: https://www-secure.symantec.com/connect/forums/backup-exec-2010-and-threat-management-gateway-2010

But making the server listen on a different port isn't practical and wasn't necessary in the past.

Thanks.

UPDATE: Looks like it is fixed. Disabled security (https://www-secure.symantec.com/connect/forums/ssl-handshakes-fails) on the agent & the server, and was able to talk properly over the correct port.

Which will make sense with an update breaking it. Will push out a GPO to push the setting out to all domain machines and tweak the non-domain machines manually.

Colin_Weaver
Moderator
Employee Accredited Certified

In the past BE required that all remote agents and media servers were on the same NDMP port. The system that allows different NDMP ports on different servers requires remote agent publishing to be working, and this process can be broken by our current security handshaking defect. Details of the defect are here: http://www.symantec.com/docs/TECH168154

 

Your choices are

1) set all of the media and remote servers running BE Components to use the same ndmp port (so in your case change them all to 10101)

2) Wait for the hotfix for the Handshaking issue (which I believe will be released relatively soon but can't put an ETA on, due to be Hotfix 180429, but this number may be subject to change)

3) Disable the TLS security, which takes you back to the same levels of security as seen in 2010 R2 and introduces the possibility of a "Man in the Middle" security breach. (Google that term for more info on what it means.) For how to disable it, look at the solution post in http://www.symantec.com/connect/forums/ssl-handshakes-fails
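
Added example (not part of the original thread and not Symantec code): a PowerShell check for the port mismatch discussed above, which reads each host's SERVICES content and reports whether its `ndmp` TCP port agrees with the media server's. The function names, host names and sample file contents are hypothetical and constructed; the fallback of 10000 is the port the thread observes for servers without an `ndmp` entry.

```powershell
# Added example: function names and sample host data are hypothetical/constructed.
function Get-NdmpPort {
    param(
        [string[]]$ServicesLines,
        [int]$DefaultPort = 10000   # port the thread observes when no ndmp entry exists
    )
    foreach ($line in $ServicesLines) {
        # Strip the trailing comment, then split "name port/proto [aliases...]"
        $entry = ($line -split '#', 2)[0].Trim()
        if (-not $entry) { continue }
        $fields = @($entry -split '\s+')
        if ($fields.Count -lt 2) { continue }
        # The service name or any alias may carry the ndmp label
        $names = @($fields[0]) + @($fields | Select-Object -Skip 2)
        if (($names -contains 'ndmp') -and ($fields[1] -match '^(\d+)/tcp$')) {
            return [int]$Matches[1]
        }
    }
    return $DefaultPort
}

function Get-NdmpPortReport {
    param([hashtable]$ServicesByHost, [string]$MediaServer)
    # The media server's effective port is the reference every agent is compared to
    $expected = Get-NdmpPort -ServicesLines $ServicesByHost[$MediaServer]
    foreach ($name in ($ServicesByHost.Keys | Sort-Object)) {
        $port = Get-NdmpPort -ServicesLines $ServicesByHost[$name]
        New-Object PSObject -Property @{
            Host              = $name
            NdmpPort          = $port
            SameAsMediaServer = ($port -eq $expected)
        }
    }
}

# Constructed sample contents; on a real host read the file with
# Get-Content "$env:SystemRoot\System32\drivers\etc\services"
$sample = @{
    'BE-SERVER' = @('echo 7/tcp', 'ldap 389/tcp')
    'TMG01'     = @('echo 7/tcp', 'ndmp 10101/tcp # For Backup exec remote agent')
    'FILE01'    = @('# ndmp 10101/tcp', 'ldap 389/tcp')
}

Get-NdmpPortReport -ServicesByHost $sample -MediaServer 'BE-SERVER' |
    Format-Table Host, NdmpPort, SameAsMediaServer -AutoSize
```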