
Backup through firewall issue

pie8ter
Level 3
Backup Exec 11d media server in the LAN
A Windows 2003 SP2 server in the DMZ.
A hardware firewall is in between the BE media server and the Windows 2003 server.
Data needs to be backed up from the 2003 server via the firewall.


I am reading the documentation on what ports need to be opened on the firewall so the remote agent on the 2003 server and the media server in the LAN can communicate. Maybe it's me, but I just couldn't follow the article. I come away with more questions than answers. Since we are dealing with the firewall, I should try my best not to leave any room for error. Among other responsibilities, I manage PIX, Sonicwall and ISA firewalls. I am not sure why Symantec can't wrap all the Backup Exec or remote agent traffic (at least the control channel traffic) inside the ubiquitous HTTP packets and help the admins. The firewall would look like Swiss cheese by the time you allow all the ports required for this backup, but I digress.

My problem is the article lists a bunch of ports without discussing who uses what ports for listening or responding. Can someone please explain to me what's going on? I do just the backup or restore of files from Windows 2003 servers, nothing else.

For the Backup Exec Media server (the server with the backup tape library):
What are the outbound ports? In the worst case scenario, I will allow all the traffic from this server to the Windows 2003 server (DMZ).

What are the inbound ports? (i.e. what ports does this server listen on?)


For the Windows 2003 server (the one with Backup Exec's Remote Agent):

What are the outbound ports? (i.e. remote agent initiated connections to the media server in the LAN)

What are the inbound ports? (i.e. what ports does the remote agent service listen on?)



Assume I have only two servers in my daily backup plan, one in the LAN and one in the DMZ. I understood I need to configure a range of static ports in BE. Say I configure ports 40000 through 40020. Still I am not sure what service uses this port range and why.

Do I need to allow the insecure NetBIOS and CIFS traffic through my firewalls? Is there a way to get around allowing this traffic through the firewall?


I appreciate your help.
2 REPLIES 2

pie8ter
Level 3
Anyone?

I have one client whose IT admin just opened all the traffic in both directions between his DMZ and LAN for servers needing backup/restore. In another instance, the firewall had way more than the absolute minimum number of ports needed for backup/restore. I want to avoid those mistakes.

I have seen yet another admin's setup for DMZ and LAN backup/restore. He claims he didn't need to allow NetBIOS or CIFS traffic and backups work fine. Can someone confirm whether the one below works or not?

BACKUP Server  --> DMZ Server TCP:10000 (NDMP)
BACKUP Server --> DMZ Server TCP:10021-10022 (Set at the Media Server Dynamic Port Range)
DMZ Server --> BACKUP Server TCP:6101 (Remote Agent Advertising)  

Thank you

KSADrew
Level 2

pie8ter,

I too have a similar situation.

The above ports are how our firewall is configured as well. However, our backup is "unable to attach to a resource" when trying to get to the DMZ server.

Also, according to IANA, the ports 40001-40840 are Unassigned.  They are a dynamic range not bound to any specific service/program.  If something is listening and using those ports, they'll be freed up when it's done using them.  If I get mine working, I'll let you know what we did to resolve it and see if it helps your situation.
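
An added example, not part of the thread and not Symantec's code: a small Python audit that compares a firewall rule list against the three flows quoted in pie8ter's reply, reporting rules wider than those flows (NetBIOS/CIFS included) and flows that no rule permits. The thread does not confirm that these three flows are sufficient; the host labels `LAN_BACKUP` and `DMZ_SERVER`, the `Rule` type and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # host label or "any" (labels are placeholders, not from the thread)
    dst: str
    proto: str  # "tcp", "udp" or "any"
    lo: int     # first destination port
    hi: int     # last destination port

    def ports(self):
        return set(range(self.lo, self.hi + 1))

# The three flows as posted in the thread (unconfirmed there).
EXPECTED = [
    Rule("LAN_BACKUP", "DMZ_SERVER", "tcp", 10000, 10000),  # NDMP
    Rule("LAN_BACKUP", "DMZ_SERVER", "tcp", 10021, 10022),  # dynamic port range
    Rule("DMZ_SERVER", "LAN_BACKUP", "tcp", 6101, 6101),    # agent advertising
]
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS (137-139) and CIFS (445)

def audit(rules, expected=EXPECTED):
    """Return (excess, missing): rules wider than the expected flows, and
    expected flows that no rule fully permits."""
    excess = []
    for r in rules:
        if "any" in (r.src, r.dst, r.proto):
            excess.append((r, "wildcard endpoint or protocol"))
            continue
        allowed = set()
        for e in expected:
            if (e.src, e.dst, e.proto) == (r.src, r.dst, r.proto):
                allowed |= e.ports()
        extra = r.ports() - allowed
        if extra & SMB_PORTS:
            excess.append((r, "permits NetBIOS/CIFS"))
        elif extra:
            excess.append((r, f"{len(extra)} port(s) outside the expected flows"))
    missing = []
    for e in expected:
        permitted = set()
        for r in rules:
            if all(rv in (ev, "any") for rv, ev in
                   zip((r.src, r.dst, r.proto), (e.src, e.dst, e.proto))):
                permitted |= r.ports()
        if not e.ports() <= permitted:
            missing.append(e)
    return excess, missing
```

Feed it the rules exported from the firewall, one `Rule` per permit entry; an empty `excess` list means nothing beyond the posted flows is open, and an empty `missing` list means all three are permitted.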