
Cisco Firewall settings to allow remote agent install and backup\restore

Carl_Johnston
Level 3
Q- How to configure a Cisco Firewall so that VERITAS Backup Exec 10.0d for Windows can perform remote agent/Open File Option installations and normal backup/restore operations

Hello Everyone,

I have a Cisco ASA-5510 Security Appliance 'in between' my Backup Exec 10.0d Media Server and some remote servers that I wish to backup. At the moment I am allowing all TCP port traffic through the firewall, just from the Backup Server to any of the remote servers. This works, but clearly isn't ideal so I would like to know which specific ports I need to open through the firewall to allow correct operation.

Document ID: 244303 covers this in a sense, but is intended for use with Backup Exec 8.6 and Windows ICF. Are the ports mentioned in this document still current for 10.0d?

Any help, or pointers to current documents, would be warmly received. For reference I have also looked at Document 243104.

Thanks,

Carl Johnston
15 REPLIES

shweta_rege
Level 6
Hello,

- Kindly refer to the following Document:

How to configure the Windows XP Internet Connection Firewall so that VERITAS Backup Exec (tm) for Windows NT and Windows 2000 can perform remote agent/ Open File Option installations and normal backup/restore operations
http://support.veritas.com/docs/244303

Note : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.

Thanks.

Carl_Johnston
Level 3
Unfortunately this doesn't answer\cover my original question, please read the question again. I have added all the ports listed in Document ID 244403 but the installation of the Veritas Remote Agent (as a for instance) still cannot be completed to servers behind the firewall.

This document (244403) was intended for use with Backup Exec 8.6, and I'm guessing a Windows NT 4.0 environment. I have Backup Exec. 10.1 in a Windows 2003 environment.

I believe that many ports originally used in NT 4.0 have been changed now?

I need to know which specific ports to open in my hardware firewall to allow Backup Exec 10.1 in a Windows 2003 server environment to operate properly.

Surely someone must know?

Deepali_Badave
Level 6
Employee
Hello,

Please note that BE v10.0 does not support the NT4 server.
It is not possible to use BE v10.0 with NT operating system.
You may refer to the following SCL for BE v10.0
Backup Exec 10.0 for Windows Servers - Software Compatibility List (SCL)
http://support.veritas.com/docs/264484


NOTE : If we do not receive your reply within two business days, this post would be marked assumed answered and would be moved to answered questions pool.

Carl_Johnston
Level 3
I DON'T have an NT 4.0 server environment. I'm using Backup Exec 10.1. in a Windows 2003 ONLY environment. I thought I had been quite clear on this!

I was just stating that document ID 244403 that someone suggested I look at only covers older NT 4.0 installations. I need a similar document for a BE 10.1\Windows 2003 setup.

I need to know what ports need to be open in my Cisco firewall for the Backup Exec server to be able to successfully connect to, and backup, Windows 2003 servers behind the firewall.

shweta_rege
Level 6
Hello,

Backup Exec remote agent (RAWS) uses port 10000 (NDMP) of the systems where RAWS is installed. These errors would arise if another application is using it. In order to check that, do the following (on media server and also on the remote servers):

You can download the TCP View utility program from the website "www.sysinternals.com". When you run the utility program, you can see a list of ports used by your system.
When you find from the list that port 10000 is used by another application, you can implement one of the following options:

We recommend that you change the port of this application to another one.

OR

Change the Port of NDMP on all systems, so that NDMP uses the same Port on all systems where you have installed

NOTE : If we do not receive your reply within two business days, this post would be marked assumed answered and would be moved to answered questions pool.

Robert_Schmidt_
Level 6
Man, do I understand your frustration with Veritas "answers" - I use the term loosely! - that seem to ignore all the detailed information you have provided!

I am working with this same thing right now.

To get the agent onto the isolated server, I put the agent file set there (ftp) and ran the install locally. On your media server, you need the files in "...\program files\veritas\backup exec\nt\agents\rant32". You can't run setup.exe in Windows, but the two *.cmd files do it for you - setupaa.cmd for just the agent, setupaofo.cmd for the agent + AOFO.

Next, you need to run the installed "...\program files\veritas\backup exec\RANT\vxmon.exe". This puts an icon in the system tray. Right-click and choose options. On the 'advertising' tab, add the IP address of your media server. Apply. (Naturally you need to have in place all the routing to get to that server). Also re-start the Backup Exec remote agent service.

I believe you need the ports specified in that earlier document you referenced.

In addition, on your media server, under 'Tools | Options | Network & Firewall', you want to enable a selected dynamic port range. The help file and wording are a little confusing here. AND, this is where I'm having trouble.

For the media server range, I have 50101 - 50120
For the remote agent range, I have 10000 - 10010

Now, as I understand it, when the connection is first made (on port 10000), that packet should contain the "port to use" for the reply (from my 50101-50120 range). This does not appear to be working - the reply comes back on a random port.
Again, when the data transfer takes place, the remote agent server correctly uses port 10001, the next in the range, but again, the reply comes back on a random port. (You can see all this info in the job log).

I'm working on this today, and will be opening a support call if I can't get it to work.

Gauri_Ketkar
Level 6
Hi,

From Media Server to Remote Server 50 Ports should be open and Port 10000
From Remote Server to Media Server 25 Ports should be open and Port 10000

Update us on the same and revert for any further Query
Hope this will help you


Thank you
Gauri


NOTE : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.

Robert_Schmidt_
Level 6
Oh for heavens sake, Gauri

- you're not 'listening' to what we're saying.
YES, we have port 10000 open, both directions. You do not NEED 25/50 ports open to make this work - that is only a recommendation. If I am doing only ONE backup stream at a time - one tape drive, one target server - I don't NEED that many.
- in any case, even if I needed 25 and had it set to 10, it should start by using my specified 10 and then move on to random after that.

The problem is, it works according to my specified ports in one direction, BUT NOT IN THE OTHER.

There has been another post in this very same forum, from another user, stating that it used to work according to the user settings, but STOPPED WORKING after upgrade to 10.0(d).

Robert_Schmidt_
Level 6
Gauri - for your benefit, I'm going to cut the relevant part from my earlier post.
This is the heart of the problem ...
--------------------
For the media server range, I have 50101 - 50120
For the remote agent range, I have 10000 - 10010

Now, as I understand it ...

when the connection is first made (correctly on port 10000), that packet should contain the "port to use" for the reply (from my 50101-50120 range). This does not appear to be working - the reply comes back on a random port.

Again, when the data transfer takes place, the remote agent server correctly uses port 10001, the next in the range, but again, the reply comes back on a random port. (You can see all this info in the job log).
--------------------

Do I have the correct understanding of the data transfer sequence??

Thanks

priya_khire
Level 6
Hello Robert,

As per your post, it seems that the media server correctly uses the ports from the defined range, however the reply that you get comes from another port, not in the range. That is because the reply comes from the remote server and it uses any available port from the range defined on the remote server. It thus refers to a port on that server and not the media server.

Hope that clarifies your doubt. For more information on backing up servers behind firewall, refer to the following technote:

Backup Exec cannot view or back up servers on the far side (outside) of a firewall or in DMZ environment, even though the proper IP ports are open.
http://support.veritas.com/docs/194182


Note : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.

Regards.

Robert_Schmidt_
Level 6
I'm not going into a detailed discussion here, but please don't quote me yet another help document or simply say " ... the reply that you get comes from another port ... "

My point is, the product has 2 settings: "Enable media server ... port range" AND "Enable remote agent ... port range".

I have carefully read through your own support doc 255831.

In the eighth paragraph, it clearly says: "The media server first attempts to connect to the remote server via the NDMP port. The remote server will then respond back to the media server with a port specified in the Enable media server ... port range option."

So, once again:

What is the purpose of each of the settings?
Do they work as specified in the support documents?
Is there a bug in ver. 10.1 with the flow in one of the directions?

Thank you.

Robert_Schmidt_
Level 6
We are not alone !!

http://forums.veritas.com/discussions/thread.jspa?threadID=63971&tstart=0

Shraddha_Dhaval
Level 6
Hi,

Does the issue still persist?

Could you please update us on the same?


Thanks.


Note : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.

Robert_Schmidt_
Level 6
Carl - you started this thread, so guess it's up to you to say if you consider the problem resolved.

For my part, I don't consider this situation completely satisfactory.

When a media server targets a remote host, it definitely targets the remote IP address + a port in the "remote agent" range.
So, I can restrict traffic through the firewall by DESTINATION address AND PORT.

BUT, no matter what I set in the "media server" port range, the media server always uses a random port. This means I can restrict traffic through the firewall ONLY by SOURCE address, and have to leave the full port range open.

Once again, are we misunderstanding the settings and help file, or is there a bug in 10.1?
Please don't just point us to yet another doc file. Read and consider what we have written.

Thanks
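
The destination-based restriction described in the post above, written as a Cisco ASA access list next to the allow-all-TCP rule from the opening post. This is an added example, not part of the original thread or of any Veritas document: the addresses, object-group, ACL and interface names are placeholders, and 10000-10010 is the remote agent range quoted in the thread.

```cisco
! Constructed example. 192.0.2.10 stands for the media server and the
! 198.51.100.x hosts for the remote agents; "inside", BE_AGENTS and
! INSIDE_IN are assumed names.
object-group network BE_AGENTS
 network-object host 198.51.100.21
 network-object host 198.51.100.22
!
! Before: every TCP port from the media server to the agents.
! access-list INSIDE_IN extended permit tcp host 192.0.2.10 object-group BE_AGENTS
!
! After: only the NDMP port (10000) and the remote agent range from the
! thread. The entry matches on DESTINATION port; no source port is given,
! so the media server's ephemeral source port does not matter.
access-list INSIDE_IN extended permit tcp host 192.0.2.10 object-group BE_AGENTS range 10000 10010
!
! The ASA is stateful: reply packets of a connection permitted above are
! allowed back without an entry of their own.
!
! An interface ACL ends in an implicit deny, so any other traffic that
! must leave this interface needs its own permit entries.
access-group INSIDE_IN in interface inside
!
! Checks after applying:
!   show access-list INSIDE_IN
!     (hit counters should rise on the range entry during a backup job)
!   packet-tracer input inside tcp 192.0.2.10 50101 198.51.100.21 10000
!     (simulates a media-server connection; the result should be "allow")
```

Connections that the remote agents open towards the media server are separate flows and need their own entry on the agent-side interface; the thread names port 10000 for that direction.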

priya_khire
Level 6
Hello,

You had mentioned that you have specified a port range of 10000-10010 for the remote agent. Try to keep at least 25 ports in this range starting from 10001, e.g. 10001-10025. You can keep those many ports open on the remote server behind firewall. Check if the remote server replies on the ports specified.

Revert with results.

Note : If we do not receive your reply within two business days, this post would be marked "assumed answered" and would be moved to "answered questions" pool.

Regards.