
NBU ports discussion

Elango_G1
Level 4

Hi,

Here I am coming with some confusion about NBU ports between backup server and client. I would be very thankful if I get answers to the following questions.

1. What are the ports required to be enabled between media server and client?

2. Do all the ports like bpcd, vnetd & PBX need to be open between each other?

3. We have managed to see PBX is not connecting from client to media server but backups are working fine. If that is the case, may I know the reason?

4. Client is under firewall but none of the required ports are enabled, but backups are working fine. May I know the reason behind these confusing methods under firewall?

Still lots of questions running in my mind and I will get back to you depending on the answers. Thanks in advance.

 

1 ACCEPTED SOLUTION


Marianne
Moderator
Partner    VIP    Accredited Certified

In NBU 6.x - 7.0, PBX was only used for comms between master and media server(s).
Servers used vnetd to connect to clients. If vnetd failed, it would fail back to bpcd.

From NBU 7.0.1 onwards, comms to 7.x and 6.x clients will be tried as per the section under this topic in above TN:
NetBackup 7.0.1 Considerations 

This means that 7.1 server connecting to 6.x client will be exactly the same - 1st try pbx (which will fail), then fail back to vnetd. If still not successful, it will try bpcd.

Exact same ports will be used for clients behind firewall.

In a production environment, it is very easy to see port connection attempts with bptestbpcd command on master and/or media server:

Connection test to a client:
bptestbpcd -client <client-name> -verbose -debug

Connection test to a media server:
bptestbpcd -host <server-name> -verbose -debug


7 REPLIES

Marianne
Moderator
Partner    VIP    Accredited Certified
You forgot to mention NBU version on servers and clients. After 6.0 up to 7.0 clients and server used vnetd. Since 7.0.1, pbx is tried first. If that fails, vnetd will be tried, then bpcd.

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Review the and then ask again (https://support.symantec.com/en_US/article.TECH136090.html).

The TCP port requirements for the default configuration; without overriding connect options in the Client Attributes (bpclient), or Firewall (CONNECT_OPTIONS) settings, or separate master and EMM servers, or legacy security considerations are as follows: 

  • Master server to/from media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.
  • Master server to client requires the TCP ports for PBX/1556 and vnetd/13724 if the clients perform client-directed operations;  user backup/restore, user archive, or application backup/restore.
     
  • Media server to client requires the TCP port for vnetd/13724 and PBX/1556.
  • Media server to media server requires the TCP port for vnetd/13724 and PBX/1556, bi-directional.
     
  • Client to master server requires the TCP ports for PBX/1556 and vnetd/13724 for client-initiated (user or application), but not server-initiated, operations.
  • Client to master server requires TCP ports for PBX/1556 and vnetd/13724 for Client Direct restores (new in 7.6). 
     
  • SAN Client to/from master/media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional. 
     
  • Java/Windows admin consoles to master and media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.  
     
  • To backup and restore VMWare:

    Backup host to vCenter requires TCP port 443.

    If using query builder (VIP), master server to vCenter requires TCP port 443.

    If using the nbd transport type, backup host to ESX host requires TCP port 902.

     
  • To backup and restore SharePoint:

    Front End to/from SQL client hosts requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.

    Front End to/from SQL client hosts also use the "remote registry service" which requires TCP ports 135, 137, 138, 139 and 445.
    See Microsoft article: http://msdn.microsoft.com/en-us/library/cc288143.aspx 
     
     
  • If using Granular Restore Technology (GRT):

    Clients need to connect to the media server on portmap/111 and nbfsd/7394.
     
  • If using OpsCenter:

    Web browsers require TCP ports http/80 and https/443 to the OpsCenter Web GUI with either 8181 and 8443 or 8282 and 8553 used as alternates.

    Custom report generators require TCP port 13786 to the OpsCenter Server.

    OpsCenter Server also uses UDP port 162 outbound for SNMP trap protocol.
     
  • To backup and restore NDMP filers:

    Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.

    The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP. 
     
  • If using VxSS with NetBackup Access Control (NBAC):

    Master servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server. 

    Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server. 

    Clients require the TCP port vrts-at-port/2821 to the VxSS server.

    Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
       
  • If using the OpenStorage plug-in by DataDomain:

    Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port on the target DataDomain array.

    For optimized duplication access to TCP port 2051 is also required.

        
  • If using Optimized Duplication (including Automatic Image Replication):

    For MSDP-to-MSDP, the source storage server needs access to spad/10102 and spoold/10082 on the destination server.

    For MSDP-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.

    For PDDO-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
     
  • For Automatic Image Replication (AIR)

    In addition to the ports for Optimized Duplication, also open the TCP port for PBX/1556 between the master servers.
     
  • For NetBackup 5xxx Appliances:

    Open ssh/22, http/80, and https/443 inbound for in-band administration.

    Open http/80 and https/443 inbound to the Intelligent Platform Management Interface (IPMI) for out-of-band administration.

    Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CDROM redirection from NetBackup Integrated Storage Manager (5020/5200 appliances). Port 623 will also be used if open.

    Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30 appliances).

    Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30 appliances).

    Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection (5220/5x30 appliances).

    Open https/443 outbound to the Symantec Call Home server for proactive hardware monitoring and messaging.

    Open https/443 outbound to the Symantec Critical System Protection (SCSP) server to download SCSP certificates.

    Open snmp/162 outbound to the SNMP server for SNMP traps and alerts.

    Open 11111 between PureDisk appliances for multi-node topology discovery.

 

NetBackup 7.0.1 Considerations

The bpcd and vnetd processes now run standalone.  They and the other legacy processes now register with PBX at startup.  Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556.  If the PBX port is unreachable, then the vnetd port will be used.  If the vnetd port is unreachable, then the daemon port will be used.  Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX.  Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the master server. 

Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections. 

For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost.  Internal sockets on the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.

 

NetBackup 7.1 Considerations

NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd.  These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.

The processes are also listening on TCP ports 13783 and 13722 respectively.  These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and resolved by NetBackup using those original names.  Back level hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-at-auth/4032.

Snapshot backups may experience a small delay during snapshot deletion if port 1556 is not open from the client to the master server.


NetBackup 7.5 Considerations

The Resilient Client feature requires vnetd/13724 to be open bi-directional between the media server and client hosts.  If utilizing client-directed operations, then vnetd/13724 must be open bi-directional between the client and the master server.  This feature cannot use PBX/1556.

Snapshot backups may experience delays before and after the data transfer if port 1556 is not open from the client to the master server.


NetBackup 7.6 Considerations

The Client Direct restore feature requires the TCP ports for PBX/1556 and vnetd/13724 to be open from the client to the master server for the file list port connection; regardless of whether the restore is server or client initiated.


Network Address Translation (NAT) and Port Address Translation (PAT) Considerations

The use of NAT and PAT is not supported with NetBackup.  See TECH15006 in the Related Articles section for details.
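
Added example (not part of the original thread, the technote, or NetBackup itself): a small Python model of the PBX, then vnetd, then bpcd fallback described above, showing why a backup still succeeds when 1556 is blocked and which failed attempts add delay. The names `resolve_connection`, `fake_probe` and the host `client1.example` are hypothetical, and 13782 is bpcd's registered default port, which the page only calls "the daemon port"; a plain TCP connect is an approximation of what `bptestbpcd` tests.

```python
import socket

# Service/port pairs in the order the thread describes. PBX/1556 and
# vnetd/13724 come from the technote; 13782 is bpcd's registered default
# (assumption: the page does not give the number).
ORDER_701_PLUS = [("pbx", 1556), ("vnetd", 13724), ("bpcd", 13782)]
ORDER_PRE_701 = [("vnetd", 13724), ("bpcd", 13782)]  # NBU 6.x - 7.0 servers


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connect to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_connection(host, server_701_plus=True, probe=tcp_probe):
    """Walk the fallback chain and report which port would carry the session.

    Returns the service that answered (or None) plus the services that were
    tried and failed first; each entry in failed_first is a connection delay.
    """
    order = ORDER_701_PLUS if server_701_plus else ORDER_PRE_701
    failed = []
    for service, port in order:
        if probe(host, port):
            return {"host": host, "used": service, "port": port,
                    "failed_first": failed}
        failed.append(service)
    return {"host": host, "used": None, "port": None, "failed_first": failed}


def fake_probe(open_ports):
    """Constructed stand-in for a firewall: only ports in open_ports connect."""
    return lambda host, port, timeout=3.0: port in open_ports


if __name__ == "__main__":
    # Constructed case matching question 3: 1556 blocked, 13724 allowed.
    print(resolve_connection("client1.example", probe=fake_probe({13724})))
```

Run it from a master or media server with the default `tcp_probe` to see which of the three ports a given client actually answers on through the firewall.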

Elango_G1
Level 4

Hi Marianne,

 

thanks for the reply.

1. NBU version - 6.0 to 7.0 - if it uses vnetd then what is the purpose of bpcd and PBX services for taking backup?

I can clearly understand since NBU 7.0.1, it uses PBX then vnetd and bpcd.

2. What is going on with the backups of client under firewall?

Master server - 7.1

Client - what is the case if it is 6.5 and 7.1 please?

 

Elango_G1
Level 4

Hi Riaan,

Thanks for sharing this article and it helps to direct me in the right way.

I am under confusion after reading so many posts, articles & tech notes about the port requirements while going for hands-on experience.

So I have many specific questions to be cleared in order to understand the reason behind opening those ports depending on the NetBackup versions.

 

Regards

Elango

 


Elango_G1
Level 4

Thanks Marianne, now I am able to understand the concept of communication.

Elango_G1
Level 4

Marianne, do we have an option to check the RANDOM PORTS in windows 2003 R2 client under firewall?