In firewall environments, Backup Exec provides the following advantages:
The number of ports used for backup network connections is kept to a minimum.
Ports opened on the Backup Exec Server and systems using the Remote Agent for Windows Systems are dynamic and offer high levels of flexibility during browsing, backup, and restore operations.
You can set specific firewall port ranges and specify backup and restore networks within these ranges to isolate data traffic and provide high levels of reliability.
Because firewalls affect system communications between a media server and remote systems that reside outside the firewall environment, special port requirements must be considered when configuring Backup Exec for use with firewalls.
Symantec recommends having port 10000 open and available on the Backup Exec media server as well as on the remote systems. In addition, you must open the dynamic port ranges specified for communications between the media server and remote agents.
When a media server makes a connection with a remote system, the initial connection is initiated to the well-known port 10000. The Remote Agent listens for connections on this predefined port. The media server side of this connection is bound to an available port. Additional connections from the media server to the Remote Agent are initiated on any available port.
Communication between the media server and the Remote Agent will usually require up to 2 ports on the remote agent side per backup operation. If you plan on supporting multiple backups and restores occurring simultaneously, you must configure your firewall to allow a range of ports large enough to support the maximum number of simultaneous operations desired.
Should a conflict arise, the default port of 10000 can be changed to another port number by modifying the %systemroot%\System32\drivers\etc\services file, and changing the NDMP port to an alternate port number. For example, if you installed Windows 2000 to its default location, from your Windows Explorer, select C:\WINNT\System32\drivers\etc\services. Using a text editor, such as Notepad, modify your NDMP entry, or if necessary, add an NDMP entry with the new port number. This entry should be formatted as follows:
ndmp 10000/tcp #Network Data Management Protocol
Note: If the default port is changed, it must be changed on the media server and all remote systems being backed up through the firewall on this port.
When setting up TCP dynamic port ranges, Symantec recommends using a range of 25 allocated ports for the remote computers. The number of dynamic ports used by remote systems can change based on the number of devices being protected and the number of tape devices in use. You may need to increase these port ranges to maintain the highest level of performance. Both Backup Exec and the firewall must have these ranges defined, along with port 10000.
Unless you specify a range, Backup Exec uses the full range of dynamic ports available. When performing remote backups through a firewall, you should select a specific range on the Network and Firewall defaults dialog box.
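The consistency requirements above (the same NDMP port in the services file on the media server and every remote system, no other service on that port, and a dynamic range large enough for the planned simultaneous operations) can be checked before the firewall rules are written. The following Python sketch is an added example, not Symantec code; the host names, sample file contents, the 20000-20024 range, and the rule that a missing ndmp entry means port 10000 are assumptions made for illustration.

```python
DEFAULT_NDMP = 10000  # default port stated on the page

def parse_services(text):
    """Return [(names, port, proto)] for each entry in services-file text."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comment, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            names = {f.lower() for f in [fields[0]] + fields[2:]}  # name + aliases
            entries.append((names, int(port), proto.lower()))
    return entries

def ndmp_port(text):
    """TCP port of the ndmp entry. Assumption: no entry means the default."""
    for names, port, proto in parse_services(text):
        if "ndmp" in names and proto == "tcp":
            return port
    return DEFAULT_NDMP

def audit(media_server, remotes, range_start, range_end, max_ops):
    """List findings for one media server and its remote systems."""
    findings = []
    want = ndmp_port(media_server)
    for host, text in {"media-server": media_server, **remotes}.items():
        port = ndmp_port(text)
        if port != want:
            findings.append(f"{host}: ndmp on {port}, media server uses {want}")
        clash = sorted(n for names, p, proto in parse_services(text)
                       if p == port and proto == "tcp" and "ndmp" not in names
                       for n in names)
        if clash:
            findings.append(f"{host}: {port}/tcp also assigned to {', '.join(clash)}")
    needed = 2 * max_ops  # page: up to 2 remote-agent ports per operation
    size = range_end - range_start + 1
    if size < needed:
        findings.append(f"range has {size} ports, {needed} needed for {max_ops} operations")
    return findings

# Constructed sample data: hypothetical hosts, media server moved to 10001.
MEDIA = "echo 7/tcp\nndmp 10001/tcp #Network Data Management Protocol\n"
REMOTES = {
    "remote-a": "ndmp 10001/tcp #Network Data Management Protocol\n",
    "remote-b": "ndmp 10000/tcp #Network Data Management Protocol\n",
    "remote-c": "webapp 10001/tcp\nndmp 10001/tcp\n",
}

if __name__ == "__main__":
    for finding in audit(MEDIA, REMOTES, 20000, 20024, max_ops=15):
        print(finding)
```

With the sample data, the audit reports the remote system still on port 10000, the remote system where another service shares the NDMP port, and the 25-port range being too small for 15 simultaneous operations.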
The following tables provide more information about which ports Backup Exec for Windows Servers and its agents and options use:
Table: Backup Exec for Windows Servers Ports
When Backup Exec is not running operations, it listens to ports for incoming communication from other services and agents. Backup Exec initially communicates with the Remote Agent using a static listening port to begin an operation. The agent and the media server then use dynamic ports to pass data back and forth.
Backup Exec uses the following listening ports:
Table: Backup Exec for Windows Servers Listening Ports
The Backup Exec Desktop and Laptop Option (DLO) additionally uses the following ports: