Using Backup Exec with firewalls

In firewall environments, Backup Exec provides the following advantages:

Note: The Remote Agent for Windows Systems is required to perform remote backups and restores.

Because firewalls affect system communications between a media server and remote systems that reside outside the firewall environment, special port requirements must be considered when configuring Backup Exec for use with firewalls.

Symantec recommends having port 10000 open and available on the Backup Exec media server as well as on the remote systems. In addition, you must open the dynamic port ranges specified for communications between the media server and remote agents.

When a media server connects to a remote system, it initiates the first connection to the well-known port 10000. The Remote Agent listens for connections on this predefined port. The media server side of this connection is bound to an available port. Additional connections from the media server to the Remote Agent are initiated on any available port.

Communication between the media server and the Remote Agent will usually require up to 2 ports on the remote agent side per backup operation. If you plan on supporting multiple backups and restores occurring simultaneously, you must configure your firewall to allow a range of ports large enough to support the maximum number of simultaneous operations desired.

Should a conflict arise, the default port of 10000 can be changed to another port number by modifying the %systemroot%\System32\drivers\etc\services file, and changing the NDMP port to an alternate port number. For example, if you installed Windows 2000 to its default location, from your Windows Explorer, select C:\WINNT\System32\drivers\etc\services. Using a text editor, such as Notepad, modify your NDMP entry, or if necessary, add an NDMP entry with the new port number. This entry should be formatted as follows:

ndmp	10000/tcp		#Network Data Management Protocol

Note: If the default port is changed, it must be changed on the media server and all remote systems being backed up through the firewall on this port.
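One way to check the requirement in the note above, as an added example that is not Symantec code: it parses services-file text collected from each host and reports remote systems whose NDMP port differs from the media server's. The host names and file contents are constructed, and treating a missing ndmp/tcp entry as the default 10000 is an assumption.

```python
import re

DEFAULT_NDMP_PORT = 10000  # default named on this page; assumed when no entry exists

# services-file line: name, port/protocol, optional aliases, optional #comment
_ENTRY = re.compile(
    r"^\s*(?P<name>[^\s#]+)\s+(?P<port>\d+)/(?P<proto>\w+)(?P<aliases>[^#]*)"
)

def ndmp_port(services_text):
    """Return the TCP port that the services text maps to 'ndmp' (name or alias)."""
    for line in services_text.splitlines():
        m = _ENTRY.match(line)  # commented-out and blank lines do not match
        if not m or m["proto"].lower() != "tcp":
            continue
        names = [m["name"], *m["aliases"].split()]
        if any(n.lower() == "ndmp" for n in names):
            return int(m["port"])
    return DEFAULT_NDMP_PORT

def mismatched_hosts(media_server_text, remote_texts):
    """Map each remote host whose NDMP port differs to (its_port, expected_port)."""
    expected = ndmp_port(media_server_text)
    found = {host: ndmp_port(text) for host, text in remote_texts.items()}
    return {h: (p, expected) for h, p in found.items() if p != expected}

# Constructed sample data: the media server was moved to port 10500.
MEDIA_SERVER = "ndmp\t10500/tcp\t\t#Network Data Management Protocol\n"
REMOTES = {
    "fileserver": "ndmp 10500/tcp #Network Data Management Protocol\n",
    "dbserver": "#ndmp 10500/tcp\nsmtp 25/tcp mail\n",   # entry commented out
    "linuxhost": "ndmp 10000/tcp\nndmp 10000/udp\n",     # never updated
}

if __name__ == "__main__":
    for host, (port, expected) in mismatched_hosts(MEDIA_SERVER, REMOTES).items():
        print(f"{host}: NDMP on {port}, media server expects {expected}")
```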

When setting up TCP dynamic port ranges, Symantec recommends using a range of 25 allocated ports for the remote computers. The number of dynamic ports used by remote systems can change based on the number of devices being protected and the number of tape devices in use. You may need to increase these port ranges to maintain the highest level of performance. Both Backup Exec and the firewall must have these ranges defined, along with port 10000.

Unless you specify a range, Backup Exec uses the full range of dynamic ports available. When performing remote backups through a firewall, you should select a specific range on the Network and Firewall defaults dialog box.
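A planning check for the range described above, as an added example that is not part of Backup Exec: it sizes a proposed dynamic range against the number of simultaneous operations and produces the two allow rules the firewall needs for one media server and one remote agent. The addresses are constructed; flagging overlap with the static TCP listening ports from this page's tables, and scoping the rules to the media server's address, are added assumptions.

```python
# TCP ports from the listening-ports table on this page.
STATIC_TCP_PORTS = {1125, 3527, 5633, 6101, 6102, 6106, 10000}
PORTS_PER_OPERATION = 2  # "up to 2 ports on the remote agent side per backup operation"
RECOMMENDED_RANGE = 25   # range size the page recommends for remote computers

def check_dynamic_range(first, last, simultaneous_ops, ndmp_port=10000):
    """Return a list of problems with a planned dynamic TCP range (empty means OK)."""
    if not (1 <= first <= last <= 65535):
        return [f"invalid range {first}-{last}"]
    problems = []
    size = last - first + 1
    needed = PORTS_PER_OPERATION * simultaneous_ops
    if size < needed:
        problems.append(
            f"{size} ports, but {simultaneous_ops} simultaneous operations need {needed}"
        )
    if size < RECOMMENDED_RANGE:
        problems.append(f"{size} ports is below the recommended {RECOMMENDED_RANGE}")
    # Assumption: the dynamic range should not contain a static listening port.
    clash = sorted(p for p in STATIC_TCP_PORTS | {ndmp_port} if first <= p <= last)
    if clash:
        problems.append(f"range overlaps static ports {clash}")
    return problems

def firewall_rules(media_server, remote_agent, first, last, ndmp_port=10000):
    """Allow rules for one pair: the initial NDMP connection plus the dynamic range."""
    base = {"proto": "tcp", "src": media_server, "dst": remote_agent}
    return [
        {**base, "dport": str(ndmp_port)},
        {**base, "dport": f"{first}-{last}"},
    ]

if __name__ == "__main__":
    # Constructed addresses (documentation range), 10 simultaneous operations.
    print(check_dynamic_range(10001, 10025, 10) or "range OK")
    for rule in firewall_rules("192.0.2.10", "192.0.2.50", 10001, 10025):
        print(rule)
```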

The following tables provide more information about which ports Backup Exec for Windows Servers and its agents and options use:

Table: Backup Exec for Windows Servers Ports

| Service or Process | Port | Port Type |
| --- | --- | --- |
| Backup Exec Agent Browser (process=benetns.exe) | 6101 | TCP |
| Backup Exec Remote Agent for Windows Systems (process=beremote.exe) | 10000 | TCP |
| Backup Exec Server (process=beserver.exe) | 3527, 6106 | TCP |
| MSSQL$BKUPEXEC (process=sqlservr.exe) | 1125 | TCP |
| | 1434 (ms-sql-m) | UDP |
| Backup Exec Remote Agent for NetWare | 10000 (Backup Exec 10.x), 6102 (Backup Exec 9.x) | TCP |
| Oracle Agent for Windows and Linux Servers | Random port unless configured otherwise | |
| DB2 Agent for Windows and Linux Servers | Random port unless configured otherwise | |
| Remote Agent for Linux or Unix Servers (RALUS) | Default NDMP port, typically 10000 | TCP |
| Kerberos | 88 | UDP |
| NETBIOS | 135 | TCP, UDP |
| NETBIOS Name Service | 137 | UDP |
| NETBIOS Datagram Service | 138 | UDP |
| NETBIOS Session Service | 139 | TCP |
| NETBIOS (Windows 2000) | 445 | TCP |
| DCOM/RPC | 3106 | TCP |
| Backup Exec Remote Agent | 6103 | TCP |
| Push Install - Check for conflicts in message queue for CASO which is part of beserver.exe | 103x | TCP |
| Push Install | 441 | TCP |
| SMTP email notification | 25 outbound from media server | TCP |
| SNMP | 162 outbound from media server | TCP |

When Backup Exec is not running operations, it listens to ports for incoming communication from other services and agents. Backup Exec initially communicates with the Remote Agent using a static listening port to begin an operation. The agent and the media server then use dynamic ports to pass data back and forth.

Backup Exec uses the following listening ports:

Table: Backup Exec for Windows Servers Listening Ports

| Service | Port | Port Type |
| --- | --- | --- |
| Backup Exec Agent Browser (benetns.exe) | 6101 | TCP |
| Backup Exec Remote Agent for Windows Server (beremote.exe) | 10000 | TCP |
| Backup Exec Server (beserver.exe) | 3527, 6106 | TCP |
| MSSQL$BKUPEXEC (sqlservr.exe) | 1125 | TCP |
| | 1434 | UDP |
| Backup Exec Remote Agent for NetWare | 10000, 6102 | TCP |
| Remote Agent for Linux and UNIX Servers (RALUS) | 10000 | TCP |
| DBA-initiated backups for Oracle and DB2 | 5633 | TCP |

The Backup Exec Desktop and Laptop Option (DLO) additionally uses the following ports:

Table: Backup Exec Desktop and Laptop Option Ports

| Service or Process | Port | Port Type |
| --- | --- | --- |
| Server Message Block (SMB) communication | 135-139 | TCP/UDP |
| Server Message Block (SMB) communication without NETBIOS | 445 | TCP/UDP |
| SQL | 1434 | TCP/UDP |
| DLOAdminSvcu.exe (DLO admin service) | 3999 in listening mode | TCP/UDP |