About using Backup Exec with firewalls

Article:HOWTO22990  |  Created: 2010-01-01  |  Updated: 2014-03-27  |  Article URL http://www.symantec.com/docs/HOWTO22990
Article Type
How To

Product(s)

Environment

Subject


About using Backup Exec with firewalls

In firewall environments, Backup Exec provides the following advantages:

  • The number of ports that are used for backup network connections is kept to a minimum.

  • Open ports on the Backup Exec media server and remote systems are dynamic and offer high levels of flexibility during browsing, backup, and restore operations.

  • You can set specific firewall port ranges and specify backup and restore networks within these ranges. You can use specific ranges to isolate data traffic and provide high levels of reliability.

Note:

The Remote Agent for Windows Systems is required to perform remote backups and restores.

Firewalls affect system communication between a media server and any remote systems that reside outside the firewall environment. You should consider special port requirements for your firewall when you configure Backup Exec.

Symantec recommends that you open port 10000 and make sure that it is available on the Backup Exec media server and any remote systems. In addition, you must open the dynamic port ranges that Backup Exec uses for communications between the media server and remote agents.

See Backup Exec Ports.

When a media server connects to a remote system, it initially uses port 10000. The Remote Agent listens for connections on this predefined port. The media server is bound to an available port, but additional connections to the Remote Agent are initiated on any available port.

When you back up data, up to two ports may be required on the computer on which the Remote Agent is installed. To support simultaneous jobs, you must configure your firewall to allow a range of ports large enough to support the number of simultaneous operations desired.

If there is a conflict, you can change the default port to an alternate port number by modifying the %systemroot%\System32\drivers\etc\services file. You can use a text editor such as Notepad to modify your NDMP entry or add an NDMP entry with a new port number. You should format the entry as follows:

ndmp    10000/tcp        #Network Data Management Protocol

Note:

If you change the default port, you must change it on the media server and all remote systems that are backed up through the firewall.

When you set up TCP dynamic port ranges, Symantec recommends that you use a range of 25 allocated ports for the remote computer. The number of ports that remote computers require depends on the number of devices you protect and the number of tape devices you use. You may need to increase these port ranges to maintain the highest level of performance.

Unless you specify a range, Backup Exec uses the full range of dynamic ports available. When performing remote backups through a firewall, you should select a specific range on the Network and Firewall defaults dialog box.

See Backup Exec Listening Ports

See Backup Exec Desktop and Laptop Option ports



Legacy ID



id-SF700155293_be2010_adm


Article URL http://www.symantec.com/docs/HOWTO22990


Terms of use for this information are found in Legal Notices