NetBackup 6.x and 7.x firewall port requirements
Article: TECH136090 | Created: 2010-01-17 | Updated: 2013-04-16 | Article URL: http://www.symantec.com/docs/TECH136090
Which TCP ports must be open through a firewall for NetBackup (NBU) 6.x and 7.x hosts to communicate with each other?
This does not include port requirements for communication with NetBackup 5.x hosts, remote EMM Server, or other legacy processes. Those details are covered in the NetBackup (tm) 6.0 Port Usage Guide for Windows and UNIX Platforms and the NetBackup 7.0.1 Security and Encryption Guide, see the Related Articles.
The main changes in NetBackup 6.0 are the introduction of PBX to support CORBA connections and vnetd forwarding sockets.
- PBX listens on port 1556 for inbound CORBA connections to the new processes, which are multi-threaded, much like vnetd does for the single-threaded legacy processes. Thus all of the new processes can be reached via port 1556 and each new process does not need to listen on a unique port.
- The vnetd forwarding sockets replace the prior callback mechanism used to open additional sockets to bpcd and other legacy client processes. The forwarding socket, like the service socket, is opened from the server host to the client host, thus removing the need to accept TCP SYN packets inbound from NetBackup clients if only server-initiated standard backup and restore operations are performed.
By default there is no client connect-back, so that outbound port is the only requirement. However, if the Client Attributes have been modified to disable vnetd, then the Server Port Window and/or Server Reserved Port Window may need to be open inbound from the client host to the server host(s) for callback connections from bpcd and other client processes.
If the security policy allows TCP SYN requests inbound, open the vnetd port bi-directionally. That way the configuration will not need to be modified when/if the site uses client-initiated NetBackup features that open connections from the client hosts to the master server, e.g.:
- user-directed standard backup/list/restore operations
- stream-based database (DataStore/DB2/Informix/Oracle/SAP/SQL-Server/Sybase/Teradata/XBSA) application backup/restore operations. These types of client-initiated operations require that the client host connect to the master server to queue requests.
- SAN Client operations
For server to server communications, the TCP port for PBX (1556) must be opened bi-directionally along with the TCP port for vnetd (13724). If Firewall connect options are configured on the master server for the media server(s), then the Server Port Window and/or Server Reserved Port Window may need to be open inbound from the media server host(s) to the master server host for callback connections and TCP port 13782 for bpcd may need to be open outbound from the master server to the media server host(s) for daemon connections. If Firewall connect options are configured on the media server for the master or other media servers, then the daemon ports (bpdbm, bpjobd, robotic control, etc) may need to be open from those hosts to the master server.
The TCP port requirements for the default configuration; without overriding connect options in the Client Attributes (bpclient), or Firewall (CONNECT_OPTIONS) settings, or separate master and EMM servers, or legacy security considerations are as follows:
- Master server to/from media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.
- Master server to client requires the TCP port for vnetd/13724.
- Media server to client requires the TCP port for vnetd/13724 and PBX/1556.
- Media server to media server requires the TCP port for vnetd/13724 and PBX/1556, bi-directional.
- Client to master server requires the TCP port for vnetd/13724 for client-initiated, not server-initiated, operations.
- SAN Client to/from master/media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.
- Java/Windows admin consoles to master and media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.
- If using SharePoint:
    The front end and SQL client hosts require vnetd/13724 and PBX/1556 between them, bi-directional.
- If using Granular Restore Technology (GRT):
    Clients need to connect to the media server on portmap/111 and nbfsd/3794.
- If using OpsCenter:
    Web browsers require TCP ports http/80 and https/443 to the OpsCenter Web GUI, with either 8181 and 8443 or 8282 and 8553 used as alternates.
    Custom report generators require TCP port 13786 to the OpsCenter Server.
    OpsCenter Server also uses UDP port 162 outbound for SNMP traps.
- If using NDMP:
    Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.
    SERVER_PORT_WINDOW is used inbound from filer to media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP.
- If using VxSS with NetBackup Access Control (NBAC):
    Master servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    Clients require the TCP port vrts-at-port/2821 to the VxSS server.
    Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
- If using the OpenStorage plug-in by DataDomain:
    Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port on the target DataDomain array.
    For optimized duplication, access to TCP port 2051 is also required.
- If using Optimized Duplication, including Automatic Image Replication (AIR):
    For MSDP-to-MSDP, spad on the source needs access to spad/10102 and spoold/10082 on the destination.
    For MSDP-to-PDDO, spad on the source needs access to SPA/443 and spoold/10082 on the destination.
    For PDDO-to-PDDO, SPA on the source needs access to SPA/443 and spoold/10082 on the destination.
- For NetBackup 5xxx Appliances:
    Open ssh/22, http/80, and https/443 inbound for in-band administration.
    Open http/80 and https/443 inbound to the Intelligent Platform Management Interface (IPMI) for out-of-band administration.
    Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CD-ROM redirection from NetBackup Integrated Storage Manager (5020/5200 appliances).
    Port 623 will also be used if open.
    Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30/5400 appliances).
    Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30/5400 appliances).
    Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection (5220/5x30/5400 appliances).
    Open https/443 outbound to the Symantec Call Home server for proactive hardware monitoring and messaging.
    Open https/443 outbound to the Symantec Critical System Protection (SCSP) server to download SCSP certificates.
    Open snmp/162 outbound to the SNMP server for SNMP traps and alerts.
    Open 11111 between PureDisk appliances for multi-node topology discovery.
NetBackup 7.0.1 Considerations
The bpcd and vnetd processes now run standalone. They and the other legacy processes now register with PBX at startup. Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. If the vnetd port is unreachable, then the daemon port will be used. Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX. Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the master server.
Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections.
For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost. Internal sockets on the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.
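The default port matrix above and the 7.0.1 connection preference (PBX 1556 first, then vnetd 13724, then the daemon port) can be checked against a firewall rule set before a change window. The following is an added example, not code from Symantec or the article; it models rules as simple (source, destination, port) triples and uses constructed host names (master1, media1, client1). It reports which default flows a rule set leaves closed and predicts which port a 7.0.1+ host would fall back to, flagging the delay the article describes when 1556 is blocked.

```python
"""Audit a simplified firewall rule set against the NetBackup 6.x/7.x default
port requirements and the 7.0.1+ connection preference order.

Added example; hosts and rules below are constructed for illustration only.
"""
from itertools import permutations

PBX, VNETD, BPCD = 1556, 13724, 13782

# Ports required in the default configuration (no connect-option overrides),
# keyed by (source role, destination role). Bi-directional pairs are listed
# once per direction. Client-to-master is only needed for client-initiated
# operations, so it is kept separate as optional.
REQUIRED_PORTS = {
    ("master", "media"): (VNETD, PBX),
    ("media", "master"): (VNETD, PBX),
    ("master", "client"): (VNETD,),
    ("media", "client"): (VNETD, PBX),
    ("media", "media"): (VNETD, PBX),
}
OPTIONAL_PORTS = {
    ("client", "master"): (VNETD,),
}


def is_allowed(rules, src, dst, port):
    """True if any rule permits TCP src -> dst:port.

    A rule is a (src, dst, port) triple; the string 'any' matches every
    host or every port in that position.
    """
    return any(
        rs in ("any", src) and rd in ("any", dst) and rp in ("any", port)
        for rs, rd, rp in rules
    )


def missing_flows(rules, hosts, include_optional=False):
    """Return (src_host, dst_host, port) flows the default configuration
    needs but `rules` does not permit. `hosts` maps host name -> role."""
    table = dict(REQUIRED_PORTS)
    if include_optional:
        table.update(OPTIONAL_PORTS)
    gaps = []
    # permutations yields both orderings, so media-to-media pairs are checked
    # in each direction and a host is never paired with itself.
    for src, dst in permutations(hosts, 2):
        for port in table.get((hosts[src], hosts[dst]), ()):
            if not is_allowed(rules, src, dst, port):
                gaps.append((src, dst, port))
    return gaps


def connection_path(rules, src, dst, daemon_port=BPCD):
    """Predict the port a 7.0.1+ host will use to reach a legacy process on
    dst: PBX first, then vnetd, then the daemon port (bpcd by default).

    Returns (port_or_None, delayed). `delayed` is True whenever the PBX
    attempt cannot succeed, i.e. the connection only works after a timeout.
    """
    for port in (PBX, VNETD, daemon_port):
        if is_allowed(rules, src, dst, port):
            return port, port != PBX
    return None, True


# Constructed sample environment: one master, one media server, one client.
HOSTS = {"master1": "master", "media1": "media", "client1": "client"}
RULES = {
    ("master1", "media1", PBX), ("master1", "media1", VNETD),
    ("media1", "master1", PBX), ("media1", "master1", VNETD),
    ("master1", "client1", VNETD),
    ("media1", "client1", VNETD),  # PBX/1556 media -> client deliberately absent
}

if __name__ == "__main__":
    for gap in missing_flows(RULES, HOSTS, include_optional=True):
        print("missing: %s -> %s tcp/%d" % gap)
    for src, dst in (("master1", "media1"), ("media1", "client1")):
        port, delayed = connection_path(RULES, src, dst)
        print(src, "->", dst, "uses", port, "(delayed)" if delayed else "")
```

Running it on the constructed rules reports the missing media1 -> client1 tcp/1556 flow and shows that media1 reaches client1 only after falling back to vnetd, which is exactly the delay the article says opening 1556 outbound avoids.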
NetBackup 7.1 Considerations
NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd. These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.
The processes are also listening on TCP ports 13783 and 13722 respectively. These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and are resolved by NetBackup using those original names. Back-level hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-auth-port/4032.
NetBackup 7.5 Considerations
The Resilient Client feature requires vnetd/13724 to be open bi-directional between the media server and client hosts. This feature cannot use PBX/1556.
Network Address Translation (NAT) and Port Address Translation (PAT) Considerations
The use of NAT and PAT is not supported with NetBackup. See TECH15006 in the Related Articles section for details.