NetBackup 6.x and 7.x firewall port requirements

Article:TECH136090  |  Created: 2010-01-17  |  Updated: 2014-12-09  |  Article URL http://www.symantec.com/docs/TECH136090
Article Type
Technical Solution

Product(s)

Issue



Which TCP ports must be open through a firewall for NetBackup (NBU) 6.x and 7.x hosts to communicate with each other?

This does not include port requirements for communication with NetBackup 5.x hosts, remote EMM Server, or other legacy processes.  Those details are covered in the
NetBackup (tm) 6.0 Port Usage Guide for Windows and UNIX Platforms and the NetBackup 7.0.1 Security and Encryption Guide, see the Related Articles.


Cause



The main changes in NetBackup 6.0 are the introduction of PBX to support CORBA connections and vnetd forwarding sockets. 

  • PBX listens on port 1556 for inbound CORBA connections to the new processes which are multi-threaded, much like vnetd does for the single-threaded legacy processes.  Thus all of the new process can be reached via port 1556 and each new process does not need to listen on a unique port. 
  • The vnetd forwarding sockets replace the prior callback mechanism used to open additional sockets to bpcd and other legacy client processes.  The forwarding socket, like the service socket, is opened from the server host to the client host, thus removing the need to accept TCP SYN packets inbound from NetBackup clients if only server-initiated standard backup and restore operations are performed.

    By default, there isn't a client connect back so that outbound port is the only requirement. However, if the Client Attributes have been modified to disable vnetd, then the Server Port Window and/or Server Reserved Port Window may need to be open inbound from the client host to the server host(s) for callback connections from bpcd and other client processes.

If the security policy allows TCP SYN requests inbound, open the vnetd port bi-directionally. That way the configuration will not need to be modified when/if the site utilizes client initiated NetBackup features that initiate connections from the client hosts to the master server.  E.g.

  • user-directed standard backup/list/restore operations
  • stream-based database (DataSore/DB2/Informix/Oracle/SAP/SQL-Server/Sybase/Teradata/XBSA) application backup/restore operations.  These types of client-initiated operations require that the client host connect to the master server to queue requests.
  • SAN Client operations

For server to server communications, the TCP port for PBX (1556) must be opened bi-directionally along with the TCP port for vnetd (13724).  If Firewall connect options are configured on the master server for the media server(s), then the Server Port Window and/or Server Reserved Port Window may need to be open inbound from the media server host(s) to the master server host for callback connections and TCP port 13782 for bpcd may need to be open outbound from the master server to the media server host(s) for daemon connections.  If Firewall connect options are configured on the media server for the master or other media servers, then the daemon ports (bpdbm, bpjobd, robotic control, etc ) may need to be open from those hosts to the master server.



Solution



The TCP port requirements for the default configuration; without overriding connect options in the Client Attributes (bpclient), or Firewall (CONNECT_OPTIONS) settings, or separate master and EMM servers, or legacy security considerations are as follows: 

  • Master server to/from media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.
  • Master server to client requires the TCP ports for PBX/1556 and vnetd/13724 if the clients perform client-directed operations;  user backup/restore, user archive, or application backup/restore.
     
  • Media server to client requires the TCP port for vnetd/13724 and PBX/1556.
  • Media server to media server requires the TCP port for vnetd/13724 and PBX/1556, bi-directional.
     
  • Client to master server requires the TCP ports for PBX/1556 and vnetd/13724 for client-initiated (user or application), but not server-initiated, operations.
  • Client to master server requires TCP ports for PBX/1556 and vnetd/13724 for Client Direct restores (new in 7.6). 
     
  • SAN Client to/from master/media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional. 
     
  • Java/Windows admin consoles to master and media servers requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.  
     
  • To backup and restore VMWare:

    Backup host to vCenter requires TCP port 443.

    If using query builder (VIP), master server to vCenter requires TCP port 443.

    If using the nbd transport type, backup host to ESX host requires TCP port 902.
     
  • To backup and restore SharePoint:

    Front End to/from SQL client hosts requires the TCP ports for vnetd/13724 and PBX/1556, bi-directional.

    Front End to/from SQL client hosts also use the "remote registry service" which requires TCP ports 135, 137, 138, 139 and 445.
    See Microsoft article: http://msdn.microsoft.com/en-us/library/cc288143.aspx 
     
     
  • If using Granular Restore Technology (GRT):

    Clients need to connect to the media server on portmap/111 and nbfsd/7394.
     
  • If using OpsCenter:

    Web browsers require TCP ports http/80 and https/443 to the OpsCenter Web GUI with either 8181 and 8443 or 8282 and 8553 used as alternates.

    Custom report generators require TCP port 13786 to the OpsCenter Server.

    OpsCenter Server also uses UDP port 162 outbound for SNMP trap protocol.
     
  • To backup and restore NDMP filers:

    Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.

    The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP. 
     
  • If using VxSS with NetBackup Access Control (NBAC):

    Master servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server. 

    Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server. 

    Clients require the TCP port vrts-at-port/2821 to the VxSS server.

    Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
       
  • If using the OpenStorage plug-in by DataDomain:

    Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port on the target DataDomain array.

    For optimized duplication access to TCP port 2051 is also required.

        
  • If using Optimized Duplication (including Automatic Image Replication):

    For MSDP-to-MSDP, the source storage server needs access to spad/10102 and spoold/10082 on the destination server.

    For MSDP-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.

    For PDDO-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
     
  • For Automatic Image Replication (AIR)

    In addition to the ports for Optimized Duplication, also open the TCP port for PBX/1556 between the master servers.
     
  • For NetBackup 5xxx Appliances:

    Open ssh/22, http/80, and https/443 inbound for in-band administration.

    Open http/80 and https/443 inbound to the Intelligent Platform Management Interface (IPMI) for out-of-band administration.

    Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CDROM redirection from NetBackup Integrated Storage Manager (5020/5200 appliances).  
                   Port 623 will also be used if open.

    Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30 appliances).

    Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30 appliances).

    Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection (5220/5x30 appliances).

    Open https/443 outbound to the Symantec Call Home server for proactive hardware monitoring and messaging.

    Open https/443 outbound to the Symantec Critical System Protection (SCSP) server to download SCSP certificates.

    Open snmp/162 outbound to the SNMP server for SNMP traps and alerts.

    Open 11111 between PureDisk appliances for multi-node topology discovery.

NetBackup 7.0.1 Considerations

The bpcd and vnetd processes now run standalone.  They and the other legacy processes now register with PBX at startup.  Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556.  If the PBX port is unreachable, then the vnetd port will be used.  If the vnetd port is unreachable, then the daemon port will be used.  Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX.  Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the master server. 

Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections. 

For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost.  Internal sockets on the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.

NetBackup 7.1 Considerations

NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd.  These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.

The processes are also listening on TCP ports 13783 and 13722 respectively.  These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and resolved by NetBackup using those original names.  Back level hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-at-auth/4032.

Snapshot backups may experience a small delay during snapshot deletion if port 1556 is not open from the client to the master server.


NetBackup 7.5 Considerations

The Resilient Client feature requires vnetd/13724 to be open bi-directional between the media server and client hosts.  If utilizing client-directed operations, then vnetd/13724 must be open bi-directional between the client and the master server.  This feature cannot use PBX/1556.

Snapshot backups may experience delays before and after the data transfer if port 1556 is not open from the client to the master server.


NetBackup 7.6 Considerations

The Client Direct restore feature requires the TCP ports for PBX/1556 and vnetd/13724 to be open from the client to the master server for the file list port connection; regardless of whether the restore is server or client initiated.


Network Address Translation (NAT) and Port Address Translation (PAT) Considerations

The use of NAT and PAT is not supported with NetBackup.  See TECH15006 in the Related Articles section for details.

 


Supplemental Materials

SourceETrack
Value3332635
Description

(primary) Delays during snapshot backup if port 1556 is not open from client to master server.



Legacy ID



355736


Article URL http://www.symantec.com/docs/TECH136090


Terms of use for this information are found in Legal Notices