This is a Firewall Configuration Example with NetBackup Clients Outside the Firewall.

Article:TECH15008  |  Created: 2001-01-23  |  Updated: 2013-10-24  |  Article URL
Article Type
Technical Solution



This is a Firewall Configuration Example with NetBackup Clients Outside the Firewall.


VERITAS provides this documentation for customers who wish to configure NetBackup to use TCP/IP port ranges other than the default port ranges for use where a firewall is involved.  Although information is provided to assist in creating the appropriate firewall rules, the designing, testing and  implementation of a firewall solution is the customer's responsibility.  If  problems are encountered where a firewall is involved, VERITAS will assist  in identifying whether or not the firewall is the point of failure.

After choosing the port ranges desired for use by NetBackup, both the firewall and NetBackup must be configured to use those port ranges.  The following examples are based on having chosen to use a server reserved port window of ports 800-899, a client reserved port window of ports 900-999, a server port window of ports 4800-4899, and a client port window of ports 4900-4999.

Configure the firewall to allow TCP/IP network connections as follows.  In these example rules, "Master" refers to not only the NetBackup Master server, but also any NetBackup Media servers located inside the firewall which will be used to backup clients outside the firewall.

SourcePortsData FlowDestinationPorts
Client900-999, 4900-4999---->Master800-899, 4800-4899, 13720-13721
Master900-999, 4900-4999---->Client13782-13783

Configure the bp.conf files as follows.  The bp.conf files on the Master, Media server, and clients will share the same settings, except for CLIENT_NAME which is of course specific to each particular machine.

SERVER = master
SERVER = media
CLIENT_NAME = <insert name of host where this bp.conf is located>

For Windows NT/2000 machines, all configuration is normally done via the NT NetBackup Configuration GUI, but the NT GUI will not be able to configure clients outside the firewall if the firewall blocks the Windows NT functions used for remote registry changes.  Instead, "regedit" or "regedt32" must be used on each Windows NT/2000 client that cannot be configured using the NT NetBackup Configuration GUI.  Launch "regedit" or "regedt32" on the Windows NT/2000 client and go to [HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config]. Make changes to CLIENT_RESERVED_PORT_WINDOW, CLIENT_PORT_WINDOW, and ALLOW_NON_RESERVED_PORTS as necessary.

The CLIENT_PORT_WINDOW and CLIENT_RESERVED_PORT_WINDOW settings define port ranges used to originate connections to NetBackup on other computers. These settings apply to both servers and clients.  By default, CLIENT_PORT_WINDOW is chosen by the operating system, and CLIENT_RESERVED_PORT_WINDOW is set to ports 512 through 1023.  See pages 330-331 in the "NetBackup DataCenter System Administrator's Guide for Unix, version 3.4" for more information.

The SERVER_PORT_WINDOW and SERVER_RESERVED_PORT_WINDOW settings define port ranges used for accepting connections from NetBackup on other computers.  An example is where the server chooses the port on which it will listen for the connection coming back from the client.  The server connects to the client's bpcd service and tells the client to connect back to the server on the chosen port.  By default, SERVER_PORT_WINDOW is set to ports 1025 through 5000, and SERVER_RESERVED_PORT_WINDOW is set to ports 512 through 1023.  See page 342 in the "NetBackup DataCenter System Administrator's Guide for Unix, version 3.4" for more information.

Be sure to specify "reserved" ports less than 1024 for the SERVER_RESERVED_PORT_WINDOW and CLIENT_RESERVED_PORT_WINDOW  settings, and be sure to specify "non reserved" ports greater than 1024 for the SERVER_PORT_WINDOW and CLIENT_PORT_WINDOW settings.

By default, the NetBackup client daemon (bpcd) only allows incoming connections from reserved ports (ports below 1024).  By adding ALLOW_NON_RESERVED_PORTS to bp.conf, bpcd will accept connections from non-reserved ports (ports above 1024).  This is useful if a security policy discourages allowing ports below 1024 through the firewall.  To have NetBackup use a non-reserved port to originate all connections to the client, execute the following commands as root on the Master:

   cd /usr/openv/netbackup/bin/admincmd
   ./bpclient -client clientname -add -connect_nr_port 1

Substitute the client's name in place of "clientname".  Repeat this command for each client outside the firewall.  See page 344 in the "NetBackup DataCenter System Administrator's Guide for Unix 3.4" for more information.

The server and client port window settings should all be present in the bp.conf files of each of the NetBackup servers and clients.  Note that all servers and clients must have the same port window settings, regardless of where a particular machine is located on the network with regard to the firewall.

When choosing the size of the port ranges, keep in mind that the chosen range limits the number of ports available for all NetBackup uses, not merely the clients on the other side of the firewall.  Each backup needs one port for the initial connection, plus two ports for each data stream. For example, a backup with three data streams uses seven ports (1 + 2*3 = 7).  Email notifications and logs being updated on remote hosts also use ports.  Add together the number of ports needed for backups on each of the clients, plus more ports for any restores that may be running, plus about 50 more ports for various internal NetBackup server communications to get an estimate of how many total ports should be specified in the port ranges. If problems result, such as Status 46 errors for no apparent reason, increase the number of ports open through the firewall and update the bp.conf files to reflect the larger port ranges.

If use of the Java GUI is desired outside the firewall, port 13722 must also be open.  However, it is not a good idea to allow an administrative GUI to be used on a client that is inherently not trusted since it is on the other side of a firewall.  If an administrative GUI will be used across a firewall, there should be at least 200 ports in the ranges specified, due to the large number of network connections used by the admin GUI.  If an insufficient number of ports is available, the GUI will exhibit strange problems when no more ports are available for use.

By default, NetBackup 3.4 chooses ports randomly from within the specified port ranges.  To choose ports sequentially working downward from the top of the range (NetBackup 3.2 behavior), add "RANDOM_PORTS = NO" to all bp.conf files.

The NetBackup 3.4 Global Data Manager (GDM) manual includes a chapter on firewall configuration.  See the "Related Documents" section of this TechNote for links to more information.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices