How to configure Backup Exec with Firewalls.
Article: TECH43579 | Created: 2010-01-02 | Updated: 2013-04-02 | Article URL: http://www.symantec.com/docs/TECH43579
Note: To check whether this document describes the computer in question, download and run a health check with SymHelp.
In a firewall environment, make sure the port settings are configured correctly; otherwise Backup Exec may be interrupted during the following actions:
1. Browsing to remote machines through a firewall via the Backup Selections list.
2. Backing up and restoring machines through a firewall.
Browsing systems through a firewall:
Because most firewalls do not allow a remote system to be displayed in the Microsoft Network Neighborhood, additional steps are needed to select these remote systems in the Backup Exec Administration Console.
Use "User-Defined Selection" to view systems behind a firewall.
1. On the navigation bar, click the Backup button in the Backup Exec interface.
2. Right-click the User-Defined Selection folder.
3. In the "Define a selection" dialog, in the Name field, after the \\, type the name or IP address of the remote system, click Add, then Close.
Backing up systems through a firewall or TCP-filtered environment:
Because firewalls affect communication between a media server and remote systems outside the firewall, special port requirements must be considered when configuring Backup Exec for use with firewalls. If Symantec Endpoint Protection provides the firewall, you can also free any 25 ports from its console.
Which ports need to be opened on the firewall:
PORT NUMBER                              TYPE OF CONNECTION
49152 onwards (example: dynamic ports)   DATA
Note: A dynamic port is a port that is not permanently bound to any connection (once the backup is complete, the port is released).
A minimum of two ports is required per backup job through a firewall. If several backups run at the same time through the firewall, more ports need to be opened.
Note: It is recommended to keep a range of ports open instead of just one, because a dynamic port can be taken by another application and cause data connection issues. Therefore keep at least 25 ports open for the remote system. For example:
NUMBER OF SIMULTANEOUS BACKUPS   NUMBER OF PORTS REQUIRED FOR DATA
The example lists only five ports, but make sure at least 10-25 ports are opened on the remote system's firewall/TCP filters.
A control connection is always established on TCP port 10000 between the media server and the remote machine. Once that connection is established, port 10000 is free to listen for another connection from the media server, but each subsequent backup job needs an additional data port, because the data port used by the first job is still engaged.
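The sizing rule above (TCP 10000 for control, at least two dynamic data ports per concurrent job, a floor of 25 open ports, all taken from the IANA dynamic range) can be turned into a small planning script. The following is an added example, not part of the Symantec article or of Backup Exec; the function and dataclass names are assumptions of this example, and the output is a list of allow rules to hand to whoever manages the firewall, with the same range entered in the Backup Exec Network & Firewall options.

```python
"""Capacity planning for Backup Exec data ports through a firewall.

Added example; it is not part of the Symantec article or of Backup Exec.
It applies the article's rules: a control connection on TCP 10000, a
minimum of two dynamic data ports per concurrent backup job, and a
recommended floor of 25 open ports, carved from the IANA dynamic range.
"""
from dataclasses import dataclass
from typing import List, Tuple

CONTROL_PORT = 10000             # article: control connection always on TCP 10000
PORTS_PER_JOB = 2                # article: minimum two ports per backup job
RECOMMENDED_MIN_DATA_PORTS = 25  # article: keep at least 25 ports open
IANA_DYNAMIC_START = 49152       # article: dynamic/private ports start here
MAX_PORT = 65535


@dataclass(frozen=True)
class FirewallPlan:
    control_port: int
    simultaneous_backups: int
    data_ports_required: int         # strict minimum for the job count
    data_range: Tuple[int, int]      # inclusive range to open on the firewall

    @property
    def data_range_size(self) -> int:
        lo, hi = self.data_range
        return hi - lo + 1


def data_ports_required(simultaneous_backups: int) -> int:
    """Minimum number of data ports for N backup jobs running at once."""
    if simultaneous_backups < 1:
        raise ValueError("simultaneous_backups must be at least 1")
    return simultaneous_backups * PORTS_PER_JOB


def plan_firewall_ports(simultaneous_backups: int,
                        range_start: int = IANA_DYNAMIC_START,
                        min_data_ports: int = RECOMMENDED_MIN_DATA_PORTS) -> FirewallPlan:
    """Pick a contiguous data port range: the larger of the strict minimum
    and the recommended floor, starting at range_start."""
    required = data_ports_required(simultaneous_backups)
    size = max(required, min_data_ports)
    range_end = range_start + size - 1
    if range_end > MAX_PORT:
        raise ValueError(f"{size} ports starting at {range_start} exceed port {MAX_PORT}")
    return FirewallPlan(CONTROL_PORT, simultaneous_backups, required, (range_start, range_end))


def firewall_rules(plan: FirewallPlan) -> List[str]:
    """Human-readable allow rules; the data range is the value to enter as the
    Backup Exec remote agent TCP dynamic port range as well."""
    lo, hi = plan.data_range
    return [
        f"allow TCP {plan.control_port} (Backup Exec control connection)",
        f"allow TCP {lo}-{hi} (Backup Exec data connections, {plan.data_range_size} ports "
        f"for {plan.simultaneous_backups} simultaneous jobs)",
    ]


if __name__ == "__main__":
    for rule in firewall_rules(plan_firewall_ports(simultaneous_backups=5)):
        print(rule)
```

For five simultaneous jobs the strict minimum is ten data ports, so the recommended floor of 25 wins and the plan opens 49152-49176; only above twelve concurrent jobs does the job count itself drive the range size.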
Recommended port considerations for a firewall/TCP-filtered environment:
When performing remote backups through a firewall, select a specific range in the Network & Firewall defaults dialog box in the Backup Exec console and open exactly that range on the firewall/TCP filtering, as shown in the figure below.
Note: According to IANA (Internet Assigned Numbers Authority), many ports that are assumed to be dynamic and free are not: the IANA port list shows that most ports are either well-known ports or registered ports. If the ports specified in the Backup Exec console (under Network & Firewall) do not follow this allocation, the connection is rejected or refused by the remote server.
IANA information:
The port numbers are divided into three ranges:
1. The Well Known Ports.
2. The Registered Ports.
3. The Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Dynamic and/or Private Ports are those from 49152 through 65535 (search for unassigned ports).
Ports between 1024 and 49151 are registered; therefore, even when this range is specified in Backup Exec (under Tools > Options > Network & Firewall) and a matching range is opened on the remote server, the firewall/TCP filtering may not allow the backup and may "refuse to communicate", as seen in the following SGMON log error:
Error Traced in SGMON:
bengine:  09/12/05 11:53:47 TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 126.96.36.199:3189,
system error message: "No connection could be made because the target machine actively refused it".
This is an example of ports that have been blocked by the TCP filtering/firewall; port 10000, used for the control connection, is usually the only port opened by the network administrator(s).
Specify the largest free (unassigned dynamic port) range available according to the IANA information (the maximum range available is 5204-5221, which is 17 ports). Either open all 17 ports or assign just 10 of them. Refer to the IANA website to allocate an alternate range.
Specify the range as shown in the figure below, under the option "Enable Remote Agent TCP dynamic port range":
If no port range is specified, Backup Exec attempts to use the full range of available dynamic ports, and backups or restores may fail in a firewalled or TCP-filtered domain environment as a result.
The Deduplication Storage Option additionally requires UDP and TCP ports for the following services:
- The Deduplication Engine (spoold). Open its port between the hosts that deduplicate data.
- The deduplication database (postgres).
- The Deduplication Manager (spad).
BE_ST Report - "Are Backup Exec network ports configured correctly?"