How to configure Backup Exec with Firewalls.

Article:TECH43579  |  Created: 2010-01-02  |  Updated: 2014-05-14  |  Article URL http://www.symantec.com/docs/TECH43579
Article Type
Technical Solution

Product(s)

Issue



How to configure Backup Exec with Firewalls.


Solution



Note: To check if this document describes the computer in question, download and run a health check with SymHelp.

 

In a firewall environment, ensure that port settings are configured correctly; otherwise Backup Exec may be interrupted during the following actions:

1. Browsing to remote machines through a firewall via the Backup Selections List.
2. Backing up and restoring machines through a firewall.


Browsing systems through firewall:

Because most firewalls do not allow a remote system to be displayed in the Microsoft Network Neighborhood, additional steps need to be performed to select these remote systems in the Backup Exec Administration Console.

Use "User-Defined-Selection" to view systems behind a firewall.

1. On the navigation bar, click the Backup button in the Backup Exec interface.
2. Right-click the User-Defined Selection folder.
3. In "Define a selection", in the Name field, after the \\, type the name or IP address of the remote system, click Add, then click Close.

Backing up systems through a firewall/TCP filtered environment:

Because firewalls affect communication between a media server and remote systems outside the firewall environment, special port requirements must be considered when configuring Backup Exec for use with firewalls. If you are using Symantec Endpoint Protection as the firewall, you can also free any 25 random ports from the console.

Which ports need to be opened on the firewall:

PORT NUMBER                          TYPE OF CONNECTION
10000                                CONTROL
1025-65535 (Default Dynamic Ports)   DATA


Note: A dynamic port is a port that is not permanently assigned to any specific protocol. Dynamic ports are intended for temporary use.
A minimum of two ports is required per backup job through a firewall. If backups will run at the same time through the firewall, more ports will need to be opened.

Note: It is recommended to keep a range of ports open instead of just one, because a dynamic port can be taken by other applications. Therefore, keep at least 25 ports open for the remote system so that there is a pool of ports available to all applications that need them. For example:

A Control connection is always established on TCP Port 10000 between the media server and remote machine. 

Advertising is done on port 6101 from the remote server to the Backup Exec server.

Data connections for the backup are done on ports within the Dynamic Port Range. 

Recommended port considerations for a firewall/TCP filtered environment:

When performing remote backups through a firewall, select a specific range in the Network & Firewall defaults dialog box in the Backup Exec console. Open the same range on your Firewall/PORT
The dynamic and/or private ports are those from 1025 through 65535.
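
One way to express the port plan above as Windows Firewall rules that accept traffic only from the peer host (an added example, not from the article; the two addresses, the start of the data range, the rule names and the use of Windows Firewall on both hosts are assumptions):

```powershell
# Added example. Run from an elevated PowerShell session.
# Constructed placeholders (not from the article): both addresses and the
# start of the data range. Use the range selected under Network & Firewall
# defaults in the Backup Exec console.
$Role        = 'Remote'       # 'Remote' = machine being backed up, 'Media' = Backup Exec server
$MediaServer = '192.0.2.10'   # placeholder address of the media server
$RemoteHost  = '192.0.2.20'   # placeholder address of the remote system
$DataFirst   = 50000          # constructed start of the data port range
$DataLast    = $DataFirst + 24   # 25 ports, the minimum pool the article recommends

# The article places dynamic ports between 1025 and 65535.
if ($DataFirst -lt 1025 -or $DataLast -gt 65535) {
    throw "Data range $DataFirst-$DataLast is outside 1025-65535."
}
# Added precaution: keep the range clear of the fixed ports the article lists.
$Clash = 10000, 6101, 10082, 10085, 10102 |
    Where-Object { $_ -ge $DataFirst -and $_ -le $DataLast }
if ($Clash) { throw "Data range overlaps fixed port(s): $($Clash -join ', ')" }

if ($Role -eq 'Remote') {
    # Control connection: TCP 10000, accepted only from the media server.
    New-NetFirewallRule -DisplayName 'Backup Exec control (TCP 10000)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 10000 `
        -RemoteAddress $MediaServer
    # Data connections: the selected range only, and only from the media server.
    # Assumption: data connections arrive inbound on the remote system.
    New-NetFirewallRule -DisplayName "Backup Exec data (TCP $DataFirst-$DataLast)" `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort "$DataFirst-$DataLast" -RemoteAddress $MediaServer
}
else {
    # Advertising: port 6101 from the remote server to the Backup Exec server.
    # Assumption: TCP; the article does not state the protocol.
    New-NetFirewallRule -DisplayName 'Backup Exec advertising (TCP 6101)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 6101 `
        -RemoteAddress $RemoteHost
}

# Review the ports the new rules actually expose.
Get-NetFirewallRule -DisplayName 'Backup Exec*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Set $Role to 'Media' when running it on the Backup Exec server, and open the same data range on any intermediate firewall.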

  • For the Deduplication Storage option, the following UDP and TCP ports are required:

    10082   The Deduplication Engine (spoold). Open this port between the hosts that deduplicate data.
    10085   The deduplication database (postgres).
    10102   The Deduplication Manager (spad).

Firewall Settings for the Remote Administrator (running on Windows 2008 R2)

To detect and manage the Backup Exec services for a remote Backup Exec server running Windows 2012 R2 from the Remote Administrator running on a Windows 2008 R2 computer, enable the following firewall inbound rules on the remote Backup Exec server:

- Remote Service Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-In)


Supplemental Materials

Source: UMI
Value: V-370-59792-00041
Description: BE_ST Report - "Are Backup Exec network ports configured correctly?"




Legacy ID: 278944

