Backup Exec System Recovery (BESR) or Symantec Livestate Recovery (LSR) agent does not properly communicate with the console when a client side firewall is enabled

Article:TECH53249  |  Created: 2009-01-01  |  Updated: 2013-10-24  |  Article URL http://www.symantec.com/docs/TECH53249
Article Type
Technical Solution

Issue



Backup Exec System Recovery (BESR) or Symantec Livestate Recovery (LSR) agent does not properly communicate with the console when a client side firewall is enabled


Solution



When the built-in Microsoft Windows Firewall or another client-side software firewall is in use, application exceptions must be created or modified before a Backup Exec System Recovery (BESR) or Symantec Livestate Recovery (LSR) Agent can communicate properly with the console.
 
Follow the steps outlined in each section on the client/agent system that has trouble connecting or reconnecting to the console.
Section 1: Creating Application firewall exceptions 
1. Open the Windows Control Panel and double-click the Windows Firewall icon, or launch the user interface of the local client-side software firewall.
2. On the General tab of the Windows Firewall pop-up screen, make sure that the 'Don't allow exceptions' check box is unchecked.
3. Click on the Exceptions tab. 
4. Check within the list of exceptions in the Programs and Services field if one or both of the following executables are listed: 
VProSvc.exe 
VProTray.exe 
5. If one or both of the executables from step 4 are listed, perform one of the choices below. If neither executable is listed, skip to step #6.
Choice #1 - Delete the executables listed and add new ones: Choose this option if you do not plan to install an earlier version of Livestate Recovery AND want to minimize the number of exceptions to the firewall.
a. Single left-click one of the executables shown in the list from step 4.
b. Click the Delete button.
c. Repeat steps a through b for the remaining items listed from step 4. When finished, go to step d.
d. Skip to Step #6
 
Choice #2 - Modify the executables listed to correct settings: Perform this procedure if the required permissions are now available to create new exceptions or delete exceptions that have already been made. 
a. Single left-click one of the executables shown in the list from step 4.
b. Click the Edit button.
c. Change the path to the executable to: C:\Program Files\Symantec\Backup Exec System Recovery\Agent\
d. Repeat steps a through b for the remaining items listed from step 4. When finished, go to step e.
e. Skip to Step #10
 
Choice #3 - Add additional executables to the list: Choose this option if you plan to install, or have already installed, an earlier version of Livestate Recovery on this system AND there is no need to minimize the number of exceptions to the firewall AND you have permission to create new exceptions.
a. Skip to Step #6
 
6. Click the Add Program button. In the window that appears, click the Browse button.
7. Fill in the Filename field with the following path and filename value and click the Open button:
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
8. Fill in the Filename field with the following path and filename value and click the Open button:
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
9. Click OK
 
NOTE: Click the change scope button to narrow down the range of IP addresses capable of accessing this application/service for greater security. Please review the following Microsoft Article for more details: 
 
How to Configure Windows Firewall on a Single Computer
 
10. Repeat steps 6 through 9 for the following filename and path: 
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe 
11. Reboot. Try to connect to the modified agent. If a connection still cannot be made, follow the steps outlined in the section titled 'Create restrictions for DCOM' below.
 
NOTE: Reboot for these changes to take effect or Windows will not allow the RPC Service to start.
 
Network administrators:
 
Below is an example batch script that will delete any previous Microsoft Windows firewall application exceptions for default installs of Symantec Livestate Recovery version 6.x. In their place this batch will create simple application exceptions for the Vprosvc.exe and Vprotray.exe applications. To change the scope - to specify the set of computers for which this program is unblocked - consult the documentation on the netsh command.
 
Netsh firewall add allowedprogram "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe" VProTray.exe ENABLE
Netsh firewall add allowedprogram "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe" VProSvc.exe ENABLE
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Desktop 6.0\Agent\VProSvc.exe"
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Standard Server 6.0\Agent\VProSvc.exe"
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Advanced Server 6.0\Agent\VProSvc.exe"
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Desktop 6.0\Agent\VProTray.exe"
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Standard Server 6.0\Agent\VProTray.exe"
Netsh firewall delete allowedprogram "c:\program files\symantec\liveState Recovery\Advanced Server 6.0\Agent\VProTray.exe"
  
Create restrictions for DCOM
 
By default, DCOM is free to use any port between 1024 and 65535 when it dynamically selects a port for an application like Backup Exec System Recovery (BESR). Reduce this range by creating registry keys on the computer that hosts the DCOM service; the firewall router can then be configured to forward only these TCP ports. Open up a range of ports above port 5000. Port numbers below port 5000 may already be in use by other applications and can cause conflicts with DCOM applications. At least 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
  
To allow management of BESR agents behind a firewall, restrict DCOM to using a manageable range of dynamic ports and then create an explicit firewall rule to open those ports.
  
NOTE: The BESR console must be able to reach the server by its actual IP address. DCOM cannot be used through firewalls that do address translation. For more information, read the Microsoft article PRB: DCOM Does Not Work over Network Address Translation-Based Firewall
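
As an added example (not part of the Symantec article), the batch script below applies the DCOM restriction described above and the scope narrowing recommended in the earlier notes, using the same legacy netsh firewall context as the article's script. The console address 192.0.2.10, the range 5001-5100 and the rule names are assumptions to replace with real values; the registry values are the standard Windows RPC "Internet" settings, and TCP 135 is opened because DCOM clients first contact the RPC endpoint mapper on that port.

```batch
@echo off
rem Added example, not Symantec's script.
rem CONSOLE_IP and the port range are assumptions: substitute the real
rem BESR console address and the range agreed with the firewall team.
setlocal
set CONSOLE_IP=192.0.2.10
set FIRST_PORT=5001
set LAST_PORT=5100
set AGENT_DIR=C:\Program Files\Symantec\Backup Exec System Recovery\Agent
set RPC_KEY=HKLM\SOFTWARE\Microsoft\Rpc\Internet

rem 1. Restrict the dynamic ports RPC/DCOM may select (100 ports above 5000).
reg add "%RPC_KEY%" /v Ports /t REG_MULTI_SZ /d %FIRST_PORT%-%LAST_PORT% /f || goto :fail
reg add "%RPC_KEY%" /v PortsInternetAvailable /t REG_SZ /d Y /f || goto :fail
reg add "%RPC_KEY%" /v UseInternetPorts /t REG_SZ /d Y /f || goto :fail

rem 2. Agent program exceptions, limited to the console address instead of
rem    the default scope of any computer.
netsh firewall add allowedprogram program="%AGENT_DIR%\VProSvc.exe" name=VProSvc.exe mode=ENABLE scope=CUSTOM addresses=%CONSOLE_IP% || goto :fail
netsh firewall add allowedprogram program="%AGENT_DIR%\VProTray.exe" name=VProTray.exe mode=ENABLE scope=CUSTOM addresses=%CONSOLE_IP% || goto :fail

rem 3. RPC endpoint mapper, which tells the console which dynamic port to use.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper" mode=ENABLE scope=CUSTOM addresses=%CONSOLE_IP% || goto :fail

rem 4. One port opening per port in the restricted range, same scope.
for /L %%P in (%FIRST_PORT%,1,%LAST_PORT%) do (
    netsh firewall add portopening protocol=TCP port=%%P name="DCOM %%P" mode=ENABLE scope=CUSTOM addresses=%CONSOLE_IP% >nul || goto :fail
)

echo DCOM limited to TCP %FIRST_PORT%-%LAST_PORT%, reachable from %CONSOLE_IP% only.
echo Reboot so the RPC service picks up the new port range.
exit /b 0

:fail
echo A command failed; review the registry key and firewall rules before rebooting.
exit /b 1
```

Run it from an administrator command prompt on the agent system, then forward the same TCP range on the firewall router.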



Legacy ID



290775

