17/8/22, 1:30 Using Backup Exec with firewalls

Using Backup Exec with firewalls

In firewall environments, Backup Exec provides the following advantages:

The number of ports used for backup network connections is kept to a minimum.

Ports opened on the Backup Exec Server and systems using the Remote Agent for Windows Systems are
dynamic and offer high levels of flexibility during browsing, backup, and restore operations.

You can set specific firewall port ranges and specify backup and restore networks within these ranges to
isolate data traffic and provide high levels of reliability.

Note: The Remote Agent for Windows Systems is required to perform remote backups and restores.

Because firewalls affect system communications between a media server and remote systems that reside
outside the firewall environment, special port requirements must be considered when configuring Backup Exec
for use with firewalls.

Symantec recommends having port 10000 open and available on the Backup Exec media server as well as on
the remote systems. In addition, you must open the dynamic port ranges specified for communications
between the media server and remote agents.

When a media server makes a connection with a remote system, the initial connection will be initiated to the
well known port 10000. The Remote Agent will be listening for connections on this predefined port. The media
server side of this connection will be bound to an available port. Additional connections from the media server
to the Remote Agent will be initiated on any available port.

Communication between the media server and the Remote Agent will usually require up to 2 ports on the
remote agent side per backup operation. If you plan on supporting multiple backups and restores occurring
simultaneously, you must configure your firewall to allow a range of ports large enough to support the
maximum number of simultaneous operations desired.

Should a conflict arise, the default port of 10000 can be changed to another port number by modifying the
%systemroot%\System32\drivers\etc\services file, and changing the NDMP port to an alternate port number.
For example, if you installed Windows 2000 to its default location, from your Windows Explorer, select
C:\WINNT\System32\drivers\etc\services. Using a text editor, such as Notepad, modify your NDMP entry, or if
necessary, add an NDMP entry with the new port number. This entry should be formatted as follows:

ndmp 10000/tcp #Network Data Management Protocol

Note: If the default port is changed, it must be changed on the media server and all remote systems being
backed up through the firewall on this port.

When setting up TCP dynamic port ranges, Symantec recommends using a range of 25 allocated ports for the
remote computers. The number of dynamic ports used by remote systems can change based on the number of
devices being protected and the number of tape devices in use. You may need to increase these port ranges to
maintain the highest level of performance. Backup Exec and the firewall need to have the ranges defined (and
port 10000).

Unless you specify a range, Backup Exec uses the full range of dynamic ports available. When performing
remote backups through a firewall, you should select a specific range on the Network and Firewall defaults
dialog box.

The following tables provide more information about which ports Backup Exec for Windows Servers and its
agents and options use:

Table: Backup Exec for Windows Servers Ports

Port
Service or Process Port
Type

Backup Exec Agent Browser (process=benetns.exe) 6101 TCP

Backup Exec Remote Agent for Windows Systems 10000 TCP

(process=beremote.exe)

Backup Exec Server (process=beserver.exe) 3527, 6106 TCP

systemmanager.ru/bkupexec.en/ch07s06.htm 1/3
17/8/22, 1:30 Using Backup Exec with firewalls

Port
Service or Process Port
Type

MSSQL$BKUPEXEC (process=sqlservr.exe) 1125 TCP

1434 (ms-sql-m) UDP

Backup Exec Remote Agent for NetWare 10000 (Backup Exec 10.x), 6102 TCP
(Backup Exec 9.x)

Oracle Agent for Windows and Linux Servers Random port unless configured
otherwise

DB2 Agent for Windows and Linux Servers Random port unless configured
otherwise

Remote Agent for Linux or Unix Servers (RALUS) Default NDMP port, typically TCP
10000

Kerberos 88 UDP

NETBIOS 135 TCP,

UDP

NETBIOS Name Service 137 UDP

NETBIOS Datagram Service 138 UDP

NETBIOS Session Service 139 TCP

NETBIOS (Windows 2000) 445 TCP

DCOM/RPC 3106 TCP

Backup Exec Remote Agent 6103 TCP

Push Install - Check for conflicts in message queue for CASO 103x TCP
which is part of beserver.exe

Push Install 441 TCP

SMTP email notification 25 outbound from media server TCP

SNMP 162 outbound from media server TCP

When Backup Exec is not running operations, it listens to ports for incoming communication from other
services and agents. Backup Exec initially communicates with the Remote Agent using a static listening port to
begin an operation. The agent and the media server then use dynamic ports to pass data back and forth.

Backup Exec uses the following listening ports:

Table: Backup Exec for Windows Servers Listening Ports

Service Port Port Type

Backup Exec Agent Browser (benetns.exe) 6101 TCP

Backup Exec Remote Agent for Windows Server (beremote.exe) 10000 TCP

Backup Exec Server (beserver.exe) 3527, 6106 TCP

MSSQL$BKUPEXEC (sqlsevr.exe) 1125 TCP

1434 UDP

Backup Exec Remote Agent for NetWare 10000, 6102 TCP

Remote Agent for Linux and UNIX Servers (RALUS) 10000 TCP

DBA-initiated backups for Oracle and DB2 5633 TCP

The Backup Exec Desktop and Laptop Option (DLO) additionally uses the following ports:

Table: Backup Exec Desktop and Laptop Option Ports

Service or Process Port Port Type

Server Message Block (SMB) communication 135-139 TCP/UDP

systemmanager.ru/bkupexec.en/ch07s06.htm 2/3
17/8/22, 1:30 Using Backup Exec with firewalls

Service or Process Port Port Type

Server Message Block (SMB) communication without NETBIOS 445 TCP/UDP

SQL 1434 TCP/UDP

DLOAdminSvcu.exe (DLO admin service) 3999 in listening mode TCP/UDP

English-to-Russian translation

systemmanager.ru/bkupexec.en/ch07s06.htm 3/3