Backup Exec (tm) 9.x for Windows Servers offers greater flexibility in defining
which ports are used for backups, so backing up secured networks through
firewalls is much simpler. In Backup Exec 9.x, the dynamic ports on which
browsing, backups, and restores occur can be defined.

To define what ports Backup Exec 9.x will use, click Tools | Options | Network.
From here, the following options can be enabled: Enable media server TCP
dynamic port range and Enable remote agent TCP dynamic port range. In addition
to these ports, Backup Exec 9.0 for Windows Servers uses the standard Network
Data Management Protocol (NDMP) port, which is 10,000, for its initial
communication to each remote agent. This port can be changed if it conflicts
with existing applications in the environment, but that is not recommended. For
more information on how to perform this operation, see the Related Documents
section of this TechNote.

The option Enable media server TCP dynamic port range means that these ports
are what the Backup Exec media server will use to communicate with each Backup
Exec Remote Agent for Windows Servers (the Backup Exec job engine binds to
these ports).

The option Enable remote agent TCP dynamic port range means that these ports
are what the Backup Exec Remote Agent for Windows Servers will use to
communicate with the Backup Exec media server (the Backup Exec Remote Agent for
Windows Servers binds to these ports).

When specifying these ports, it is not recommended that they overlap, and there
should be two ports opened per resource in the backup/restore job. A resource
is considered a drive, an information store, a SQL server, and so on. The C
drive, D drive, Exchange 2000 Information Store, SQL Server, and System State
would be considered five resources.

The number of ports varies, and it is recommended that two ports be opened per
resource. One port should be opened for the media server, and one port for the
remote server.

Note: If the ports that are specified are in use by another application, the
resource that is being backed up will be skipped in the backup set, as the
resource does not bind to another port. The backup job will fail with the
error:

Communication Failure has occurred between the Job Engine and Remote Agent.

When communication takes place between the Backup Exec media server and the
Remote Agent for Windows Servers during a backup operation or restore
operation, a control connection is first established. The media server first
attempts to connect to the remote server via the NDMP port. The remote server
will then respond back to the media server with a port specified in the Enable
media server TCP dynamic port range option. The control connection is
responsible for any traffic that is not related to the data stream (what
resources to back up, credentials to log in to the resources, selection lists).

Once the control connection has been established, a second connection is then
established between the remote server and the media server. This is called the
data connection. If there are multiple resources being backed up, then there
will be multiple data connections, one for each resource. The media server
first binds itself to a port specified in the Enable media server TCP dynamic
port range option. It will then attempt to attach to the remote server using a
port specified in the Enable remote agent TCP dynamic port range option. Once
this connection is established, data will be sent over it for the
backup/restore operation.

After each session is finished, the ports are left open for sixty seconds,
making sure there is no activity on them.
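
The note above says a resource is skipped when a configured port is already held by another application. The following is an added example, not part of the TechNote or of Backup Exec: it tests which ports in a candidate range can be bound on a host and finds a run of consecutive free ports. The function names, the loopback address and the port numbers are assumptions, and the result is only a point-in-time check.

```python
import socket


def ports_in_use(host, low, high):
    """Ports in low..high that cannot be bound on host at this moment."""
    busy = []
    for port in range(low, high + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            try:
                probe.bind((host, port))  # no SO_REUSEADDR: a held port fails
            except OSError:
                busy.append(port)
    return busy


def first_free_window(host, low, high, count):
    """First (start, end) run of `count` consecutive bindable ports, or None."""
    busy = set(ports_in_use(host, low, high))
    run_start = None
    for port in range(low, high + 1):
        if port in busy:
            run_start = None
            continue
        if run_start is None:
            run_start = port
        if port - run_start + 1 == count:
            return (run_start, port)
    return None


def demo():
    """Constructed scenario: another application already holds one port."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # let the OS pick a free port to occupy
    holder.listen(1)
    held = holder.getsockname()[1]
    try:
        return held, ports_in_use("127.0.0.1", held, held)
    finally:
        holder.close()


if __name__ == "__main__":
    held, busy = demo()
    print(f"port {held} held by another socket -> reported busy: {busy}")
    # Hypothetical candidate range for the remote agent option, five resources.
    print(first_free_window("127.0.0.1", 20010, 20019, 5))
```
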

An example of how Backup Exec communication takes place is given below. It uses
the default ports of 1025-65535 (Figure 1).

Figure 1

1. When browsing, backing up, or restoring data to/from a remote server, an
   initial control session is established from the media server to the remote
   server over the specified port for NDMP (by default this is port 10,000).
   Part of this packet is information as to which port the Backup Exec job
   engine is bound to, so that the control session can be completed.
2. The remote server sends back a packet acknowledging the job engine's control
   session to this port (port 1025 in Figure 1).
3. The job engine then communicates over the control session with information
   as to what port the remote agent should be listening on so as to begin the
   data transfer (port 1026 in Figure 1).
4. The job engine binds to the next available port (port 1027 in the diagram),
   and sends a request to the remote agent on the port defined for data
   transmission, stating that the job engine is ready to receive data.
5. The remote agent responds back by sending data to the job engine to be
   placed onto the tape.

What ports should be opened on a Firewall?

When backing up a server through a firewall with Backup Exec 9.x, there are
several ports that need to be opened on the firewall.

First, the NDMP port (port 10000 by default) needs to be opened on the
firewall. This is an outbound port only, and the media server is talking to the
remote agent on this port.

Second, all ports specified in the Enable media server TCP dynamic port range
option need to be opened in the incoming range on the firewall.

Third, all ports specified in the Enable remote agent TCP dynamic port range
option need to be opened in the outgoing range on the firewall.
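
The sizing and non-overlap advice and the three firewall openings above can be checked together before any ports are opened. The following is an added example, not part of the TechNote or of Backup Exec: it validates a pair of dynamic port ranges against the two-ports-per-resource rule and lists the openings with the directions the TechNote gives. The names `PortRange`, `check_plan` and `firewall_openings` and the 20000-20009 ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass

NDMP_PORT = 10000  # default NDMP port given in the TechNote


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def __post_init__(self):
        if not 1 <= self.low <= self.high <= 65535:
            raise ValueError(f"invalid TCP port range {self.low}-{self.high}")

    @property
    def size(self):
        return self.high - self.low + 1

    def overlaps(self, other):
        return self.low <= other.high and other.low <= self.high


def check_plan(media, agent, resources):
    """Problems with a plan; an empty list means it follows the TechNote."""
    problems = []
    if media.overlaps(agent):
        problems.append("media server and remote agent ranges overlap")
    # Sizing rule from the TechNote: two ports per resource, one per side.
    for name, rng in (("media server", media), ("remote agent", agent)):
        if rng.size < resources:
            problems.append(f"{name} range has {rng.size} ports, need {resources}")
    return problems


def firewall_openings(media, agent, ndmp=NDMP_PORT):
    """The three openings the TechNote lists, with the direction it gives."""
    return [
        ("outbound", str(ndmp), "NDMP, media server to remote agent"),
        ("incoming", f"{media.low}-{media.high}", "media server dynamic range"),
        ("outgoing", f"{agent.low}-{agent.high}", "remote agent dynamic range"),
    ]


# Constructed plan for the TechNote's five-resource example
# (C:, D:, Exchange 2000 Information Store, SQL Server, System State).
MEDIA, AGENT = PortRange(20000, 20004), PortRange(20005, 20009)

if __name__ == "__main__":
    print(check_plan(MEDIA, AGENT, resources=5) or "plan follows the TechNote")
    for direction, ports, purpose in firewall_openings(MEDIA, AGENT):
        print(f"{direction:8} tcp/{ports:11} {purpose}")
```

A narrow plan like this one opens eleven TCP ports on the firewall, where the default range of 1025-65535 would open every unprivileged port.
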
Note: If there are problems attaching to a server behind
a firewall, it is recommended that the logs on the firewall be examined for any
"access denied" messages for communicating over these ports.