
Document revision 2 15May12 TECH178855

NetBackup Firewall Ports

Contents

NetBackup Firewall Ports
1. NetBackup 52xx appliance
2. NetBackup 7
   Default ports
   Master server ports
   Media server ports
   EMM server ports
   Client ports
   Novell NetWare ports
   Administration Console ports
   Java Server ports
   Java Console ports
3. NetBackup 6.x and 7.x
   General Considerations
4. NetBackup Enterprise Server 7.0.1 and 7.1
5. Deployment Solution 6.x
6. NetBackup 5200/5220 appliance (for firewall between master and media server)
7. NetBackup PureDisk Release 6.6.3
   Communication ports between client agents and a storage pool
   Ports between the storage pool authority node and other services


1. NetBackup 52xx appliance

http://www.symantec.com/docs/TECH178497

Which ports need to be opened on a firewall to allow access to the appliance's management console and to use the KVM module to access the system console?

The Remote Console window is a Java applet that establishes TCP connections to the Intel® RMM3 module. The protocol used for these connections is a unique KVM protocol, not HTTP or HTTPS.

| Service | Port | Description |
|---|---|---|
| TCP/IP | 80 | Standard |
| TCP/IP | 443 | Standard |
| KVM redirection | 7578 | Remote management/IPMI |
| Virtual CD-ROM redirection | 5120 | Remote management/IPMI |
| Virtual Floppy redirection | 5123 | Remote management/IPMI |

2. NetBackup 7

http://www.symantec.com/connect/articles/symantec-netbackup-7-and-firewalls

Primarily, all communication uses TCP as the protocol; the exception is Granular Restore Technology (GRT) restores, where UDP is used for the NFS traffic. That case is not covered in this article. We start with the default ports, as most environments do not change them, and then go through each tier.

Default ports

| Service | Port | Description |
|---|---|---|
| VNETD | 13724 | NetBackup Network daemon |
| VERITAS_PBX | 1556 | VxPBX Symantec Private Branch Exchange Service |
| VRTS-AT-PORT | 2821 | VxAT Symantec authentication service |
| VRTS-AUTH-PORT | 4032 | VxAZ Symantec Authorization Service |
| BPCD | 13782 | NetBackup Connection Daemon |
| PDDE_CTRL | 10102 | PureDisk Controller |
| PDDE_CR | 10082 | PureDisk Content Router |
| BPRD | 13720 | NetBackup Request Daemon |

These eight ports are the primary ports used in almost all NetBackup environments using at least version 6.0. Support for 5.x clients and servers is very limited in NetBackup 7, as the main application communication protocols have changed as of version 6.0.

Master server ports

The master server needs to be able to communicate with all tiers, such as the media servers, EMM server, VxSS server and clients, as well as servers where the Java or Administration console is running. The following ports are required at a minimum:

| Source | Destination | Service | Port |
|---|---|---|---|
| Master | Media | VNETD | 13724 |
| Master | Media | VERITAS_PBX | 1556 |
| Master | EMM | VERITAS_PBX | 1556 |
| Master | Client | VNETD | 13724 |
| Master | Admin Console | VERITAS_PBX | 1556 |
| Master | Java Server | VERITAS_PBX | 1556 |
| Master | Netware | VNETD | 13724 |
| Master | Netware | BPCD | 13782 |
| Master | VxSS server | VRTS-AT-PORT | 2821 |
| Master | VxSS server | VRTS-AUTH-PORT | 4032 |

Media server ports

The media servers must be able to communicate with the master server, the EMM server and, obviously, the clients. In secure environments the VxSS server is also required. In backup and restore operations it is primarily the media server that communicates with the clients.

| Source | Destination | Service | Port |
|---|---|---|---|
| Media | Master | VNETD | 13724 |
| Media | Media | VNETD | 13724 |
| Media | Master | VERITAS_PBX | 1556 |
| Media | EMM | VERITAS_PBX | 1556 |
| Media | Client | VNETD | 13724 |
| Media | Netware | VNETD | 13724 |
| Media | Netware | BPCD | 13782 |
| Media | VxSS server | VRTS-AT-PORT | 2821 |
| Media | VxSS server | VRTS-AUTH-PORT | 4032 |
| Media | Media | PDDE_CTRL | 10102 |
| Media | Media | PDDE_CR | 10082 |
| Media | Client | PDDE_CTRL | 10102 |
| Media | Client | PDDE_CR | 10082 |

EMM server ports

The Enterprise Media Manager server (EMM) is the central database for media information as well as many new features in 6.x and 7.0. The EMM server is in almost all cases installed on the master server, but for huge environments or in shared media environments, the EMM server may be a separate server.

| Source | Destination | Service | Port |
|---|---|---|---|
| EMM | Master | VERITAS_PBX | 1556 |
| EMM | Media | VERITAS_PBX | 1556 |
| EMM | Admin Console | VERITAS_PBX | 1556 |
| EMM | Java Server | VERITAS_PBX | 1556 |

Client ports

The client requires access to the master server for scanning of backups as well as initiating user or archive operations. The client must also be able to connect to the media servers when connect-back backup types such as Oracle and SQL backups are used. When using client-side de-duplication, the client must also be able to communicate with the PDDE media servers or all servers in a PureDisk Storage Pool, including the Storage Pool Authority (SPA) and Content Routers (CR). In secure environments, the clients must also be able to authenticate against the VxSS server.

| Source | Destination | Service | Port |
|---|---|---|---|
| Client | Master | VNETD | 13724 |
| Client | Media | VNETD | 13724 |
| Client | Media | PDDE_CTRL | 10102 |
| Client | Media | PDDE_CR | 10082 |
| Client | VxSS server | VRTS-AT-PORT | 2821 |

Novell NetWare ports

If any NetWare servers are being backed up, the following ports must be open:

| Source | Destination | Service | Port |
|---|---|---|---|
| Netware | Master | BPRD | 13720 |
| Netware | Master | VNETD | 13724 |
| Netware | Media | VNETD | 13724 |

Administration Console ports

If you are using the Windows Administration Console, which is a native Windows application, you first have to add the DNS name of the workstation or server to the list of "trusted" servers on the master server. The following ports must be open.

| Source | Destination | Service | Port |
|---|---|---|---|
| Admin Console | Master | VNETD | 13724 |
| Admin Console | Master | VERITAS_PBX | 1556 |
| Admin Console | Media | VNETD | 13724 |
| Admin Console | EMM | VERITAS_PBX | 1556 |
| Admin Console | VxSS server | VRTS-AT-PORT | 2821 |


Java Server ports

The Java server is the process running on the master server when you connect using the Java Administration Console. It needs to be able to communicate with all the core components.

| Source | Destination | Service | Port |
|---|---|---|---|
| Java Server | Master | VNETD | 13724 |
| Java Server | Master | VERITAS_PBX | 1556 |
| Java Server | Media | VNETD | 13724 |
| Java Server | EMM | VERITAS_PBX | 1556 |
| Java Server | VxSS server | VRTS-AT-PORT | 2821 |

Java Console ports

Many use the Java Console instead of the Windows native Administration Console, and as it uses the Java Server for further communication, it only requires the ports below:

| Source | Destination | Service | Port |
|---|---|---|---|
| Java Console | Master | VNETD | 13724 |
| Java Console | Master | VERITAS_PBX | 1556 |
| Java Console | Java Server | VNETD | 13724 |

3. NetBackup 6.x and 7.x

Tech136090

Solution

The TCP port requirements for the default configuration, without overriding connect options in the Client Attributes (bpclient) or Firewall (CONNECT_OPTIONS) settings, or separate master and EMM servers, or legacy security considerations, are as follows:

• Master server to media server requires the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• Master server to client requires the TCP port for vnetd 13724.
• Client to master server requires the TCP port for vnetd 13724 for client-initiated, not server-initiated, operations. Accordingly, it is generally best to open vnetd bidirectional in case client-initiated operations are needed at a future date.
• Media server to client requires the TCP port for vnetd 13724.
• Media server to media server requires the TCP port for vnetd 13724, bidirectional.
• SAN client and master/media servers require the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• Java/Windows admin consoles to master and media servers requires the TCP ports for vnetd 13724 and PBX 1556, bidirectional.
• If using VxSS and NetBackup Access Control (NBAC):
    - Master servers require the TCP ports to/for vrts-at 2821 and vrts-az 4032.
    - Media servers require the TCP ports to/for vrts-at 2821 and vrts-az 4032.
    - Clients require the TCP port to/for vrts-at 2821.
    - Java/Windows admin consoles require the TCP port to/for vrts-at 2821.
• If using the OpenStorage plug-in by DataDomain:
    - Requires access to UDP port 111 and TCP port 2049 on the target DataDomain array.
    - Optimized duplication hosts require TCP ports 10082 and 10102 to be open.

NetBackup 7.0.1 Considerations

The vnetd process is still listening on TCP port 13724. But most connections that previously used the vnetd port will now prefer to use the PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections. For efficiency, internal sockets on the loopback interface to processes on the same host use the daemon ports instead of passing through vnetd or PBX.
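
One way to check a firewall allow-list against the master, media, EMM and client tables in section 2 and against the PBX-to-vnetd fallback described in the 7.0.1 note above. This is an added example, not part of the Symantec document; the inventory, the rule list, the finding labels and the `audit` function are constructed for illustration, and it assumes one CIDR per tier with EMM co-located on the master.

```python
import ipaddress

PBX, VNETD = 1556, 13724

# (source tier, destination tier) -> required TCP ports, transcribed from the
# master, media, EMM and client tables in section 2 of this page.
REQUIRED = {
    ("master", "media"): {VNETD, PBX},
    ("master", "emm"): {PBX},
    ("master", "client"): {VNETD},
    ("media", "master"): {VNETD, PBX},
    ("media", "media"): {VNETD, 10102, 10082},
    ("media", "emm"): {PBX},
    ("media", "client"): {VNETD, 10102, 10082},
    ("emm", "master"): {PBX},
    ("emm", "media"): {PBX},
    ("client", "master"): {VNETD},
    ("client", "media"): {VNETD, 10102, 10082},
}

# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
# Assumption: one CIDR per tier; EMM runs on the master, so there is no "emm" entry.
INVENTORY = {"master": "192.0.2.10/32", "media": "192.0.2.20/31",
             "client": "198.51.100.0/24"}
RULES = [  # (source CIDR, destination CIDR, allowed TCP ports)
    ("192.0.2.10/32", "192.0.2.20/31", (13724,)),          # PBX 1556 forgotten
    ("192.0.2.20/31", "192.0.2.10/32", (13724, 1556)),
    ("192.0.2.10/32", "198.51.100.0/24", (13724, 13720)),  # 13720 not in the matrix
    ("192.0.2.20/31", "198.51.100.0/24", (13724, 10102, 10082)),
    ("198.51.100.0/24", "192.0.2.10/32", (13724,)),
    ("198.51.100.0/24", "192.0.2.20/31", (13724, 10102)),  # 10082 forgotten
    ("0.0.0.0/0", "198.51.100.0/24", (13782,)),            # any-source legacy rule
]


def audit(rules, inventory, required=REQUIRED):
    """Compare allow rules with the required matrix and return a list of findings."""
    net = ipaddress.ip_network
    inv = {tier: net(cidr) for tier, cidr in inventory.items()}
    flat = [(net(s), net(d), p) for s, d, ports in rules for p in ports]
    findings = []

    # Pass 1: required flows that no rule allows for the whole tier.
    for (src, dst), ports in required.items():
        if src == dst or src not in inv or dst not in inv:
            continue  # assumption: same-tier traffic does not cross this firewall
        opened = {p for s, d, p in flat
                  if inv[src].subnet_of(s) and inv[dst].subnet_of(d)}
        missing = ports - opened
        if PBX in missing and VNETD in (ports & opened):
            # Per the 7.0.1 note the connection falls back to vnetd instead of
            # failing, so this gap never shows up as a backup outage.
            findings.append(("pbx-fallback", src, dst, PBX))
            missing.discard(PBX)
        findings += [("missing", src, dst, p) for p in sorted(missing)]

    # Pass 2: rules that allow more than the matrix asks for.
    def tier_of(network):
        return next((t for t, n in inv.items() if network.subnet_of(n)), None)

    for s, d, p in flat:
        src, dst = tier_of(s), tier_of(d)
        if src is None or dst is None:
            findings.append(("unscoped", str(s), str(d), p))  # wider than any tier
        elif p not in required.get((src, dst), set()):
            findings.append(("excess", src, dst, p))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, INVENTORY):
        print(*finding)
```

A rule that covers only part of a tier (for example a single client address) does not satisfy a required flow here, so the flow is still reported as missing for the tier as a whole.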

General Considerations

Use of Network Address Translation (NAT) is not directly supported. Dynamic NAT and Port Address Translation (PAT) introduce data security risks and other failures due to the inability to uniquely and consistently identify a remote host by IP address. If static one-to-one NAT is used, with consistent IP to host name mapping, in an unsupported firewall environment, it is suggested that host files be used to ensure that the forward and reverse lookups are unaffected by DNS maintenance or consolidation. The NetBackup clients and servers must be able to resolve the translated (NAT-ed) outside global IP address to the correct hostname. Most DMZ DNS servers require the reverse lookup table to be manually populated, so using a host file requires little additional administration.

4. NetBackup Enterprise Server 7.0.1 and 7.1

HOWTO36321 and HOWTO43499


The following table shows the ports that are used for NetBackup deduplication. If firewalls exist between the various deduplication hosts, open the indicated ports on the deduplication hosts. Deduplication hosts are the deduplication storage server, the load balancing servers, and the clients that deduplicate their own data.

If you have only a storage server and no load balancing servers or clients that deduplicate their own data, you do not have to open firewall ports.

| Port | Usage |
|---|---|
| 10082 | The NetBackup Deduplication Engine (spoold). Open this port between the hosts that deduplicate data. |
| 10085 | The deduplication database (postgres). The connection is internal to the storage server, from spad to spoold. You do not have to open this port. |
| 10102 | The NetBackup Deduplication Manager (spad). Open this port between the hosts that deduplicate data. |

5. Deployment Solution 6.x

HOWTO46882 - Internal

About communication ports and firewall considerations for OpsCenter

Key Symantec OpsCenter components and how they communicate


The SMTP recipient ports can be configured from the Symantec OpsCenter console (using Settings > Configuration > SMTP Server). The SNMP trap recipient ports can also be configured from the Symantec OpsCenter console (using Settings > Recipients > SNMP). If these ports are changed, then the appropriate hardware ports have to be opened.

Table: Communication ports used by key Symantec OpsCenter components

| Source Host | Destination Host | Port Number | Usage (Process Name) | Port Configuration |
|---|---|---|---|---|
| Symantec OpsCenter Server | Mail Server | 25 | SMTP | Allow from source to destination. |
| Symantec OpsCenter Server | SNMP Server | 162 | SNMP trap recipient | Allow from source to destination. |
| Symantec OpsCenter Server | NetBackup Master Server(s) | 1556 | PBX (pbx_exchange) | Allow between source and destination (bi-directional). PBX port number configuration is supported. |
| Symantec OpsCenter Client | Symantec OpsCenter Server | 1556 | PBX (pbx_exchange) | Allow between source and destination. Some hardened servers and firewall configurations may block this port. PBX port number configuration is not supported. |
| Web Browser | Symantec OpsCenter Server | The following HTTP and HTTPS ports are checked for availability in the specified sequence and the first available port combination is used by default: 1. 80 (HTTP) and 443 (HTTPS); 2. 8181 (HTTP) and 8443 (HTTPS); 3. 8282 (HTTP) and 8553 (HTTPS) | HTTP and HTTPS | Allow from all hosts on network. |
| Symantec OpsCenter Server | Symantec OpsCenter Server | 13786 | Sybase database (dbsrv11) | Allow between source and destination. Some hardened servers and firewall configurations may block this port. |
| Symantec OpsCenter Server | Host where Symantec Product Authentication Service (AT) Server is installed | 2821 | NetBackup Product Authentication Service (vxatd) | Allow between source and destination in case NBAC is enabled on NetBackup master server. |


6. NetBackup 5200/5220 appliance (for firewall between master and media server)

http://www.min.veritas.com/docs/manuals/netbackup/release5200/Appliance%20Getting%20Started%20Guide_202.pdf

Make sure that the following ports are open on any firewall that exists between a master server and a media server.

| Port | Service/Description |
|---|---|
| 13724 | vnetd |
| 13720 | bprd |
| 1556 | PBX |
| 7578 | Specific for 5220 when using TCP |
| 80 | Specific for 5200 when using TCP |
| 5900 | Specific for 5200 when using TCP |

7. NetBackup PureDisk Release 6.6.3

http://zebra.min.veritas.com/docs/manuals/puredisk/6.6.3/PureDisk_GettingStarted_Guide.pdf


Communication ports between client agents and a storage pool


Ports between the storage pool authority node and other services
