Veritas Access Appliance Initial Configuration Guide
Network and firewall requirements
Ensure that your network firewall can accommodate the necessary services on the Veritas Access Appliance.
In addition to the ports that are used by the Veritas Access software, the appliance also provides for both in-band and out-of-band management. The out-of-band management is through a separate network connection, the Remote Management Module (RMM), and the Intelligent Platform Management Interface (IPMI). Open these ports through the firewall as appropriate to allow access to the management services from a remote laptop or KVM (keyboard, video monitor, mouse).
Table: Inbound ports lists the ports open for inbound communication to the appliance.
Table: Inbound ports
| Port | Service | Description | 
|---|---|---|
| 22 | ssh | In-band management CLI | 
| 443 | HTTPS | In-band management GUI | 
| 5900 | KVM | CLI access, ISO & CDROM redirection | 
| 623 | KVM | (optional, used if open) | 
| 2049 | HTTPS | NFS++ | 
| 445 | CIFS (for the Log/Install shares) | |
| 10082 | spoold | Veritas Data Deduplication engine | 
| 10102 | spad | Veritas Data Deduplication manager | 
* Veritas Remote Management - Remote Console
++ Once the NFS service is shut down, the vulnerability scanners do not pick up these ports as threats.
Table: Outbound ports lists the ports outbound from the appliance to allow alerts and notifications to the indicated servers.
Table: Outbound ports
| Port | Service | Description | 
|---|---|---|
| 443 | HTTPS | Call Home notifications to Veritas; Download SDCS certificate | 
| 162** | SNMP | Traps sent by SNMP agents | 
| 22 | SFTP | Log uploads to Veritas | 
| 25 | SMTP | Email alerts | 
| 389 | LDAP | |
| 636 | LDAPS | |
| 514 | rsyslog | Log forwarding | 
| 10082 | spoold | Veritas Data Deduplication engine | 
| 10102 | spad | Veritas Data Deduplication manager | 
** This port number can be changed within the appliance configuration to match the remote server.
Table: Out of band management ports lists the out of band management ports on the appliance.
Table: Out of band management ports
| Port | Service | Description | 
|---|---|---|
| 80 | HTTP | Out-of-band management (ISM+ or RM*) | 
| 443 | HTTP | Out-of-band management (ISM+ or RM*) | 
| 5900 | KVM | CLI access, ISO & CDROM redirection | 
| 623 | KVM | (optional, used if open) | 
| 7578 | RMM | CLI access | 
| 5120 | RMM | ISO & CD-ROM redirection | 
| 5123 | RMM | Floppy redirection | 
| 7582 | RMM | KVM | 
| 5124 | HTTPS | CDROM | 
| 5127 | USB or floppy | |
| 2049 | HTTPS | NFS ++ | 
| 445 | CIFS (for the Log/Install shares) | |
+ NetBackup Integrated storage manager
* Veritas Remote Management - Remote Console
++ Once the NFS service is shut down, the vulnerability scanners do not pick up these ports as threats.
Note:
Ports 7578, 5120, and 5123 are for the unencrypted mode. Ports 7582, 5124, and 5127 are for the encrypted mode.
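As an added example (not from the Veritas guide), the following Python script checks a scan of the out-of-band management addresses against the table and note above: it reports whether the RMM is reachable in unencrypted mode and lists open ports that the table does not document. The nmap grepable (`-oG`) input format, the sample hosts, and the function name `audit_oob` are assumptions of this example.

```python
import re

# RMM ports by mode, taken from the note above.
RMM_UNENCRYPTED = {7578, 5120, 5123}
RMM_ENCRYPTED = {7582, 5124, 5127}
# Every port listed in "Table: Out of band management ports".
OOB_DOCUMENTED = {80, 443, 5900, 623, 2049, 445} | RMM_UNENCRYPTED | RMM_ENCRYPTED

# Constructed sample in nmap grepable (-oG) format; the addresses are
# documentation-range placeholders, not real appliances.
SAMPLE_SCAN = (
    "# constructed sample scan output\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "5120/open/tcp/////, 7578/open/tcp/////, 8080/open/tcp//http-proxy///\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 5124/open/tcp/////, "
    "7582/open/tcp/////, 5123/closed/tcp/////\tIgnored State: filtered (996)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")
PORT_RE = re.compile(r"\b(\d+)/open/tcp/")  # only ports in state "open"


def audit_oob(scan_text):
    """Return {host: findings} for every host line that has a Ports: field."""
    report = {}
    for line in scan_text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports_field = match.groups()
        open_ports = {int(p) for p in PORT_RE.findall(ports_field)}
        unencrypted = sorted(open_ports & RMM_UNENCRYPTED)
        encrypted = sorted(open_ports & RMM_ENCRYPTED)
        if unencrypted:
            mode = "unencrypted"      # redirection/CLI traffic can cross in the clear
        elif encrypted:
            mode = "encrypted"
        else:
            mode = "not exposed"
        report[host] = {
            "rmm_mode": mode,
            "unencrypted_rmm": unencrypted,
            "undocumented": sorted(open_ports - OOB_DOCUMENTED),
        }
    return report


if __name__ == "__main__":
    for host, findings in audit_oob(SAMPLE_SCAN).items():
        print(host, findings)
```

A host reported as `unencrypted` is a candidate for switching the RMM to encrypted mode and closing 7578, 5120, and 5123 at the firewall; any `undocumented` port should be explained before it is allowed through.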
Table: Default Veritas Access ports displays the default ports that Access uses to transfer information.
Table: Default Veritas Access ports
| Port | Protocol or Service | Purpose | Impact if blocked | 
|---|---|---|---|
| 21 | FTP | Port where the FTP server listens for connections. Note: Users can configure another port if desired. | FTP features are blocked. | 
| 22 | SSH | Secure access to the Access server | Access is not accessible. | 
| 25 | SMTP | Sending SMTP messages. | The SMTP messages that are sent from Access are blocked. | 
| 53 | DNS queries | Communication with the DNS server | Domain name mapping fails. | 
| 111 | rpcbind | RPC portmapper services | RPC services fail. | 
| 123 | NTP | Communication with the NTP server | Server clocks are not synchronized across the cluster. NTP-reliant features (such as DAR) are not available. | 
| 139 | CIFS | CIFS client to server communication | CIFS clients cannot access the Access cluster. | 
| 161 | SNMP | Sending SNMP alerts | SNMP alerts cannot be broadcast. | 
| 445 | CIFS | CIFS client to server communication | CIFS clients cannot access the Access cluster. | 
| 514 | syslog | Logging program messages | Syslog messages are not recorded. | 
| 756, 757, 755 | statd | NFS statd port | NFS v3 protocol cannot function correctly. | 
| 2049 | NFS | NFS client to server communication | NFS clients cannot access the Access cluster. | 
| 3172, 3173 | ServerView | ServerView port | ServerView cannot work. | 
| 3260 | iSCSI | SCSI target and initiator communication | Initiator cannot communicate with the target. | 
| 4001 | mountd | NFS mount protocol | NFS clients cannot mount file systems in the Access cluster. | 
| 4045 | lockd | Processes the lock requests | File locking services are not available. | 
| 5634 | HTTPS | Management Server connectivity | Web GUI may not be accessible. | 
| 56987 | Replication | File synchronization, Access replication | Access replication daemon is blocked. Replication cannot work. | 
| 8088 | REST server | REST client to server communication | REST client cannot access REST API of Access. | 
| 8143 | S3 | Data port for Veritas Access S3 server | User will not be able to use the Veritas Access object server. | 
| 8144 | ObjectAccess service | Administration port for Veritas Access S3 server. | User cannot create access or secret keys for using Objectaccess service. | 
| 11211 | Memcached port | CLISH framework | CLISH cannot function correctly, and cluster configuration may get corrupted. | 
| 30000:40000 | FTP | FTP passive port | FTP passive mode fails. | 
| 14161 | HTTPS | Access Veritas Access GUI | User is unable to access the Veritas Access GUI. | 
| 51001 | UDP | LLT over RDMA | LLT is not working. | 
| 51002 | UDP | LLT over RDMA | LLT is not working. | 
NetBackup uses TCP/IP connections to communicate between one or more TCP/IP ports. Depending on the type of operation and configuration on the environment, different ports are required to enable the connections. NetBackup has different requirements for operations such as backup, restore, and administration.
Table: Default NetBackup TCP and UDP ports shows some of the most-common TCP and UDP ports that NetBackup uses to transfer information. For more information, see the Veritas NetBackup Security and Encryption Guide.
Table: Default NetBackup TCP and UDP ports
| Port Range | Protocol | 
|---|---|
| 1556 | TCP, UDP | 
| 13701-13702, 13705-13706 | TCP | 
| 13711, 13713, 13715-13717, 13719 | TCP | 
| 13720-13722 | TCP, UDP | 
| 13723 | TCP | 
| 13724 | TCP, UDP | 
| 13782-13783 | TCP, UDP | 
| 13785 | TCP | 
For the CIFS service to work properly in an Active Directory (AD) domain environment, the following protocols and firewall ports need to be allowed or opened so that the CIFS server can communicate with Active Directory Domain Controllers and Windows/CIFS clients.
The Internet Control Message Protocol (ICMP) must be allowed through the firewall from the CIFS server to the domain controllers. Enabling "Allow incoming echo request" is required for running the CIFS service.
Table: Additional CIFS ports and protocols lists additional CIFS ports and protocols.
Table: Additional CIFS ports and protocols
| Port | Protocol | Purpose | 
|---|---|---|
| 53 | TCP, UDP | DNS | 
| 88 | TCP, UDP | Kerberos | 
| 139 | TCP | DFSN, NetBIOS Session Service, NetLog | 
| 445 | TCP, UDP | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc | 
| 464 | TCP, UDP | Kerberos change or set a password | 
| 3268 | TCP | LDAP GC | 
| 4379 | TCP | CTDB in CIFS | 
Table: LDAP with SSL ports lists the ports that are required for LDAP with SSL.
Table: LDAP with SSL ports
| Port | Protocol | Purpose | 
|---|---|---|
| 636 | TCP | LDAP SSL | 
| 3269 | TCP | LDAP GC SSL | 