Problem
This article lists the ports that Backup Exec processes and features use. This information helps ensure that Backup Exec works seamlessly in an environment where a firewall exists.
Error Message
UMI: V-370-59792-00041, V-79-57344-3842, V-79-57344-3877
Error in Job Log
0XE0000F02 - The media server could not connect to the remote computer.
0xE0000F25 - A communication failure occurred when attempting to connect to this server. Some common causes for this error are: the computer name is typed incorrectly, the computer is not powered on, a Backup Exec agent is not installed, or the network is improperly configured.
Solution
Issues seen when ports are not configured properly in firewall
Backing-up systems through a firewall
Ports that need to be opened on the Firewall
Connection types in Backup Exec and what ports they use
Network and Security Settings in Backup Exec
Port requirement for Client side Deduplication
Ports required to protect M365 workloads
Firewall Settings for the Remote Administration console
Note: Veritas QuickAssist can be run on the Backup Exec server and on the remote server whose backup is failing. Review its logs to determine whether the failure is caused by the relevant ports not being open on the firewall.
Issues seen when ports are not configured properly in firewall:
The following issues can be seen when Backup Exec runs in an environment with a firewall and the ports are not configured correctly:
1. Selection list may not populate.
2. Backup or restore failures may be seen with the error message mentioned above.
Backing-up systems through a firewall:
Firewalls affect system communication between a media server and remote systems. Special port requirements must be considered when configuring Backup Exec for use with firewalls. If Symantec Endpoint Protection or another anti-virus software is being used as a firewall, free any 25 dynamic ports. More ports may need to be freed up depending on the number of parallel backup or restore jobs running in the environment.
Ports that need to be opened on the Firewall:
| Service | Process | Port | Protocol |
|---|---|---|---|
| Backup Exec Agent Browser | benetns.exe | 6101 | TCP |
| Device and Media Service | pvlsvr.exe | None | None |
| Backup Exec Server | beserver.exe | 3527, 6106 | TCP |
| Backup Exec Job Engine | bengine.exe | 5633 (used for Oracle Agent) | TCP |
| Remote Agents | beremote.exe | 10000; dynamic range between 1024 and 65535; can be customized | TCP |
| Backup Exec Management Service | BackupExecManagementService.exe | 50104 | TCP |
| Deduplication Engine | Spoold.exe | 10082 | TCP |
| Deduplication Manager | Spad.exe | 10102 | TCP |
Connection types between Backup Exec Job Engine and Remote agent:
| PORT NUMBER | TYPE OF CONNECTION |
|---|---|
| 10000 | CONTROL |
| 1025-65535 (Default Dynamic Ports (*1)) | DATA |
(*1): A DYNAMIC PORT is a port that is not permanently assigned to any specific protocol. Dynamic ports are intended for temporary use.
A minimum of two ports is required per backup job through a firewall. If backups are run at the same time through the firewall, then more ports will need to be opened.
Note: It is recommended to keep a range of ports open instead of just one because other applications can engage dynamic ports. Therefore, keep at least 25 ports open for the remote system, so there is a pool of ports available for all applications needing them.
Example:
- A control connection is always established on TCP Port 10000 from the media server to the remote server.
- Advertising is done on port 6101 from the remote server to the media server.
- Data connections for the backup are done to the remote server on ports within the Dynamic Port Range.
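The connection directions above can be checked from each side before a job runs. The script below is an added example, not part of the original article or Veritas tooling; the peer host name is a placeholder, and the deduplication ports only matter when client-side deduplication is in use.

```powershell
# Added example, not Veritas code. The peer host name is a placeholder.
param(
    [ValidateSet('MediaServer', 'RemoteAgent')]
    [string]$RunningOn = 'MediaServer',
    [string]$Peer = 'agent01.example.test'   # the other end of the connection
)

# Connections as this article describes them, keyed by the host that starts them.
$checks = @(switch ($RunningOn) {
    'MediaServer' {
        @{ Port = 10000; Purpose = 'Control connection to remote agent' }
    }
    'RemoteAgent' {
        @{ Port = 6101;  Purpose = 'Agent advertising to media server' }
        @{ Port = 10082; Purpose = 'Deduplication Engine (client-side dedup)' }
        @{ Port = 10102; Purpose = 'Deduplication Manager (client-side dedup)' }
    }
})

# The dynamic data range is not probed: a TCP connect test only succeeds
# while something is listening on the port.
$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $Peer -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Peer      = $Peer
        Port      = $c.Port
        Purpose   = $c.Purpose
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count) {
    Write-Warning "$($blocked.Count) port(s) blocked or not listening on $Peer"
}
```

A port reported as not reachable means either a firewall in the path drops the connection or the Backup Exec service behind that port is not running, so check the service state before changing firewall rules.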
Network and Security Settings in Backup Exec:
When performing remote backups through a firewall, select a specific port range under Configuration and Settings -> Backup Exec Settings -> Network and security settings in the Backup Exec console. Open the same port range on the firewall.
The Dynamic or Private Ports are the ones from 1025 through 65535.
Port requirement for Client side Deduplication to work:
Open the following ports for connecting from the remote server (client) to the media server.
| Purpose | Port | Protocol |
|---|---|---|
| The Deduplication Engine (spoold) | 10082 | TCP |
| The Deduplication Manager (spad) | 10102 | TCP |
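The restricted data port range from the Network and Security Settings section and the client-side deduplication ports above can be opened on Windows Firewall with the source address limited to the Backup Exec peers instead of any host. This is an added example, not part of the original article or Veritas tooling; the addresses, the rule and group names, and the 25-port range 50000-50024 are placeholders, and the range must match the one configured in the Backup Exec console.

```powershell
# Added example, not Veritas code. Addresses, rule names and the 25-port
# data range are assumptions; the range must match the one set in
# Backup Exec under Network and security settings.
param(
    [ValidateSet('RemoteAgent', 'MediaServer')]
    [string]$Role = 'RemoteAgent',
    [string[]]$MediaServer = @('192.0.2.10'),     # placeholder address
    [string[]]$AgentHosts  = @('192.0.2.0/24'),   # placeholder subnet
    [string]$DataPortRange = '50000-50024'        # placeholder range
)

$group = 'Backup Exec (example)'

# Inbound rules per role, taken from the port tables in this article.
$rules = @(switch ($Role) {
    'RemoteAgent' {
        @{ Name = 'BE control connection'; Ports = '10000';        From = $MediaServer }
        @{ Name = 'BE data connections';   Ports = $DataPortRange; From = $MediaServer }
    }
    'MediaServer' {
        @{ Name = 'BE agent advertising'; Ports = '6101';              From = $AgentHosts }
        @{ Name = 'BE client-side dedup'; Ports = @('10082', '10102'); From = $AgentHosts }
    }
})

# Re-running replaces the example rules instead of stacking duplicates.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Group $group `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Ports -RemoteAddress $r.From | Out-Null
}

# Show what was created, including the source-address scope.
Get-NetFirewallRule -Group $group | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Ports  = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        Source = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

Run it from an elevated PowerShell session on the host named by `-Role`. A 25-port range supports roughly twelve concurrent jobs at the article's minimum of two ports per job, so widen it if more jobs run in parallel.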
Ports required to protect M365 workloads:
Open the following ports for connecting from the media server to the M365 endpoints.
| Purpose | Port | Protocol |
|---|---|---|
| Exchange Online | 80, 443 | TCP |
Refer to the link below to harden the firewall rules and restrict access to M365 endpoints.
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Firewall Settings for the Remote Administration console
To detect and manage the Backup Exec services for a remote media server from the Remote Administration console, enable the following firewall inbound rules on the remote media server:
- Remote Service Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-In)