V-370-59792-00041 - How to configure ports in firewall for Backup Exec

Article: 100017208
Last Published: 2023-11-30
Ratings: 2 9
Product(s): Backup Exec

Problem

This article provides information about the ports that Backup Exec processes or features use. This information would help to ensure Backup Exec works seamlessly in an environment where a firewall exists.

 

Error Message

UMI: V-370-59792-00041, V-79-57344-3842, V-79-57344-3877

Error in Job Log

0XE0000F02 - The media server could not connect to the remote computer.

0xE0000F25 - A communication failure occurred when attempting to connect to this server. Some common causes for this error are: the computer name is typed incorrectly, the computer is not powered on, a Backup Exec agent is not installed, or the network is improperly configured.

 

Solution

Issues seen when ports are not configured properly in firewall
Backing-up systems through a firewall
Ports that need to be opened on the Firewall
Connection types in Backup Exec and what ports they use
Network and Security Settings in Backup Exec
Port requirement for Client side Deduplication
Ports required to protect M365 workloads
Firewall Settings for the Remote Administration console

Note: Veritas QuickAssist can be run on Backup Exec and remote server (whose backup is failing) and the logs can be reviewed to understand if the failure is caused due to relevant ports not being opened on the firewall.

 

Issues seen when ports are not configured properly in firewall:

The following issues can be seen in environments where Backup Exec is configured in a Firewall Environment if the ports are not configured correctly:

1. Selection list may not populate.

2. Backup or restore failures may be seen with the error message mentioned above.

 

Backing-up systems through a firewall:

Firewalls affect system communication between a media server and remote systems. Special port requirements must be considered when configuring Backup Exec for use with firewalls. If Symantec Endpoint Protection or another anti-virus software is being used as a firewall, free any 25 dynamic ports. More ports may need to be freed up depending on the number of parallel backup or restore jobs running in the environment.

 

Ports that need to be opened on the Firewall:

Service

Process

Port

Protocol 

Backup Exec Agent Browser

benetns.exe

6101

TCP

Device and Media Service

pvlsvr.exe

None

None

Backup Exec Server

beserver.exe

3527, 6106

TCP

Backup Exec Job Engine

bengine.exe

5633
by default
Can be Customized

Used for Oracle Agent

TCP

Remote Agents:
Agent for Windows
Agent for Linux and Unix

beremote.exe
or beremote

10000

Dynamic range between 1024 to 65535
by default

Can be customized

TCP

Backup Exec Management Service 

BackupExecManagementService.exe 

50104

TCP

Deduplication Engine

Spoold.exe

10082

TCP

Deduplication Manager

Spad.exe

10102

TCP

 

Connection types between Backup Exec Job Engine and Remote agent:

PORT NUMBER

TYPE OF CONNECTION

10000

CONTROL

1025-65535 (Default Dynamic Ports (*1))

DATA

(*1): A DYNAMIC PORT is a port which is not permanently assigned to any specific protocol. They are intended for temporary use.

A minimum of two ports is required per backup job through a firewall. If backups are run at the same time through the firewall, then more ports will need to be opened.

Note: It is recommended to keep a range of ports open instead of just one because other applications can engage dynamic ports. Therefore, keep at least 25 ports open for the remote system, so there is a pool of ports available for all applications needing them.

Example:

  • A control connection is always established on TCP Port 10000 from the media server to the remote server.
  • Advertising is done on port 6101 from the remote server to the media server.
  • Data connections for the backup are done to the remote server on ports within the Dynamic Port Range.

 

Network and Security Settings in Backup Exec:

When performing remote backups through a firewall, select a specific range from under Configuration and Settings -> Backup Exec Settings -> Network and security settings in the Backup Exec console. The same port range should then be opened on the Firewall as well.

The Dynamic or Private Ports are the ones from 1025 through 65535.

 

Port requirement for Client side Deduplication to work:

Open the following ports for connecting from the remote server (client) to the media server.

Purpose

Port

Protocol

The Deduplication Engine ( spoold )

10082

TCP

The Deduplication Manager ( spad )

10102

TCP

 

Ports required to protect M365 workloads:

Open the following ports for connecting from the media server to the M365 endpoints. 

Purpose                                       

Port

Protocol

Exchange Online
SharePoint Online
MS Teams
OneDrive for Business

80, 443

TCP


Refer to the link below to harden the firewall rules and restrict access to M365 endpoints.
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

 

Firewall Settings for the Remote Administration console

To detect and manage the Backup Exec services for a remote media server from the Remote Administration console, enable the following firewall inbound rules on the remote media server:

  • Remote Service Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-In)

 

References

UMI : V-370-59792-00041

Was this content helpful?