Monday, 16 April 2007

Recommended port range for a firewalled / TCP-filtered environment:

When performing remote backups through a firewall, select a specific port range under Tools > Options > Network & Firewall in the Backup Exec console and open exactly that range on the firewall or TCP filter between the media server and the remote agent.

Note: the port registry is maintained by IANA (Internet Assigned Numbers Authority). Ports that an administrator picks by habit are usually not free: most of them fall in the Well Known or Registered ranges and belong to some other service, which may already be listening on the remote server or may already be covered by a firewall rule. Registration itself is purely administrative. Neither Windows nor the firewall consults the IANA list, so a port is never refused just because it is registered; the connection fails because the port is not open on the filter or because something else owns it on the remote host. The list is still the right place to look for numbers that nothing else is likely to use.

According to IANA :

http://www.iana.org/assignments/port-numbers

PORT NUMBERS (last updated 2006-11-17)
The port numbers are divided into three ranges:
1.The Well Known Ports.
2.The Registered Ports.
3.The Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535. (Unassigned numbers exist in all three ranges; look for the gaps in the list.)

The range 1024 through 49151 is registered space, so a range picked there by habit may overlap a port that another service already holds on the remote server (then the agent cannot use it) or a port the network administrator has not opened (then the media server cannot reach it). Specifying such a range in Backup Exec (Tools > Options > Network & Firewall) and a similar range on the remote server's firewall or TCP filtering then still ends in a job that will not back up or "refuses to communicate", as in the SGMON trace below.

Backup Exec error Traced in SGMON:
bengine: [3044] 09/12/05 11:53:47 TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 170.140.236.128:3189,system error message: "No connection could be made because the target machine actively refused it".
This is the media server (bengine) opening the reverse data connection back to the remote agent on port 3189 and receiving a TCP reset. "Actively refused" is WSAECONNREFUSED: the SYN reached a host that answered with a reset rather than being dropped silently, so either nothing was listening on 3189 or a filter rejected it. Port 10000, used for the control connection, is usually the only port the network administrator has opened; the data port chosen from the dynamic range was not.
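The SGMON line above hides two failure modes that look identical in the job log: a SYN answered with a reset ("actively refused") and a SYN a firewall drops silently (a timeout). The following Python script is added here as an example; it is not part of the original post or of Backup Exec. It probes every port of the intended dynamic range from the media server and reports which outcome each port produced, and it can be started in listener mode on the remote server so that there is something to reach while no job is running. The host placeholder, the port numbers and the "probe"/"listen" command words are assumptions for the example.

```python
import errno
import socket
import sys
from typing import Dict, List


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connection to host:port and report what happened.

    'open'        a listener accepted the connection
    'refused'     the host answered with a TCP reset (ECONNREFUSED, Windows
                  WSAECONNREFUSED 10061, the "actively refused" text in SGMON):
                  the SYN reached the host, but nothing listens there or a
                  filter rejects the port with a reset
    'filtered'    no answer before the timeout: a firewall drops the SYN
    'unreachable' no route to the host / host down
    'error:N'     anything else, with the errno
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{e.errno}"
    finally:
        s.close()


def probe_range(host: str, first: int, last: int, timeout: float = 2.0) -> Dict[int, str]:
    """Classify every port in [first, last], i.e. the dynamic range given to Backup Exec."""
    return {p: classify_port(host, p, timeout) for p in range(first, last + 1)}


def summarize(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by outcome so a whole range reads at a glance."""
    groups: Dict[str, List[int]] = {}
    for port in sorted(results):
        groups.setdefault(results[port], []).append(port)
    return groups


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Open a listening TCP socket as a stand-in for the remote agent's data port.

    Run on the remote server with the chosen port and probe from the media
    server: 'open' proves the filter passes the port, 'refused' proves the SYN
    reached the host but nothing listened, 'filtered' means it was dropped.
    port=0 asks the OS for any free port (used by the self-test below).
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((host, port))
    lst.listen(5)
    return lst


if __name__ == "__main__":
    # On the media server:  python beports.py probe AGENT_HOST 5204 5221
    # On the remote server: python beports.py listen 5204
    if len(sys.argv) == 5 and sys.argv[1] == "probe":
        report = summarize(probe_range(sys.argv[2], int(sys.argv[3]), int(sys.argv[4])))
        for state, ports in report.items():
            print(f"{state:11s} {', '.join(map(str, ports))}")
    elif len(sys.argv) == 3 and sys.argv[1] == "listen":
        lst = start_listener("0.0.0.0", int(sys.argv[2]))
        print(f"listening on {lst.getsockname()}; probe this port from the media server")
        while True:
            conn, peer = lst.accept()
            print(f"connection from {peer[0]}:{peer[1]}")
            conn.close()
    else:
        print("usage: probe HOST FIRST LAST | listen PORT")
```

Read the output per port: "open" on every port means the path is clear; "refused" means the packet reached the remote host, so the filter is not the problem, but nothing was listening at that moment (start the listener there or probe while a job is running); "filtered" means a device on the path is dropping the port and the range still has to be opened. On the remote server, `netstat -ano` shows whether another application already holds any port of the range.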

Solution:
To overcome this, specify a contiguous run of ports that the IANA list shows as unassigned and that nothing on the remote server uses, and open exactly that run on the filter. At the time of writing the list shows 5204-5221 as unassigned (it lies in the Registered range, but no service is registered on those numbers), which gives 18 ports. It is up to the system administrator to open all 18 or only 10 of them. Other unassigned runs can be found in the IANA list at the address above.

Specify the range as shown below:
Enable Remote Agent TCP dynamic port range:
5204-5221
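Picking the range by hand means reading the IANA text file for a gap long enough for the number of concurrent jobs. The following Python script is added here as an example and is not from the original post or from Backup Exec: it parses a file in the layout of the IANA port-numbers text file, collects the TCP assignments (Reserved entries count as taken, explicit "Unassigned" entries do not), and returns the first gap of the required length inside a search window. The embedded sample is constructed for the example and does not reproduce the real registry; point `assigned_ports` at a downloaded copy of the file from the URL above to get real answers.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample in the layout of the IANA port-numbers text file.
# The entries are made up for this example; they are NOT the real registry.
SAMPLE_PORT_LIST = """\
PORT NUMBERS

(last updated 2006-11-17)

Keyword         Decimal    Description                     References
-------         -------    -----------                     ----------
                  0/tcp    Reserved
svc-getdata    5200/tcp    Example GetData service
svc-getdata    5200/udp    Example GetData service
svc-getdata1   5201/tcp    Example GetData service 1
svc-getdata2   5202/tcp    Example GetData service 2
svc-getdata3   5203/tcp    Example GetData service 3
#              5204-5221   Unassigned
svc-chat       5222/tcp    Example chat client port
svc-chat       5222/udp    Example chat client port
svc-vmgrp      5225/tcp    Example VM group management
"""

# keyword (optional), a port or port range, /tcp or /udp, then the description
ENTRY_RE = re.compile(r"^\S*\s+(\d+)(?:-(\d+))?/(tcp|udp)\s+(.*)$")


def assigned_ports(text: str, proto: str = "tcp") -> Set[int]:
    """Return every port number the list assigns (or reserves) for `proto`."""
    assigned: Set[int] = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(3) != proto:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or m.group(1))
        desc = m.group(4).strip()
        if desc.lower().startswith("unassigned"):
            continue  # explicit gap marker, not an assignment
        assigned.update(range(lo, hi + 1))  # "Reserved" counts as taken
    return assigned


def free_runs(assigned: Set[int], first: int, last: int, min_len: int = 1) -> List[Tuple[int, int]]:
    """Contiguous unassigned runs inside [first, last] that are at least min_len long."""
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for p in range(first, last + 2):  # one past the end flushes the final run
        if p <= last and p not in assigned:
            if start is None:
                start = p
        elif start is not None:
            if p - start >= min_len:
                runs.append((start, p - 1))
            start = None
    return runs


def choose_range(text: str, first: int, last: int, needed: int, proto: str = "tcp") -> Optional[Tuple[int, int]]:
    """First unassigned run of `needed` ports in the window, trimmed to exactly `needed`.

    `needed` is the number of data ports to open: at least one per concurrent
    job, plus headroom for ports temporarily taken by other applications.
    """
    runs = free_runs(assigned_ports(text, proto), first, last, min_len=needed)
    if not runs:
        return None
    start = runs[0][0]
    return (start, start + needed - 1)


if __name__ == "__main__":
    taken = assigned_ports(SAMPLE_PORT_LIST)
    print("unassigned runs 5200-5230:", free_runs(taken, 5200, 5230, min_len=2))
    print("range for 10 data ports:", choose_range(SAMPLE_PORT_LIST, 5200, 5230, 10))
    print("range for 18 data ports:", choose_range(SAMPLE_PORT_LIST, 5200, 5230, 18))
```

An unassigned run in the registry only says that no service is registered there; it still has to be checked on the remote server itself (`netstat -ano`) before the range is entered in Backup Exec and opened on the filter.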


Unless you specify a range, Backup Exec uses the full range of dynamic ports, which usually does not work through a firewall or TCP filter.

Note: keep a range of ports open rather than a single one. Each concurrent job needs its own data port, and a port from the dynamic range can be taken by another application at any time, which would break that job's data connection. Keep at least 10-25 ports open on the remote system.

For example:
Number of simultaneous backups = 5
Number of data ports required = 5 (one per concurrent job)

That is only an example; make sure at least 10-25 ports are open on the remote system's firewall or TCP filter so there is headroom for ports that are temporarily in use.

The control connection is always made to port 10000. Once the session is established, port 10000 is free to accept the next control connection from the media server, but every further job needs its own port from the dynamic range for its data connection, because the data port of the first job stays busy until that job finishes.
