NetBackup 6.x and 7.x and 8.x firewall port requirements

NetBackup 6.x and 7.x and 8.x firewall port requirements

Article: 100002391
Last Published: 2019-03-06
Ratings: 19 4
Product(s): NetBackup

Problem

Which TCP ports must be open through a firewall for NetBackup (NBU) 6.x, 7.x and 8.x hosts to communicate with each other?

This does not include port requirements for communication with services that run on previous version hosts; NetBackup 5.x services, remote EMM Server, or other legacy processes. Those details are covered in the NetBackup (tm) 6.0 Port Usage Guide for Windows and UNIX Platforms and the NetBackup 7.0.1 Security and Encryption Guide, see the Related Articles.

Cause

NA.

 

Solution

The TCP ports used by NetBackup in the default configuration are as follows; without overriding connect options in the Client Attributes (bpclient) or Firewall (CONNECT_OPTIONS) settings:
  • Master server to/from media servers requires the TCP port for PBX/1556, bi-directional.
  • Master server to client requires the TCP port for PBX/1556 if performing stream discovery, application discovery, or if the clients perform user-directed backup/archive/restore, or client-directed application backup/list/restore.
  • TLS/SSL protocol must be allowed on the TCP port for PBX/1556 inbound to the master server (new in 8.0).
     
  • Media server to media server requires the TCP port for PBX/1556, bi-directional.
  • Media server to client requires the TCP port for PBX/1556.
     
  • Client to master server requires the TCP port for PBX/1556 for client-initiated (user or application), but not server-initiated, operations.
  • Client to master server requires the TCP port for PBX/1556 for Client Direct restores (new in 7.6).
  • Client to storage/media server requires the TCP ports for spad/10102 and spoold/10082 for Client Direct backup and restore (new in 7.6).
  • Clients require the TCP port for PBX/1556 to be open either to the master server or to a media server that can act as a http proxy tunnel for web service calls (new in 8.1). 
     
  • SAN Client to/from master/media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Java/Windows admin consoles to master and media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Hosts running NetBackup 7.0.1 - 8.0 will retry connections to legacy services via the TCP port for vnetd/13724 if the connection cannot be established via the TCP port for PBX/1556.
    • If the service cannot be reached via the TCP port for PBX/1556 and the TCP port for vnetd/13724 is blocked by a firewall which silently discards the TCP SYN packet, then the operating system connect() API will wait for TCP SYN retry/timeout before failing the connection attempt.  This will introduce delays before NetBackup can detect a connection failure.
    • If the firewall returns an immediate TCP RESET, there will be minimal delay before the connction failure is detected.
       
  • Note:  The firewall behaviors described in the bullet above also apply to any other TCP port that is blocked, but attempted to be used.
    • For that reason, it is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts.
       
  • Hosts running NetBackup 5.x - 7.0 target the TCP port for vnetd/13724 when connecting to legacy services (instead of PBX/1556).
     
  • Hosts running NetBackup 4.5 target the TCP daemon ports for the legacy services (instead of vnetd/13724), unless the connect options have been changed to 'x x 0|1'.
     
  • Hosts running NetBackup 3.x - 4.0 target the TCP daemon ports for the legacy services (instead of vnetd/13724).
     
  • If using an Automatic Cartridge System (ACS):
    • The ACS configuration must be matched by the configuration in the vm.conf file on NetBackup media servers.
    • ACS_SSI_INET_PORT defines destination ports inbound to the media server from the ACS host.
    • ACS_CSI_HOSTPORT defines the destination ports outbound from the media server to the ACS hosts.
  • If using the Resilient Network/Client feature for connections to legacy services:  (new in 7.5)
    • It must be configured on both the connecting and accepting hosts; master, media server, and/or client.
    • The TCP port for vnetd/13724 must be open bi-directional between the hosts.
       
  • To backup and restore VMWare:
    • Backup host to vCenter requires TCP port 443.
    • If using query builder (VIP), master server to vCenter requires TCP port 443.
    • If using the nbd transport type, backup host to ESX host requires TCP port 902.
       
  • If using the NetBackup plugins for VMware or Hyper-V:
    • The master server must have TCP port 8443 open inbound from the hosts running the plugin (vCenter, vSphere web client, etc).
       
  • To backup and restore SharePoint:
    • Front End to/from SQL client hosts requires legacy service connectivity, bi-directional; PBX/1556.
    • Front End to/from SQL client hosts also use the "remote registry service" which requires TCP ports 135, 137, 138, 139 and 445.
    • See Microsoft article: Plan security hardening for SharePoint Server
  • If using Granular Restore Technology (GRT):
    • Clients need to connect to the media server on portmap/111 and nbfsd/7394.
       
  • If using OpsCenter:
    • Web browsers require TCP ports http/80 and https/443 to the OpsCenter Web GUI with either 8181 and 8443 or 8282 and 8553 used as alternates.
    • Custom report generators require TCP port 13786 to the OpsCenter Server.
    • Open port 1556 (pbx) between the OpsCenter server and master server.
    • OpsCenter Server also uses UDP port 162 outbound for SNMP trap protocol.
       
  • To backup and restore NDMP filers:
    • Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.
    • The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP.
    • If using shared drives and Automatic Volume Recognition, open the ICMP protocol from the media server scan host that is hosting the avrd process to the NDMP filers hosting the tape drives.
       
  • If using VxSS with NetBackup pre-7.1 Access Control (NBAC):
    • Master servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Clients require the TCP port vrts-at-port/2821 to the VxSS server.
    • Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
       
  • If using the OpenStorage plug-in by DataDomain:
    • Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port on the target DataDomain array.
    • For optimized duplication access to TCP port 2051 is also required.
       
  • If using Optimized Duplication (including Automatic Image Replication):
    • For MSDP-to-MSDP, the source storage server needs access to spad/10102 and spoold/10082 on the destination server.
    • For MSDP-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
    • For PDDO-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
       
  • For Automatic Image Replication (AIR)
    • In addition to the ports for Optimized Duplication, also open the TCP port for PBX/1556 between the master servers.
       
  • For NetBackup Copilot
    • Open 8446 from the master server to the NetBackup appliance media server hosting the co-pilot NFS shares, for web service reqeusts.
    • Open 2049 and 111 from the client to the NetBackup appliance media server, so it can mount the NFS share.
       
  • For NetBackup 5xxx Appliances:
    • Open ssh/22, http/80, and https/443 inbound for in-band administration.
    • Open http/80 and https/443 inbound to the Intelligent Platform Management Interface (IPMI) for out-of-band administration.
    • Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CDROM redirection from NetBackup Integrated Storage Manager (5020/5200 appliances).
      • Port 623 will also be used if open.
    • Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30 appliances).
    • Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30 appliances).
    • Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection (5220/5x30 appliances).
    • Open 111, 867, 2049, and 20048 inbound for portmapper, NFS, and mountd.
    • Open 139 and 445 inbound for samba/netbios, including the Log/Install shares.
    • Open 27017 inbound between nodes in an Appliance High Availability cluster.
    • Open https/443 outbound to the Veritas Call Home server for proactive hardware monitoring and messaging.
    • Open https/443 outbound to the Veritas Critical System Protection (SCSP) server to download SCSP certificates.
    • Open snmp/162 outbound to the SNMP server for SNMP traps and alerts, and to the download server for appliance updates.  Must match the port number on which the server is listening, if non-default.
    • Open smtp/25 outbound for email alerts.
    • Open sftp/22 outbound for log uploads to Veritas.
    • Open 389 and 636 outbound for LDAP and LDAPS respectively.
    • Open rsyslog/514 outbound for log forwarding.
    • Open 11111 between PureDisk 50x0 appliances and NetBackup 5[2-3]x0 MSDP appliances for multi-node topology discovery.
       
  • For CloudStore open port 5637 inbound to master and media servers from other NB servers and OpsCenter hosts (new in 8.1).
     
  • For CloudCatalyst, open port 443 from the media server to the cloud server.

Local/Internal Listening Ports

NetBackup processes also use TCP ports for intra-host connects that are internal to the host.  These ports do not need to be open externally.  The ports may be bound and listening only for connections to the loopback interface (127.0/8, or ::1) or for all network interfaces (0.0.0.0, *.*.*.*, or:::) depending on the hostname targeted by the connecting process; localhost or other hostname local to the host.

  • port 1557 (PBX)
  • port 3652 (nbwmc)
  • port 8205 (nbwmc)
  • port 9284 (nbsl NBSL_NCWS_PORT)
  • port 13785 (NB_dbsrv <--> nbwmc)

Note: These ports need to be available when/if the service starts, or functionalitly will be impaired.

Legacy Daemon Ports

The NetBackup legacy daemons continue to listen on the legacy ports for both intra-host connections from other processes on the same host and inter-host connections from previous version hosts.  These ports do not need to be open through the firewall unless previous version hosts are present that cannot connect via PBX/1556.

  • port 13701 (vmd, media servers)
  • port 13702 - 13719 (robotic and control daemons, media servers)
  • port 13720 (bprd, master server)
  • port 13721 (bpdbm, master server) 
  • port 13722 (bpjava-msvc, master server)
  • port 13723 (bpjobd, master server)
  • port 13782 (bpcd, master and media servers, clients)
  • port 13783 (nbatd, master server)
  • port 13786 (OpsCenter report generation, master server) 

Note: These ports need to be available when/if the service starts, or functionality will be impaired.

NetBackup 8.1 Considerations

The secure communication feature requires that all NB 8.1 or higher hosts (including clients) can connect to web services on the master server. The connection is via port 1556/PBX, either direct to the master server or indirectly via a media server acting as a proxy tunnel. The media server already has/requires access to the master server on port 1556/PBX.

The secure communication feature also deprecates the use of Connect Options from NB 8.1 or higher hosts to any other host. Options settings that enable legacy daemon ports, vnetd connect-back, legacy call-back, and reserved port use are ignored.

The CloudStore feature introduces a new service (nbcssc) which runs on master and media servers. The new service listens, by default, on port 5637 which must be open inbound from the other NB servers and the OpsCenter hosts.

Network Address Translation (NAT) and Port Address Translation (PAT) Considerations
The use of NAT and PAT is not supported with NetBackup. Please refer: Veritas NetBackup does not support Network Address Translation and Port Address Translation for the details.

NetBackup 8.0 Considerations

The new web service feature runs on the master server and registers with PBX which listens on port 1556/PBX on behalf of web services and other daemon listeners.  Like NBAC and other older features, web services utilizes Transport Layer Security (TLS) / Secure Sockets Layer (SSL).  Unlike the older features, the TLS protocol occurs immediately upon connection establishment.  Firewalls may detect and block this initial protocol and prevent connections to the web service.  Be sure that TLS/SSL protocol is permitted on port 1556.

NetBackup 7.7.1 Considerations

The Co-Pilot feature requires the TCP port for 8446 to be open inbound to the NetBackup appliance from the master server to manage the NFS shares.  The standard NFS ports, 2049 and 111 must be open inbound from the clients so that they can mount the NFS shares.

NetBackup 7.6 Considerations

The Client Direct feature requires the TCP ports for spad/10102 and spoold/10082 to be open from the client to the storage server, which is typically a media server hosting MSDP.  The Client Direct restore feature also requires the TCP ports for PBX/1556 and vnetd/13724 to be open from the client to the master server for the file list port connection; regardless of whether the restore is server or client initiated.

NetBackup 7.5 Considerations

The Resilient Network feature requires vnetd/13724 to be open bi-directional for connection to legacy services on any host specified by the configuration of the feature.  This is meant primarily for media server to client.  But can also be configured for client-directed operations between the client and the master server, or between master and media server. This feature cannot use PBX/1556.

NetBackup 7.1 Considerations

NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd. These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.

The processes are also listening on TCP ports 13783 and 13722 respectively. These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and resolved by NetBackup using those original names. Previous version hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-at-auth/4032.

Snapshot backups may experience a small delay during snapshot deletion if port 1556 is not open from the client to the master server.

NetBackup 7.0.1 Considerations

The bpcd and vnetd processes now run standalone. They and the other legacy processes now register with PBX at startup. Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. If the vnetd port is unreachable, then the daemon port will be used. Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX. Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the master server.

Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections.

For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost. Internal sockets on the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.

(For details, please refer to Veritas NetBackup™NetworkPorts Reference Guide)

References

Etrack : 3332635

Was this content helpful?