NetBackup 7.x/8.x/9.x/10.x firewall port requirements

Article: 100002391
Last Published: 2023-04-17
Product(s): NetBackup & Alta Data Protection

Problem

Which TCP ports must be open through a firewall for NetBackup (NB) 7.x, 8.x, 9.x and 10.x hosts to communicate with each other?

This does not include port requirements for communication with services that run on previous version hosts, remote EMM Server, or other legacy processes.

Solution

The TCP ports used by NetBackup in the default configuration are as follows:
  • Primary server to/from media servers requires the TCP port for PBX/1556, bi-directional.
  • Primary server to client requires the TCP port for PBX/1556 if performing stream discovery, application discovery, or if the clients perform user-directed backup/archive/restore, or client-directed application backup/list/restore.
  • TLS/SSL protocol must be allowed on the TCP port for PBX/1556 inbound to the primary server (new in 8.0).
     
  • Media server to media server requires the TCP port for PBX/1556, bi-directional.
  • Media server to client requires the TCP port for PBX/1556.
     
  • Client to primary server requires the TCP port for PBX/1556 for client-initiated (user or application), but not server-initiated, operations.
    Note: This includes all XBSA-based agents (e.g. policy types DataStore, DB2, Informix, Oracle, SAP, SQL-Server, Sybase, Teradata, etc.) and any clients that back up to schedules of type Application Backup, User Backup, or User Archive.
  • Client to primary server requires the TCP port for PBX/1556 for Client Direct restores.
  • Clients require the TCP port for PBX/1556 to be open either to the primary server or to a media server that can act as a http proxy tunnel for web service calls (new in 8.1)
  • Client to storage server requires the TCP ports for spad/10102 and spoold/10082 for Client Direct backup and restore.
     
  • SAN Client to/from primary/media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Java/Windows admin consoles to primary and media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Hosts running NetBackup 7.x - 8.x will retry connections to legacy services via the TCP port for vnetd/13724 if the connection cannot be established via the TCP port for PBX/1556.
    • If the service cannot be reached via the TCP port for PBX/1556 and the TCP port for vnetd/13724 is blocked by a firewall which silently discards the TCP SYN packet, then the operating system connect() API will wait for the TCP SYN retry/timeout before failing the connection attempt.  This introduces delays before NetBackup can detect a connection failure.
    • If the firewall returns an immediate TCP RESET, there will be minimal delay before the connection failure is detected.

Note:  The firewall behaviors described in the bullet above also apply to any other TCP port that is blocked, but attempted to be used.  For that reason, it is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts.
 

  • If using the Resilient Network/Client feature for connections to legacy services:  (7.5) 
    • It must be configured on both the connecting and accepting hosts; primary, media server, and/or client.
    • The TCP port for vnetd/13724 must be open bi-directional between the hosts.
       
  • If using HTTP or HTTPS to access web services on the primary server:  (new in 8.0)
    • Open TCP port 8080 inbound to java nbwmc on the primary server (8.0 - 8.1.1)
    • Open TCP  port 8443 inbound to java nbwmc on the primary server (8.0 - 9.1)
    • Open TCP port 443 inbound to vnet HTTP API tunnel on the primary server (8.1.2+)
      On appliance primary servers, open TCP port 8989 inbound to sign-in with certificate (8.1.2 - 9.0) changed to 13731 (9.1+)
      (Changed via NB_WEBUI_PORT, disabled by -1.)
       
  • If using the Network Address Translation (NAT) feature:  (new in 8.2)
    • The TCP port used by the MQBroker must be open from the clients to the primary server; default is port 13781 unless changed using the configureMQ program.
    • The direction of connection initiation between servers and clients is reversed.  The TCP port for PBX/1556 must be open from the client to the servers and need not be open from servers to clients.
       
  • If using an Automatic Cartridge System (ACS):
    • The ACS configuration must be matched by the configuration in the vm.conf file on NetBackup media servers.
    • ACS_SSI_INET_PORT defines destination ports inbound to the media server from the ACS host.
    • ACS_CSI_HOSTPORT defines the destination ports outbound from the media server to the ACS hosts.
       
  • If using CloudCatalyst, open port 443 from the media server to the cloud server.
     
  • If using CloudStore, open port 5637 inbound to primary and media servers from other NB servers and OpsCenter hosts (applicable only when media servers are 7.7.1 - 8.1.2).
     
  • If using Copilot:
    • Open TCP port 8446 from the primary server to the NetBackup Appliance (NBA) media server hosting the co-pilot NFS shares, for web service requests. (new in 8.1.1 / NBA 3.1.1)
    • Open TCP port 443 from the primary server to the NBA hosting the Co-pilot NFS share. (changed in 8.2 / NBA 3.2)
    • Open 2049 and 111 from the client to the NetBackup appliance media server, so it can mount the NFS share.
       
  • If using Instant Access or Universal Shares:
    • Open TCP port 8446 from the primary server to the deduplication media server (8.1*).
    • Open TCP port 443 from the primary server to the deduplication media server. (changed in NB 8.2 / NBA 3.2).
       
  • If using the OpenStorage plug-in by DataDomain:
    • Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port (default 2052 but often changed), on the target DataDomain array.
    • For optimized duplication access to TCP port 2051 is also required.
       
  • If using Optimized Duplication (including Automatic Image Replication):
    • For MSDP-to-MSDP, the source storage server needs access to spad/10102 and spoold/10082 on the destination storage server.
    • For MSDP-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination storage server.
    • For PDDO-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination storage server.
       
  • To backup and restore Hadoop:  (new in 8.1)
    • Backup host to the Hadoop cluster requires TCP port 50070 by default.
    • The port number is configurable.  See the http address parameter in the core-site.xml file on the Hadoop cluster.  The number must also match the port parameter configured in the /usr/openv/var/global/hadoop.conf file on the NetBackup backup host.
       
  • To backup and restore Kubernetes:  (new in 9.1)
    • Primary server to the Kubernetes cluster typically requires TCP port 443.
    • Media servers to the Kubernetes cluster typically requires TCP port 443. (new in 10.0)
    • Review the Kubernetes configuration to ensure that the Kubernetes API server port has not been changed to a non-default port; often 6443 or 8443.
    • Kubernetes cluster to the primary server requires TCP port 443.  (in 9.1, but not in 10.0+)
    • The NetBackup Kubernetes Operator (KOps) and datamover pods have additional requirements.  (new in 10.0)
      • Kubernetes cluster to primary server requires TCP port 1556 outbound.
      • Kubernetes cluster to media server requires TCP port 1556 outbound.
      • Kubernetes cluster to primary and media servers requires TCP port 13724 bi-directional if using Resilient Network.
         
  • To backup and restore MongoDB:  (new in 8.2)
    • Backup host to the MongoDB workload node requires TCP port 22 (ssh).
    • Backup host to the MongoDB workload node requires TCP ports 11000 - 11009 by default.  Note that this range is configurable via the mongodb.conf file; mdbserver_port and mdbserver_port_range.
       
  • To backup and restore NDMP filers:
    • Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.
    • The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP.
    • If using shared drives and Automatic Volume Recognition, open the ICMP protocol from the media server scan host that is hosting the avrd process to the NDMP filers hosting the tape drives.
       
  • To backup and restore Nutanix AHV cluster:  (new in 8.1)
    • AHV Access Host to Nutanix AHV cluster requires TCP port 9440 (default).
    • AHV Access Host to/from Nutanix AHV cluster requires TCP ports 111 (portmapper) and 2049 (NFS) open bi-directional.
    • AHV Access Host to/from Nutanix AHV cluster requires TCP ports 860 and 3260 open bi-directional for iSCSI block-level access to storage devices.
    • AHV Access Host to/from Nutanix AHV cluster requires TCP port 3205 open bi-directional for iSNS management of both iSCSI and Fibre Channel devices.

Note: The AHV Access Hosts are the NetBackup backup and recovery hosts with access to the Nutanix AHV cluster.
 

  • To backup and restore SharePoint:
    • Front End to/from SQL client hosts requires legacy service connectivity, bi-directional; PBX/1556.
    • Front End to/from SQL client hosts also use the "remote registry service" which requires TCP ports 135, 137, 138, 139 and 445.
    • See Microsoft article: Plan security hardening for SharePoint Server
       
  • To backup and restore VMware:
    • Backup host to vCenter requires TCP port 443.
    • If using query builder (VIP), primary server to vCenter requires TCP port 443.
    • If using the nbd transport type, backup host to ESX host requires TCP port 902.
       
  • If using the NetBackup plugins for VMware or Hyper-V:
    • The primary server must have TCP port 8443 open inbound from the hosts running the plugin (vCenter, vSphere web client, etc).
    • NetBackup 10.0+ primary servers are accessed by vCenter/vSphere plug-in versions <7.0 via TCP port 443.
    • NetBackup 10.0+ primary servers are accessed by vCenter/vSphere plug-in versions 7.0+ via TCP port 1556.
       
  • If using Automatic Image Replication (AIR):  (new in 8.1)
    • In addition to the ports for Optimized Duplication, also open the TCP port for PBX/1556 between the primary servers, and from the Source MSDP server to the target primary for the CA certificate.
       
  • If using Granular Restore Technology (GRT):
    • Clients need to connect to the media server on portmap/111 and nbfsd/7394.
       
  • If using OpsCenter:
    • Web browsers require TCP port https/443 to the OpsCenter Web GUI with either 8181 and 8443 or 8282 and 8553 used as alternates.
    • Custom report generators require TCP port 13786 to the OpsCenter Server.
    • Open port 1556 (pbx) between the OpsCenter server and primary server.
    • OpsCenter Server also uses UDP port 162 outbound for SNMP trap protocol.
       
  • If using VxSS with NetBackup pre-7.1 Access Control (NBAC):
    • Primary servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Clients require the TCP port vrts-at-port/2821 to the VxSS server.
    • Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
  • For NetBackup Appliances (NBA) 5xxx:
    • Open ssh/22 and https/443 inbound for in-band administration.
    • Open https/443 inbound to the Intelligent Platform Management Interface (IPMI) for in-band and out-of-band administration.
    • Open https/443 inbound on media servers for Copilot, Universal Shares, and Instant Access.
    • Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CDROM redirection from NetBackup Integrated Storage Manager (5020/52x0/53x0 appliances).
      • Port 623 will also be used if open.
    • Open 5902 inbound to the IPMI for Secured KVM remote console/CLI (5340 appliances).
    • Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30/5x40 appliances).
      • Open 7582 inbound for encrypted access (5230/5240/5330/5430 appliances).
    • Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30/5x40 appliances).
      • Open 5124 inbound for encrypted access (5230/5240/5330/5430 appliances).
    • Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection or USB (5220/5x30/5x40 appliances).
    • Open 5621 inbound to provide IPMI support for HTML 5 Virtual Media.
      • Open 5127 inbound for encrypted access (5230/5240/5330/5430 appliances).
    • Open 111, 867, 2049, and 20048 inbound for portmapper, NFS, and mountd.
    • Open 139 and 445 inbound for samba/netbios, including the Log/Install shares.
    • Open 27017 inbound between nodes in an Appliance High Availability cluster.
    • Open https/443 outbound to the Veritas Call Home server for proactive hardware monitoring and messaging.
    • Open https/443 outbound to the Veritas Critical System Protection (SCSP) server to download SCSP/SDSP certificates.
    • Open snmp/162 outbound to the SNMP server for SNMP traps and alerts, and to the download server for appliance updates.  Must match the port number on which the server is listening, if non-default.
    • Open smtp/25 outbound for email alerts.
    • Open sftp/22 outbound for log uploads to Veritas.
    • Open 389 and 636 outbound for LDAP and LDAPS respectively.
    • Open rsyslog/514 outbound for log forwarding.
    • Open 11111 between PureDisk 50x0 appliances and NetBackup 52x0/53x0 MSDP appliances for multi-node topology discovery.
  • For NetBackup Virtual Appliances (NBVA)  primary and media servers:
    • Same port requirements as other appliance-based primary and media servers; principally:
      • Open PBX/1556 bi-directional between primary and media servers.
      • Open vnetd/13724 bi-directional between primary and media servers.
      • Open https/443 bi-directional between primary and media servers.
      • Open 7578 inbound to the IPMI for Remote Console CLI access.
    • In some cases updates may also be needed to: Settings -> Security -> Port -> Modify NBUPortRange.

       
  • For NetBackup Flex WORM containers:
    • Open PBX/1556 and vnetd/13724 outbound to the primary server.
    • Open PBX/1556 and vnetd/13724 bi-directional with media servers.
    • Open spad/10102 and spoold/10082 inbound from the media servers.

 

Local/Internal Listening Ports

NetBackup processes also use TCP ports for intra-host connections that are internal to the host.  These ports do not need to be open externally.  Depending on the hostname targeted by the connecting process (localhost, or another hostname that resolves to the local host), the ports may be bound and listening only on the loopback interface (127.0.0.0/8 or ::1) or on all network interfaces (0.0.0.0 or ::).

  • port 1557 (PBX, 6.0x only)
  • port 3652 (java nbwmc <--> gateway/tunnel, 8.0+)
  • port 8205 (java nbwmc shutdown, 8.0+)
  • port 9284 (nbsl NBSL_NCWS_PORT, 8.1.2+)
  • port 13777 (java nbwmc <--> MQBroker for STOMP comms, 10.0+, unless changed) 
  • ports 13778 - 13780 (MQBroker, 8.2+, unless changed using the configureMQ program)
  • port 13785 (java nbwmc <--> NB_dbsrv [8.0 - 10.1] / postgres [10.2+])
  • port 13787 (pgbouncer pooler port, unless changed via pgbouncer.ini & vxdbms.conf & web.conf, 10.2+)

Note: The ports above need to be available when/if the service starts, or functionality will be impaired.

In addition, some NetBackup processes also bind and listen on a random TCP port for local inter-process communication.  Those port numbers will change each time the service is restarted, and also do not need to be open through the firewall.

  • java nbwmc (8.1.2+)
  • PBX (6.0+, two random ports)
  • vnetd -proxy inbound_proxy (8.1+)
  • vnetd -proxy outbound_proxy (8.1+)

Legacy Daemon Ports

The NetBackup legacy daemons continue to listen on the legacy ports for both intra-host connections from other processes on the same host and inter-host connections from previous-version hosts.  These ports do not need to be open through the firewall unless pre-7.1 hosts are present; such hosts cannot connect via PBX/1556.

  • port 13701 (vmd, media servers)
  • port 13702 - 13719 (robotic and control daemons, media servers)
  • port 13720 (bprd, primary server)
  • port 13721 (bpdbm, primary server) 
  • port 13722 (nbazd, primary server, previously bpjava-msvc)
  • port 13723 (bpjobd, primary server)
  • port 13782 (bpcd, primary and media servers, clients)
  • port 13783 (nbatd, primary server, previously vopied)
  • port 13786 (OpsCenter report generation, primary server) 

Note: These ports need to be available when/if the service starts, or functionality will be impaired.
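To confirm that the intra-host ports from the Local/Internal Listening Ports section above and the legacy daemon ports listed here are not exposed to the network unnecessarily, the following audit parses `ss -ltnp` output and sorts each listener into a category taken from this article. It is an added example, not part of any Veritas tooling: the sample `ss` rows are constructed for the example, the process names in them are illustrative, and the port sets come from this article's lists (with the web service ports 443/8443 and MQBroker 13781 treated as expected external ports).

```python
"""Audit NetBackup listeners on a host: which article-listed 'internal only' ports are
bound beyond the loopback interface?  Parses `ss -ltnp` output; constructed sample included."""
import re

# From this article: intra-host ports that never need to be reachable from other hosts.
INTERNAL_ONLY = {1557, 3652, 8205, 9284, 13777, 13778, 13779, 13780, 13785, 13787}
# Legacy daemon ports: reachable from other hosts only when pre-7.1 hosts exist.
LEGACY = set(range(13701, 13724)) | {13782, 13783, 13786}
# Ports the article expects other NetBackup hosts (or browsers) to connect to.
EXTERNAL = {1556, 13724, 443, 8443, 10082, 10102, 13781}

# One LISTEN row of `ss -ltnp`; the greedy \S+ leaves the last ':' for the port number,
# so both "0.0.0.0:1556" and "[::]:13720" split correctly.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed sample in `ss -ltnp` layout (not captured from a real primary server).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:1556       0.0.0.0:*         users:(("pbx_exchange",pid=1201,fd=9))
LISTEN 0      128    0.0.0.0:13724      0.0.0.0:*         users:(("vnetd",pid=1305,fd=5))
LISTEN 0      128    127.0.0.1:13785    0.0.0.0:*         users:(("postgres",pid=1410,fd=6))
LISTEN 0      128    0.0.0.0:13787      0.0.0.0:*         users:(("pgbouncer",pid=1422,fd=7))
LISTEN 0      128    [::]:13720         [::]:*            users:(("bprd",pid=1501,fd=4))
LISTEN 0      128    [::1]:8205         [::]:*            users:(("java",pid=1600,fd=12))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1 (bracketed or not) as printed by ss."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def parse_ss(text):
    """Yield (local_addr, port, process_name) for each LISTEN row; skip headers."""
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, rest = m.group(1), int(m.group(2)), m.group(3)
        pm = PROC_RE.search(rest)
        yield addr, port, (pm.group(1) if pm else "?")


def classify(addr, port):
    """Map one listener to a finding category from this article's port lists."""
    if port in INTERNAL_ONLY:
        return "loopback-only" if is_loopback(addr) else "exposed-internal"
    if port in LEGACY:
        return "legacy"          # block at the firewall unless pre-7.1 hosts must reach it
    if port in EXTERNAL:
        return "expected"
    return "unlisted"            # not a NetBackup port named in this article


def audit(ss_text):
    """Return {port: (process, category)} for every listener in the ss output."""
    return {port: (proc, classify(addr, port)) for addr, port, proc in parse_ss(ss_text)}


def exposed_internal(findings):
    """Intra-host ports bound on a non-loopback address: block them at the host firewall."""
    return sorted(p for p, (_, cat) in findings.items() if cat == "exposed-internal")


if __name__ == "__main__":
    for port, (proc, cat) in sorted(audit(SAMPLE_SS).items()):
        print(f"{port:6d} {proc:14s} {cat}")
```

On a real host, pass the output of `ss -ltnp` to `audit()`. A port in the exposed-internal category is one to block at the host firewall rather than at the service, since the Relocating, Blocking, and Disabling Ports section below notes that stopping the service is the only way to stop the listener itself.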

Relocating, Blocking, and Disabling Ports

Most NetBackup service ports are registered with IANA, and except as noted above cannot be relocated to different port numbers.  See the related article on minimizing port bind conflicts.

NetBackup features/services that do not need to be accessed from remote hosts can be blocked by firewalls between the hosts while the services remain running to accept connections from processes on the local host.  Stopping the services is the only way to disable port use, but also makes the service and associated feature unavailable.

On NetBackup Appliances, most external users will connect to web services securely via TCP port 443, but the nginx service may be listening on port 80 to support users connecting insecurely.  The latter port can be disabled by making a backup copy of the configuration file, truncating it, and then restarting the service.

$ cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
$ truncate -s 0 /etc/nginx/conf.d/default.conf
$ service nginx restart

 

NetBackup 8.2 Considerations

The Network Address Translation (NAT) feature requires that NetBackup client hosts - typically located behind a NAT gateway - be able to connect to the message queue broker (MQBroker) on the primary server.  By default, the MQBroker is listening on TCP port 13781, but this port number can be changed using the configureMQ command.  The MQBroker is implemented by several third-party processes; beam.smp/nbmqbroker, epmd[.exe], erl_child_setup, and inet_gethost[.exe].

Further, this feature reverses the direction of connection establishment between NetBackup servers and NetBackup clients.  Instead of having 1556/PBX open from the media servers and/or primary server to the clients, that port must instead be open from the clients to the servers.

Not all NetBackup features are compatible with NAT clients;  SAN client, Client-side deduplication, NDMP client, Snapshot management server, Bare metal restore, Throttle/Limit bandwidth, Resilient network.

NetBackup 8.1 Considerations

The secure communication feature requires that all NB 8.1 or higher hosts (including clients) can connect to web services on the primary server. The connection is via port 1556/PBX, either direct to the primary server or indirectly via a media server acting as a proxy tunnel. The media server already has/requires access to the primary server on port 1556/PBX.

Note: The web service proxy tunnel only transports communications for web services.  It is intended for certificate and CRL requests from clients - configured only for server-initiated file system backups - that do not have a network route to the primary server but do have a network route to a media server.  It does not transport communications for legacy services (bprd, bpcd, vnetd, etc) or CORBA services (nbdisco, SAN Client, Client Direct, etc).  Hence it is not a substitute for opening TCP port 1556 bi-directional between the primary server and clients that are running NetBackup database agents or performing user backup/archive operations.  Nor is it a substitute for opening TCP port 13724 when Resilient Network is in use.

The secure communication feature also deprecates the use of Firewall or Connect Options settings from NB 8.1 or higher hosts to any other host. Those settings previously could be used to enable legacy daemon ports, vnetd connect-back, legacy call-back, and reserved port use; but those settings are now ignored.
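The NAT rules above (MQBroker on 13781, PBX/1556 reversed to client-to-server, no Client Direct or Resilient Network), together with the 8.1 note that the media-server web service tunnel does not replace direct 1556 access for clients doing user or application-initiated work, can be written down as a rule generator, which helps when preparing firewall change requests for a fleet of clients. This is an added example, not Veritas code: host names are placeholders, the convention that the first media server listed is the MSDP storage server for Client Direct is the example's own, and the Resilient Network rules cover only client to media server.

```python
"""Derive the TCP allow rules one NetBackup client needs, with and without the 8.2 NAT feature.
Rules are expressed in the direction of connection initiation (src connects to dst:port)."""
from dataclasses import dataclass, field

# Default ports named in this article.
PBX, VNETD, MQBROKER = 1556, 13724, 13781
SPAD, SPOOLD = 10102, 10082


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    why: str = field(default="", compare=False)   # annotation only; not part of equality


def client_rules(client, primary, media_servers, *, nat=False, client_direct=False,
                 resilient=False, user_initiated=False, web_proxy=None, mq_port=MQBROKER):
    """Return the set of Rule objects for one client.

    nat            client sits behind a NAT gateway and uses the NAT feature (8.2+)
    client_direct  client backs up/restores straight to the MSDP storage server
                   (example convention: media_servers[0] is the storage server)
    resilient      Resilient Network is configured between client and media servers
    user_initiated client runs user backups/archives or a database agent (XBSA)
    web_proxy      media server acting as the HTTP tunnel for web service calls (8.1+)
    mq_port        MQBroker port; 13781 unless changed with configureMQ
    """
    if nat and (client_direct or resilient):
        # Article: NAT clients are not compatible with client-side dedup or Resilient Network.
        raise ValueError("NAT clients cannot use Client Direct or Resilient Network")
    if client_direct and not media_servers:
        raise ValueError("Client Direct needs a storage server in media_servers")
    servers = [primary, *media_servers]
    rules = set()

    if nat:
        rules.add(Rule(client, primary, mq_port, "MQBroker for NAT clients"))
        for s in servers:
            rules.add(Rule(client, s, PBX, "PBX; initiation direction reversed for NAT"))
        return rules                        # nothing inbound to the client is required

    for s in servers:
        rules.add(Rule(s, client, PBX, "server-initiated operations"))
    # Web service calls (certificate/CRL): direct to the primary, or via a media-server tunnel.
    # The tunnel carries web services only, so user/application-initiated work still needs
    # 1556 from the client to the primary server.
    if web_proxy and not user_initiated:
        rules.add(Rule(client, web_proxy, PBX, "web service tunnel via media server"))
    else:
        rules.add(Rule(client, primary, PBX, "web services and client-initiated operations"))
    if client_direct:
        storage = media_servers[0]
        rules.add(Rule(client, storage, SPAD, "Client Direct spad"))
        rules.add(Rule(client, storage, SPOOLD, "Client Direct spoold"))
        rules.add(Rule(client, primary, PBX, "Client Direct restore file list"))
        rules.add(Rule(client, primary, VNETD, "Client Direct restore file list"))
    if resilient:
        for m in media_servers:
            rules.add(Rule(client, m, VNETD, "Resilient Network"))
            rules.add(Rule(m, client, VNETD, "Resilient Network"))
    return rules


def render(rules):
    """Sorted 'src -> dst:port' lines suitable for a change request."""
    return [f"{r.src} -> {r.dst}:{r.port}  # {r.why}"
            for r in sorted(rules, key=lambda r: (r.src, r.dst, r.port))]


if __name__ == "__main__":
    # Placeholder host names for the example.
    for line in render(client_rules("client01", "nbprimary", ["nbmedia01"], nat=True)):
        print(line)
```

Note that the NAT output never contains a rule with the client as destination, which is the point of the feature; the non-NAT output with `web_proxy` set but `user_initiated=True` still contains client-to-primary 1556, reflecting the caveat on the proxy tunnel.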

NetBackup 8.0 Considerations

The new web service feature runs on the primary server and registers with PBX which listens on port 1556/PBX on behalf of web services and other daemon listeners.  Like NBAC and other older features, web services utilizes Transport Layer Security (TLS) / Secure Sockets Layer (SSL).  Unlike the older features, the TLS protocol occurs immediately upon connection establishment.  Firewalls may detect and block this initial protocol and prevent connections to the web service.  Be sure that TLS/SSL protocol is permitted on port 1556.

The CloudStore feature introduces a new service (nbcssc) which runs on primary and media servers. The new service listens, by default, on port 5637 which must be open inbound from the other NB servers and the OpsCenter hosts.

NetBackup 7.7.1 Considerations

The Co-Pilot feature requires the TCP port for 8446 to be open inbound to the NetBackup appliance from the primary server to manage the NFS shares.  The standard NFS ports, 2049 and 111 must be open inbound from the clients so that they can mount the NFS shares.

NetBackup 7.6 Considerations

The Client Direct feature requires the TCP ports for spad/10102 and spoold/10082 to be open from the client to the storage server, which is typically a media server hosting MSDP.  The Client Direct restore feature also requires the TCP ports for PBX/1556 and vnetd/13724 to be open from the client to the primary server for the file list port connection; regardless of whether the restore is server or client initiated.

NetBackup 7.5 Considerations

The Resilient Network feature requires vnetd/13724 to be open bi-directional for connection to legacy services on any host specified by the configuration of the feature.  This is meant primarily for media server to client.  But can also be configured for client-directed operations between the client and the primary server, or between primary and media server. This feature cannot use PBX/1556.

NetBackup 7.1 Considerations

NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd. These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.

The processes are also listening on TCP ports 13783 and 13722 respectively. These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and resolved by NetBackup using those original names. Previous version hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-auth-port/4032.

Snapshot backups may experience a small delay during snapshot deletion if port 1556 is not open from the client to the primary server.

NetBackup 7.0.1 Considerations

The bpcd and vnetd processes now run standalone. They and the other legacy processes now register with PBX at startup. Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. If the vnetd port is unreachable, then the daemon port will be used. Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX. Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the primary server.

Note that the Java console to primary server uses the vnetd port for connection to bpjobd and the PBX port for all other connections.

For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost. Internal connections via the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.
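The fallback order described above (PBX/1556, then vnetd/13724, then the daemon port) and the firewall behaviour noted in the Solution list (a silently dropped SYN delays failure detection, an RST does not) can be checked from a NetBackup host with the probe below. It is an added example written for this article, not a Veritas tool: the mapping of connect() errors to states and the verdict wording are the example's own, and the probe's explicit timeout bounds the wait where NetBackup's own connect() would sit through the full operating-system SYN retry cycle.

```python
"""Probe the NetBackup PBX and vnetd ports on a host and report how a firewall treats them."""
import errno
import socket
import time

# Default NetBackup TCP ports named in this article.
PBX = 1556
VNETD = 13724


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify the outcome.

    Returns (state, seconds_elapsed) where state is one of:
      'open'        handshake completed: a listener (e.g. pbx_exchange or vnetd) answered
      'refused'     immediate TCP RST: no listener, or a firewall that rejects rather than drops
      'filtered'    nothing came back before the timeout: a firewall silently dropping the SYN
      'unreachable' the local stack reported no route / host unreachable
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", time.monotonic() - start
    except socket.timeout:                  # TimeoutError on Python 3.10+
        return "filtered", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable", time.monotonic() - start
        raise                               # DNS failure etc.: let the caller see it


def fallback_verdict(pbx, vnetd):
    """Explain the PBX-then-vnetd connection order for one host, given the two
    (state, seconds) results from probe()."""
    pbx_state, _ = pbx
    vnetd_state, vnetd_secs = vnetd
    if pbx_state == "open":
        return "PBX reachable; the vnetd fallback is never tried"
    if vnetd_state == "open":
        return f"PBX {pbx_state}; every connection falls back to vnetd (open 1556 to avoid the retry)"
    if vnetd_state == "filtered":
        return (f"PBX {pbx_state} and vnetd SYN silently dropped: each failed connect stalled "
                f"{vnetd_secs:.1f}s here and waits for the OS SYN retries in NetBackup")
    if vnetd_state == "refused":
        return f"PBX {pbx_state} and vnetd rejected with RST: the failure is detected immediately"
    return f"PBX {pbx_state}, vnetd {vnetd_state}: check routing before the firewall rules"


def check_host(host, timeout=3.0):
    """Probe PBX and vnetd on one host; return the raw results and a verdict."""
    pbx = probe(host, PBX, timeout)
    vnetd = probe(host, VNETD, timeout)
    return {"pbx": pbx, "vnetd": vnetd, "verdict": fallback_verdict(pbx, vnetd)}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["127.0.0.1"]:
        result = check_host(target)
        print(f"{target}: pbx={result['pbx'][0]} vnetd={result['vnetd'][0]} - {result['verdict']}")
```

Run it from the connecting host against each peer, for example `python3 nbprobe.py nbmedia01 client07` (placeholder names). A 'filtered' result on 13724 while 1556 is also blocked is exactly the case the note in the Solution list warns about: either open the port or have the firewall reject with a RESET so that failures are detected promptly.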

Network Address Translation (NAT) and Port Address Translation (PAT) Considerations

Except as noted above, the use of NAT and PAT is not supported with NetBackup.  Please refer to the article "Veritas NetBackup support for Network Address Translation and Port Address Translation" for details.

(For additional details, please refer to Veritas NetBackup™ Network Ports Reference Guide)

References

Etrack : 3332635
