NetBackup 6.x and 7.x and 8.x firewall port requirements

NetBackup 6.x and 7.x and 8.x firewall port requirements

  • Article ID:100002391
  • Last Published:
  • Product(s):NetBackup

Problem

 

Which TCP ports must be open through a firewall for NetBackup (NBU) 6.x, 7.x and 8.x hosts to communicate with each other?

This does not include port requirements for communication with services that run on back-level hosts; NetBackup 5.x services, remote EMM Server, or other legacy processes. Those details are covered in the NetBackup (tm) 6.0 Port Usage Guide for Windows and UNIX Platforms and the NetBackup 7.0.1 Security and Encryption Guide, see the Related Articles.

 

Cause

 

As the number of NetBackup services has multiplied, and networking as a whole has evolved from the 20th century to the 21st century to the internet, NetBackup too has evolved.  The goal has been to generally minimize the network and firewall configuration requirements where possible.  These were the main transition points in the evolution of NetBackup.

  • Initially, all NetBackup services listened on their own unique (daemon) TCP port. 
    • Any additional connections needed between the process on the connecting host and the servic were made by the service using a call-back connection from the service host to a TCP port in the SERVER_PORT_WINDOW on the connecting host.
       
  • In NetBackup 4.5, the services began to also listen/accept connections from the new vnetd service that listened on TCP port 13724.  The connecting processes still defaulted to daemon port usage to prevent immediate firewall conflicts (connect options = x x 2).  Once firewalls were reconfigured, NetBackup could be configured to try to reach services via vnetd with retries via the daemon ports (connect options = x x 1). 
    • Any additional connections needed between the processes were still made with call-back (connect options = x 0 x), but could be configured to use the new connect-back connection type.  The latter is from the service to vnetd/13724 on the connecting host(connect options = x 1 x).
    • If the TCP port for vnetd/13724 was open bi-directionally between all hosts, the daemon and call-back ports no longer needed to be open through any firewalls provided the 'default_connect_options = 1 1 1' was configured on all hosts.
       
  • In NetBackup 5.x, the connecting processes where switched to prefer vnetd over the daemon port by defaults (default_connect_options = 1 1 1).  If a connection could not be established via vnetd, it was still retried via the daemon port.
     
  • In NetBackup 6.0, the PBX process was introduced to support CORBA connections.  It listens on TCP port 1556 for inbound CORBA connections to the new services which are multi-threaded, much like vnetd does on TCP port 13724 for the many single-threaded legacy services. Thus, all of the new services could be reached via port 1556 and each new service did not need to listen on its own unique port.
    • At the same time, the vnetd forwarding connection was introduced as an alternative to the the prior call-back and connect-back mechanisms used to make additional connections to bpcd and other legacy client processes. The forwarding connection, like the service connection, is opened from the connecting host to the targert/service host, thus removing the need to accept TCP SYN packets inbound from NetBackup client hosts if only server-initiated standard backup and restore operations are performed.  Forwarding sockets were automatically used with connect options = x x 0|1.  Legacy call-back or vnetd connect-back was still available with connect options = x 0|1 2.
       
  • In NetBackup 7.0.1, the legacy services were updated to also register with PBX to accept inbound connections; in addition to still accepting connections from vnetd and directly on the daemon port.  At the same time, the connecting processes were switch to first try to connect to the legacy services via PBX before retrying via vnetd and then retrying via the daemon port if necessary.
     
  • In NetBackup 7.5, the Resilient Network Transport Daemon (nbrntd) was introduced.  It uses the TCP port for vnetd/13724 exclusively because PBX cannot do what nbrntd needs to have done, but vnetd can.
     
  • In NetBackup 8.0, web services were introduced on the NetBackup master server.  It also receives connections via TCP port 1556, and uses Transport Layer Security (TLS) / Secure Sockets Layer (SSL) protocol on that port.
     
  • In NetBackup 8.1, outbound connections to legacy services between secure communication capable hosts were changed to utilize only the TCP port for PBX/1556; any configured connect options are ignored.  The legacy services still listen for inbound connections via the TCP ports for vnetd/13724 and daemon ports, but only continue the communication if the connection is from a known, verified, pre-8.1 host (or the local vnetd process in the case where Resilient Network is configured).
     
  • NetBackup also continues to need to interact with a growing number of other network accessible 3rd party processes listening on additional ports.
     

Additional details are included in the Solution below.
 

Solution

 

The TCP ports used by NetBackup in the default configuration are as follows; without overriding connect options in the Client Attributes (bpclient) or Firewall (CONNECT_OPTIONS) settings:

  • Master server to/from media servers requires the TCP port for PBX/1556, bi-directional.
  • Master server to client requires the TCP port for PBX/1556 if performing stream discovery, application discovery, or if the clients perform user-directed backup/archive/restore, or client-directed application backup/list/restore.
  • TLS/SSL protocol must be allowed on the TCP port for PBX/1556 inbound to the master server (new in 8.0).
     
  • Media server to media server requires the TCP port for PBX/1556, bi-directional.
  • Media server to client requires the TCP port for PBX/1556.
     
  • Client to master server requires the TCP port for PBX/1556 for client-initiated (user or application), but not server-initiated, operations.
  • Client to master server requires the TCP port for PBX/1556 for Client Direct restores (new in 7.6).
  • Clients require the TCP port for PBX/1556 to be open either to the master server or to a media server that can act as a http proxy tunnel for web service calls (new in 8.1). 
     
  • SAN Client to/from master/media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Java/Windows admin consoles to master and media servers requires the TCP port for PBX/1556, bi-directional.
     
  • Hosts running NetBackup 7.0.1 - 8.0 will retry connections to legacy services via the TCP port for vnetd/13724 if the connection cannot be established via the TCP port for PBX/1556.
    • If the service cannot be reached via the TCP port for PBX/1556 and the TCP port for vnetd/13724 is blocked by a firewall which silently discards the TCP SYN packet, then the operating system connect() API will wait for TCP SYN retry/timeout before failing the connection attempt.  This will introduce delays before NetBackup can detect a connection failure.
    • If the firewall returns an immediate TCP RESET, there will be minimal delay before the connction failure is detected.
       
  • Note:  The firewall behaviors described in the bullet above also apply to any other TCP port that is blocked, but attempted to be used.
    • For that reason, it is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts.
       
  • Hosts running NetBackup 5.x - 7.0 target the TCP port for vnetd/13724 when connecting to legacy services (instead of PBX/1556).
     
  • Hosts running NetBackup 4.5 target the TCP daemon ports for the legacy services (instead of vnetd/13724), unless the connect options have been changed to 'x x 0|1'.
  • Hosts running NetBackup 3.x - 4.0 target the TCP daemon ports for the legacy services (instead of vnetd/13724).
     
  • If using the Resilient Network/Client feature for connections to legacy services:  (new in 7.5)
    • It must be configured on both the connecting and accepting hosts; master, media server, and/or client.
    • The TCP port for vnetd/13724 must be open bi-directional between the hosts.
       
  • To backup and restore VMWare:
    • Backup host to vCenter requires TCP port 443.
    • If using query builder (VIP), master server to vCenter requires TCP port 443.
    • If using the nbd transport type, backup host to ESX host requires TCP port 902.
       
  • If using the NetBackup plugins for VMware or Hyper-V:
    • The master server must have TCP port 8443 open inbound from the hosts running the plugin (vCenter, vSphere web client, etc).
       
  • To backup and restore SharePoint:
  • If using Granular Restore Technology (GRT):
    • Clients need to connect to the media server on portmap/111 and nbfsd/7394.
       
  • If using OpsCenter:
    • Web browsers require TCP ports http/80 and https/443 to the OpsCenter Web GUI with either 8181 and 8443 or 8282 and 8553 used as alternates.
    • Custom report generators require TCP port 13786 to the OpsCenter Server.
    • Open port 1556 (pbx) between the OpsCenter server and master server.
    • OpsCenter Server also uses UDP port 162 outbound for SNMP trap protocol.
       
  • To backup and restore NDMP filers:
    • Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000.
    • The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP.
    • If using shared drives and Automatic Volume Recognition, open the ICMP protocol from the media server scan host that is hosting the avrd process to the NDMP filers hosting the tape drives.
       
  • If using VxSS with NetBackup pre-7.1 Access Control (NBAC):
    • Master servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Media servers require the TCP ports vrts-at-port/2821 and vrts-auth-port/4032 to the VxSS server.
    • Clients require the TCP port vrts-at-port/2821 to the VxSS server.
    • Java/Windows admin consoles require the TCP port vrts-at-port/2821 to the VxSS server.
       
  • If using the OpenStorage plug-in by DataDomain:
    • Requires access to TCP port 2049, UDP/TCP port 111, and the mountd port on the target DataDomain array.
    • For optimized duplication access to TCP port 2051 is also required.
       
  • If using Optimized Duplication (including Automatic Image Replication):
    • For MSDP-to-MSDP, the source storage server needs access to spad/10102 and spoold/10082 on the destination server.
    • For MSDP-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
    • For PDDO-to-PDDO, the source storage server needs access to SPA/443 and spoold/10082 on the destination server.
       
  • For Automatic Image Replication (AIR)
    • In addition to the ports for Optimized Duplication, also open the TCP port for PBX/1556 between the master servers.
       
  • For NetBackup Copilot
    • Open 8446 from the master server to the NetBackup appliance media server hosting the co-pilot NFS shares, for web service reqeusts.
    • Open 2049 and 111 from the client to the NetBackup appliance media server, so it can mount the NFS share.
       
  • For NetBackup 5xxx Appliances:
    • Open ssh/22, http/80, and https/443 inbound for in-band administration.
    • Open http/80 and https/443 inbound to the Intelligent Platform Management Interface (IPMI) for out-of-band administration.
    • Open 5900 inbound to the IPMI for KVM remote console/CLI and virtual ISO/CDROM redirection from NetBackup Integrated Storage Manager (5020/5200 appliances).
      • Port 623 will also be used if open.
    • Open 7578 inbound to the IPMI for Remote Console CLI access (5220/5x30 appliances).
    • Open 5120 inbound to the IPMI for Remote Console virtual ISO/CD-ROM redirection (5220/5x30 appliances).
    • Open 5123 inbound to the IPMI for Remote Console virtual floppy redirection (5220/5x30 appliances).
    • Open 111, 867, 2049, and 20048 inbound for portmapper, NFS, and mountd.
    • Open 139 and 445 inbound for samba/netbios, including the Log/Install shares.
    • Open 27017 inbound between nodes in an Appliance High Availability cluster.
    • Open https/443 outbound to the Veritas Call Home server for proactive hardware monitoring and messaging.
    • Open https/443 outbound to the Veritas Critical System Protection (SCSP) server to download SCSP certificates.
    • Open snmp/162 outbound to the SNMP server for SNMP traps and alerts, and to the download server for appliance updates.  Must match the port number on which the server is listening, if non-default.
    • Open smtp/25 outbound for email alerts.
    • Open sftp/22 outbound for log uploads to Veritas.
    • Open 389 and 636 outbound for LDAP and LDAPS respectively.
    • Open rsyslog/514 outbound for log forwarding.
    • Open 11111 between PureDisk 50x0 appliances and NetBackup 5[2-3]x0 MSDP appliances for multi-node topology discovery.
       
  • For CloudStore open port 5637 inbound to master and media servers from other NB servers and OpsCenter hosts (new in 8.1).
     
  • For CloudCatalyst, open port 443 from the media server to the cloud server.

 

Local/Internal Listening Ports

NetBackup processes also use TCP ports for intra-host connects that are internal to the host.  These ports do not need to be open externally.  The ports may be bound and listening only for connections to the loopback interface (127.0/8, or ::1) or for all network interfaces (0.0.0.0, *.*.*.*, or:::) depending on the hostname targeted by the connecting process; localhost or other hostname local to the host.

  • port 1557 (PBX)
  • port 3652 (nbwmc)
  • port 8205 (nbwmc)
  • port 9284 (nbsl NBSL_NCWS_PORT)
  • port 13785 (NB_dbsrv <--> nbwmc)


Note: These ports need to be available when/if the service starts, or functionalitly will be impaired.

 

Legacy Daemon Ports

The NetBackup legacy daemons continue to listen on the legacy ports for both intra-host connections from other processes on the same host and inter-host connections from back-level hosts.  These ports do not need to be open through the firewall unless back-level hosts are present that cannot connect via PBX/1556.

  • port 13701 (vmd, media servers)
  • port 13702 - 13719 (robotic and control daemons, media servers)
  • port 13720 (bprd, master server)
  • port 13721 (bpdbm, master server) 
  • port 13722 (bpjava-msvc, master server)
  • port 13723 (bpjobd, master server)
  • port 13782 (bpcd, master and media servers, clients)
  • port 13783 (nbatd, master server)
  • port 13786 (OpsCenter report generation, master server) 


Note: These ports need to be available when/if the service starts, or functionality will be impaired.

 

NetBackup 7.0.1 Considerations

The bpcd and vnetd processes now run standalone. They and the other legacy processes now register with PBX at startup. Connections to legacy processes that previously contacted the vnetd port will now prefer to use PBX port 1556. If the PBX port is unreachable, then the vnetd port will be used. If the vnetd port is unreachable, then the daemon port will be used. Opening TCP port 1556 outbound from NetBackup servers to NetBackup clients will prevent delays that occur while attempting to use PBX. Similarly, opening TCP port 1556 inbound will prevent delays for client-initiated requests to the master server.

Note that the Java console to master server uses the vnetd port for connection to bpjobd and the PBX port for all other connections.

For efficiency the upgrade/install also adds Connect Options of '1 0 2' for localhost. Internal sockets on the loopback interface to processes on the same host will use the daemon ports instead of passing through vnetd or PBX.

 

NetBackup 7.1 Considerations

NetBackup Access Control (NBAC) has been integrated with NetBackup and the processes nbatd and nbazd will be used in place of vxatd and vxazd. These processes are registered with PBX for inbound connections via the PBX port 1556, removing the need to have ports open to the VxSS server.

The processes are also listening on TCP ports 13783 and 13722 respectively. These port numbers are registered with IANA using the original service names of 'vopied' and 'bpjava-msvc', and resolved by NetBackup using those original names. Back level hosts are unaware of the new processes available via port 1556 and will continue to contact vxatd and vxazd via vrts-at-port/2821 and vrts-at-auth/4032.

Snapshot backups may experience a small delay during snapshot deletion if port 1556 is not open from the client to the master server.

 

NetBackup 7.5 Considerations

The Resilient Network feature requires vnetd/13724 to be open bi-directional for connection to legacy services on any host specified by the configuration of the feature.  This is meant primarily for media server to client.  But can also be configured for client-directed operations between the client and the master server, or between master and media server. This feature cannot use PBX/1556.

 

NetBackup 7.6 Considerations

The Client Direct restore feature requires the TCP ports for PBX/1556 and vnetd/13724 to be open from the client to the master server for the file list port connection; regardless of whether the restore is server or client initiated.

 

NetBackup 7.7.1 Considerations

The Co-Pilot feature requires the TCP port for 8446 to be open inbound to the NetBackup appliance from the master server to manage the NFS shares.  The standard NFS ports, 2049 and 111 must be open inbound from the clients so that they can mount the NFS shares.

 

NetBackup 8.0 Considerations

The new web service feature runs on the master server and registers with PBX which listens on port 1556/PBX on behalf of web services and other daemon listeners.  Like NBAC and other older features, web services utilizes Transport Layer Security (TLS) / Secure Sockets Layer (SSL).  Unlike the older features, the TLS protocol occurs immediately upon connection establishment.  Firewalls may detect and block this initial protocol and prevent connections to the web service.  Be sure that TLS/SSL protocol is permitted on port 1556.

 

NetBackup 8.1 Considerations

The secure communication feature requires that all NB 8.1 or higher hosts (including clients) can connect to web services on the master server. The connection is via port 1556/PBX, either direct to the master server or indirectly via a media server acting as a proxy tunnel. The media server already has/requires access to the master server on port 1556/PBX.

The secure communication feature also deprecates the use of Connect Options from NB 8.1 or higher hosts to any other host. Options settings that enable legacy daemon ports, vnetd connect-back, legacy call-back, and reserved port use are ignored.

The CloudStore feature introduces a new service (nbcssc) which runs on master and media servers. The new service listens, by default, on port 5637 which must be open inbound from the other NB servers and the OpsCenter hosts.

 

Network Address Translation (NAT) and Port Address Translation (PAT) Considerations

The use of NAT and PAT is not supported with NetBackup. See 100004694 in the Related Articles section for details.

 

Related Articles

Veritas NetBackup (tm) 7.0.1 Security and Encryption Guide

Veritas NetBackup does not support Network Address Translation and Port Address Translation

References

Etrack : 3332635

Was this content helpful?