How to configure Backup Exec with Firewalls.

  • Article ID:100017208
  • Modified Date:
  • Product(s):


How to configure Backup Exec with Firewalls.


Note: To check if this document describes the computer in question, download and run a health check with Veritas QuickAssist.


In a Firewall Environment, ensure ports settings are configured correctly or else Backup Exec may get interrupted on following actions:

1. Browsing to remote machines through a firewall via the Backup Selections List.
2. Backing up and restoring machines through a firewall.

Browsing systems through firewall:

Because most firewalls do not allow a remote system to be displayed in the Microsoft Network Neighborhood, additional steps need to be performed to select these remote systems in the Backup Exec Administration Console.

Use "User-Defined-Selection"  to view systems behind a firewall.

1. On the navigation bar, click on the Backup Button in the Backup Exec Interface.
2. Right click on User-Defined Selection Folder.
3. In the "Define a selection", Name Field, after the \\, type the name or IP Address of the remote system, click Add, then Close.  

Backing  systems through a firewall/TCP Filtered environment:

Because Firewalls affect system communication between a media server and remote systems outside the firewall environment, special port requirements must be considered when configuring Backup Exec for use with firewalls.  If you are using Symantec endpoint protection for firewall you can also free any 25 random ports from the console.

Which PORTS needs to be opened on the FIREWALL.

1025-65535 (Default Dynamic Ports) DATA

Note:  A DYNAMIC PORT is a Port which is not permanently assigned to any specific protocol. They are intended for temporary use.
A minimum of two ports are required per backup job through a firewall.  If backups will be run at the same time through the firewall then more ports will need to be opened.

Note: It is recommended to keep a range of ports opened instead of just one because a dynamic ports can be engaged by  other applications. Therefore keep at least 25 ports opened for the remote system so there is a pool of ports available to all applications needing them..  For example:
A Control connection is always established on TCP Port 10000 between the media server and remote machine. 

Advertising is done on port 6101 from the remote server to the Backup Exec server.

Data connections for the backup are done on ports within the Dynamic Port Range. 

Recommended PORT consideration for a Firewall/TCP Filtered environment.:

When performing remote backups through a firewall, select a specific range under Network & Firewall defaults dialog box in the Backup Exec console.  Open the same range on your  Firewall/PORT
The Dynamic and/or Private Ports are those from 1025 through 65535

  • For Deduplication Storage option, the deduplication option will require the following UDP and TCP ports.


The Deduplication Engine ( spoold ). Open this port between the hosts that deduplicate data.


The deduplication database ( postgres ).


The Deduplication Manager ( spad ).

 Firewall Settings for the Remote Administrator (running on Windows 2008 R2)

To detect and manage the Backup Exec services for a remote Backup Exec server running Windows 2012 R2 from the Remote Administrator running on a Windows 2008 R2 computer, enable the following firewall inbound rules on the remote Backup Exec server:

- Remote Service Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-In)



Related Articles

Error "0xe000feb8" or "0xe000feb9" occurs when attempting to backup or restore to a remote machine

Remote Agent for Linux or Unix Servers (RALUS) backup job fails with "A communications failure has occurred" if the "Firewall" is enabled on the remote UNIX\Linux server

Was this content helpful?

Get Support