Welcome to ISAserver.org
Using Veritas to backup DMZ machines
Using Veritas to backup DMZ machines - 6.Jun.2006 5:42:15 AM
chamann
Posts: 12
Joined: 3.May2006
From: New Zealand
Hi there, I am trying to back up servers in the DMZ with Veritas Backup Exec 9.1 through my ISA server.

Network setup:

    Internal Backup server -----> ISA ------> Cisco PIX -----> external
                                                  |
                                                 DMZ

I can back up the ISA server with Backup Exec (rules for that are in place) but I can't use the same rules for the DMZ machines (the PIX is allowing the traffic). If I try to back up a DMZ machine I end up with the following error in the ISA log (columns that are empty or 0x0 are left out):

    Original Client IP:    10.4.0.20
    Server Name:           LNZLWLGSISA01
    Transport:             TCP
    Source Port:           10001
    Processing Time:       0
    Bytes Sent:            0
    Bytes Received:        0
    Result Code:           0xc0040012 FWX_E_NETWORK_RULES_DENIED
    Log Record Type:       Firewall
    Log Time:              6/06/2006 11:51:26 a.m.
    Destination IP:        192.1.80.31
    Destination Port:      10015
    Protocol:              VERITAS - remote backup agent (outbound)
    Action:                Denied Connection
    Rule:                  -
    Client IP:             10.4.0.20
    Client Username:       -
    Source Network:        External
    Destination Network:   Internal

The interesting thing is that in the column "Rule" there is only a "-" ....

From the Veritas support site I have the following statement (but for Backup Exec 8.6 - there is no document for 9.1): http://seer.support.veritas.com/docs/243104.htm

The following ports are required:

    Port Number                  Protocol  Direction         Description
    88                           UDP       Inbound/Outbound  Kerberos (Windows 2000)
    135                          TCP       Inbound/Outbound  NetBIOS
    135                          UDP       Inbound/Outbound  NetBIOS
    137                          UDP       Inbound/Outbound  NetBIOS Name Services
    138                          UDP       Inbound/Outbound  NetBIOS Datagram Service
    139                          TCP       Inbound/Outbound  NetBIOS Session Service
    445                          TCP       Inbound/Outbound  NetBIOS (Windows 2000)
    6103                         TCP       Inbound/Outbound  Backup Exec Remote Agent
    DCOM/RPC Ports (from above)  TCP       Inbound/Outbound  DCOM/RPC
    DCOM/RPC Ports (from above)  UDP       Inbound/Outbound  DCOM/RPC

If I open up all the mentioned ports I don't need a firewall anymore :-)

Any suggestions how to make it work?

Cheers, Christoph
RE: Using Veritas to backup DMZ machines - 7.Jun.2006 12:27:40 AM
chamann
Posts: 12
Joined: 3.May2006
From: New Zealand
Update: I found the following article (http://seer.support.veritas.com/docs/255831.htm), reconfigured the missing parts, but it is still not working :-( The ISA log now shows (columns that are empty or 0x0 are left out):

    Original Client IP:    10.4.0.20
    Server Name:           LNZLWLGSISA01
    Transport:             TCP
    Source Port:           10001
    Processing Time:       0
    Bytes Sent:            0
    Bytes Received:        0
    Result Code:           0xc0040012 FWX_E_NETWORK_RULES_DENIED
    Log Record Type:       Firewall
    Log Time:              7/06/2006 9:44:13 a.m.
    Destination IP:        192.1.80.31
    Destination Port:      10013
    Protocol:              VERITAS - Media server
    Action:                Denied Connection
    Rule:                  -
    Client IP:             10.4.0.20
    Client Username:       -
    Source Network:        External
    Destination Network:   Internal

Any suggestions?

Cheers, Christoph
RE: Using Veritas to backup DMZ machines - 8.Jun.2006 11:43:04 PM
Rievax
Posts: 40
Joined: 13.Oct.2004
Christoph,

According to your log, you have a configuration error: a server in the DMZ is trying to initiate a connection (Source Network: External) to an internal server (Destination Network: Internal). You may have a bad network configuration or a bad Network Rules configuration (i.e. NAT instead of Route).

Xavier.
RE: Using Veritas to backup DMZ machines - 9.Jun.2006 12:55:28 AM
chamann
Posts: 12
Joined: 3.May2006
From: New Zealand
Xavier, yes, there is NAT between the backup server and the DMZ server, but I published the backup server and allowed the necessary outbound ports. Why is the ISA still denying the packets?

Cheers, Christoph
RE: Using Veritas to backup DMZ machines - 9.Jun.2006 3:22:49 PM
Rievax
Posts: 40
Joined: 13.Oct.2004
Hello,

I guess it is because your client (in the DMZ) is trying to talk to the server (internal LAN) using its internal IP. Because NAT is used in your case, your client cannot talk directly to its internal IP address: that is why you published the server. The problem here is that this 'published server' IP is different from its original IP: your client may start talking to the published IP (and that will/may work), but as soon as the server replies it will inform the client to talk to its original IP address, and NAT will not allow that. At least, that is my guess...

To understand the issue, try to trace the TCP communication (the ISA logs will be enough at this point). I think that you will see something like:

    1 - Backup server (IP 10.0.0.10) sends to DMZ server (IP 192.168.0.10)   TCP xxx   Allow    Rule "Backup Exec"
    2 - DMZ server (IP 192.168.0.10) sends to Backup server (IP 10.0.0.10)   TCP xxx   Denied   Rule "-"

Because it is NAT, it won't work: log #2 hits no rule and is denied.

Hope this will help you understand why it is not working...

Xavier.
RE: Using Veritas to backup DMZ machines - 16.Jun.2006 7:37:19 AM
dbellion
Posts: 5
Joined: 16.Jun.2006
Hi Christoph,

I've had some fun getting the same thing working for 10d, but it appears to be working now. I have the agent server in an ISA DMZ.

Have you specified hostname or IP address in the Backup Exec user-defined selections for your remote agent server? It didn't work by specifying the IP for me, but it works now with the hostname. Confirm your name resolution, and try with the network rule as Route, as suggested above.

Have you customised the dynamic port range used for the BE <-> remote agent communication and reflected this in the ISA rules? ...as well as the agent announcing port.

I can provide some more info on our setup / ISA config if you still have not solved this issue.

Cheers
David Bellion
RE: Using Veritas to backup DMZ machines - 20.Jun.2006 4:40:35 AM
|
dbellion
Posts: 5
Joined: 16.Jun.2006
Hi all,

Working in our environment now. I have reduced the open ports to a minimum as below:

    BACKUPSRV --> DMZSRV     TCP:10000        (NDMP)
    BACKUPSRV --> DMZSRV     TCP:10021-10022  (Media Server Dynamic Port Range)
    DMZSRV    --> BACKUPSRV  TCP:6101         (Remote Agent Advertising)

I'm not allowing CIFS, NetBIOS etc. as suggested in the Veritas document and it is working fine, although it slows it down - but note I am using version 10d. Your remote agent advertising port might be different also. If you can't work it out, hopefully your ISA logs will help. The dynamic port range will of course change depending on what you have specified in your Backup Exec configuration. I am using the hostname instead of the IP for DMZSRV.

When troubleshooting I noticed on the DMZ server's security logs that it was authenticating with the incorrect account - check this also.

Hope some of this might help
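The two denied records Christoph quoted (Rule "-", result 0xc0040012 FWX_E_NETWORK_RULES_DENIED, Source Network External to Destination Network Internal) and the three-line minimum rule set David gives for 10d can be checked mechanically. What follows is an added example written for this thread, not code from the posts, from Microsoft or from Veritas. It assumes a W3C-style log export whose "#Fields:" line names the columns (the column names and their order are this example's choice, not ISA's), takes the address ranges each ISA network is meant to cover from Christoph's topology (10.4.0.0/16 internal, 192.1.80.0/24 behind the external leg; both assumed), and compares each record against that and against the expected rule set. The sample records are constructed; record 2 copies the denied record from the first post, records 1 and 3 are invented (an allowed media-server connection and the agent's advertising connection back to the media server).

```python
"""Triage ISA firewall log records for a Backup Exec media server / remote agent pair."""
import ipaddress
import shlex

# Address ranges ISA is *meant* to treat as each network. Assumed for the example
# (Christoph's 10.4.0.20 media server sits behind ISA; the PIX DMZ 192.1.80.x is
# reached through ISA's external leg, so ISA labels it "External").
NETWORK_RANGES = {
    "Internal": [ipaddress.ip_network("10.4.0.0/16")],
    "External": [ipaddress.ip_network("192.1.80.0/24")],
}

# Minimum rule set dbellion reports for Backup Exec 10d, as
# (source network, destination network, (first port, last port)).
EXPECTED_RULES = [
    ("Internal", "External", (10000, 10000)),  # NDMP: media server -> remote agent
    ("Internal", "External", (10021, 10022)),  # media server dynamic port range
    ("External", "Internal", (6101, 6101)),    # remote agent advertising: agent -> media server
]

NO_RULE = "-"                              # ISA logs "-" when no rule matched at all
FWX_E_NETWORK_RULES_DENIED = "0xc0040012"  # result code quoted in the thread

# Constructed sample export. "#Fields:" declares the column order (names are this
# example's, not ISA's own). Record 2 mirrors the denied record quoted in the thread;
# records 1 and 3 are invented.
SAMPLE_LOG = """\
#Fields: client-ip dest-ip dest-port transport action rule result-code source-network destination-network
10.4.0.20 192.1.80.31 10000 TCP "Initiated Connection" "Backup Exec to DMZ" 0x0 Internal External
10.4.0.20 192.1.80.31 10015 TCP "Denied Connection" - 0xc0040012 External Internal
192.1.80.31 10.4.0.20 6101 TCP "Denied Connection" - 0xc0040012 External Internal
"""


def parse_records(text):
    """Return one dict per record, keyed by the names from the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or data before a header
        values = shlex.split(line)         # honours the quoted multi-word columns
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def network_for(ip):
    """Name of the configured network whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORK_RANGES.items():
        if any(addr in r for r in ranges):
            return name
    return None


def rules_covering(src_net, dst_net, port, rules=EXPECTED_RULES):
    """Expected rules that would allow src_net -> dst_net on this destination port."""
    return [r for r in rules
            if r[0] == src_net and r[1] == dst_net and r[2][0] <= port <= r[2][1]]


def triage(record, rules=EXPECTED_RULES):
    """Findings for one record; an empty list means nothing looks wrong."""
    findings = []
    src, dst, port = record["client-ip"], record["dest-ip"], int(record["dest-port"])
    src_net, dst_net = record["source-network"], record["destination-network"]

    # 1. Does ISA's network labelling agree with the ranges we think we configured?
    #    A mismatch points at the network definitions or at the interface the packet
    #    arrived on, not at a missing access rule.
    for ip, label, role in ((src, src_net, "source"), (dst, dst_net, "destination")):
        expected = network_for(ip)
        if expected is not None and expected != label:
            findings.append(f"{role} {ip} labelled {label} but is in the {expected} range: "
                            "check network definitions and the interface the packet arrived on")

    # 2. Denied with Rule "-": no network rule or access rule matched at all.
    if record["action"].startswith("Denied") and record["rule"] == NO_RULE:
        code = " (FWX_E_NETWORK_RULES_DENIED)" if record["result-code"] == FWX_E_NETWORK_RULES_DENIED else ""
        flow = f"{src_net}->{dst_net}:{port}"
        if rules_covering(src_net, dst_net, port, rules):
            findings.append(f"{flow} denied with no matching rule{code} although a rule is expected: "
                            "the network rule between these networks is missing, or is NAT where Route is needed")
        else:
            findings.append(f"{flow} denied with no matching rule{code}: not in the expected rule set")
    return findings


def triage_log(text):
    """Map each record's index (1-based, header excluded) to its findings."""
    return {i: triage(rec) for i, rec in enumerate(parse_records(text), start=1)}


if __name__ == "__main__":
    for i, findings in triage_log(SAMPLE_LOG).items():
        print(f"record {i}: {'ok' if not findings else ''}")
        for f in findings:
            print("   -", f)
```

Run as a script it reports nothing for record 1, three findings for record 2 (both addresses are labelled the opposite of the configured ranges, and the flow is not in the expected set), and one finding for record 3, the agent's advertising connection that needs its own rule in the agent-to-media-server direction. To use it on a real export, replace SAMPLE_LOG with the file contents and adjust the "#Fields:" names to the columns your export actually carries.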