Welcome to ISAserver.org

Using Veritas to backup DMZ machines

All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Using Veritas to backup DMZ machines Page: [1]
Using Veritas to backup DMZ machines - 6.Jun.2006 5:42:15 AM   
chamann

 

Posts: 12
Joined: 3.May2006
From: New Zealand
Status: offline
Hi there,

I am trying to backup servers in the DMZ with Veritas Backup Exec 9.1 through my ISA server.

Network setup:

Internal Backup server -----> ISA ------> Cisco PIX -----> external
                                              |
                                             DMZ

I can back up the ISA server with Backup Exec (rules for that are in place), but I can't use the same rules for the DMZ machines (the PIX is allowing the traffic).

If I try to back up a DMZ machine I end up with the following error:

Original Client IP:    10.4.0.20
Server Name:           LNZLWLGSISA01
Transport:             TCP
Source Port:           10001
Processing Time:       0
Bytes Sent:            0
Bytes Received:        0
Result Code:           0xc0040012 FWX_E_NETWORK_RULES_DENIED
Log Record Type:       Firewall
Log Time:              6/06/2006 11:51:26 a.m.
Destination IP:        192.1.80.31
Destination Port:      10015
Protocol:              VERITAS - remote backup agent (outbound)
Action:                Denied Connection
Rule:                  -
Client IP:             10.4.0.20
Source Network:        External
Destination Network:   Internal

The interesting thing is that the "Rule" column contains only a "-" ....

From the Veritas support site I have the following statement (but for Backup Exec 8.6 - there is no document for 9.1):
(http://seer.support.veritas.com/docs/243104.htm)

The following ports are required:

Port Number                 Protocol    Direction           Description
88                          UDP         Inbound/Outbound    Kerberos (Windows 2000)
135                         TCP         Inbound/Outbound    NetBIOS
135                         UDP         Inbound/Outbound    NetBIOS
137                         UDP         Inbound/Outbound    NetBIOS Name Services
138                         UDP         Inbound/Outbound    NetBIOS Datagram Service
139                         TCP         Inbound/Outbound    NetBIOS Session Service
445                         TCP         Inbound/Outbound    NetBIOS (Windows 2000)
6103                        TCP         Inbound/Outbound    Backup Exec Remote Agent
DCOM/RPC Ports (from above) TCP         Inbound/Outbound    DCOM/RPC
DCOM/RPC Ports (from above) UDP         Inbound/Outbound    DCOM/RPC

If I open up all the mentioned ports I don't need a firewall anymore :-)

Any suggestions on how to make it work?

Cheers,
Christoph
Post #: 1
RE: Using Veritas to backup DMZ machines - 7.Jun.2006 12:27:40 AM   
chamann

 

Posts: 12
Joined: 3.May2006
From: New Zealand
Status: offline
Update:

I found the following article (http://seer.support.veritas.com/docs/255831.htm) and reconfigured the missing parts, but it is still not working :-(

Original Client IP:    10.4.0.20
Server Name:           LNZLWLGSISA01
Transport:             TCP
Source Port:           10001
Processing Time:       0
Bytes Sent:            0
Bytes Received:        0
Result Code:           0xc0040012 FWX_E_NETWORK_RULES_DENIED
Log Record Type:       Firewall
Log Time:              7/06/2006 9:44:13 a.m.
Destination IP:        192.1.80.31
Destination Port:      10013
Protocol:              VERITAS - Media server
Action:                Denied Connection
Rule:                  -
Client IP:             10.4.0.20
Source Network:        External
Destination Network:   Internal

Any suggestions?

Cheers,
Christoph

(in reply to chamann)
Post #: 2
RE: Using Veritas to backup DMZ machines - 8.Jun.2006 11:43:04 PM   
Rievax

 

Posts: 50
Joined: 13.Oct.2004
Status: offline
Christoph,

According to your log, you have a configuration error: the server in the DMZ is trying to initiate a connection (Source Network: External) to an Internal server (Destination Network: Internal).

You may have a bad network configuration or a bad Network Rules configuration (i.e. NAT instead of Route).


Xavier.

(in reply to chamann)
Post #: 3
RE: Using Veritas to backup DMZ machines - 9.Jun.2006 12:55:28 AM   
chamann

 

Posts: 12
Joined: 3.May2006
From: New Zealand
Status: offline
Xavier,

Yes, there is a NAT between the Backup server and the DMZ server, but I published the Backup server and allowed the necessary outbound ports.

Why is the ISA still denying the packets?

Cheers,
Christoph

(in reply to Rievax)
Post #: 4
RE: Using Veritas to backup DMZ machines - 9.Jun.2006 3:22:49 PM   
Rievax

 

Posts: 50
Joined: 13.Oct.2004
Status: offline
Hello,

I guess it is because your client (in the DMZ) is trying to talk to the server (Internal LAN) using its internal IP. Because NAT is used in your case, your client cannot talk directly to its internal IP address: that is why you published the server. The problem here is that this 'published server' IP is different from its original IP: your client may start talking to the published IP (and that will/may work), but as soon as the server replies it will tell the client to talk to its original IP address, and NAT will not allow that. At least, that is my guess...

To understand the issue, try to trace the TCP communication (the ISA logs will be enough at this point of time). I think that you will see something like:

1 - Backup server (IP 10.0.0.10) sends to DMZ server (IP 192.168.0.10) TCP xxx Allow Rule "Backup Exec"
2 - DMZ Server (IP 192.168.0.10) sends to Backup server (IP 10.0.0.10) TCP xxx Denied Rule "-"

Because it is NAT, it won't work: log #2 hits no rule and is denied.

Hope this helps you understand why it is not working...

Xavier.

(in reply to chamann)
Post #: 5
RE: Using Veritas to backup DMZ machines - 16.Jun.2006 7:37:19 AM   
dbellion

 

Posts: 5
Joined: 16.Jun.2006
Status: offline
Hi Christoph

I've had some fun getting the same thing working for 10d, but it appears to be working now.

I have the agent server in an ISA DMZ.

Have you specified the hostname or the IP address in the Backup Exec user-defined selections for your remote agent server?
It didn't work for me when specifying the IP, but it works now with the hostname. Confirm your name resolution, and try with the network rule set to Route as suggested above.
Have you customised the dynamic port range used for the BE <-> remote agent communication and reflected this in the ISA rules? ...as well as the agent announcing port.

I can provide some more info on our setup / ISA config if you still have not solved this issue.

Cheers

David Bellion

(in reply to Rievax)
Post #: 6
RE: Using Veritas to backup DMZ machines - 20.Jun.2006 4:40:35 AM   
dbellion

 

Posts: 5
Joined: 16.Jun.2006
Status: offline
Hi

All working in our environment now. I have reduced the open ports to a minimum as below:
 
BACKUPSRV --> DMZSRV TCP:10000 (NDMP)
BACKUPSRV --> DMZSRV TCP:10021-10022 (Media Server Dynamic Port Range)
DMZSRV --> BACKUPSRV TCP:6101 (Remote Agent Advertising)

I'm not allowing CIFS, NetBIOS etc. as suggested in the Veritas document, and it is working fine, although it slows it down - but note I am using ver 10d. Your remote agent advertising port might be different also. If you can't work it out, hopefully your ISA logs will help.

The Dynamic port range will of course change depending on what you have specified in your backupexec configuration.

I am using the hostname instead of the IP for the DMZSRV. When troubleshooting I noticed in the DMZ server's security logs that it was authenticating with the incorrect account - check this also.

Hope some of this might help

(in reply to dbellion)
Post #: 7
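The two diagnostic points in this thread (Rievax's observation that a denial with Rule "-" and FWX_E_NETWORK_RULES_DENIED never reached the access rules because no Network Rule joins the two networks, and dbellion's reduced Backup Exec 10d rule set) can be turned into a small log check. The following is an added example, not code from the thread or from ISA Server or Backup Exec: it parses a tab-separated ISA Server 2004 firewall log export and sorts each denied connection into "denied on purpose" (port outside the minimal rule set), "network-rule denial" (the flow should be covered but hit no rule at all, which points at the NAT-vs-Route configuration), or "access-rule denial". The host addresses, the log lines and the ISA action string "Initiated Connection" for an allowed connection are constructed for the example; the port numbers are the ones posted above.

```python
"""
Added example (not from the forum thread): parse ISA Server 2004 firewall
log records and check denied Backup Exec connections against the minimal
rule set posted by dbellion. Addresses and log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BACKUPSRV = "10.0.0.10"    # constructed address of the internal media server
DMZSRV = "192.168.0.10"    # constructed address of the remote agent in the DMZ


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    protocol: str
    ports: range          # range(lo, hi + 1) so the upper port is included


# Minimal rule set from the last post (Backup Exec 10d). The dynamic port
# range and the advertising port depend on the Backup Exec configuration.
MINIMAL_RULES = [
    Rule("NDMP", BACKUPSRV, DMZSRV, "TCP", range(10000, 10001)),
    Rule("Media server dynamic port range", BACKUPSRV, DMZSRV, "TCP", range(10021, 10023)),
    Rule("Remote agent advertising", DMZSRV, BACKUPSRV, "TCP", range(6101, 6102)),
]

NETWORK_RULES_DENIED = "FWX_E_NETWORK_RULES_DENIED"


def parse_isa_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated ISA firewall log export; line 1 is the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def matching_rule(rec: Dict[str, str]) -> Optional[Rule]:
    """Return the minimal-set rule that should cover this flow, if any."""
    for rule in MINIMAL_RULES:
        if (rule.src == rec["Client IP"] and rule.dst == rec["Destination IP"]
                and rule.protocol == rec["Transport"]
                and int(rec["Destination Port"]) in rule.ports):
            return rule
    return None


def classify(rec: Dict[str, str]) -> str:
    """Explain one log record in terms of the minimal rule set."""
    if rec["Action"] != "Denied Connection":
        return "allowed"
    rule = matching_rule(rec)
    if rule is None:
        return "denied as intended: port not in the minimal rule set"
    if rec["Rule"] == "-" and NETWORK_RULES_DENIED in rec["Result Code"]:
        # Rule "-" plus FWX_E_NETWORK_RULES_DENIED: the packet was dropped
        # before any access rule was evaluated, so no Network Rule (Route or
        # NAT relationship) exists between the two networks for this flow.
        return (f"network-rule denial for '{rule.name}': no route/NAT relationship "
                f"from {rec['Source Network']} to {rec['Destination Network']}")
    return f"access-rule denial for '{rule.name}' by rule '{rec['Rule']}'"


def analyze(text: str) -> List[Dict[str, str]]:
    """Summarise every record of a log export with its verdict."""
    return [{"src": r["Client IP"], "dst": r["Destination IP"],
             "port": r["Destination Port"], "verdict": classify(r)}
            for r in parse_isa_log(text)]


# Constructed sample: the forward NDMP flow is allowed, the agent's
# advertising connection from the DMZ hits no rule at all, and a CIFS
# attempt is denied by an ordinary access rule, which is the intended result.
SAMPLE_LOG = "\n".join([
    "Client IP\tDestination IP\tDestination Port\tTransport\tAction\tRule"
    "\tResult Code\tSource Network\tDestination Network",
    f"{BACKUPSRV}\t{DMZSRV}\t10000\tTCP\tInitiated Connection\tBackup Exec NDMP"
    "\t0x0\tInternal\tExternal",
    f"{DMZSRV}\t{BACKUPSRV}\t6101\tTCP\tDenied Connection\t-"
    "\t0xc0040012 FWX_E_NETWORK_RULES_DENIED\tExternal\tInternal",
    f"{BACKUPSRV}\t{DMZSRV}\t445\tTCP\tDenied Connection\tDefault rule"
    "\t0x0\tInternal\tExternal",
])

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(f"{row['src']} -> {row['dst']}:{row['port']}  {row['verdict']}")
```

Feeding a real export into `analyze()` needs the columns named in the sample header; an ISA log saved from the Monitoring view carries many more columns, which `parse_isa_log()` simply keeps alongside. Only a "network-rule denial" verdict calls for touching the Network Rules; an "access-rule denial" is handled in the access rules, and a "denied as intended" line is the reduced rule set doing its job.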
