
Welcome to ISAserver.org


TMG 2010 blocking Backup Exec Remote Agent

TMG 2010 blocking Backup Exec Remote Agent - 3.Aug.2010 4:02:29 AM   
m.elali

 

Hi All,

We have a TMG 2010 server installed with a perimeter network setup. Within the perimeter, there is a server that needs to be backed up using Backup Exec 12.5. I have successfully installed the remote agent, but when I try to back up the server, I cannot see it within the selections.

I have created a rule from the media server to the server in the perimeter using port 10000/TCP, but am at a loss as to why I still cannot see the server within the Backup Exec media server.

Has anyone been able to successfully set up Backup Exec in a DMZ?

Regards,

Mo
Post #: 1
RE: TMG 2010 blocking Backup Exec Remote Agent - 3.Aug.2010 10:22:56 AM   
tshinder

 

Do you know what protocols it uses?

RPC? DCOM?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to m.elali)
Post #: 2
RE: TMG 2010 blocking Backup Exec Remote Agent - 3.Aug.2010 7:45:20 PM   
m.elali

 

According to the Symantec documentation, you need to create an entry in the services file. The protocol it uses is NDMP.

http://seer.entsupport.symantec.com/docs/255174.htm

(in reply to tshinder)
Post #: 3
RE: TMG 2010 blocking Backup Exec Remote Agent - 25.Aug.2010 7:23:45 AM   
vuilverwerking

 

Hi,

We are using BackupExec 2010.
Same problem.
Still searching for the answer.

(in reply to m.elali)
Post #: 4
RE: TMG 2010 blocking Backup Exec Remote Agent - 13.Oct.2011 10:05:47 AM   
lawson23

 

http://www.symantec.com/business/support/index?page=content&id=HOWTO11730

Has anyone figured this out yet? I think you need to define a range in your Backup Exec options and allow this range. I'm currently having problems with the push install right now.

2010 TMG and 2010 BE

(in reply to vuilverwerking)
Post #: 5
RE: TMG 2010 blocking Backup Exec Remote Agent - 13.Oct.2011 9:48:18 PM   
djfiend

 

I actually just got this working after spending days yelling at my screen. I created a custom protocol for Backup Exec (I am using Backup Exec 2010 R3) with the following ports setup:

Primary Connections
10000-12000 TCP Outbound <--I have configured dynamic ports in Backup Exec so that's why I configured the range
135-139 TCP Outbound
445 TCP Outbound

Secondary Connections
135-139 UDP Send Receive

I created an access rule using the Backup Exec protocol set I made. I set the Backup Exec media server as the listener and then I created a computer set for the servers I want to back up in the perimeter network. You can just target the whole perimeter network if you want; it just depends on how locked down you want it. Also target the local host if you want to back up your TMG server as well. This allows communications with the server and the agent, allows you to browse the server in the Backup Exec console, and the Agent Push works as well.

(in reply to m.elali)
Post #: 6
RE: TMG 2010 blocking Backup Exec Remote Agent - 19.Oct.2011 10:55:33 AM   
lawson23

 

djfiend,
Are you installing BE on the TMG box?

I still can't get the agent push to work because of the system policies' RPC settings, I believe. We have been looking into a resolution but for now have not found anything that has worked yet.

I have also been trying to test wmimgmt.msc access to the box, unsuccessfully, to rule out BE in any way for now.

We also have our rules to be ALL outbound allowed right now for testing.

(in reply to djfiend)
Post #: 7
RE: TMG 2010 blocking Backup Exec Remote Agent - 19.Oct.2011 2:41:33 PM   
djfiend

 

Yes, I did install the agent on the TMG Server and it was using the agent push. When you made your access rule for Backup Exec, did you include the local host (TMG Server)? Ports 135-139 will take care of all the RPC requests used by Backup Exec. Are you using the Traffic Simulator to see what rule is blocking, and what are the logs saying?

(in reply to lawson23)
Post #: 8
RE: TMG 2010 blocking Backup Exec Remote Agent - 19.Oct.2011 3:48:30 PM   
lawson23

 

Logs don't show anything being blocked. There are many bits of information about setting up a special RPC rule (http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx) and disabling strict RPC in system policies, but we have tried all of this also with no success.

I have not tried the traffic simulator as I have never used this before.

As far as the rules, I included everything.
We have two rules: one that is traffic from local host to backup server and one that is backup server to local host.
Both rules have All Outbound Traffic allowed.

< Message edited by lawson23 -- 19.Oct.2011 3:49:54 PM >

(in reply to djfiend)
Post #: 9
RE: TMG 2010 blocking Backup Exec Remote Agent - 19.Oct.2011 5:52:06 PM   
djfiend

 

Are you using the TMG defined protocols in your rule? I created my own protocol for Backup Exec so that might have something to do with it, as I did not select the RPC filter. It seems part of the RPC filter's job is to auto initiate the UDP ports. I set mine up as an all in one just for Backup Exec. Here is a pic of how I have mine set up: http://www.dropbox.com/gallery/19972634/1/TMG?h=9f2c03 I set up the custom protocol from info I got out of the Symantec Admin Guide for Backup Exec. The traffic sim is a good tool; it allows you to input a send and receive IP and assign a port to sim traffic flow.

< Message edited by djfiend -- 19.Oct.2011 5:53:25 PM >

(in reply to djfiend)
Post #: 10
RE: TMG 2010 blocking Backup Exec Remote Agent - 20.Oct.2011 9:34:39 AM   
lawson23

 

I have a defined protocol set up exactly as you have and it does not work. I also have a TMG rule that is just allow all outbound traffic and this does not work.

RPC is the issue. If I try to hit WMI locally it works no problem; if I try to hit RPC from the backup server I get no RPC server available.

Here is what I get from the log when trying a validation for the push:
Client IP: 10.0.1.10
Server Name: BER-AP19
Destination IP: 10.0.36.71
Protocol: RPC (all interfaces)
Transport: TCP
Rule: [System] Allow remote management from selected computers using MMC
Cache Information: 0x0
Error Information: 0x0
Destination Port: 135
Source Port: 52074
Log Record Type: Firewall
Source Network: Internal
Destination Network: Local Host
Action: Initiated Connection
Result Code: 0x0 SUCCESS
Original Client IP: 10.0.1.10
GMT Log Time: 10/20/2011 13:36


Let me ask you another question. This is another common issue I read regarding port 10000, where TMG has the process wininit.exe using port 10000 and this gets in the way of the remote agent being able to start once it is installed. I have this problem also, as I have manually installed the agent since push is not working.

I'm guessing you configured RPC earlier for a different reason and this is why you are not having the problem regarding Backup Exec.

< Message edited by lawson23 -- 20.Oct.2011 10:39:11 AM >

(in reply to djfiend)
Post #: 11
RE: TMG 2010 blocking Backup Exec Remote Agent - 20.Oct.2011 11:46:12 AM   
djfiend

 

It must be because of port 10000 already being in use. Come to think of it, the initial agent install was done as part of the server image. I too had the same problem with port 10000 being in use on the TMG server, so I changed the agent to 12000. You will have to configure dynamic ports in the BE server options. To fully get it working, though, I had to set the agent to 12000 on the BE server as well. Before changing the port for the agent on the Media Server it would still try to open comms on port 10000 to the TMG server. Have since pushed an update to the TMG server using the push and it connected just fine.

< Message edited by djfiend -- 20.Oct.2011 11:49:24 AM >

(in reply to lawson23)
Post #: 12
RE: TMG 2010 blocking Backup Exec Remote Agent - 20.Oct.2011 12:00:16 PM   
lawson23

 

djfiend
I'm looking to do this to fix this port issue. Any recommendations?

Reason is if I change the port for the agent I have to do it on all my servers (confirmed with Symantec Support) which is just a pain!

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27228347.html

So, changing the dynamic range that TMG sets to start at 10000, pushing wininit.exe out of the way.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;929851

(in reply to djfiend)
Post #: 13
RE: TMG 2010 blocking Backup Exec Remote Agent - 20.Oct.2011 1:10:13 PM   
djfiend

 

Changing the server wasn't that big of a pain, but then we only have one :). I can see it being a pain on multiple servers. I had to set the BE server to use dynamic ports in the options, specified the range 10000-12000 and switched the port for the BE agent to 12000 in the services file. I also set the port on the TMG server to 12000 for the agent in the services file. The range I specified was just chosen at random, no specific reasons for it. The key, like I said in the previous post, was to set the agent port on the media server to 12000 as well. This did not have any effect on the servers that used the default 10000 for the agent either.

(in reply to lawson23)
Post #: 14
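
The port 10000 conflict discussed in posts 11 to 14, as an added example that is not from any poster, Symantec or Microsoft: a Python check that reads the `ndmp` entry from services-file text and compares it with `netstat -ano` listeners and the TCP dynamic port range. The sample text, PID 468 and the range 10000-65535 are constructed values; on a real host the range is what `netsh int ipv4 show dynamicport tcp` reports.

```python
# Constructed services-file text (format: name  port/proto  [aliases]  [#comment]).
SERVICES_SAMPLE = """\
epmap             135/tcp    loc-srv     #DCE endpoint resolution
microsoft-ds      445/tcp
ndmp            10000/tcp                #Backup Exec remote agent
"""

# Constructed `netstat -ano` output; PID 468 stands in for wininit.exe.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       468
  TCP    10.0.36.71:445         10.0.1.10:52074        ESTABLISHED     4
  TCP    [::]:10000             [::]:0                 LISTENING       468
"""

def service_port(services_text, name, proto="tcp"):
    """Return the port configured for `name` in services-file text, or None."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(fields) >= 2 and fields[0].lower() == name:
            port, _, p = fields[1].partition("/")
            if p.lower() == proto and port.isdigit():
                return int(port)
    return None

def listeners(netstat_text):
    """Map each listening TCP port to the set of PIDs that own it."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            found.setdefault(int(f[1].rsplit(":", 1)[1]), set()).add(int(f[4]))
    return found

def check_agent_port(services_text, netstat_text, dynamic_range, agent_pid=None):
    """Report whether the ndmp port is free, held by the agent, or taken."""
    port = service_port(services_text, "ndmp")
    if port is None:
        return {"port": None, "status": "no ndmp entry"}
    owners = listeners(netstat_text).get(port, set())
    others = owners - {agent_pid}                # PIDs that are not the agent
    status = "conflict" if others else ("agent listening" if owners else "free")
    lo, hi = dynamic_range
    return {"port": port, "status": status, "other_pids": sorted(others),
            "in_dynamic_range": lo <= port <= hi}

if __name__ == "__main__":
    print(check_agent_port(SERVICES_SAMPLE, NETSTAT_SAMPLE, (10000, 65535)))
```

With the sample data the check reports a conflict on 10000; it also shows that an agent port of 12000 would still fall inside a dynamic range that starts at 10000.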
