We have a TMG 2010 server installed with a perimeter network setup. Within the perimeter, there is a server that needs to be backed up using Backup Exec 12.5. I have successfully installed the remote agent, but when I try to back up the server, I cannot see it within the selections.
I have created a rule from the media server to the server in the perimeter using port 10000/TCP, but am at a loss why I still cannot see the server within the Backup Exec media server.
Has anyone been able to successfully set up Backup Exec in a DMZ?
Has anyone figured this out yet? I think you need to define a range in your Backup Exec options and allow this range. I'm currently having problems with the push install right now.
I actually just got this working after spending days yelling at my screen. I created a custom protocol for Backup Exec (I am using Backup Exec 2010 R3) with the following port setup:
Primary Connections:
    10000-12000 TCP Outbound (I have configured dynamic ports in Backup Exec, so that's why I configured the range)
    135-139 TCP Outbound
    445 TCP Outbound
Secondary Connections:
    135-139 UDP Send Receive
I created an access rule using the Backup Exec protocol set I made. I set the Backup Exec media server as the listener and then I created a computer set for the servers I want to back up in the perimeter network. You can just target the whole perimeter network if you want; it just depends on how locked down you want it. Also target the Local Host if you want to back up your TMG server as well. This allows communications with the server and the agent, allows you to browse the server in the Backup Exec console, and the agent push works as well.
I still can't get the agent push to work because of the system policies RPC settings I believe. We have been looking into a resolution but for now have not found anything that has worked yet.
I have also been trying to test wmimgmt.msc access to the box, unsuccessfully, to rule out BE in any way for now.
We also have our rules to be ALL outbound allowed right now for testing.
Yes I did install the agent on the TMG Server and it was using the agent push. When you made your access rule for Backup Exec did you include the local host (TMG Server)? Ports 135-139 will take care of all the RPC requests used by Backup Exec. Are you using the Traffic Simulator to see what rule is blocking and what are the logs saying?
Logs don't show anything being blocked. There are many bits of information about setting up a special RPC rule (http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx) and disabling strict RPC in system policies, but we have tried all of this also with no success.
I have not tried the Traffic Simulator, as I have never used this before.
As far as the rules, I included everything. We have two rules: one that is traffic from Local Host to the backup server and one that is backup server to Local Host. Both rules have All Outbound Traffic allowed.
Are you using the TMG defined protocols in your rule? I created my own protocol for Backup Exec, so that might have something to do with it, as I did not select the RPC filter. It seems part of the RPC filter's job is to auto-initiate the UDP ports. I set mine up as an all-in-one just for Backup Exec. Here is a pic of how I have mine set up at http://www.dropbox.com/gallery/19972634/1/TMG?h=9f2c03. I set up the custom protocol from info I got out of the Symantec Admin Guide for Backup Exec. The Traffic Simulator is a good tool; it allows you to input a send and receive IP and assign a port to simulate traffic flow.
I have a defined protocol set up exactly as you have and it does not work. I also have a TMG rule that is just allow all outbound traffic, and this does not work.
RPC is the issue. If I try to hit WMI locally it works, no problem; if I try to hit RPC from the backup server I get "no RPC server available".
Here is what I get from the log when trying a validation for the push:
    Client IP              10.0.1.10
    Server Name            BER-AP19
    Destination IP         10.0.36.71
    Protocol               RPC (all interfaces)
    Transport              TCP
    Rule                   [System] Allow remote management from selected computers using MMC
    Cache Information      0x0
    Error Information      0x0
    Destination Port       135
    Source Port            52074
    Log Record Type        Firewall
    Source Network         Internal
    Destination Network    Local Host
    Action                 Initiated Connection
    Result Code            0x0 SUCCESS
    Original Client IP     10.0.1.10
    GMT Log Time           10/20/2011 13:36
Let me ask you another question. This is another common issue I read regarding port 10000, where TMG has the process wininit.exe using port 10000 and this gets in the way of the remote agent being able to start once it is installed. I have this problem also, as I have manually installed the agent since push is not working.
I'm guessing you configured RPC earlier for a different reason and this is why you are not having the problem regarding Backup Exec.
It must be because of port 10000 already being in use. Come to think of it, the initial agent install was done as part of the server image. I too had the same problem with port 10000 being in use on the TMG server, so I changed the agent to 12000. You will have to configure dynamic ports in the BE server options. To fully get it working, though, I had to set the agent to 12000 on the BE server as well. Before changing the port for the agent on the media server it would still try to open comms on port 10000 to the TMG server. Have since pushed an update to the TMG server using the push and it connected just fine.
Changing the server wasn't that big of a pain, but then we only have one :). I can see it being a pain on multiple servers. I had to set the BE server to use dynamic ports in the options, specified the range 10000-12000, and switched the port for the BE agent to 12000 in the services file. I also set the port on the TMG server to 12000 for the agent in the services file. The range I specified was just chosen at random, no specific reason for it. The key, like I said in the previous post, was to set the agent port on the media server to 12000 as well. This did not have any effect on the servers that used the default 10000 for the agent either.
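The fix the last two posts converge on (find out what is already holding TCP 10000 on the TMG box, move the agent to a port inside the media server's dynamic range, and make the same services-file change on the media server) is mechanical enough to script. The PowerShell below is an added example, not code from any of the posters or from Symantec/Microsoft. It assumes the agent reads its listening port from the "ndmp" entry in %SystemRoot%\System32\drivers\etc\services, that the service is named BackupExecAgentAccelerator, and that the dynamic range on the media server is 10000-12000 with 12000 as the new port, all taken from or inferred from the thread; adjust them if your install differs. It uses netstat rather than Get-NetTCPConnection because TMG 2010 runs on Server 2008 R2, which lacks that cmdlet.

```powershell
# Added example: move the Backup Exec remote agent off a port another process owns.
# Assumptions (not stated verbatim in the thread): the agent's port is the "ndmp" line in the
# services file, the service name is BackupExecAgentAccelerator, and the TMG rule allows 10000-12000.
param(
    [int]$OldPort    = 10000,
    [int]$NewPort    = 12000,
    [int]$RangeStart = 10000,   # dynamic port range configured in Backup Exec and in the TMG rule
    [int]$RangeEnd   = 12000,
    [string]$ServicesFile = "$env:SystemRoot\System32\drivers\etc\services",
    [string]$AgentService = 'BackupExecAgentAccelerator'
)

# Which process is listening on a TCP port? Parses "netstat -ano" so it works on Server 2008 R2.
function Get-PortOwner {
    param([int]$Port)
    netstat -ano -p TCP | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $procId = [int]$Matches[1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port      = $Port
                ProcessId = $procId
                Process   = if ($proc) { $proc.Name } else { 'unknown' }
            }
        }
    }
}

# Rewrite (or append) the ndmp/tcp line in the services file, keeping a backup and ASCII encoding
# (the services file must not get a Unicode BOM, or the resolver stops reading it).
function Set-AgentPort {
    param([int]$Port, [string]$Path)
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $found = $false
    $new = @(foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^(ndmp\s+)(\d+)(/tcp.*)$') {
            $found = $true
            "$($Matches[1])$Port$($Matches[3])"
        } else {
            $line
        }
    })
    if (-not $found) { $new += "ndmp             $Port/tcp    # Backup Exec remote agent" }
    Set-Content -Path $Path -Value $new -Encoding ASCII
}

# Plain TCP connect test, usable from the media server to confirm the agent port is reachable
# through TMG before touching the Backup Exec selection list.
function Test-AgentPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if ($NewPort -lt $RangeStart -or $NewPort -gt $RangeEnd) {
    Write-Warning "Port $NewPort is outside the $RangeStart-$RangeEnd range allowed by the TMG rule; the media server will not reach it."
}

$owner = Get-PortOwner -Port $OldPort
if ($owner) {
    Write-Warning ("TCP {0} is held by {1} (PID {2}); moving the agent to {3}." -f $OldPort, $owner.Process, $owner.ProcessId, $NewPort)
    Set-AgentPort -Port $NewPort -Path $ServicesFile
    Restart-Service -Name $AgentService -ErrorAction SilentlyContinue
    Write-Host "Make the same ndmp change in the services file on the media server, then verify with:"
    Write-Host "  Test-AgentPort -Computer <perimeter-or-tmg-host> -Port $NewPort"
} else {
    Write-Host "Nothing else is listening on TCP $OldPort; the agent can keep the default port."
}
```

Run it on the TMG server first; if it reports wininit.exe on 10000, that matches the symptom in the thread and the agent will never bind until the port moves. The media server needs the identical services-file change, because, as noted above, it keeps dialling 10000 until its own ndmp entry says otherwise, and the new port must sit inside the range the custom TMG protocol allows or the rule will silently drop it.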