Archive for April, 2010
Firewall Configurations for Backup
Clients on ESX Server 3
VMware Infrastructure 3
This document provides information about how to configure connections between different backup software ® products and VMware ESX Server 3 hosts.
The document explains how to open predefined firewall ports for supported backup products and how to open specific ports from a command line. If the backup product you use requires additional configuration changes to work with ESX Server 3, the document describes any specific steps you need to perform.
Opening Firewall Ports for Supported Backup Products.
Use VMware Infrastructure Client to enable communication with a number of supported backup products.
When you configure the ESX Server 3 host to establish connections with these backup products, you automatically open predefined firewall ports in the service console.
The following is a list of the supported backup products.
NOTE Although all configuration procedures described in this document were tested with the specific versions indicated here, the procedures might work with other versions of the same product.
The list of supported products and versions might change, and the VI Client can provide options that are not mentioned in the list.
CA ARCserve Backup, version r11.5 SP1
CommVault Galaxy, version 6.1.0
EMC Legato NetWorker, version 7.3.2 jumbo and 7.4
IBM Tivoli Storage Manager (TSM), version 5.3.3 and 5.4
Symantec Backup Exec for Windows Servers, version 11d
Symantec NetBackup, version 6.0
If you are using a backup product that is not on this list and the backup software vendor does not provide
documentation about how to configure the backup software on the ESX Server 3 service console, open ports in the service console firewall from a command line. See Opening Firewall Ports or Port Ranges on the Service
To enable access to ESX Server 3 for a supported backup product. 1.Log in to the VI Client.
2.From the inventory panel, select the ESX Server 3 host.
3.Click the Configuration tab and click Security Profile under Software.
4.Click the Properties link.
5.To enable firewall access for a specific backup software client, select the corresponding box:
CAARC Server — Opens TCP port 6051 for incoming connections with CA ARCserve Backup.
CommVault Dynamic and CommVault Static — Open TCP ports 8600‐8619 and 8400‐8403 for incoming and outgoing connections with CommVault Galaxy.
EMC NetWorker Agent — Opens TCP ports 7937‐9936 for incoming and outgoing connections with EMC NetWorker.
Tivoli Storage Manager Agent — Opens TCP port 1500 for incoming and outgoing connections with IBM Tivoli Storage Manager.
Symantec Backup Exec Agent — Opens TCP ports 10000‐10200 for incoming connections with Symantec Backup Exec for Windows Servers.
Symantec Net Backup Agent — Opens TCP ports 13720, 13724, and 13783 for incoming connections with Symantec NetBackup.
Additional Configuration Steps After you open a firewall port in the ESX Server 3 service console, you might need to perform additional activities to configure and enable specific backup products. For some products, such as CA ARCserve, these activities involve specific changes in the ESX Server 3 service console. For other products, you need to change some configuration settings for the backup software. The following sections specify any required configuration activities.
After you enable the CAARC Server firewall property for the ESX Server 3 host, make sure that the /vmfs
mount point is listed in the /etc/mtab folder on the ESX Server 3 service console.
For instructions on how to populate the /etc/mtab folder, see the VMware KB article 1811.
After you enable the CommVault Dynamic and CommVault Static firewall properties for the ESX Server 3 host,
configure the CommVault client, CommServer, and the Media Agent.
Configuring the CommVault Client on the Service Console Configure the CommVault client running on the ESX Server 3 service console so that it can use the 8600‐8619 and 8400‐8403 port ranges. In addition, select the Two Way (symmetrical) firewall type.
To configure the CommVault client, run the following commands on the ESX Server 3 service console:
Configuring the CommVault Server and the Media Agent
The firewall settings for the CommVault server and the Media Agent need to match the CommVault client
configuration. If these services are running on UNIX or Linux, configure them by following the directions in
“Configuring the CommVault Client on the Service Console.”.
If the services are running on Windows, use the FirewallConfig utility located in the base subdirectory of the
CommVault Galaxy installation directory.
For a default installation, this is C:\Program Files\CommVault Systems\Galaxy\base.$
EMC Legato NetWorker
After you enable the EMC NetWorker Agent firewall property for the ESX Server 3 host, configure EMC Legato NetWorker.
The EMC Legato NetWorker setup should match the default service port range for NetWorker. To adjust this setting, run the following command on the NetWorker server:
nsrports -s esx.company.com -S 7937-9936,
where esx.company.com is the DNS name for the ESX Server 3 host running the NetWorker Client, as
recognized by the NetWorker Server.
For more detailed description about how to set up EMC Legato NetWorker for use with a firewall, see EMC
IBM Tivoli Storage Manager
After you open TCP port 1500 by enabling the Tivoli Storage Manager Agent firewall property for the ESX
Server 3 host, no further configuration of Tivoli Storage Manager is required.
Port 1500 matches the default configuration for Tivoli Storage Manager client and server connection. You can
change this configuration by using the tcpport option for Tivoli Storage Manager.
For information about how to configure Tivoli Storage Manager client/ server communication across a firewall, see IBM Tivoli Storage Manager documentation.
Symantec Backup Exec for Windows Servers
After you enable the Symantec Backup Exec Agent firewall property for the ESX Server 3 host, you need to set the port range to 10001-10200 for the Symantec Backup Exec server.
If you are running Symantec Backup Exec version 11d, use the following procedure.
To set the dynamic port range:
1.Select Tools > Options.
2.On the Properties pane, under Job Defaults, click Network and Security.
3.Select Enable remote agent TCP dynamic port range, and enter 10001 and 10200 in the appropriate fields.
For information about how to set the dynamic port range for various versions of Backup Exec starting with version 9.x, see the Symantec documentation and KB articles.
Opening Firewall Ports or Port Ranges on the Service Console
In addition to predefined ports you open for a number of supported backup products, you might need to open other ports when you configure certain backup clients. For example, if you are using Veritas NetBackup 4.5 as
a backup agent, you need to open ports 13720, 13724, 13782, and 13783.
You can open specific ports by running the esxcfg-firewall command in the service console. Before you open ports to support the product you are installing, consult vendor specifications to determine the necessary ports.
To open a specific port in the service console firewall:
1.Log in to the service console and acquire root privileges.
2.Run the following command:
esxcfg-firewall -o ,tcp,in|out,
port_number is the vendor‐specified port number.
tcp is the TCP protocol.