Troubleshooting Communication Issues With Backup Exec System Recovery (BESR)}.
1. What Ports does Backup Exec System Recovery Utilize?
2. How Do I set the DCOM Security Settings?
3. How Do I make exceptions in Windows Firewall for Backup Exec System Recovery?
The Backup Exec System Recovery agent cannot deploy/connect from the Backup Exec System Recovery console. This is typically caused by improper environmental settings.
Backup Exec System Recovery requires opening the following ports:
137 (inbound and outbound TCP and UDP)
138 (inbound and outbound UDP)
139 (inbound and outbound TCP)
By default, DCOM is free to use any port between 1024 and 65535 when it dynamically selects a port for an application. This range can be reduced by creating registry keys on the computer that hosts the DCOM service; the firewall router can then be configured to forward only these TCP ports. Ports above port 5000 should be used since numbers below port 5000 may already be in use by other applications and can cause conflicts with other DCOM applications. Experience shows that at least 20 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
In order to open ports, perform the following steps:
1. Click on Start and then Run
2. Type Regedit and click OK
3. Click on File then Export
4. Give this file the name RegistryBackup and click OK
Edit the registry:
1. On the agent machine, open HKLM\Software\Microsoft\Rpc\Internet. Create the Internet subkey under Rpc.
2. Within Internet, create a REG_MULTI_SZ - With Internet highlighted, right click in the right pane and select New then MultiString Value
3. Name the new string Ports and set its value to 5001-5100.
Create a REG_SZ - Right click again in the right pane and select New then String Value
4. Name this new string PortsInternetAvailable and set its value to Y.
5. Create a second REG_SZ called UseInternetPorts and set its value also to Y.
6. Reboot. The machine will need a reboot for these changes to take affect.
Create a firewall rule that allows TCP 135 inbound (from the Symantec Backup Exec System Recovery console to the Symantec Backup Exec System Recovery agent) and a second rule that allows 5001-5100. Destination host addresses may be added so that only machines with Symantec Backup Exec System Recovery agents are reachable on these ports. If using the Windows built-in firewall, the range of ports cannot be specified. Therefore 100 separate rules must be created. This however, can be accomplished in XP SP2 and 2003 SP1 by running NETSH from the command line:
netsh firewall add portopening <tcp|udp> <port#> <rule_name>
netsh firewall add portopening tcp 135 EPMAP
netsh firewall add portopening tcp 5001 RPC5001
netsh firewall add portopening tcp 5002 RPC5002
netsh firewall add portopening tcp 5003 RPC5003
netsh firewall add portopening tcp 5100 RPC5100
In addition, Simple File Sharing will need to be disabled. To disable simple file sharing go to My Computer/Tools/Folder options/View and at the bottom take the check mark out for "Use Simple File Sharing" then reboot the machine. The agent machine will also need to be a member of the same domain and/or workgroup as the console system and on the same subnet.