I'm a VI3 newbie and I have installed the Backup Exec 11d Remote Agent for Linux onto my first ESX 3.0.1 server successfully. However, I am having trouble getting the BE agent to communicate and publish itself onto the BE media server (Windows 2003).
I believe that the issue is the firewall on ESX. Does anyone have experience in configuring the ESX firewall for Backup Exec 11d?
You can look through the VI client at Configuration/Security. You can also run esxcfg-firewall -q to see what is opened
Take a look at this article - steps 17 and following:
http://www.tooms.dk/articles_tutorials/backupexec_agent_on_esx3/
Take a look at this article - steps 17 and
following:
http://www.tooms.dk/articles_tutorials/backupexec_agen
t_on_esx3/
It looks like that article was originally written for prevoius versions of Backup Exec (pre-v11d). Will steps 17+ work on a v11d linux agent?
OK, I've gotten farther by using the doc linked above. For Backup Exec v11d it uses ports 1025-1075 by default. Does anyone know the command to open multile ports at the same time on ESX's firewall?
For a single port I used:
esxcfg-firewall -o 1025,tcp,in,Backupexec
As far as I know you can only do one port at a time. If you want to be able to manage it via the VI client you can edit /etc/vmware/firewall/services.xml but direct editing of the file probably isn't supported.
http://www.vmware.com/community/message.jspa?messageID=478617
I know that we cannot be the only company using Backup Exec 11d and ESX 3.x together and I was hoping that someone might be able to help with the ESX firewall config. I believe that I have eveything configured correctly now and the ESX server doesnow appear in the Backup Exec software but I cannot select any volumes or files to backup.
When I try to select the server in the Backup Exec console it just hangs for approx. 60 seconds and then it gives me back a generic error. I do not believe that it is a username/password error but yet probably still an issue with the firewall on ESX.
I have opened outbound tcp ports 6101-6102 and inbound tcp ports 1025-1075 on the ESX server for Backup Exec 11d. I believe that the outbound port change is what allowed it to be "published" in the BE console. However, I am not convinced that the inbound ports are correct and Symantec tech. support has been useless in helping me thus far (I opened a ticket with them yesterday morning). In the BE console it is configured to use ports 1025-1075 so this is what I opened on ESX.
I am wondering: could it really need two way communication on these ports? Could UDP also be used?
could you try giving this command and see what happens..
#esxcfg-firewall --allowIncoming allowOutgoing
could you try giving this command and see what
happens..
#esxcfg-firewall --allowIncoming allowOutgoing
I'm assuming that this completely opens the firewall to all inbound and outbound traffic. What I need to know is when I try to undo this command later (--denyIncoming?) will this overwrite the firewall rules that I have already established?
Also, does the ESX firewall only protect the service console? If so, is there a huge risk in me just leaving the firewall essentially turned off?
Message was edited by:
tWiZzLeR
could you try giving this command and see what
happens..
#esxcfg-firewall --allowIncoming allowOutgoing
Thanks Dipak - Yes, this worked! So it IS definitely an ESX firewall issue. Any idea how I can figure out what ports are really being blocked?
Message was edited by:
tWiZzLeR
You can look through the VI client at Configuration/Security. You can also run esxcfg-firewall -q to see what is opened
Hi,
I really don't have any idea about this. I have just started learning ESX server very recently. the command i gave you is from sone of the documents that i have.
regarding this port allow/deny thing, some ESX/LINUX gurus can answer, however if i come across anything i will post it here.
If it's a default install all ports will be blocked except what you can see has been opened through the VI client. using the esxcfg-firewall -q cmd allows you to see these as well as any bespoke ones you've added such as the one for the BU agent
You can look through the VI client at
Configuration/Security. You can also run
esxcfg-firewall -q to see what is opened
Yes, this worked![/b] I didn't even know that you could see some of the firewall settings from the VI Client. There was a service called "Symantec Backup Exec Agent" listed using ports 10000-10200 so I just checked the box and turned it on in the GUI and then I went to the Backup Exec console and changed the port range to match and now it works (with the firewall turned back on for all ports)!
Thanks to everyone for their help!!!
I installed the 11d RALUS on our ESX3.01 servers as well, and I can't see them in our BE 11d console.
I tried everything that was mentioned here (at least I think so):
BackupExec ist allowed in Config/SecurityProfile (Ports 10000-10200), Port 6101 tcp out is open, and I even allowed all outgoing and incoming traffic - without successs.
The VRTSralus service is running and I can stop and start it.
I don't even need vmfs.
We do scheduled backups with vmbk.pl to a separate ext3 SAN volume and only want to backup this volume to tape with BE11d.
Any suggestions what I can try?
Kind regards,
Stefan