cancel
Showing results for 
Search instead for 
Did you mean: 

HIPS Blocking Backup Exec

Jump to solution

We backup a users PC using Backup Exec but then we added HIPS onto their machine and the backup always fails now. We put firewall rules into Adaptive mode and the backup ran fine. When we took it out of adaptive mode (telling the pc to retain the rules it created), the backup stil fails. We know its a firewall issue but we are not sure what rule we are missing. We have a firewall rule that allows all traffic from the backup exec server using a wide range of ports to the beremote exe.

The error we get on Backup Exec is: A communications failure has occured

We are using Backup Exec 15 and McAfee HIPS 8

1 Solution

Accepted Solutions

Re: HIPS Blocking Backup Exec

Jump to solution

Hi,

I have now solved the issue, we found that Backup Exec was using a larger range of local ports then we thought and so we epanded this range in the policy and we are now able to backup the machine.

Thanks

3 Replies
McAfee Employee

Re: HIPS Blocking Backup Exec

Jump to solution

The network traffic may not be associated with beremote.exe. Review the HIPS Activity log and create firewall rules for any blocked traffic that is associated with the software (remote IPs, ports, etc.).  You may find that the traffic is SYSTEM-based and is not associated with a specific app PID (meaning the firewall rule cannot be associated with an application).  If the application worked while in Adaptive mode, review what rules were created and see if they might be associated with backup software.  Also test using the "Allow ANY/ANY" firewall rule set from KB67055.

KB67055 – How to troubleshoot a network facing application, or traffic is blocked by Host Intrusion Prevention firewall

https://kc.mcafee.com/corporate/index?page=content&id=KB67055

Also make sure you are testing the latest HIPS 8.0 version for any known defects.

KB70725 - Host Intrusion Prevention 8.0 patch and hotfix version information

https://kc.mcafee.com/corporate/index?page=content&id=KB70725

0 Kudos
rmetzger
Level 14

Re: HIPS Blocking Backup Exec

Jump to solution

Hi Charlie,

This document is for BE v11d but probably applies in your environment:

https://www.veritas.com/support/en_US/article.TECH49563



https://www.veritas.com/support/en_US/article.TECH49563 wrote:






List of TCP/UDP ports used by Backup Exec 11d and above (including CPS and DLO) and BE System Recovery (BESR)









































































































































Backup Exec Agent Browser (process=benetns.exe)6101TCP
Backup Exec Remote Agent for Windows Servers (process=beremote.exe)10000TCP
Backup Exec Server (process=beserver.exe)3527TCP
6106TCP
MSSQL$BKUPEXEC (process=sqlservr.exe)1125TCP
1434 (ms-sql-m)UDP
Oracle Agent for Windows and Linux ServersRandom port unless
configured otherwise
DB2 Agent for Windows and Linux ServersRandom port unless
configured otherwise
Kerberos88UDP
NETBIOS135TCP, UDP
NETBIOS Name Service137UDP
NETBIOS Datagram Service138UDP
NETBIOS Session Service139TCP
NETBIOS (Windows 2000)445TCP
DCOM/RPC3106TCP
Backup Exec Remote Agent6103TCP
Push Install -- Check for conflicts in message queue for CASO which is part of beserver.exe103xTCP
Push Install -- SMB2445TCP
SMTP email notification25 outbound from media serverTCP
SNMP162 outbound from media serverTCP
FTP21TCP
HTTP80TCP
HTTPS443TCP


Backup Exec for Windows Servers Listening Ports:



First, it is important to understand the difference between using a port for listening versus for dynamic or ad-hoc communication.


When Backup Exec for Windows Servers is not running any operations, the various services are listening on ports for incoming communication from other services and/or agents.


During operations such as backups, a Backup Exec for Windows Server will first communicate to the Remote Agent on the static listening port (control connection) and then pass data back and forth using dynamic (ad-hoc) ports that are either random (by default) or can be configured to use a specific range.


More detail on limiting the port ranges for Remote Agent communications can be found in the Related Documents area at the bottom of this document.


 
























































ServicePortPort Type
Backup Exec Agent Browser (benetns.exe)6101TCP
Backup Exec Remote Agent for Windows Server (beremote.exe)10000TCP
Backup Exec Server (beserver.exe)3527, 6106TCP
MSSQL$BKUPEXEC (sqlservr.exe)1125TCP
1434UDP
Backup Exec Remote Agent for NetWare10000, 6102TCP
Remote Agent for Linux and UNIX Servers (RALUS)10000TCP
DBA-initiated backups for Oracle and DB25633

TCP


Backup Exec Deduplication Engine (spoold.exe)10082TCP
Backup Exec Deduplication Manager (spad.exe)10102TCP



My guess is that you have to Configure BERemote to use Specific ports rather than using the default random ports. HIPS in learning mode will work, but turning off learning mode causes failure due to the next random port used, not yet configured to work within HIPS. Check the rules HIPS created while in learning mode and compare against the ports when it fails. This should lead you to the area that can help you statically define the port you want to use, and then change the HIPS rule(s) to use that port.

Another article: https://www.veritas.com/support/en_US/article.TECH43579

Hope this helps

Ron Metzger

0 Kudos

Re: HIPS Blocking Backup Exec

Jump to solution

Hi,

I have now solved the issue, we found that Backup Exec was using a larger range of local ports then we thought and so we epanded this range in the policy and we are now able to backup the machine.

Thanks