3 Replies Latest reply on Jan 20, 2016 9:30 AM by charliewilson

    HIPS Blocking Backup Exec

    charliewilson

      We back up a user's PC using Backup Exec but then we added HIPS onto their machine and the backup always fails now. We put firewall rules into Adaptive mode and the backup ran fine. When we took it out of adaptive mode (telling the PC to retain the rules it created), the backup still fails. We know it's a firewall issue but we are not sure what rule we are missing. We have a firewall rule that allows all traffic from the Backup Exec server using a wide range of ports to the beremote exe.

       

      The error we get on Backup Exec is: A communications failure has occurred

       

      We are using Backup Exec 15 and McAfee HIPS 8

        • 1. Re: HIPS Blocking Backup Exec
          Kary Tankink

          The network traffic may not be associated with beremote.exe. Review the HIPS Activity log and create firewall rules for any blocked traffic that is associated with the software (remote IPs, ports, etc.).  You may find that the traffic is SYSTEM-based and is not associated with a specific app PID (meaning the firewall rule cannot be associated with an application).  If the application worked while in Adaptive mode, review what rules were created and see if they might be associated with backup software.  Also test using the "Allow ANY/ANY" firewall rule set from KB67055.

           

          KB67055 – How to troubleshoot a network facing application, or traffic is blocked by Host Intrusion Prevention firewall

          https://kc.mcafee.com/corporate/index?page=content&id=KB67055

           

           

           

          Also make sure you are testing the latest HIPS 8.0 version for any known defects.

           

          KB70725 - Host Intrusion Prevention 8.0 patch and hotfix version information

          https://kc.mcafee.com/corporate/index?page=content&id=KB70725

          • 2. Re: HIPS Blocking Backup Exec
            rmetzger

            Hi Charlie,

             

            This document is for BE v11d but probably applies in your environment:

            https://www.veritas.com/support/en_US/article.TECH49563

             

            https://www.veritas.com/support/en_US/article.TECH49563 wrote:

             

            List of TCP/UDP ports used by Backup Exec 11d and above (including CPS and DLO) and BE System Recovery (BESR)

             

             

            Backup Exec Agent Browser (process=benetns.exe) 6101 TCP
            Backup Exec Remote Agent for Windows Servers (process=beremote.exe) 10000 TCP
            Backup Exec Server (process=beserver.exe) 3527 TCP, 6106 TCP
            MSSQL$BKUPEXEC (process=sqlservr.exe) 1125 TCP, 1434 (ms-sql-m) UDP
            Oracle Agent for Windows and Linux Servers Random port unless configured otherwise
            DB2 Agent for Windows and Linux Servers Random port unless configured otherwise
            Kerberos 88 UDP
            NETBIOS 135 TCP, UDP
            NETBIOS Name Service 137 UDP
            NETBIOS Datagram Service 138 UDP
            NETBIOS Session Service 139 TCP
            NETBIOS (Windows 2000) 445 TCP
            DCOM/RPC 3106 TCP
            Backup Exec Remote Agent 6103 TCP
            Push Install -- Check for conflicts in message queue for CASO which is part of beserver.exe 103x TCP
            Push Install -- SMB2 445 TCP
            SMTP email notification 25 outbound from media server TCP
            SNMP 162 outbound from media server TCP
            FTP 21 TCP
            HTTP 80 TCP
            HTTPS 443 TCP

             

            Backup Exec for Windows Servers Listening Ports:

             

            First, it is important to understand the difference between using a port for listening versus for dynamic or ad-hoc communication.

            When Backup Exec for Windows Servers is not running any operations, the various services are listening on ports for incoming communication from other services and/or agents.

            During operations such as backups, a Backup Exec for Windows Server will first communicate to the Remote Agent on the static listening port (control connection) and then pass data back and forth using dynamic (ad-hoc) ports that are either random (by default) or can be configured to use a specific range.

            More detail on limiting the port ranges for Remote Agent communications can be found in the Related Documents area at the bottom of this document.

             

            Service                                                     Port         Port Type
            Backup Exec Agent Browser (benetns.exe)                     6101         TCP
            Backup Exec Remote Agent for Windows Server (beremote.exe)  10000        TCP
            Backup Exec Server (beserver.exe)                           3527, 6106   TCP
            MSSQL$BKUPEXEC (sqlservr.exe)                               1125         TCP
                                                                        1434         UDP
            Backup Exec Remote Agent for NetWare                        10000, 6102  TCP
            Remote Agent for Linux and UNIX Servers (RALUS)             10000        TCP
            DBA-initiated backups for Oracle and DB2                    5633         TCP
            Backup Exec Deduplication Engine (spoold.exe)               10082        TCP
            Backup Exec Deduplication Manager (spad.exe)                10102        TCP

             

             

            My guess is that you have to Configure BERemote to use Specific ports rather than using the default random ports. HIPS in learning mode will work, but turning off learning mode causes failure due to the next random port used, not yet configured to work within HIPS. Check the rules HIPS created while in learning mode and compare against the ports when it fails. This should lead you to the area that can help you statically define the port you want to use, and then change the HIPS rule(s) to use that port.

             

            Another article: https://www.veritas.com/support/en_US/article.TECH43579

             

            Hope this helps

            Ron Metzger

            • 3. Re: HIPS Blocking Backup Exec
              charliewilson

              Hi,

               

              I have now solved the issue. We found that Backup Exec was using a larger range of local ports than we thought, so we expanded this range in the policy and we are now able to back up the machine.

               

              Thanks
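
The comparison suggested in replies 1 and 2, and the gap that turned out to be the cause in reply 3, can be checked mechanically. The following is an added example, not code from the thread, McAfee or Veritas: it subtracts the allowed port ranges from the agent's configured dynamic range and groups blocked connections by owning process. The rule tuples, the CSV layout, the 50000-50100 range and the 192.0.2.10 address are constructed assumptions, not HIPS or Backup Exec formats.

```python
import csv
import io

# Constructed firewall allow rules: (process, protocol, low port, high port).
# A simplified model, not the HIPS policy export format.
RULES = [
    ("beremote.exe", "TCP", 10000, 10000),  # static control port from the list
    ("beremote.exe", "TCP", 50000, 50020),  # dynamic range the admins assumed
]

# Hypothetical dynamic range actually configured on the Backup Exec side.
AGENT_RANGE = (50000, 50100)

# Constructed blocked-connection records (not the HIPS Activity log format).
BLOCKED_CSV = """process,protocol,local_port,remote_ip
beremote.exe,TCP,50044,192.0.2.10
beremote.exe,TCP,50087,192.0.2.10
SYSTEM,TCP,445,192.0.2.10
"""

def uncovered(rules, process, protocol, low, high):
    """Sub-ranges of [low, high] that no rule for (process, protocol) allows."""
    spans = sorted((lo, hi) for p, pr, lo, hi in rules
                   if p == process and pr == protocol)
    gaps, cursor = [], low
    for lo, hi in spans:
        if hi < cursor or lo > high:
            continue                      # rule lies outside the remaining range
        if lo > cursor:
            gaps.append((cursor, lo - 1))  # hole before this rule starts
        cursor = max(cursor, hi + 1)
    if cursor <= high:
        gaps.append((cursor, high))        # tail of the range left open
    return gaps

def unmatched_blocks(rules, log_text):
    """Blocked records that no rule would allow, keyed by owning process."""
    result = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        port, proto = int(row["local_port"]), row["protocol"].upper()
        if not any(p == row["process"] and pr == proto and lo <= port <= hi
                   for p, pr, lo, hi in rules):
            result.setdefault(row["process"], []).append((proto, port))
    return result

if __name__ == "__main__":
    print("uncovered agent ports:",
          uncovered(RULES, "beremote.exe", "TCP", *AGENT_RANGE))
    for proc, hits in unmatched_blocks(RULES, BLOCKED_CSV).items():
        print(proc, hits)
```

Entries grouped under a process other than beremote.exe (SYSTEM in the sample) are the case reply 1 describes, where an application-bound rule cannot match the traffic.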