NetWorker Firewall Configuration on Windows

I’ve been involved with an increasing number of NetWorker 7.6 SP1 configurations on Windows 2008 R2, and I’m not sure whether what I’ve encountered is specific to Windows 2008 R2 or just a general deficiency in the NetWorker installer’s firewall configuration process. Either way, since it caused some challenges for me, I wanted to note down the issues I’ve observed.

First, the firewall configuration is only applied to the “Public” profile. This is OK for single-interface servers, but if your system has multiple interfaces, it isn’t sufficient – you need to edit the rules to apply to all three of “Domain”, “Private” and “Public”:

[Screenshot: Firewall configuration 1]

The next issues I encountered related to tape libraries on storage nodes. In particular, the default automatic NetWorker firewall configuration, on Windows 2008 R2 at least, didn’t add rules allowing the nsrmmgd or nsrlcpd daemons to communicate.

To create these rules:

  • On the server:
    • Copied two of the existing rules – one for TCP, one for UDP – and updated the “Programs and Services” pane to reference X:\path\to\bin\nsrmmgd.exe.
  • On each storage node:
    • Copied two of the existing rules – one for TCP, one for UDP – and updated the “Programs and Services” pane to reference X:\path\to\bin\nsrlcpd.exe.
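The same rule changes scripted with `netsh advfirewall firewall add rule`, the rule syntax Windows 2008 R2 actually accepts, as an added example that is not from the original post. The install path `X:\path\to\bin`, the rule names, and the installer rule names are placeholders; the 7937-9936 range is the NetWorker service port range discussed in the comments.

```powershell
# Added example, not code from the original post. Creates the per-daemon
# NetWorker firewall rules described above with netsh advfirewall, which is
# available on Windows 2008 R2, and re-scopes installer rules to all profiles.
# Run from an elevated PowerShell prompt on the server or storage node.
param(
    # "server" adds the nsrmmgd rules; "storagenode" adds the nsrlcpd rules.
    [ValidateSet("server", "storagenode")]
    [string]$Role = "server",

    # Assumed NetWorker bin directory; replace with the real install path.
    [string]$NsrBin = "X:\path\to\bin",

    # NetWorker service port range quoted in the comments.
    [string]$Ports = "7937-9936",

    # Placeholder names of the installer-created rules to widen from
    # "Public" to all profiles; look them up in the firewall console first.
    [string[]]$InstallerRules = @("PLACEHOLDER NetWorker rule TCP",
                                  "PLACEHOLDER NetWorker rule UDP")
)

$daemon  = if ($Role -eq "server") { "nsrmmgd.exe" } else { "nsrlcpd.exe" }
$program = Join-Path $NsrBin $daemon

# One inbound rule per protocol, bound to the daemon binary rather than to
# bare ports, and applied to Domain, Private and Public (profile=any).
foreach ($proto in @("TCP", "UDP")) {
    $name = "NetWorker $daemon $proto"
    & netsh advfirewall firewall add rule name="$name" dir=in action=allow `
        program="$program" protocol=$proto localport=$Ports profile=any enable=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$name'" }
}

# Widen the installer's Public-only rules so multi-homed hosts are covered too.
foreach ($rule in $InstallerRules) {
    & netsh advfirewall firewall set rule name="$rule" new profile=any
    if ($LASTEXITCODE -ne 0) { Write-Warning "rule '$rule' not found or not updated" }
}

# Verify: the Profiles line should read Domain,Private,Public and the
# Program line should point at the daemon binary.
foreach ($proto in @("TCP", "UDP")) {
    & netsh advfirewall firewall show rule name="NetWorker $daemon $proto" verbose
}
```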

With these sets of changes in play, NetWorker has behaved a lot more normally.

(Obviously, any firewall changes you make in your environment should be considered against site requirements.)

19 thoughts on “NetWorker Firewall Configuration on Windows”

  1. Hi,
    I have a problem with the NW server backing up Win 2008 R2 clients. Do I have to create firewall rules for both UDP and TCP?

  2. OK, so is just opening the ports enough, or should I also allow nsrexec.exe for both UDP and TCP?
    Is this command correct? I can’t seem to get it to work.

    netsh advfirewall add portopening protocol=ALL port=7937-9936 name="NW connection" mode=enable scope=all profile=all

  3. From the client, I get an error when I type

    rpcinfo -p NW_server
    80720 9 %s%s – %s 3 24 26 can’t contact portmapper: 11 23 352:Remote system error 11 185 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    I get this even if I turn off the Windows firewall.

    1. That suggests another networking issue is coming into play – or the daemons may need a restart after turning off the firewall. I would normally not expect to see a need to restart the daemons after turning off the firewall, though, hence it may be another issue.

  4. I have already restarted the daemons but still get this problem.
    Any suggestions?
    Should I be getting this after I’ve changed the firewall rules for TCP and UDP?

    1. Unless there are other network issues or firewalls in play, you typically shouldn’t get this after you’ve successfully changed the firewall rules. I’d suggest raising a case with your support provider.

  5. OK, thanks.
    I also want to ask your guidance on something else.
    This is what we have.

    NW server – Windows 2008 R2 server 7.6 SP1 build 664
    NW client – Windows 2008 R2 server 7.6 SP1 build 664

    The backup is about 4T. The NW server is connected to the Brocade switch and I have presented a 6T LUN to the NW server.

    The clients are on an ESX cluster and have shared storage on the Clariion too.

    I want to establish backup of these clients via the fiber switch. Right now, the backup is via Ethernet.

    I think there is a difference between a storage node and a dedicated storage node, but I am confused.

    I am not sure how to ensure I have backup over fibre. At the moment, if I disable the 192.168 IP address, which is the private backup address, then I can’t ping the clients and servers, so this proves the backup is over Ethernet.

    I need to get the backup over the FC switch.

    1. If you’re wanting to do backup over Fibre Channel, then you need to look into dynamic drive sharing (or, depending on the number of tape drives, etc., in the environment, library sharing).

      Typically you’d be looking at dedicated storage nodes, fibre-channel mapped/zoned to see tape drives, or VTLs, etc., backing up their own data to SAN-connected backup storage.

  6. OK, so we will have to get a dedicated storage node license? And then create the zones to back up the data via the FC switch.

    1. Minimum dedicated storage node license. If you want to share FC connected tape drives between the dedicated storage nodes, you’ll also need 1 dynamic drive license per tape drive.

  7. Oh… so I can’t do a backup to disk over fibre?
    Because of the size of the data, I want to do the backup over the FC switch instead of Ethernet.
    Assuming I get a dedicated storage node license, do I need to make any major changes to do the backup over FC?

    1. You can – then you don’t need dynamic drive shares, you’d just need appropriate levels of disk backup license.

      But, what are you going to do once you get the backup written to fibre attached disk?

  8. I will not be transferring the data to tape. All I do is back up to disk.
    I already have a backup to disk license.
    So on my NW backup server, I have a LUN and have formatted it as a GPT drive, created a folder and labelled it as AFTD.
    I am also running a trial of the NW install, so I guess all licenses are enabled. So now what changes do I need to make to ensure the backup is via the FC switch?

    1. You need to create an ADV_FILE type device on the remote storage nodes – using the device naming convention of ‘rd=hostname:PATH’. If you’re creating using 7.6 SP1, the device creation wizard can make this a bit easier.

  9. Hi Preston,
    That’s what I have done. OK, I’ll go back a bit.
    New HP DL380G7 server > created zones on the FC switch > carved a 6T LUN on the Clariion > presented to the server > mounted as a GPT disk and formatted using the Windows default NTFS format > gave it a drive name. So far so good.
    Then installed NW 7.6.1.3.Build.446 64-bit. Then created a group. Then add client wizard > added client > then added client to group.
    Then went to media pool > created new media pool > selected the group in data source.
    Created a label pool.
    Went to devices > right click > new device wizard > selected AFTD > storage node > NW SERVER > enter device path > E:\vm_pool > label and mount pool after creation > pool type > backup > selected pool label which was created earlier as vmpool > target sessions > 1 > max sessions > 32 > configure > device created.
    Is this the way? But I think the backup still goes through the Ethernet card!

    1. That configuration will be backup over Ethernet.

      You must create remote devices on the attached storage nodes, mapping to local paths on the storage node.

      Past this I’d suggest you seek local install assistance.

  10. Hi Preston,
    I created a new folder on the disk and then selected Browse storage file system instead of device path > entered server admin login and password > selected pool > next > and the device was created!
    Was this it? Was I missing this? Now if I start the backup, will it go via fibre? Will it have any impact on the client if I start the backup now? How do I test whether the backup is via the FC switch?
