Using Backup Exec with firewalls
In firewall environments, Backup Exec provides the following advantages:
- The number of ports that are used for backup network connections is kept to a minimum.
- Open ports on the Backup Exec server and remote systems are dynamic and offer high levels of flexibility during browsing, backup, and restore operations.
- You can set specific firewall port ranges and specify backup and restore networks within these ranges. You can use specific ranges to isolate data traffic and provide high levels of reliability.
Note: The Agent for Windows is required to perform remote backups and restores.
Firewalls affect system communication between a Backup Exec server and any remote systems that reside outside the firewall environment. You should consider special port requirements for your firewall when you configure Backup Exec.
Veritas recommends that you open port 10000 and make sure that it is available on the Backup Exec server and any remote systems. In addition, you must open the dynamic port ranges that Backup Exec uses for communications between the Backup Exec server and Backup Exec agents.
When a Backup Exec server connects to a remote system, it initially uses port 10000. The agent listens for connections on this predefined port. The Backup Exec server is bound to an available port, but additional connections to the agent are initiated on any available port.
When you back up data, up to two ports may be required on the computer on which the agent is installed. To support simultaneous jobs, you must configure your firewall to allow a range of ports large enough to support the number of simultaneous operations desired.
If there is a conflict, you can change the default port to an alternate port number by modifying the %systemroot%\System32\drivers\etc\services file. You can use a text editor such as Notepad to modify your NDMP entry or add an NDMP entry with a new port number. You should format the entry as follows:
ndmp 9999/tcp #Network Data Management Protocol
Note: If you change the default port, you must change it on the Backup Exec server and all remote systems that are backed up through the firewall.
When you set up TCP dynamic port ranges, Veritas recommends that you use a range of 25 allocated ports for the remote computer. The number of ports that remote computers require depends on the number of devices you protect and the number of tape devices you use. You may need to increase these port ranges to maintain the highest level of performance.
Unless you specify a range, Backup Exec uses the full range of dynamic ports available. When performing remote backups through a firewall, you should select a specific range on the Network and Security settings dialog box.
To browse systems through a firewall
- Click the Backup Exec button, select Configuration and Settings, and then select Backup Exec Settings.
- In the left pane, select Network and Security.
- Verify that a dynamic range of ports has been set for the Backup Exec server and the Backup Exec agent and that the firewall is configured to pass these port ranges and the 10000 port (which is used for the initial connection from the Backup Exec server to the Backup Exec agent).
  Port 6101 must be open to browse Windows systems in the backup selections tree.
- Click OK.
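The following PowerShell script is an added example, not part of the Veritas documentation. Run on the computer where the agent is installed, it reads the NDMP port from the services file, checks it for conflicts, and creates Windows Firewall rules that admit only the Backup Exec server on that port and on the dynamic range. The server address and the port range are assumed placeholder values.

```powershell
# Added example. Run in an elevated PowerShell session on the agent computer.
# Assumed values (not from the page): replace both before use.
$BackupExecServer = '192.0.2.10'   # constructed address from the documentation range
$DynamicRange     = '50000-50024'  # hypothetical 25-port range; must match Network and Security

# 1. Read the NDMP port from the services file; the default is 10000 when no entry exists.
$servicesFile = Join-Path $env:SystemRoot 'System32\drivers\etc\services'
$ndmpPort = 10000
$entries  = Get-Content -Path $servicesFile | Where-Object { $_ -match '^\s*[^#\s]+\s+\d+/tcp' }
foreach ($entry in $entries) {
    if ($entry -match '^\s*ndmp\s+(\d+)/tcp') { $ndmpPort = [int]$Matches[1]; break }
}

# 2. Report any other service name registered on the same TCP port (a conflict).
foreach ($entry in $entries) {
    if ($entry -match '^\s*(\S+)\s+(\d+)/tcp' -and [int]$Matches[2] -eq $ndmpPort -and $Matches[1] -ne 'ndmp') {
        Write-Warning "Port $ndmpPort/tcp is also assigned to '$($Matches[1])' in the services file."
    }
}

# 3. Show what is currently listening on the NDMP port, if anything.
Get-NetTCPConnection -State Listen -LocalPort $ndmpPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. A backup can need up to two ports on the agent, so the range size bounds concurrency.
$low, $high = $DynamicRange -split '-' | ForEach-Object { [int]$_ }
$portCount  = $high - $low + 1
Write-Output ("Range {0} holds {1} ports: at least {2} simultaneous backups at two ports each." -f `
    $DynamicRange, $portCount, [math]::Floor($portCount / 2))

# 5. Allow only the Backup Exec server to reach the NDMP port and the dynamic range.
$common = @{ Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; RemoteAddress = $BackupExecServer }
New-NetFirewallRule @common -DisplayName 'Backup Exec agent: NDMP control' -LocalPort $ndmpPort
New-NetFirewallRule @common -DisplayName 'Backup Exec agent: dynamic ports' -LocalPort $DynamicRange
```

Any perimeter firewall between the two systems needs the same ports passed. Port 6101 is left out because the page does not state in which direction that connection is made.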