Hey guys, I am looking at the replication section of the admin guide and cannot find the requirements for firewall ports that need to be open for root-to-root or normal replication to occur.
I've reviewed the Avamar Product Security Guide. Appendix A appears to contain a comprehensive list of ports used by Avamar. Unfortunately, I'm not sure it completely distinguishes between ports used for replication and ports used for backups. For example, here are the ports we see in use between the source and destination Avamar and Data Domain appliances from the perspective of a firewall sitting in between the source and destination networks:
Source Avamar utility node -> Destination Data Domain via tcp port 111,2049,2052 (portmapper, mount, nfs, rpc)
Source Avamar utility node -> Destination Avamar utility node via tcp port 8580, 9443 (web-browsing, ssl)
Source Avamar utility node -> Destination Avamar storage nodes via tcp port 27000 (avamar)
Source Data Domain -> Destination Data Domain via tcp port 2051, 3009 (unknown, ssl)
Are these ports all being used for replication or replication dependencies? Is this a comprehensive list of ports needed for native Avamar and Avamar-controlled Data Domain replication? I believe the last item above is for native Data Domain replication; are either of those ports needed if we do Avamar-controlled Data Domain replication instead? We are trying to run replication out of a tightly controlled site so it's important we only allow the needed ports (and obviously allow all the ports that are needed). We also are subject to a change control process so identifying all of the ports needed up front speeds up the process.
Specifically, why are the two grids talking on port 8580? That is documented as being used for Avamar Downloader Service communication. ADS obviously isn't running on the utility nodes (it requires a Windows box). Ditto for 9443 between the two Avamar utility nodes.
29000 is documented as being used from all nodes to all replicator target nodes but we don't see that port in use. Is it only used for part of the replication process?
What hosts are referred to as "Local host" in the source column of the table in Appendix A (e.g. backup clients, Avamar utility node, Avamar storage node?) 2049 and 2052 are referred to in this way and we see them in use between the source Avamar utility node and destination Data Domain but we do not see 3008 in use which is labeled in the same manner in the appendix.
Are 163, 161, 131 or 7 needed for Avamar-controlled replication of Data Domain backups from one grid/DDR to another grid/DDR?
For pure Avamar replication, only port 27000 (or 29000 for SSL encrypted replication) is required for the replication process itself. The source utility node must be able to reach the target's utility and storage nodes.
The best way to think of Avamar replication is as a simultaneous restore from the source and backup to the target. Replication uses a "two headed" avtar to connect to both source and target and replicate the data from grid to grid. This avtar runs on the utility node of the source and connects to the target like any other backup client. I'm glossing over some detail here but for the purposes of a discussion about ports, this should be enough. I've been meaning to write up a blog post on replication for some time but haven't had a chance.
The Enterprise Manager communicates with the MCS utility node services on various ports:
Just like with backups, port 27000 is used for proprietary or no encryption and port 29000 is used for SSL encryption.
For Avamar / DD integrated replication, the Avamar and DataDomain systems both communicate with their replication partners in the usual way but replication of the Avamar Mtree on the DDR is initiated by the source Avamar server using a ddrmaint command instead of being under the control of the DDR itself.
I'm not that familiar with the DDR side of things so I'll see if I can wrangle somebody with more DDR experience to answer your questions about the ports required for DDR integrated replication.
Message was edited by: ianderson -- clarify EM communication details
Thanks, Ian. That's deceptively straightforward and makes sense. I was getting lost in the table of port numbers. We'll start by allowing 27000 to replicate native Avamar backups and go from there.
Look forward to the details for Data Domain Avamar-integrated replication and your blog post.
I read the blog and I think that Joe has several questions remaining:
For the first question, the answer is correct. Port 2052 and 3009 between the source & target DD are being used for replication. We can provide the following document which is a comprehensive list of ports needed for allowing access to a Data Domain system through a firewall. https://my.datadomain.com/download/kb/appliance/firewall_port_requirements.html?fsearch=1&query=Port...
TCP 2052 - Replication / OST / Optimized Duplication - Port is used only if replication is configured on the Data Domain system. Run ‘replication show config’ to determine if this is the case. This port can be modified via the ‘replication modify’ command
TCP 3009 - SMS (System Management) - Port is used for managing a system remotely using Web Based GUI DDEM (Data Domain Enterprise Manager). This port cannot be modified. This port is only used on Data Domain systems running DDOS 4.7.x or later. This port will also need to be opened if you plan to configure replication from within the Data Domain GUI interface, as the replication partner needs to be added to the DD Enterprise Manager.
For the second question:
TCP Ports 161 & 163 are used for Avamar to monitor DD via SNMP. Since Avamar MCS does not monitor the target DD via SNMP, I don't believe these ports are required to be open.
I'm not sure about ports 131 and port 7 since they are quite vaguely described in the latest version of the Avamar product security guide (P/N 300-013-347). The table doesn't specify from which source and which destination host these ports should be open.
TCP 131 - Related to the network environment - Required when storing backups on a Data Domain system.
7/ECHO - Java-related for Data Domain system communication - Only required if Data Domain is used to store Avamar client backups.
I think (but not 100% sure) that if you've already got Avamar replication working and want to open the minimum ports to allow Avamar-controlled DD replication, then open ports 2052 and 3009 between the source & target DD.
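As an added example (not from this thread, nor Avamar's or Data Domain's own tooling): a small Python script that builds the minimal allow-list from the ports stated in the replies above (27000 or 29000 from the source utility node to the target utility and storage nodes, 2052 and 3009 between the source and target Data Domain) and diffs it against the flows seen on the firewall, so the change request lists exactly what is missing and which observed flows still need a justification. Host names and the observed-flow lines are constructed.

```python
# Added example: minimal Avamar replication allow-list vs. observed flows.
from dataclasses import dataclass
import re

# From the replies above: 27000 = proprietary/no encryption, 29000 = SSL
# Avamar replication; 2052 and 3009 between source and target Data Domain.
AVAMAR_REPL_PORT = {"plain": 27000, "ssl": 29000}
DD_REPL_PORTS = (2052, 3009)

@dataclass(frozen=True, order=True)
class Flow:
    src: str
    dst: str
    port: int

def required_flows(src_utility, tgt_utility, tgt_storage, encryption="plain",
                   src_dd=None, tgt_dd=None):
    """Source utility node -> every target utility/storage node on one port,
    plus the DD-to-DD pair when Avamar-controlled DD replication is used."""
    port = AVAMAR_REPL_PORT[encryption]
    flows = {Flow(src_utility, h, port) for h in (tgt_utility, *tgt_storage)}
    if src_dd and tgt_dd:
        flows |= {Flow(src_dd, tgt_dd, p) for p in DD_REPL_PORTS}
    return flows

# Constructed line format for a firewall summary: "src -> dst tcp 111,2049"
FLOW_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s+tcp\s+([\d,]+)$")

def parse_observed(lines):
    """Expand each summary line into one Flow per listed port."""
    flows = set()
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        for port in m.group(3).split(","):
            flows.add(Flow(m.group(1), m.group(2), int(port)))
    return flows

def audit(observed, required):
    """'missing' goes into the change request; 'unexpected' needs a reason."""
    return {"missing": sorted(required - observed),
            "unexpected": sorted(observed - required)}

# Constructed sample mirroring the flows listed in the original question.
OBSERVED = parse_observed([
    "src-util -> dst-dd tcp 111,2049,2052",
    "src-util -> dst-util tcp 8580,9443",
    "src-util -> dst-stor1 tcp 27000",
    "src-dd -> dst-dd tcp 2051,3009",
])
REQUIRED = required_flows("src-util", "dst-util", ["dst-stor1", "dst-stor2"],
                          src_dd="src-dd", tgt_dd="dst-dd")
```

Running `audit(OBSERVED, REQUIRED)` on the sample reports the 27000 flows to the target utility node and second storage node plus DD port 2052 as missing, and flags 8580, 9443, 2051 and the NFS-related ports as flows the allow-list does not account for.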
Hello Ian, I appreciate the quick response! I have been tasked with researching port usage and need it for my manager within 2 hours. Also I have been on the job for 3 weeks, and am new to the Avamar and Data Domain products.
In reading through the below link, I noticed several Data Domain products but not ours...a DD890.
Now I realize you said you are not a Data Domain expert, but do you think the ports would still be the same?
Or if anyone else would know, your comments would be appreciated.
Maybe Jordic might know?