dwilk1973
3 Silver

Ports that need to be open for replication?

Hey guys I am looking at the replication section of the admin guide and cannot find the requirements for firewall ports that need to be open for root-to-root or normal replication to occur.

0 Kudos
10 Replies
Anonymous
Not applicable

Re: Ports that need to be open for replication?

Hi,

Ports 27000 and 29000 need to be open on all the nodes for replication..

0 Kudos
matej_felle
2 Iron

Re: Ports that need to be open for replication?

You can find Avamar product security guide on Powerlink. Read - you have Port usage and firewall requirements.

BR

Matej

0 Kudos
fdxpilot
3 Argentum

Re: Ports that need to be open for replication?

I've reviewed the Avamar Product Security Guide.  Apendix A appears to contain a comprehensive list of ports used by Avamar.  Unfortunately, I'm not sure it completely distinguishes between ports used for replication and ports used for backups.  For example, here are the ports we see in use between the source and destination Avamar and Data Domain appliances from the perspective of a firewall sitting in between the source and destination networks:

Source Avamar utility node -> Destination Data Domain via tcp port 111,2049,2052 (portmapper, mount, nfs, rpc)

Source Avamar utility node -> Destination Avamar utility node via tcp port 8580, 9443 (web-browsing, ssl)

Source Avamar utility node -> Destination Avamar storage nodes via tcp port 27000 (avamar)

Source Data Domain -> Destination Data Domain via tcp port 2051, 3009 (unknown, ssl)

Are these ports all being used for replication or replication dependencies?  Is this a comprehensive list of ports needed for native Avamar and Avamar-controlled Data Domain replication?  I believe the last item above is for native Data Domain replication; are either of those ports needed if we do Avamar-controlled Data Domain replication instead?  We are trying to run replication out of a tightly controlled site so it's important we only allow the needed ports (and obviously allow all the ports that are needed).  We also are subject to a change control process so identifying all of the ports needed up front speeds up the process.

Specifically, why are the two grids talking on port 8580?  That is documented as being used for Avamar Downloader Service communication.  ADS obviously isn't running on the utility nodes (it requires a Windows box).  Ditto for 9443 between the two Avamar utility nodes.

29000 is documented as being used from all nodes to all replicator target nodes but we don't see that port in use.  Is it only used for part of the replication process?

What hosts are referred to as "Local host" in the source column of the table in Appendix A (e.g. backup clients, Avamar utility node, Avamar storage node?) 2049 and 2052 are referred to in this way and we see them in use between the source Avamar utility node and destination Data Domain but we do not see 3008 in use which is labeled in the same manner in the appendix.

Are 163, 161, 131 or 7 needed for Avamar-controlled replication of Data Domain backups from one grid/DDR to another grid/DDR?

0 Kudos
ionthegeek
4 Ruthenium

Re: Ports that need to be open for replication?

For pure Avamar replication, only port 27000 (or 29000 for SSL encrypted replication) is required for the replication process itself. The source utility node must be able to reach the target's utility and storage nodes.

The best way to think of Avamar replication is as a simultaneous restore from the source and backup to the target. Replication uses a "two headed" avtar to connect to both source and target and replicate the data from grid to grid. This avtar runs on the utility node of the source and connects to the target like any other backup client. I'm glossing over some detail here but for the purposes of a discussion about ports, this should be enough. I've been meaning to write up a blog post on replication for some time but haven't had a chance.

The Enterprise Manager communicates with the MCS utility node services on various ports:

  • Port 9443 is the web services port for the Administrator Server (MCS). This port is required for monitoring and managing a system from the EM GUI. If replication is being managed by editing the configuration file directly, this port is not required.
  • In addition to the downloader service, port 8580 is used by the EM to communicate with the Avamar Installer.

Just like with backups, port 27000 is used for proprietary or no encryption and port 29000 is used for SSL encryption.

For Avamar / DD integrated replication, the Avamar and DataDomain systems both communicate with their replication partners in the usual way but replication of the Avamar Mtree on the DDR is initiated by the source Avamar server using a ddrmaint command instead of being under the control of the DDR itself.

I'm not that familar with the DDR side of things so I'll see if I can wrangle somebody with more DDR experience to answer your questions about the ports required for DDR integrated replication.

Message was edited by: ianderson -- clarify EM communication details

0 Kudos
fdxpilot
3 Argentum

Re: Ports that need to be open for replication?

Thanks, Ian.  That's deceptively straightforward and makes sense.  I was getting lost in the table of port numbers.  We'll start by allowing 27000 to replicate native Avamar backups and go from there.

Look forward to the details for Data Domain Avamar-integrated replication and your blog post.

0 Kudos
Anonymous
Not applicable

Re: Ports that need to be open for replication?

I read the blog and I think that Joe has several questions remaining:

  1. Source Data Domain -> Destination Data Domain via tcp port 2051, 3009 (unknown, ssl)  Are these ports all being used for replication or replication dependencies? Is this a comprehensive list of ports needed for native Avamar and Avamar-controlled Data Domain replication?

For the first question, the answer is correct. Port 2052 and 3009 between the source & target DD are being used for replication.   We can provide the following document which is a comprehensive list of ports needed for allowing access to a Data Domain system through a firewall.  https://my.datadomain.com/download/kb/appliance/firewall_port_requirements.html?fsearch=1&query=Port...

TCP 2052 - Replication / OST / Optimized Duplication - Port is used only if replication is configured on the Data Domain system. Run ‘replication show config’ to determine if this is the case. This port can be modified via the ‘replication modify’ command

TCP 3009 - SMS (System Management) - Port is used for managing a system remotely using Web Based GUI DDEM (Data Domain Enterprise Manager). This port cannot be modified. This port is only used on Data Domain systems running DDOS 4.7.x or later. This port will also need to be opened if you plan to configure replication from within the Data Domain GUI interface, as the replication partner needs to be added to the DD Enterprise Manager.

For the second question:

  1. Are 163, 161, 131 or 7 needed for Avamar-controlled replication of Data Domain backups from one grid/DDR to another grid/DDR?

TCP Ports 161 & 163 are used for Avamar to monitor DD via SNMP.  Since Avamar MCs does not monitor the target DD via SNMP I don't believe these ports are required to be open.

I'm not sure about ports 131 and port 7 since they are quite vaguely described in the latest version of Avamar product security guide (P/N 300-013-347) .  The table doesn't specify from which source and which destination host these ports should be open.

TCP 131 - Related to the network environment Required when storing backups on a Data Domain system.

7/ECHO Java-related for Data Domain system communication Only required if Data Domain is used to store Avamar client backups.

I think (but not 100% sure) that If youve already got avamar replication working and want to open minimum ports to allow avamar controlled DD replication, then open Port 2052 and 3009 between the source & target DD. 

0 Kudos
papawiskas
2 Bronze

Re: Ports that need to be open for replication?

If you did write this blog post...what is the URL, I would like to read it over if you don't mind.

Thanks.

0 Kudos
ionthegeek
4 Ruthenium

Re: Ports that need to be open for replication?

Unfortunately I haven't had a chance to write it up yet. It's still sitting 3/4 written in my drafts folder.

0 Kudos
papawiskas
2 Bronze

Re: Ports that need to be open for replication?

Hello Ian, I appreciate the quick response! I have been tasked with researching port usuage and need it for my manager with in 2 hours. Also I have been on the job for 3 weeks, and am new to the Avamar and Data Domain products.

In reading through the below link, I noticed several Data Domain products but not ours...a DD890.

Now I realize you said you are not a Data Domain expert, but do you think the ports would still be the same?

Or if anyone else would know, your comments would be appreciated.

https://my.datadomain.com/download/kb/appliance/firewall_port_requirements.html?fsearch=1&query=Port...

Maybe Jordic might know?

0 Kudos