Backup Exec 2012 Oracle agent, error 0xe000846b and firewalls

I’m in the process of upgrading a Backup Exec installation to the latest version and adding Oracle backups using the Backup Exec Agent For Applications And Databases. The backup server and database server are both running Windows Server 2008. This was going reasonably smoothly (well, Symantec smoothly which is bumpier than most) until I ran into an issue with the Oracle backups that took a little while to solve. It turns out that if there’s a firewall between your backup server and database server, you’ll probably need to make some changes and these aren’t very well documented.

When I ran an Oracle backup, I would get the following error:

Final error: 0xe000846b – The resource could not be backed up because an error occurred while connecting to the Agent for Windows. The correct version of the Agent for Windows must be running on the target computer.

This didn’t affect normal filesystem backups to the database server. Also, the Backup Exec job log helpfully includes the RMAN output from the Oracle end and this showed that the backup had started (so the initial connection to the agent had obviously worked) but then an error had occurred, presumably when RMAN tried to start streaming the data to the backup server.

After several dead end searches, I eventually found Symantec Technote 209163 which explains that one possible cause is the Windows Firewall and that the solution was to disable the firewall on both servers. I did that to find out if this was the solution – it was! And a couple more tests showed it was only the database server’s firewall that needed to be disabled. But I couldn’t just disable a customer’s server firewall, and frankly didn’t want to. So I dug a little deeper.

Symantec Technote 74284 explains the TCP ports used by the Oracle agent at the various communication and transfer stages. I guessed the problem started at session 3 when the dynamic port connections are first made. Using Backup Exec through firewalls (from the Backup Exec Admin Guide but easier to link to on that site) added more detail. And Symantec Technote 24256 explained how to control the dynamic port range. So the solution seemed to be to limit the port range being used and then make a firewall exception for just those ports.

Symantec suggests using a minimum of 25 dynamic ports; the minimum should be fine for this small installation. To set the ports in Backup Exec 2012, you need to click the Backup Exec button at the top left of the server administration console, select Configuration and Settings followed by Backup Exec Options and then go onto the Network and Security tab. Tick the check box for Enable TCP Dynamic Port Range and enter your chosen range, in my case from 1025 to 1050. Click OK to save.

Then hop over to your database server and open Windows Firewall With Advanced Security in Administrative Tools. Create a new inbound rule for the TCP port range 1025-1050 which allows the connection for all profiles. Once the rule is created, you can refine it further by double-clicking it and, for example, restricting the rule to connections from your Backup Exec server.
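The same inbound rule can be scripted with netsh from PowerShell on the database server, scoped to the Backup Exec server from the start. This is an added example, not part of the original post: the rule name and the address 192.0.2.10 are placeholders, and it assumes a Windows version whose netsh accepts a port range in `localport`.

```powershell
# Added example: creates the inbound firewall rule for the Backup Exec
# dynamic port range, restricted to the Backup Exec server's address.
# Run from an elevated PowerShell prompt on the database server.
param(
    # Placeholder address (documentation range); replace with the Backup Exec server's IP.
    [string]$BackupServerIp = '192.0.2.10',
    # Must match the range entered under Enable TCP Dynamic Port Range in Backup Exec.
    [int]$FirstPort = 1025,
    [int]$LastPort  = 1050,
    # Hypothetical rule name chosen for this example.
    [string]$RuleName = 'Backup Exec dynamic ports'
)

# Symantec suggests a minimum of 25 dynamic ports; refuse a narrower range.
$portCount = $LastPort - $FirstPort + 1
if ($portCount -lt 25) {
    throw "Range $FirstPort-$LastPort has only $portCount ports; at least 25 are suggested."
}

# Reject a malformed address before it reaches netsh.
$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($BackupServerIp, [ref]$parsedIp)) {
    throw "'$BackupServerIp' is not a valid IP address."
}

$portRange = "${FirstPort}-${LastPort}"

# Delete any earlier copy so re-running the script does not stack duplicate rules.
# netsh reports an error if no such rule exists; that is expected on the first run.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# Inbound, TCP only, all profiles, and only from the Backup Exec server.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=$portRange remoteip=$BackupServerIp profile=any
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not create the rule (exit code $LASTEXITCODE)."
}

# Show the rule as stored so the port range and remote address can be checked.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

Setting `remoteip` when the rule is created means the port range is never open to other hosts, even briefly.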

I’ve now run several full and incremental backups and they’ve all gone smoothly.