Backing up a Threat Management Gateway using Backup Exec


Anyone can run into trouble using Backup Exec to back up their Threat Management Gateway 2010. TMG uses a different range of dynamic ports from a standard Windows Server installation.

Since Windows Vista the new default start port is 49152. The default end port is 65535. Earlier versions of Windows used 1025 through 5000. The new range gives you 16384 ports. You can check this with the netsh command.

  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp
  • netsh int ipv6 show dynamicport tcp
  • netsh int ipv6 show dynamicport udp


Now when you execute the command on a machine running TMG 2010 you’ll probably find that the start port is 10000. This can cause problems with Backup Exec.

Backup Exec's Remote Agent uses the Network Data Management Protocol (NDMP). This is necessary to create the backup data stream. NDMP uses port 10000. Normally this is not an issue. On a TMG, however, the dynamic range is changed and wininit.exe will seize the first of the dynamic ports. There are two solutions to this problem.

You can change the port the backup agent uses

Open Notepad in administrator mode and open c:\windows\system32\drivers\etc\services

Add the following line to the services file:

  • ndmp 9000/tcp #Network Data Management Protocol

This will change the port to 9000. Don't forget that you'll have to do this on the media server as well, and thus on every server you want to back up. Sounds like fun when you have 100+ servers.

You can change the Dynamic Port Range on your Threat Management Gateway

On your TMG open an elevated command prompt and run the following command:

  • netsh int ipv4 set dynamicportrange tcp startport=10010 numberofports=30000

Now reboot the TMG server.

This will free up the first 10 ports of the dynamic range so that NDMP can make use of them. After the reboot, make a test run. Beats reconfiguring 100+ servers.

After the reboot you can verify that everything went well by executing the following command:

  • netstat -ao |find /i "listening"

This will give you a listing of the listening ports and the corresponding process IDs. You should find the NDMP port being listened on by a process whose ID is the same as that of the Beremote.exe process, which you can look up in Windows Task Manager.
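
The checks described above combined into one script, as an added example that is not part of the original post. It assumes English-language netsh and netstat output and Windows PowerShell 2.0 or later; the function and variable names are illustrative.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: netsh and netstat print English labels ("Start Port", "LISTENING").

# Hypothetical helper: return the first integer captured by $pattern in $lines.
function Get-FirstInt($lines, $pattern) {
    $m = $lines | Select-String $pattern | Select-Object -First 1
    if (-not $m) { throw "Pattern '$pattern' not found (non-English output?)" }
    [int]$m.Matches[0].Groups[1].Value
}

# NDMP port: 10000 unless an "ndmp <port>/tcp" line in the services file overrides it.
$ndmpPort = 10000
$services = Join-Path $env:SystemRoot 'System32\drivers\etc\services'
$override = Select-String -Path $services -Pattern '^\s*ndmp\s+(\d+)/tcp' |
    Select-Object -First 1
if ($override) { $ndmpPort = [int]$override.Matches[0].Groups[1].Value }

# Current TCP dynamic port range as reported by netsh.
$netsh = netsh int ipv4 show dynamicport tcp
$start = Get-FirstInt $netsh 'Start Port\s*:\s*(\d+)'
$count = Get-FirstInt $netsh 'Number of Ports\s*:\s*(\d+)'
$end   = $start + $count - 1

if ($ndmpPort -ge $start -and $ndmpPort -le $end) {
    Write-Output "CONFLICT: NDMP port $ndmpPort lies inside the dynamic range $start to $end"
} else {
    Write-Output "OK: NDMP port $ndmpPort is outside the dynamic range $start to $end"
}

# Which process is listening on the NDMP port right now?
$pattern   = '^\s*TCP\s+\S+:' + $ndmpPort + '\s+\S+\s+LISTENING\s+(\d+)'
$listeners = netstat -ano | Select-String $pattern
if (-not $listeners) { Write-Output "Nothing is listening on TCP port $ndmpPort" }

foreach ($l in $listeners) {
    $procId = [int]$l.Matches[0].Groups[1].Value
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $name   = if ($proc) { $proc.ProcessName } else { 'unknown' }
    if ($name -eq 'beremote') {
        Write-Output "OK: port $ndmpPort is held by beremote (PID $procId)"
    } else {
        Write-Output "WARNING: port $ndmpPort is held by $name (PID $procId), not beremote"
    }
}
```

Run it once before the change and once after the reboot: the first run should report the conflict, the second should show beremote holding the port.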