SUMMARY
Effect of Windows Firewall on Windows Agent and Windows Instant Recovery (WIR)
ISSUE
Purpose
Discuss how firewall settings can affect client backups and Windows Instant Recovery (WIR) restores
Description
In order for backup/recovery of client data to work properly, communication channels must remain open between the backup appliance and the client computer. Likewise, when WIR is enabled for a Windows client, the required communication channels must remain open between the backup appliance and the WIR virtual client running on the appliance. If the Windows firewall is not configured properly with the necessary channels open, the appliance either won’t be able to see the client, the backups will fail, or the WIR restores will fail.
Cause
When the Windows Agent is installed on a client, it adds several firewall settings that open up the required communication channels. Specifically, a rule is added that allows communication to the BPNETD.exe, WBPR.exe and WBPS.exe processes on all ports for incoming connection requests. Additionally, on more recent versions of Windows, a rule is added that allows ICMP (ping) requests to the client. All rules that are added can be found by looking for Inbound Rules that begin with “Unitrends” under Advanced Security settings in the firewall interface.
Any modifications to the Windows firewall that closes these communication channels can affect the functionality of backups and WIR recovery. In some cases, backups will work, but WIR restores will fail. This is likely due to the fact that the network port configuration on the virtual client during a WIR restore is different from the configuration on the actual client. On the virtual client, a single virtual port is provided to the client regardless of how the physical ports are configured on the actual client. This difference can in some cases cause the firewall rules to work differently on the WIR instance.
Resolution
If you are trying to add a new client to be backed up in the RRC GUI, and it is telling you it can’t contact the client after you’ve given an IP address, verify that the rule that allows incoming ICMP requests to the client is enabled. Note that on older Windows versions, the Print and File Sharing rule opens up the required ICMP port, while on later versions, there is a specific Unitrends rule.
If backups are failing due to communication problems, verify the rules allowing communication to the agent processes are enabled.
If WIR restores are failing due to communication problems, there are many possible causes. One of the things to check while searching for the source of the problem is the firewall rules. Turn off the firewall completely on the actual client machine and do another incremental backup. If the subsequent WIR restore that was failing before succeeds, then the problem is likely a firewall problem. You can either leave the firewall off, or begin a search for the rule that might be causing the problem.