The following table summarises the NetBackup firewall ports:

| Source | Destination | Ports (TCP/UDP) | Description |
| --- | --- | --- | --- |
| Master/Primary Server | Media Server | 13724 / vnetd, 1556 / pbx, 13783 / NBAC, 13722 / NBAC | Master - Media server/appliance internal communication. Master server to/from media servers requires the TCP port for PBX/1556, bi-directional. It is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts. NetBackup Access Control (NBAC) services listen on TCP ports 13783 and 13722. |
| Master/Primary Server | Backup Client | 13724 / vnetd, 1556 / pbx, 13783 / NBAC, 13722 / NBAC | Master - Client backup/restore communication. Master server to client requires the TCP port for PBX/1556 if performing stream discovery, application discovery, or if the clients perform user-directed backup/archive/restore, or client-directed application backup/list/restore. TLS/SSL protocol must be allowed on the TCP port for PBX/1556 inbound to the master server. It is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts. NetBackup Access Control (NBAC) services listen on TCP ports 13783 and 13722. |
| Master/Primary Server | ESXi / vCenter | 443 (VMware) | If using query builder (VIP), master server to vCenter requires TCP port 443. |
| Master/Primary Server | NDMP | 10000 (NDMP) | Master/Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000. |
| Media Server | Backup Client | 13724 / vnetd, 1556 / pbx, 10082 (De-dup), 10102 (De-dup), 443 (De-dup), 7394 (GRT/NFS Server) | Media server to client requires the TCP port for PBX/1556. SAN Client to/from master/media servers requires the TCP port for PBX/1556, bi-directional. Client to storage/media server requires the TCP ports for spad/10102 and spoold/10082 for Client Direct backup and restore. Clients require the TCP port for PBX/1556 to be open either to the master server or to a media server that can act as an HTTP proxy tunnel for web service calls. It is recommended that the TCP port for vnetd/13724 remain open bi-directional between NetBackup hosts. |
| Media Server | ESXi / vCenter | 443 (VMware), 902 (NBD/NBDSSL) | Backup host (appliances) to vCenter requires TCP port 443. If using the nbd transport type, backup host (appliances) to ESX host requires TCP port 902. |
| Media Server | NDMP | 10000 (NDMP) | Media server (DMA) to NDMP filer (tape or disk) requires TCP port 10000. The SERVER_PORT_WINDOW is used inbound from the filer to the media server for remote NDMP and can also be used for efficient catalog file (TIR data) movement with local and 3-way NDMP. If using shared drives and Automatic Volume Recognition, open the ICMP protocol from the media server scan host that is hosting the avrd process to the NDMP filers hosting the tape drives. |


For more details, see the following Veritas tech-note: https://www.veritas.com/support/en_US/article.100002391
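
The port matrix above can be turned into a directional allow-list and used to review firewall logs for connection attempts that fall outside it. The following is an added example, not Veritas code: the role names, addresses and sample flows are constructed, and where the table does not state a direction the rule follows its Source and Destination columns (an assumption to confirm against the tech-note).

```python
# Added example: audit connection attempts against the NetBackup port matrix.
# Each rule is (initiator role, listener role, TCP port); role names are hypothetical.

def build_allow_list():
    allow = set()

    def add(src, dst, ports, both=False):
        for port in ports:
            allow.add((src, dst, port))
            if both:
                allow.add((dst, src, port))

    # PBX/1556 and vnetd/13724: bi-directional between NetBackup hosts.
    for a, b in (("master", "media"), ("master", "client"), ("media", "client")):
        add(a, b, (1556, 13724), both=True)
    # Direction below follows the table's Source/Destination columns (assumption).
    add("master", "media", (13783, 13722))    # NBAC
    add("master", "client", (13783, 13722))   # NBAC
    add("media", "client", (443, 7394))       # De-dup, GRT/NFS Server
    add("client", "media", (10082, 10102))    # spoold/spad, Client Direct
    add("master", "vcenter", (443,))
    add("media", "vcenter", (443,))
    add("media", "esx", (902,))               # nbd transport type
    add("master", "ndmp", (10000,))
    add("media", "ndmp", (10000,))
    # Not modelled: SERVER_PORT_WINDOW (no range on the page) and ICMP for avrd.
    return allow

def audit(flows, roles):
    """Return (src, dst, port, reason) for every flow outside the matrix."""
    allow = build_allow_list()
    findings = []
    for src, dst, port in flows:
        s, d = roles.get(src), roles.get(dst)
        if s is None or d is None:
            reason = "host not in inventory"
        elif (s, d, port) in allow:
            continue
        elif (d, s, port) in allow:
            reason = "only the reverse direction is in the matrix"
        else:
            reason = "not in port matrix"
        findings.append((src, dst, port, reason))
    return findings

# Constructed inventory and flows (documentation address ranges).
ROLES = {"192.0.2.10": "master", "192.0.2.20": "media", "192.0.2.30": "client",
         "192.0.2.40": "vcenter", "192.0.2.50": "ndmp"}
FLOWS = [("192.0.2.30", "192.0.2.10", 1556), ("192.0.2.30", "192.0.2.20", 10102),
         ("192.0.2.20", "192.0.2.40", 443), ("192.0.2.40", "192.0.2.20", 443),
         ("192.0.2.30", "192.0.2.50", 10000), ("198.51.100.7", "192.0.2.10", 1556)]
```

Calling `audit(FLOWS, ROLES)` returns only the flows that need review, each with the reason it was flagged.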