Backup Exec 12.5 does not Support Backup Jobs Using NAT

Publication Date: 2012-07-19
Issue Description
Private IP addresses were assigned to servers in both the local equipment room and the disaster recovery room of the customer, and a firewall was deployed at the network egress of each equipment room. The customer planned to back up the SQL Server 2005 database in the local equipment room from the Backup Exec 12.5 server in the disaster recovery room, using NAT to implement remote disaster recovery.
On the server running the SQL Server 2005 database, the customer changed the media server address in the Remote Agent to the public IP address translated by NAT. However, the Backup Exec server in the disaster recovery equipment room failed to detect the Backup Exec client. The customer then enabled all ports on the firewall and manually added the Backup Exec client on the Backup Exec server, but the fault persisted. In addition, the media server list of the Backup Exec Remote Agent on the server running SQL Server still displayed the private IP address of the Backup Exec server in the disaster recovery center.
Alarm Information
None
Handling Process
Because Backup Exec does not support NAT, set up a virtual private network (VPN).
On the firewall in the local equipment room, configure an L2TP VPN, and assign only one IP address to the dialup address pool so that the VPN client always obtains this IP address after each dialup. Then set up an L2TP dialup connection on the Backup Exec server and dial up from that server to connect to the VPN. After the Backup Exec server successfully detects the Backup Exec client, formulate a backup policy to test the backup and recovery functions. The result is positive.
Root Cause
According to Symantec, Backup Exec does not support NAT. NAT translates only the IP addresses in IP headers, not private IP addresses contained in the application-layer data of an IP packet. The Backup Exec server interacts with the Remote Agent using an IP address contained in application-layer data. This is why the private IP address of the Backup Exec server can be viewed on the Backup Exec Remote Agent. This also explains why the Backup Exec server cannot detect the Remote Agent.
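The effect described above can be reproduced with a few lines of Python. This is an added example, not code from the original case or from Symantec: it applies a plain source NAT to a packet and then compares the header address with the address carried in the payload. The `MEDIA_SERVER=<ip>` payload and all addresses are constructed for illustration and are not the Backup Exec wire format.

```python
import ipaddress
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 6) followed by the payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload

def source_nat(packet: bytes, public_src: str) -> bytes:
    """What a plain NAT device does: rewrite the header source, fix the checksum."""
    head = bytearray(packet[:20])
    head[12:16] = ipaddress.IPv4Address(public_src).packed
    head[10:12] = b"\x00\x00"
    head[10:12] = struct.pack("!H", checksum(bytes(head)))
    return bytes(head) + packet[20:]          # payload bytes are left untouched

def header_source(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[12:16]))

def advertised_address(packet: bytes) -> str:
    """Parse the constructed 'MEDIA_SERVER=<ip>' payload (hypothetical format)."""
    return packet[20:].decode().split("=", 1)[1]

def nat_mismatch(packet: bytes) -> bool:
    """True when the payload advertises a private address the header no longer carries."""
    adv = ipaddress.ip_address(advertised_address(packet))
    return adv.is_private and str(adv) != header_source(packet)

# Constructed addresses: 192.168.10.5 is the server's private address,
# 203.0.113.10 and 198.51.100.20 are documentation-range public addresses.
original = build_packet("192.168.10.5", "198.51.100.20", b"MEDIA_SERVER=192.168.10.5")
translated = source_nat(original, "203.0.113.10")

if __name__ == "__main__":
    print("header source after NAT :", header_source(translated))
    print("address seen by the peer:", advertised_address(translated))
    print("mismatch                :", nat_mismatch(translated))
```

The same comparison, header source against the address an agent reports for its peer, is a quick check when an application fails across NAT even though the firewall passes all ports.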
Suggestions
Occasionally, customers want to implement remote backup using NAT. However, Backup Exec does not support NAT. Set up VPNs (dialup or site, as required) to meet such requirements.
