  1. #1
    Member mccleld's Avatar

    FastBack DR with FTPS v Firewall

    Hi Guys,

    I'm curious to learn if anybody else here is using the FastBack DR capability through a firewall, and whether you've been able to get it to support FastBack's encryption capability (i.e., FTP over SSL, aka FTPS).

    I'm having a torrid time of it - seems as though FTPS is pretty horrendous when it comes to playing ball with firewalls - which for me makes it a puzzling choice as a protocol for a DR capability where there's a good likelihood of firewalls being in the data path between live and DR locations.

    It works fine through the firewall when using standard FTP (the firewall admins have opened up FTP for my hosts) but we're all at a loss as to how best to manage the FTPS connection, in particular its use of so many ports. I'm wondering if anyone else has already been here and, if so, how they worked through it.

    Many thanks,
    ___________
    David Mc
    London, UK

  2. #2
    Member mccleld's Avatar

    Okay, I've an update on this in case it may aid anyone else who goes through this pain.

    In summary (and, not being a network/firewall guy, apologies if I'm a little vague in some areas), many firewalls snoop in on the FTP control connection packets going over port 21 and thereby keep track of which ports are being used by the data connection to ensure that they are allowed through the firewall. However, with FTPS this control connection is secured so that firewalls cannot inspect the packets and therefore the dynamic ports of data channels cannot be opened automatically. This will cause a problem in shops where firewalls are locked down as much as possible - particularly when data is travelling inter-site, as is likely to be the case with a DR mechanism where encryption is also a likely requirement.

    One solution that we came up with was to add a rule telling the firewall that traffic over port 21 between two specified hosts (FastBack Server and FastBack DR Hub) was generic traffic (i.e., not FTP/FTPS) so that it didn't try to snoop on the packets. Furthermore, the FTP server (FTP Server 7.5 in IIS 7.0 in this instance) was configured to use a restricted data channel port range (as per http://forums.iis.net/t/1157414.aspx), which was also opened between these two hosts.

    Hope this helps - again, if anyone else has been through anything along these lines it'd be great to hear your experiences.

    Cheers,
    ___________
    David Mc
    London, UK
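
The behaviour described in post #2, as an added example that is not part of the original thread: a small model of what an FTP-inspecting firewall can read from the control channel before and after TLS starts, and why a fixed data-channel range removes the need to read it. The port range, addresses and traffic below are constructed for illustration; the post does not state the values used.

```python
import re

# Assumed restricted data-channel range, set on the FTP server and opened on the
# firewall between the two hosts (constructed values; the post gives no numbers).
PASSIVE_RANGE = (50000, 50100)

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")

def data_port(reply: bytes):
    """Port announced in a PASV (227) or EPSV (229) reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))
    m = EPSV_RE.match(reply)
    return int(m.group(1)) if m else None

def is_tls_record(segment: bytes) -> bool:
    """TLS record header: content type 20-23 followed by major version 3."""
    return len(segment) >= 3 and 20 <= segment[0] <= 23 and segment[1] == 3

def firewall_view(segments):
    """What an FTP-inspecting firewall can learn from each control segment."""
    return [("opaque", None) if is_tls_record(s) else ("cleartext", data_port(s))
            for s in segments]

def in_static_range(port: int) -> bool:
    """True if a fixed firewall rule for PASSIVE_RANGE already covers the port."""
    return PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]

# Constructed control-channel traffic (server to client), not captured data.
PLAIN_FTP = [b"227 Entering Passive Mode (10,0,0,5,195,100)\r\n"]
FTPS = [b"234 AUTH command ok. Expecting TLS Negotiation.\r\n",
        b"\x17\x03\x03\x00\x20" + bytes(32)]  # encrypted 227 reply, unreadable

if __name__ == "__main__":
    print(firewall_view(PLAIN_FTP))   # firewall reads the port and can open it
    print(firewall_view(FTPS))        # after AUTH TLS nothing is readable
    print(in_static_range(50020))     # static range rule covers it anyway
```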
