ADSM-L

Re: Backing up clients from DMZ on TSM server inside the firewall

2002-04-23 14:25:27
Subject: Re: Backing up clients from DMZ on TSM server inside the firewall
From: Robert Clark <raclark AT REGENCE DOT COM>
Date: Tue, 23 Apr 2002 11:07:31 -0700
NAT the TSM server address so that it appears to be in the DMZ.

That way if you need to change the layout of the LAN outside of the DMZ,
you don't have as many firewall rules to change.

Has anyone seen a document that describes exactly what ports the TSM client
needs to use for a backup session? Using tcpdump to figure out what we need
open seems kind of backwards.

Thanks, [RC]

Robert Clark
The Regence Group
Storage Administrator
503-220-4743

From: "Makkar, Jas" <JMakkar@ADT.COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM DOT MARIST.EDU>
Date: 04/23/2002 10:59 AM
Please respond to: "ADSM: Dist Stor Manager"
To: ADSM-L AT VM.MARIST DOT EDU
cc:
Subject: Backing up clients from DMZ on TSM server inside the firewall

We are trying to develop an approach to back up the
clients who are in the DMZ via TSM server sitting
inside the firewall.  Please comment on the following
strategy:


To back up the Clients in DMZ from TSM Lib located
within the Intranet, install the TSM client on the
Client in DMZ and open a port in the firewall.
Additionally, use data encryption.   To do this, you
would use the include.exclude and exclude.encrypt
options in your options file. . The encryption key for
these can either be stored locally on your machine or
prompted for each time a backup or restore is
attempted. This is set with encryptkey option in your
options file.

TSM clients in DMZ should not be allowed to do any
administrative function.   You can only prevent the
client from deleting backups and archives. This can be
performed by running (on the TSM server): update node
<nodename> archdelete=no backdelete=no .

Note:  You could also change password=prompt in the
client options file to require a password before a
client could perform any actions.  Not recommended
though.   Additionally, since the TSM server address
is required in client options file, you  can't hide
information about the TSM server, in case of security
breach.

ANY BETTER IDEA is appreciated.  Additionally, any red
flags in the strategy.

Thanks in Advance.
Jas
jaz.makkar AT eds DOT com
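
An added example, not part of the thread and not IBM's tooling: a Python check that reads a TSM client options file, lists the TCP flows the firewall has to pass, and notes the encryption and password settings discussed above. It assumes the standard client option names (tcpserveraddress, tcpport, tcpclientport, schedmode, passwordaccess, include.encrypt, encryptkey) with the defaults of port 1500, port 1501 and polling; the sample file, the address and the `dmz-client` label are constructed.

```python
# Added example: audit a TSM client options file for the DMZ setup in this thread.
DEFAULTS = {"tcpport": "1500", "tcpclientport": "1501", "schedmode": "polling"}

# Constructed sample; the address is a documentation placeholder.
SAMPLE_OPTS = """\
* options for a DMZ client (constructed)
TCPSERVERADDRESS 192.0.2.10
PASSWORDACCESS   GENERATE
SCHEDMODE        PROMPTED
ENCRYPTKEY       SAVE
EXCLUDE.ENCRYPT  /tmp/*
"""

def parse_options(text):
    """Return {option: [values]}; '*' starts a comment, names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def first(opts, name):
    """First value given for an option, else its default, else ''."""
    return opts.get(name, [DEFAULTS.get(name, "")])[0]

def firewall_rules(opts, client="dmz-client"):
    """TCP flows the firewall must pass, as (source, destination, port)."""
    server = first(opts, "tcpserveraddress")
    rules = [(client, server, int(first(opts, "tcpport")))]  # client-initiated sessions
    if first(opts, "schedmode").lower() == "prompted":
        # server-prompted scheduling: the server opens a connection to the client
        rules.append((server, client, int(first(opts, "tcpclientport"))))
    return rules

def findings(opts):
    """Notes on the encryption and password settings discussed in the thread."""
    notes = []
    if "include.encrypt" not in opts:
        notes.append("no include.encrypt statement: no files are selected for encryption")
    if first(opts, "encryptkey").lower() == "save":
        notes.append("encryptkey save: the encryption key is stored on the client")
    if first(opts, "passwordaccess").lower() == "generate":
        notes.append("passwordaccess generate: the node password is stored on the client")
    return notes

if __name__ == "__main__":
    opts = parse_options(SAMPLE_OPTS)
    for rule in firewall_rules(opts):
        print("allow tcp %s -> %s port %d" % rule)
    print("\n".join(findings(opts)))
```
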


