ADSM-L

Re: Question about backup scenario (long)

2002-10-17 12:38:36
From: "Mark D. Rodriguez" <mark AT MDRCONSULT DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 17 Oct 2002 11:37:22 -0500
Peter Bjoern wrote:

Hi,

I have a few questions about a possible backup scenario.

The scenario includes two TSM servers, a firewall and a number of clients
placed outside the firewall.

The exact configuration is a little more complicated than I describe here,
but for the sake of simplicity
I will try to describe the scenario as simply as possible.

The simplified scenario is :
Two clients, called client_a and client_b are placed outside the firewall.
One TSM server, called tsm_ext, is placed outside the firewall. It has no
tape library.
One TSM server, called tsm_int, is placed inside the firewall. It has a
large tape library.

The clients will backup to the external server tsm_ext, but since tsm_ext
has no tape library
tsm_ext will have to pass the data on to virtual volumes on the internal
server tsm_int.

This is being done by establishing a server-to-server communication between
tsm_ext and
tsm_int.
On tsm_ext a "define server" command has defined tsm_int  as "int1" with
the appropriate IP address,
port etc.
The necessary device class "int1c" pointing to "int1" and a sequential pool
"int1p" pointing to "int1c"
has been defined and the tsm_ext has been defined as a client "extsvr1"
(type=server) on tsm_int.
Everything OK.

The server-to-server mechanism has been tested and it works perfectly, data
being backed up to
the "int1p" pool on the tsm_ext server on a virtual volume.

Now to the problem and question.
On the internal server, tsm_int,  all data that comes from tsm_ext will be
owned by client "extsvr1" and
will be stored according to the policies that apply to this client.
I.e. if it eventually goes to a tapepool on tsm_ext it will be collocated
(if collocation is on, of course)
on a range of tapes in the library.

Well, the data coming from tsm_ext contains data from two clients (client_a
and client_b).
This data will be intermixed on the virtual volumes and eventually also on
the physical volumes
in the library.
Thus we have lost collocation for client_a and client_b in the tape
library, with the usual potential
problems in a restore situation as a consequence.
Now consider that in real life it's not just two clients but a larger
number (50+)

Is there any way we can pass the data on from tsm_ext to tsm_int and still
maintain separation/collocation
between the "real" clients after the data is passed on to tsm_int as coming
from client "extsvr1" ?

We have considered a brute-force approach by defining a complete set of
server/devclass/pool/clientname
for each real "client" thus having the internal server, tsm_int, see data
as coming from different clients and
thereby collocating data for each client in the tape library.
This _will_ work (I've tested it for two instances) but I really don't
like having to do it that way.

Is there any other way we can accomplish what we want (to keep the client
data collocated in
the tape library) ?

Regards

Peter


Peter,

I may be missing something here but I think I have an "almost" answer.
I would have client_a and client_b back up to a diskpool on
tsm_ext, then migrate to a storage pool with collocation that uses the
virtual volumes.  ITSM should then collocate the data onto separate
virtual volumes.  If you make the virtual volume size the same size as a
tape you would in effect accomplish what you are looking for.  However,
this is not a perfect solution (especially if you have large capacity
tapes like an LTO) because if the client does not back up in amounts
close to the capacity of the tape then this system will be less than
efficient.

Now, I have another suggestion though.  I have seen several people
lately post about using ITSM through a firewall. Yours is just another
example of how to do it.  I have been doing this quite successfully by
using VPNs.  I don't have to worry about opening ports or any of the
other concerns people have been dealing with.  Typically I just run a
VPN from firewall to firewall; as far as the clients are concerned the
ITSM server is simply on another subnet.  Therefore, there is no special
ITSM configuration required and the security level is much greater.
Anytime you open ports through your firewall you are opening holes in
it.  In addition, the ITSM client/server code is not what I would call
highly secure!  In fact, if you have any kind of security requirements
(HIPAA comes to mind) opening ports probably would be a violation.
Also, keep in mind that your data, login and password are traveling the
public network in clear text!  Everything that traverses the VPN
tunnel is encrypted.

If you would like to discuss various methods of doing the VPNs I would
be glad to do that although I am not sure that is on topic for this
list.  However, if there is enough interest I would be glad to post a
simple diagram with my firewall configuration and the necessary hardware
and software.  I can build the Firewall/Router/VPN for under
$1000.00(USD) and install, configure and test the system in less than a
day.  And for a home or small office I can build the box for about half
that.

--
Regards,
Mark D. Rodriguez
President MDR Consulting, Inc.

===============================================================================
MDR Consulting
The very best in Technical Training and Consulting.
IBM Advanced Business Partner
SAIR Linux and GNU Authorized Center for Education
IBM Certified Advanced Technical Expert, CATE
AIX Support and Performance Tuning, RS6000 SP, TSM/ADSM and Linux
Red Hat Certified Engineer, RHCE
===============================================================================
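
The disk-pool-to-collocated-virtual-volume layout suggested in the reply, sketched as a TSM administrative macro for tsm_ext. This is an added example, not part of the original post: the names int1c and int1p come from the thread, while the pool name EXTDISK, the 100G capacity (chosen to match an assumed native tape size), MAXSCRATCH and the migration thresholds are illustrative assumptions.

```text
/* Run on tsm_ext. int1c and int1p are the device class and pool from the  */
/* thread; EXTDISK and all sizes and thresholds are assumed values.        */

/* Make each virtual volume as large as one physical tape on tsm_int       */
/* (100G assumed here), as the reply suggests.                             */
update devclass int1c maxcapacity=100G

/* Collocate by node on the virtual-volume pool so that client_a and       */
/* client_b are written to separate virtual volumes.                       */
update stgpool int1p collocate=yes maxscratch=200

/* Disk pool that the clients back up to, migrating into int1p.            */
/* Disk volumes for EXTDISK still have to be defined separately.           */
define stgpool extdisk disk nextstgpool=int1p highmig=70 lowmig=30

/* Check the result: list the virtual volumes, then look at which nodes    */
/* have data on one of them (replace the placeholder volume name).         */
query volume stgpool=int1p
query content <virtual_volume_name>
```

The backup copy group destination in the policy domain used by client_a and client_b must point at EXTDISK for this layout to take effect.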