ADSM-L

Re: linux client setup through firewall - what source port?

2004-09-11 06:04:50
Subject: Re: linux client setup through firewall - what source port?
From: Stef Coene <stef.coene AT DOCUM DOT ORG>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Sat, 11 Sep 2004 12:54:44 +0200
On Friday 10 September 2004 22:02, T. Lists wrote:
> Hey all - I know this one has been asked before, but I
> can't seem to find a solution to my problem.  IBM has
> been a bit snitty - telling me it's a
> "communications/network" problem.  Ok, maybe not
> snitty - maybe I'm just having a bad day.
>
> Anyway.
>
> TSM server AIX 5.1, TSM 5.2.0
> Linux client TSM 5.2.3
>
> The linux client is in the dmz outside the firewall.
> (And, for the record, I've never set up a client that
> was outside the firewall)  I've tried both the "method
> 1" and "method 2" called out in the Unix BA manual.
> Now I'm concentrating on "method 1" which is the
> method where you open ports on the firewall.
>
> Have asked my firewall admin to open ports 1500, 1501,
> 1581.  He says they are open.
1500 is enough

> dsm.sys contains (among other things)
>    COMMmethod         TCPip
>    TCPPort            1500
>    TCPServeraddress   <server ip addr>
>    passwordaccess     generate
>    schedmode          polling
>    nodename           lin01
>    tcpclientaddress   <client ip addr>
>    httpport           1581
>    tcpclientport      1501
>    webports           1582  1583
>
> Simply trying a "dsmc inc" from the client eventually
> times out with:
>
>    [root@lin01 var]# dsmc inc
>    IBM Tivoli Storage Manager
>    Command Line Backup/Archive Client Interface -
>                 Version 5, Release 2, Level 3.0
>    (c) Copyright by IBM Corporation and other(s)
>                 1990, 2004. All Rights Reserved.
>
>    Node Name: LIN01
>    ANS1017E Session rejected: TCP/IP connection
>                 failure
>
>
> Running a tcpdump during this shows that the
> destination port that is trying to be reached is 1500
> on the server (which is correct), but the source port
> on the client is 32850.  I assume my problem is
> because the firewall admin hasn't opened port 32850 -
> however from other posts I gather this is a randomly
> assigned port on the client?  Is it governed by a
> parameter I'm unaware of?  Or, might this not be my
> problem at all?
That's not the problem.
Your client connects TO port 1500 on the TSM server.  So you have to open port
1500 to your TSM server.  But each connection also requires a port on the
client to receive data, and that's port 32850.  But the firewall knows this
and will allow the packets coming back.

Just open the port 1500 from the client in the dmz to the server in your lan
and it should work.

Stef
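An added illustration of the point above (not part of the original thread): a small Python model of a stateful firewall with the single rule "DMZ client -> LAN server:1500". The addresses are constructed; the ephemeral client port is whatever the kernel picked, and only replies on a tracked connection get through.

```python
from dataclasses import dataclass

CLIENT = "10.0.1.10"   # constructed: DMZ TSM client (lin01)
SERVER = "10.0.0.5"    # constructed: LAN TSM server
TSM_PORT = 1500        # the one port the firewall admin must open


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the packet that opens a connection


class StatefulFirewall:
    """Explicit rules say who may initiate to which port; return traffic is
    allowed only for connections the firewall has already seen start."""

    def __init__(self, rules):
        self.rules = rules          # set of (src, dst, dport) allowed to initiate
        self.connections = set()    # tracked (src, sport, dst, dport) tuples

    def allows(self, pkt):
        # Return traffic: reverse of a tracked 4-tuple, so the ephemeral
        # client port never needs its own rule.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:
            return True
        # New connection: only if an explicit rule permits src -> dst:dport.
        if pkt.syn and (pkt.src, pkt.dst, pkt.dport) in self.rules:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def simulate_backup_session(ephemeral_port):
    """Returns (outbound allowed, reply allowed, unsolicited packet allowed)."""
    fw = StatefulFirewall({(CLIENT, SERVER, TSM_PORT)})
    outbound = fw.allows(Packet(CLIENT, ephemeral_port, SERVER, TSM_PORT, syn=True))
    reply = fw.allows(Packet(SERVER, TSM_PORT, CLIENT, ephemeral_port))
    # Server-originated traffic to an untracked client port is still dropped.
    unsolicited = fw.allows(Packet(SERVER, TSM_PORT, CLIENT, ephemeral_port + 1))
    return outbound, reply, unsolicited
```

Running `simulate_backup_session(32850)` and `simulate_backup_session(54321)` both give `(True, True, False)`: the client's source port changes from session to session, and the firewall needs no rule for it.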