Re: [Networker] sustained firewall config issues
2006-11-13 06:54:03
You have misunderstood the instructions in the docs - which I have to
admit is easily done.
* UDP connections are never required, TCP ports are all that is
necessary. Forget UDP.
* The ports in the range 10001-30000 are SOURCE ports, not destination
ports. So you shouldn't need to worry about these unless you also configured
your firewall based on source ports, something that I think is rarely done.
The docs are very confusing about this point. Forget about 10001 - 30000.
* By default, NetWorker needs the following ports opened between a
client and a server:
Server to client: TCP 7937-7938
Client to server: TCP 7937-9936.
* If you have storage nodes behind the firewall you need slightly more
ports:
Server to storage node: TCP 7937 - (7938 + 4*numdrives)
Storage node to server: TCP 7937 - 9936.
* If your company will allow it, I would recommend opening up those
ranges of ports and leaving it at that. It will all work beautifully
when set up that way. However if you MUST use a smaller range of ports,
then you need to start configuring nsrports as well. From experience I
have found that this works fine for filesystem backups but causes
sporadic failures for RMAN backups on all clients including those not
behind firewalls, which is why I would advise you to stick with the
default range if possible.
* If you do need to start messing with nsrports, remember that this
needs to be done on the NetWorker server, and that NetWorker needs to be
restarted afterwards. But I say again - use the defaults if you are
allowed to.
That really is all you need to know.... much simpler than it looks in
the admin guide.
Ty Young wrote:
NetWorker 7.2.1 (Solaris) server
NetWorker 7.2.1 (Solaris) storage node #1
NetWorker 7.2.1 (Win2k3) storage node #2
NetWorker 7.2.1 (Win2k3) clients
All,
I have lingering firewall issues and I can't make sense of them. I've
read and I believe followed the directions in the Windows Admin guide on
setting up firewalls for NetWorker, which basically seem to indicate that
you need to open up a couple of ranges of ports, 7937 to (7937+x) and 10001
to (10001+y), both TCP and UDP, bidirectionally.
I've done that, and I've also configured storage node #2 (behind a
firewall) with nsrports -S 7937-7970 -C 10001-10050 as well as the clients
(which are behind a second firewall.) Lastly, I've re-started the
services on all boxes to be sure they're freshly loaded with the right
config out of nsrla.res.
What's happening (still) is that I cannot perform a savegrp backup. I get
RPC failures:
157. sudo savegrp -vvvv -p -l full -c lendb01 -G GOLD-xxxxxx_Bkups
Password:
lendb01:All level=full
11/09/06 16:07:55 savegrp: Run up to 24 clients in parallel
11/09/06 16:07:55 savegrp: lendb01:probe
started
savefs -s dalsn004 -c lendb01 -g GOLD-xxxxxxx_Bkups -p -l full -R -v
11/09/06 16:08:19 savegrp: command 'savefs -s dalsn004 -c lendb01 -g
GOLD-xxxxxx_Bkups -p -l full -R -v ' for client lendb01 exited with return
code 1.
11/09/06 16:08:19 savegrp: lendb01:probe succeeded.
* lendb01:All rcmd lendb01, user root: `savefs -s dalsn004 -c lendb01 -g
GOLD-xxxxxx_Bkups -p -l full -R -v'
* lendb01:All nsrexec: authtype
* lendb01:All savefs: RPC error: Remote system error
* lendb01:All savefs: Cannot access nsr server `dalsn004'
savefs lendb01: failed.
--- Probe Summary ---
lendb01:All level=full, dn=-1, mx=0, vers=unknown,
p=1
lendb01:All level=full, pool=xxxxxx, save as of Thu Nov 9
16:08:19 GMT-0600 2006
lendb01:index level=full, dn=-1, mx=0, vers=unknown,
p=1
lendb01:index level=full, pool=xxxxxx, save as of Thu Nov 9
16:08:19 GMT-0600 2006
I would really appreciate any help you can give me. TIA
Phillip T. ("Ty") Young, DMA
Manager, Data Center and Backup/Recovery Services
Information Services
i2 Technologies, Inc.
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the
body of the email. Please write to networker-request AT listserv.temple DOT edu
if you have any problems
with this list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
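An added example, not part of the original thread and not EMC/NetWorker code: a small audit that checks a firewall rule list against the default destination-port ranges given in the reply and flags the UDP and 10001-30000 rules the reply says are unnecessary. The `Rule` record, the host names `nwserver` and `sn2`, and the drive count of 4 are assumptions made for illustration; it does not model a range narrowed with nsrports.

```python
from dataclasses import dataclass

BASE, TOP = 7937, 9936        # default service-port bounds quoted in the reply

@dataclass(frozen=True)
class Rule:                   # hypothetical vendor-neutral allow rule
    src: str
    dst: str
    proto: str
    lo: int                   # destination port range, inclusive
    hi: int

def required(server, host, role, numdrives=0):
    """TCP destination ranges per direction, as listed in the reply."""
    if role not in ("client", "storage_node"):
        raise ValueError(f"unknown role: {role}")
    extra = 4 * numdrives if role == "storage_node" else 0
    return {(server, host): (BASE, BASE + 1 + extra),   # 7937-(7938 + 4*numdrives)
            (host, server): (BASE, TOP)}                # 7937-9936

def uncovered(rules, src, dst, lo, hi):
    """Sub-ranges of lo..hi that no TCP rule for src->dst allows."""
    gaps, nxt = [], lo
    for r in sorted(rules, key=lambda r: r.lo):
        if (r.src, r.dst, r.proto) != (src, dst, "tcp") or nxt > hi:
            continue
        if r.lo > nxt:
            gaps.append((nxt, min(r.lo - 1, hi)))
        nxt = max(nxt, r.hi + 1)
    if nxt <= hi:
        gaps.append((nxt, hi))
    return gaps

def audit(rules, server, host, role, numdrives=0):
    """Findings: missing TCP ranges, plus rules the reply says are not needed."""
    out = []
    for (src, dst), (lo, hi) in required(server, host, role, numdrives).items():
        out += [f"missing tcp {src}->{dst} {a}-{b}" for a, b in uncovered(rules, src, dst, lo, hi)]
    for r in rules:
        if {r.src, r.dst} != {server, host}:
            continue
        if r.proto == "udp":
            out.append(f"unneeded udp {r.src}->{r.dst} {r.lo}-{r.hi}")
        elif 10001 <= r.lo and r.hi <= 30000:
            out.append(f"unneeded tcp {r.src}->{r.dst} {r.lo}-{r.hi} (source-port range)")
    return out

# Constructed rule set; host names and the drive count (4) are assumptions.
SAMPLE = [Rule("nwserver", "sn2", "tcp", 7937, 7970),
          Rule("sn2", "nwserver", "tcp", 7937, 7970),
          Rule("sn2", "nwserver", "tcp", 10001, 10050),
          Rule("nwserver", "sn2", "udp", 7937, 7970)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "nwserver", "sn2", "storage_node", numdrives=4)))
```

On the constructed rule set the audit reports the storage-node-to-server gap above 7970 and marks the UDP and 10001-10050 rules as candidates for removal.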