Networker

Re: [Networker] sustained firewall config issues

2006-11-13 06:54:03
Subject: Re: [Networker] sustained firewall config issues
From: Davina Treiber <DavinaTreiber AT PEEVRO.CO DOT UK>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Mon, 13 Nov 2006 11:45:40 +0000
You have misunderstood the instructions in the docs - which I have to admit is easily done.

* UDP connections are never required; TCP ports are all that is necessary. Forget UDP.

* The ports in the range 10001-30000 are SOURCE ports, not destination ports. So you shouldn't need to worry about these unless you also configured your firewall based on source ports, something that I think is rarely done. The docs are very confusing about this point. Forget about 10001 - 30000.

* By default, NetWorker needs the following ports opened between a client and a server:
Server to client: TCP 7937-7938
Client to server: TCP 7937-9936.

* If you have storage nodes behind the firewall you need slightly more ports:
Server to storage node: TCP 7937 - (7938 + 4*numdrives)
Storage node to server: TCP 7937 - 9936.

* If your company will allow it, I would recommend opening up those ranges of ports and leaving it at that. It will all work beautifully when set up that way. However, if you MUST use a smaller range of ports, then you need to start configuring nsrports as well. From experience I have found that this works fine for filesystem backups but causes sporadic failures for RMAN backups on all clients, including those not behind firewalls, which is why I would advise you to stick with the default range if possible.

* If you do need to start messing with nsrports, remember that this needs to be done on the NetWorker server, and that NetWorker needs to be restarted afterwards. But I say again - use the defaults if you are allowed to.

That really is all you need to know.... much simpler than it looks in the admin guide.


Ty Young wrote:

NetWorker 7.2.1 (Solaris) server
NetWorker 7.2.1 (Solaris) storage node #1
NetWorker 7.2.1 (Win2k3) storage node #2
NetWorker 7.2.1 (Win2k3) clients

All,

I have lingering firewall issues and I can't make sense of them.   I've
read and I believe followed the directions in the Windows Admin guide on
setting up firewalls for NetWorker, which basically seem to indicate that
you need to open up a couple of ranges of ports, 7937 to (7937+x) and 10001
to (10001+y), both TCP and UDP, bidirectionally.

I've done that, and I've also configured storage node #2 (behind a
firewall) with nsrports -S 7937-7970 -C 10001-10050 as well as the clients
(which are behind a second firewall.)   Lastly, I've re-started the
services on all boxes to be sure they're freshly loaded with the right
config out of nsrla.res.

What's happening (still) is that I cannot perform a savegrp backup.  I get
RPC failures:

157. sudo savegrp -vvvv -p -l full -c lendb01 -G GOLD-xxxxxx_Bkups
Password:
lendb01:All                               level=full
11/09/06 16:07:55 savegrp: Run up to 24 clients in parallel
11/09/06 16:07:55 savegrp: lendb01:probe
started
savefs -s dalsn004 -c lendb01 -g GOLD-xxxxxxx_Bkups -p -l full -R -v
11/09/06 16:08:19 savegrp: command 'savefs -s dalsn004 -c lendb01 -g
GOLD-xxxxxx_Bkups -p -l full -R -v ' for client lendb01 exited with return
code 1.
11/09/06 16:08:19 savegrp: lendb01:probe succeeded.
* lendb01:All rcmd lendb01, user root: `savefs -s dalsn004 -c lendb01 -g
GOLD-xxxxxx_Bkups -p -l full -R -v'
* lendb01:All nsrexec: authtype
* lendb01:All savefs: RPC error: Remote system error
* lendb01:All savefs: Cannot access nsr server `dalsn004'
 savefs lendb01: failed.
--- Probe Summary ---

lendb01:All                        level=full, dn=-1, mx=0, vers=unknown,
p=1
lendb01:All             level=full, pool=xxxxxx, save as of Thu Nov  9
16:08:19 GMT-0600 2006
lendb01:index                      level=full, dn=-1, mx=0, vers=unknown,
p=1
lendb01:index           level=full, pool=xxxxxx, save as of Thu Nov  9
16:08:19 GMT-0600 2006

I would really appreciate any help you can give me.   TIA


Phillip T. ("Ty") Young, DMA
Manager, Data Center and Backup/Recovery Services
Information Services
i2 Technologies, Inc.

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the
body of the email. Please write to networker-request AT listserv.temple DOT edu 
if you have any problems
with this list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
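
An added example, not part of the original thread: a small audit that compares a firewall's allowed destination ports against the default TCP ranges given in the reply, reporting both gaps and rules the reply says are unnecessary (UDP, and 10001-30000 as destination ports). The rule format, direction labels and SAMPLE_RULES are assumptions constructed for illustration, loosely modelled on the ranges mentioned in the question.

```python
# Added example (not from the thread): audit allowed destination ports
# against the default NetWorker TCP ranges quoted in the reply.

def required_tcp_ranges(num_drives=0):
    """Destination-port ranges per direction, as given in the reply."""
    return {
        "server->client": (7937, 7938),
        "client->server": (7937, 9936),
        "server->storage_node": (7937, 7938 + 4 * num_drives),
        "storage_node->server": (7937, 9936),
    }

def missing_ports(required, allowed):
    """Sub-ranges of `required` not covered by any (lo, hi) in `allowed`."""
    lo, hi = required
    gaps, cursor = [], lo
    for a_lo, a_hi in sorted(allowed):
        if a_hi < cursor:
            continue            # range ends before the first uncovered port
        if a_lo > hi:
            break               # range starts past what is required
        if a_lo > cursor:
            gaps.append((cursor, a_lo - 1))
        cursor = a_hi + 1
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def audit(rules, directions, num_drives=0):
    """Return ('missing' | 'unneeded', direction, proto, (lo, hi)) findings."""
    need = required_tcp_ranges(num_drives)
    findings = []
    for d in directions:
        tcp = [r["ports"] for r in rules
               if r["direction"] == d and r["proto"] == "tcp"]
        findings += [("missing", d, "tcp", g) for g in missing_ports(need[d], tcp)]
    for r in rules:
        lo, hi = r["ports"]
        # Per the reply: UDP is never required, and 10001-30000 are source
        # ports, so destination rules for them only widen the firewall.
        if r["proto"] == "udp" or (lo >= 10001 and hi <= 30000):
            findings.append(("unneeded", r["direction"], r["proto"], r["ports"]))
    return findings

# Constructed sample: two ranges opened for TCP and UDP in both directions.
SAMPLE_RULES = [{"direction": d, "proto": p, "ports": r}
                for d in ("server->client", "client->server")
                for p in ("tcp", "udp")
                for r in ((7937, 7970), (10001, 10050))]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, ["server->client", "client->server"]):
        print(finding)
```
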