Thanks Frank for the useful info. 

Yes, there is a NetScreen firewall system between Networker server (7.5.1.4) 
and a cleint (7.5.1.4).

So I will do the following. Let me know if I am wrong.

[1] Calculate the # of service ports using the formula
      12 + (2*devices) + jukeboxes 
      This comes to 23 so I will set service ports to 7937-7985 (a few extra)

[2] Modify nsrports on the server, storage nodes, and the clients 
     (will keep the values same for simplicity)
     > nsrports
     service ports: 7937 - 7985 (a few extra)
     connection ports: 10001 - 10200 (not sure if 200 would be enough)
     Question: 
     What is the formula to decide the connection ports ?

[3] nsrports on the client which is behind a firewall
     > nsrports
     service ports: 7937 - 7945
     connection ports: 10001 - 10200
       
[4] Restart nsrexecd on every host

[4] Implement the following rule in firewall between Networker server and 
     a client.

     Networker server to client : 
     TCP/UDP 
     7937 - 7945 (for services) 
     10001 - 10200 (for connection) - I believe 100 would be enough 

    Client to Networker server: 
    TCP/UDP 
    7937 - 7985 (for services) 
    10001 - 10200 (for connection)
 

Do I need to worry about mgmt console ? It is running on the Networker server.

What about TCP 111 -sunRPC ?

+----------------------------------------------------------------------
|This was sent by soni.parth AT gmail DOT com via Backup Central.
|Forward SPAM to abuse AT backupcentral DOT com.
+----------------------------------------------------------------------

To sign off this list, send email to listserv AT listserv.temple DOT edu and 
type "signoff networker" in the body of the email. Please write to 
networker-request AT listserv.temple DOT edu if you have any problems with this 
list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER