ADSM-L

TSM backup via firewall

2000-08-28 09:16:19
Subject: TSM backup via firewall
From: Eric Tang <tangeric AT HK1.IBM DOT COM>
Date: Mon, 28 Aug 2000 21:26:58 +0800
Hi All,

I am new to firewalls, and I am going to set up TSM client backup via a
firewall. After reading Apar IC27212 and performing testing on an NT client
and an AIX TSM server with a test firewall in between, I have a few
questions to ask.

Environment

AIX TSM Server 3.7.3 (IP address 9.184.95.101, hostname: tivoli, schedulemode is any)
NT TSM Client 3.7.2 (IP address 49.11.35.51, hostname: ntadsm01, schedmode is prompted)

Checkpoint Firewall rules:

     Source    Destination    Service    Action
1.   tivoli    ntadsm01       adsm1501   accept
2.   ntadsm01  tivoli         adsm1500   accept
3.   any       any            any        drop

Service adsm1501: Port 1501 defined in TCP Service Property
Service adsm1500: Port 1500 defined in TCP Service Property


Finding:

If rule 2 is absent, I cannot run dsmc incremental, q files, etc. (even
manually via the CLI).
If rule 1 is absent, the dsmc client will not wake up according to the server
schedule.


Output from "netstat -a" on the TSM Server when dsmc inc is running and "q
session" shows 2 sessions:

Proto  Recv_Q  Send_Q  Local Address   Foreign Address  (state)
tcp4   0       0       tivoli.1500     49.11.35.51.1075      Established
tcp4   0       0       tivoli.1500     49.11.35.51.1076      Established
....
tcp4 ....            *.1500      *.*               Listen
tcp4 ....            *.1580      *.*               Listen


Questions:

1. Are 1075, 1076 the random ports mentioned in the Apar?
2. Are those firewall rules proper to bypass the problem mentioned in the
Apar?
3. For those having TSM backup via firewall, are you having a similar
setup?


Apar IC27212
****************************************************************
 * USERS AFFECTED: All TSM Clients*
 ****************************************************************
 * PROBLEM DESCRIPTION: Tivoli Storage Manager Client does not*
 * support the use of a firewall in the environment. When the *
 * client connects to the assigned port, the server rolls the *
 * client over to another random port to keep the initial port*
 * open for additional communication. Once the client is on *
 * another port, communication is severed unless the next*
 * selected port happens to be open in the firewall as well.*
 ***************************************************************
 * RECOMMENDATION: It should be documented that TSM does not *
 * support access through a firewall.*
 ***************************************************************
 PROBLEM CONCLUSION: The following statement has been documented
 in the readmes for all TSM clients:
 "The TSM clients work in conjunction with a TSM server to which
 they have access. Currently, TSM does not support the use of a
 firewall between the server and the client."

Regards,
Eric Tang
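
The following is an added example, not part of the original post and not IBM or Check Point code: it parses the two established sessions from the netstat output above and evaluates each against the three posted rules in first-match order. It assumes a rule's service matches on the TCP destination port only, with any source port; the function names are hypothetical.

```python
# Added example: which posted firewall rule does each netstat session match?
# Assumption: a service matches on TCP destination port only (any source port).
SERVICES = {"adsm1500": 1500, "adsm1501": 1501}
RULES = [  # (number, source, destination, service, action) as posted
    (1, "tivoli", "ntadsm01", "adsm1501", "accept"),
    (2, "ntadsm01", "tivoli", "adsm1500", "accept"),
    (3, "any", "any", "any", "drop"),
]
HOSTS = {"9.184.95.101": "tivoli", "49.11.35.51": "ntadsm01"}

# The two established sessions copied from the post (AIX prints host.port).
NETSTAT = """\
tcp4   0       0       tivoli.1500     49.11.35.51.1075      Established
tcp4   0       0       tivoli.1500     49.11.35.51.1076      Established
"""

def split_endpoint(text):
    """Split 'host.port' at the last dot and map known IPs to hostnames."""
    host, _, port = text.rpartition(".")
    return HOSTS.get(host, host), int(port)

def parse_sessions(output):
    """Return ((local_host, port), (foreign_host, port)) per established line."""
    sessions = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[5].lower() == "established":
            sessions.append((split_endpoint(fields[3]), split_endpoint(fields[4])))
    return sessions

def match_rule(src, dst, dport):
    """First-match evaluation of the posted rule table."""
    for number, r_src, r_dst, service, action in RULES:
        port_ok = service == "any" or SERVICES[service] == dport
        if r_src in ("any", src) and r_dst in ("any", dst) and port_ok:
            return number, action
    return None, "drop"

def classify(output):
    """Treat the side holding a defined service port as the listener; the
    other side's port is the initiator's source port."""
    rows = []
    for (lhost, lport), (fhost, fport) in parse_sessions(output):
        if lport in SERVICES.values():
            src, sport, dst, dport = fhost, fport, lhost, lport
        else:
            src, sport, dst, dport = lhost, lport, fhost, fport
        rows.append((src, sport, dst, dport) + match_rule(src, dst, dport))
    return rows

if __name__ == "__main__":
    for row in classify(NETSTAT):
        print(row)
```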