ADSM-L

MSCS and firewalls

2001-04-05 17:07:45
Subject: MSCS and firewalls
From: Joel Cooper <jocooper AT DELOITTE DOT COM>
Date: Thu, 5 Apr 2001 16:07:42 -0500
I have a situation that I'm having a problem with. I wanted to see if anyone
knows the quick answer. This message is long, so thanks to anyone that reads it
and even more to anyone that has an idea.

First, ADSM didn't use to be supported through a firewall even though it would
work in many situations. I don't know in this day and age if that non-support is
still official. If it is, I really feel it needs to be changed because in this
age of the Internet, I am having web server TSM clients added like you wouldn't
believe. If the problem is the client opening up additional ports and not being
able to predict the random port it will use, why not have an option file setting
to set valid ports for the client to try? Even if Tivoli won't "support
firewalls", at least give us some functionality where we can do our jobs. I've
got a few million dollars worth of servers outside firewalls and they haven't
quit ordering them. So far, we've been backing up about 2 or 3 dozen b/a clients
and a few SQL agents for a while through a firewall.

To accomplish this, we've been having our Security department implement firewall
rules that allow bi-directional TCP/IP traffic on 1500 and 1501. No problems.

My situation is this: I just set up 2 Windows 2000 based cluster servers (MSCS)
outside a firewall, one for SQL 7.0 and one for Exchange 2000. According to TSM
v4 instructions, I need a client for the Windows nodes that could run the
cluster and I need a client for each cluster group, in my case a group for the
quorum and a group for Exchange 2000. With Exchange 2000, I also need the TDP
for Exchange v2.

I have these clients all installed and they all work manually. My problem is
with the scheduler service. The first service to run on 1500 works; the
subsequent services never answer the server. According to the error logs, they
found the TCP/IP port busy and picked another at random. It appears they picked
56582 and then 56583, etc.

I made each service work on 1500 by itself, but I need them to run together. I
thought the answer was in TCPPort in dsm.opt. I got them to open ports 1500 -
1505 and put each client on its own port. The firewall part works, showing a
session going through w/o a problem. I am getting ANS1017 Session rejected:
TCP/IP connection failure, though. I am not sure why. I'm not getting activity
log errors for this on my last test.

Does anyone have any ideas? Is this because my server has the option to be
contacted on TCPPort 1500? I don't want to use the Windows scheduler to handle
this, but I have to cover these servers.

I don't see what a support call will accomplish yet, but if I get a little more
information I'm willing to try to get some answers.

Thanks in advance,

Joel Cooper
jocooper AT deloitte DOT com
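Added example, not from Joel's post or from Tivoli: a small Python check over the option files of several scheduler services that share one host. It flags two things the post runs into: more than one service configured with the same client listening port (so only the first to start can bind it and the rest fall back to a random high port), and any configured port that lies outside the firewall team's 1500-1505 allow range or that the server is not listening on. It assumes TCPPORT is the port the client connects to on the server and TCPCLIENTPORT (a client option the post does not mention) is the port a prompted-mode scheduler listens on; the option files, server address, default values and the set of ports the server listens on are constructed for the example.

```python
"""Audit dsm.opt files of co-located scheduler services for port conflicts.

Added example; assumptions are marked. Not code from the post or from Tivoli.
"""
from dataclasses import dataclass

# Constructed option files for the scheduler services described in the post
# (local node, quorum group, Exchange group) plus one that ended up on a high
# port like the ones the post saw picked at random. Lines starting with '*'
# are comments in dsm.opt.
SAMPLE_OPT_FILES = {
    "dsm_node.opt": (
        "* local Windows node (constructed)\n"
        "TCPSERVERADDRESS tsm.example.internal\n"
        "TCPPORT          1500\n"
        "TCPCLIENTPORT    1501\n"
        "SCHEDMODE        PROMPTED\n"
    ),
    "dsm_quorum.opt": (
        "* quorum cluster group (constructed)\n"
        "* TCPCLIENTPORT left at its default, so it collides with dsm_node.opt\n"
        "tcpserveraddress tsm.example.internal\n"
        "tcpport 1500\n"
        "schedmode prompted\n"
    ),
    "dsm_exch.opt": (
        "* Exchange 2000 cluster group (constructed)\n"
        "* TCPPORT moved to 1503, but the server only listens on 1500\n"
        "TCPSERVERADDRESS tsm.example.internal\n"
        "TCPPORT 1503\n"
        "TCPCLIENTPORT 1502\n"
        "SCHEDMODE PROMPTED\n"
    ),
    "dsm_fallback.opt": (
        "* constructed: listening port outside the opened range\n"
        "TCPSERVERADDRESS tsm.example.internal\n"
        "TCPPORT 1500\n"
        "TCPCLIENTPORT 56582\n"
        "SCHEDMODE PROMPTED\n"
    ),
}

DEFAULT_TCPPORT = 1500          # assumed client default
DEFAULT_TCPCLIENTPORT = 1501    # assumed client default
FIREWALL_ALLOWED = range(1500, 1506)   # 1500-1505, as opened per the post
SERVER_LISTEN_PORTS = {1500}           # assumed: the server's TCPPort


@dataclass(frozen=True)
class ClientPorts:
    name: str
    tcpport: int         # port the client connects to on the server
    tcpclientport: int   # port the scheduler listens on for server prompts


def parse_ports(name, text):
    """Read the two port options from one dsm.opt; unknown options are ignored.

    Option names are case-insensitive; abbreviated forms are not handled here.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].strip()
    return ClientPorts(
        name=name,
        tcpport=int(values.get("TCPPORT", DEFAULT_TCPPORT)),
        tcpclientport=int(values.get("TCPCLIENTPORT", DEFAULT_TCPCLIENTPORT)),
    )


def audit(files, allowed=FIREWALL_ALLOWED, server_ports=SERVER_LISTEN_PORTS):
    """Return human-readable findings for a set of option files on one host."""
    clients = [parse_ports(n, t) for n, t in files.items()]
    findings = []
    by_client_port = {}
    for c in clients:
        by_client_port.setdefault(c.tcpclientport, []).append(c.name)
        if c.tcpport not in server_ports:
            findings.append(
                f"{c.name}: TCPPORT {c.tcpport} is not a port the server listens on")
        for label, port in (("TCPPORT", c.tcpport), ("TCPCLIENTPORT", c.tcpclientport)):
            if port not in allowed:
                findings.append(
                    f"{c.name}: {label} {port} is outside the firewall allow range")
    # Two services on one host cannot both bind the same listening port.
    for port, names in sorted(by_client_port.items()):
        if len(names) > 1:
            findings.append(
                f"TCPCLIENTPORT {port} shared by {', '.join(names)}: "
                "only the first scheduler service to start can bind it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OPT_FILES):
        print(finding)
```

Run against real files by replacing the constructed dictionary with the contents of each service's option file; a clean result means every scheduler has its own listening port and every port used is one the firewall rule actually covers.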