My site has installed a filewall. Eventually all systems that need to be
accessible from the Internet will be outside the firewall, and all systems
used exclusively by our own staff and students will be inside the firewall.
We would like to use our existing TSM server to back up the systems outside
the firewall as well as those inside. As far as I can tell, there are
essentially only two approaches to doing this.

The first approach is to configure the firewall to pass TCP traffic to and
from port 1500 on the TSM server and configure clients outside the firewall
to use polling mode scheduling. Some of my co-workers have suggested a
variant of this approach in which the TSM server and its clients would be
reconfigured to use a different port. The hope is that this would reduce
the risk of attacks that depended on knowing the port number for TSM.
There are some concerns about the firewall's ability to handle the volume
of traffic to and from the TSM server.

The second approach is to equip the TSM server with an additional network
interface connected to the subnet outside the firewall. Our TSM server
currently runs under OS/390, with one TCP/IP address space dedicated to
supporting TSM connections. We could either configure the existing address
space to support the new interface or add another address space to support
the new interface.

How are other TSM sites dealing with firewalls? Is there any security
advantage in using a port other than 1500 for TSM? If we select the second
approach, is there any security advantage in a separate TCP/IP address
space for the new network interface?