ADSM-L

Re: Documentation needed: Backing up through a firewall

2002-03-27 01:16:02
Subject: Re: Documentation needed: Backing up through a firewall
From: Zlatko Krastev <acit AT ATTGLOBAL DOT NET>
Date: Wed, 27 Mar 2002 08:14:21 +0200
All TSM features can work across a firewall. Whether they will work
depends on firewall software capabilities, company security policies and
the firewall administrator's good will. Usually a firewall is configured to
allow connections to be initiated only from one of the nets/subnets, and
such behavior blocks some TSM features.
- for B/A, GUI & API client connection the firewall must allow port 1500
  (or the modified one), connection initiated from the client's side
- for the scheduler in prompted mode - port 1501 and connection initiated
  from the server (!!!) side + B/A client (1500 in the opposite direction)
- for the Web Administrative interface - port 1580 and connection
  initiated from browser to server
- for the Web client - port 1581 and connection from browser to client +
  B/A client (1500)
- for T/EC events things are harder - if the TEC server is using portmap
  the firewall should allow both portmapper port 111 and the TEC server
  port; if not, TECPORT has to be set in dsmserv.opt and the firewall must
  not block this port from TSM server to TEC server.
Statements from the docs are not completely correct. However they are
true for usual firewall configurations. Again - FW admin's good will and
ability to do their job are important.

Zlatko Krastev
IT Consultant
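The port and direction list in the post above can be checked mechanically against a firewall policy. The following is an added example, not code from the ADSM-L post: it encodes each TSM feature as the set of TCP connections it needs (initiating side, listening side, port) and evaluates them against the common "connections may only be initiated from the clients' side into the server's side" policy the post describes. Port numbers are the defaults named in the post; the TEC server port value and the placement of the TEC server on the clients' side of the firewall are assumptions.

```python
"""Which TSM features survive a one-way firewall policy.

Added example, not code from the ADSM-L post. It encodes the post's
port/direction list: every TSM feature is a set of TCP connections, each
with the side that initiates it and the listening port. The policy
modelled is the common one the post describes: connections may only be
initiated from the clients' side into the TSM server's side. Port
numbers are the defaults named in the post; the TEC server port and the
placement of the TEC server on the clients' side are assumptions.
"""
from dataclasses import dataclass

INSIDE = "inside"    # side holding the TSM server
OUTSIDE = "outside"  # side holding B/A clients, browsers and (assumed) the TEC server
TEC_PORT = 5529      # constructed placeholder; the real value is TECPORT in dsmserv.opt


@dataclass(frozen=True)
class Conn:
    name: str   # what the connection is for
    src: str    # side that initiates the TCP connection
    dst: str    # side that listens
    port: int   # listening port


# A feature works only if every one of its connections is allowed.
FEATURES = {
    "B/A, GUI & API client": [Conn("client session", OUTSIDE, INSIDE, 1500)],
    "scheduler (polling mode)": [Conn("client session", OUTSIDE, INSIDE, 1500)],
    "scheduler (prompted mode)": [
        Conn("server prompt", INSIDE, OUTSIDE, 1501),   # server contacts the client
        Conn("client session", OUTSIDE, INSIDE, 1500),  # client then connects back
    ],
    "Web administrative interface": [Conn("browser to server", OUTSIDE, INSIDE, 1580)],
    "Web client": [
        Conn("browser to workstation", OUTSIDE, OUTSIDE, 1581),
        Conn("client session", OUTSIDE, INSIDE, 1500),
    ],
    "T/EC events (TEC via portmap)": [
        Conn("portmapper", INSIDE, OUTSIDE, 111),
        Conn("TEC server", INSIDE, OUTSIDE, TEC_PORT),
    ],
    "T/EC events (TECPORT set)": [Conn("TEC server", INSIDE, OUTSIDE, TEC_PORT)],
}


def one_way_policy(extra_allowed=frozenset()):
    """Policy: same-side traffic and OUTSIDE->INSIDE initiation are allowed;
    anything else needs an explicit (src, dst, port) exception."""
    def allowed(c):
        if c.src == c.dst:
            return True
        if c.src == OUTSIDE and c.dst == INSIDE:
            return True
        return (c.src, c.dst, c.port) in extra_allowed
    return allowed


def blocked_connections(feature, policy):
    """Connections of `feature` that `policy` refuses (the rules to request)."""
    return [c for c in FEATURES[feature] if not policy(c)]


def feature_status(policy):
    """Map feature name -> True if it works under `policy`."""
    return {name: not blocked_connections(name, policy) for name in FEATURES}


if __name__ == "__main__":
    for exceptions in (frozenset(), frozenset({(INSIDE, OUTSIDE, 1501)})):
        policy = one_way_policy(exceptions)
        print(f"exceptions granted by firewall admin: {sorted(exceptions) or 'none'}")
        for name, ok in feature_status(policy).items():
            blocked = ", ".join(f"{c.name} {c.src}->{c.dst}:{c.port}"
                                for c in blocked_connections(name, policy))
            print(f"  {'ok     ' if ok else 'BLOCKED'} {name}"
                  + (f"  needs: {blocked}" if blocked else ""))
```

Under the plain one-way policy the report marks exactly the two features the IBM documentation lists as problematic (prompted-mode scheduler and T/EC logging), and the `blocked_connections` output for each is the precise rule to ask the firewall administrator for; granting the single server-to-client 1501 exception makes prompted mode work, while T/EC still needs the server-to-TEC port (plus 111 when portmap is used).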

Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by:        "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To:     ADSM-L AT VM.MARIST DOT EDU

Subject:        Re: Documentation needed: Backing up through a firewall

Remco,
I posed this question to IBM Tivoli support a few weeks ago and here is
their response:


This is from the Read Me for the TSM Client code 4.2.X
ftp://service.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v4r2/Windows/WinNT/v421/IP22373_READ1STC.TXT

 - The Tivoli Storage Manager server and clients can work across a
firewall in most cases. Please see the 'Tivoli Storage Manager Firewall'
subsection of the Getting Started chapter in the TSM Using the
Backup-Archive Client book.

Currently the following operations are known to have problems when a
firewall is in place:

The client scheduler operating in prompted mode does not work when the
server is across a firewall.

The client scheduler does work when operating in polling mode.

The server cannot log events to a Tivoli Enterprise Console (T/EC) server
across a firewall.



This is from the book Using Backup-Archive Clients, Chapter 2:

Tivoli Storage Manager Firewall Support

In most cases, the Tivoli Storage Manager server and clients can work
across a firewall. The ports that the client and server need
to communicate must be opened in the firewall by the firewall
administrator. Because every firewall is different, the firewall
administrator may need to consult the instructions for the firewall
software or hardware in use.

The ports that the firewall needs to define are those ports that are
needed for the client to connect to the Tivoli Storage Manager server.
If the server is listening on port 1500 then the firewall software needs
to forward the port to the Tivoli Storage Manager server machine.

To allow clients to communicate with a server across a firewall, you must
open the TCP/IP port for the server using the tcpport
option in the server options file. The default TCP/IP port is 1500.

To allow the Web client to communicate with remote workstations across a
firewall, you must open the HTTP port for the
remote workstation using the httpport option in the remote workstation's
client option file. The default HTTP port is 1581.

You must open the two TCP/IP ports for the remote workstation client using
the webports option in the remote workstation's
option file. Values for the webports are required. If you do not specify
the values for the webports option, the default zero (0)
causes TCP/IP to randomly assign two free port numbers. See Webports for
more information about the webports option.

To use the administrative Web interface for a server across a firewall,
you must open the port that is the HTTP port for the server using the
httpport option in the server options file. The default HTTP port is
1580.

In an enterprise environment, we strongly recommend that you use the
Tivoli Storage Manager Secure Web Administrator Proxy for Web
administration of the Tivoli Storage Manager server. Install the proxy on
a Web server that sits on the firewall so that the Web server can access
resources on both sides of the firewall (this is sometimes called the
demilitarized zone). When you set up the proxy, you can use it to
administer any Tivoli Storage Manager server at Version 3.7 or higher.
For more information on how to install and use the proxy, see the
appendix about the Web proxy in the Tivoli Storage Manager Quick Start
manual. You can also increase security in this environment by enabling
HTTPS services (also called secure socket layer or SSL) on the Web server
where you install the proxy. Check your Web server documentation for
information on how to set this up.

When using Tivoli Storage Manager across a firewall, please consider the
following:

     To use the Web client to connect to a client across a firewall, the
     Web client and the backup-archive client must be Version 4.1.2 or
     later.

     To enable the backup-archive client, command line admin client, and
     the scheduler (running in polling mode) to run outside a firewall,
     the port specified by the server option tcpport (default 1500) must
     be opened by the firewall administrator.

     Note: Tivoli Storage Manager does not support the scheduler running
     in prompted mode outside a firewall. In prompted mode the Tivoli
     Storage Manager server needs to contact the client. In order to do
     this, some software must be installed on the Tivoli Storage Manager
     server to route the request through the firewall. This software
     routes the server request through a sock port on the firewall. This
     is typically called sockifing a system. Proxies are not supported,
     since they only route a few types of communication protocols (HTTP,
     FTP, GOPHER) and Tivoli Storage Manager is not one of these
     communication protocols that are routed. It is important to note
     that the client creates a new connection to the Tivoli Storage
     Manager server when prompted. This means that the firewall
     configuration discussed above must be in place.

     The server cannot log events to a Tivoli Enterprise Console (T/EC)
     server across a firewall.
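The manual quoted above names three options (tcpport, httpport, webports) whose values decide which ports the firewall administrator has to open, and warns that the default webports value 0 makes TCP/IP pick two random ports. The following added example, not code from the thread or from IBM, reads those options out of constructed sample dsmserv.opt and dsm.opt contents, falls back to the documented defaults, emits the iptables FORWARD rules that the documented connections need, and flags a webports setting of 0 because a random port cannot be pinned in a firewall rule. The host addresses and networks are placeholders; the option-file syntax assumed is TSM's (one option per line, `*` starts a comment, option names are case-insensitive).

```python
"""Derive firewall allow rules from TSM option files.

Added example, not code from the ADSM-L thread or from IBM's manual.
It extracts tcpport/httpport/webports from constructed sample option
files, applies the documented defaults (server tcpport 1500, server
httpport 1580, client httpport 1581, webports 0 0) and emits iptables
rules for the connections the manual says must be opened. Addresses
are placeholders.
"""

# Constructed sample dsmserv.opt (not from the thread).
SAMPLE_DSMSERV_OPT = """\
* constructed sample server options file
COMMmethod TCPIP
TCPPort 1500
HTTPPort 1580
"""

# Constructed sample dsm.opt for the remote workstation running the Web client.
SAMPLE_DSM_OPT = """\
* constructed sample client options file
TCPServeraddress tsm.example.test
TCPPort 1500
HTTPPort 1581
WEBPorts 0 0
"""


def parse_opts(text):
    """Parse a TSM option file: option name (lower-cased) -> list of values.
    Blank lines and '*' comment lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split()
        opts[parts[0].lower()] = parts[1:]
    return opts


def rule(src, dst, port):
    """One iptables rule allowing a new TCP connection src -> dst:port."""
    return (f"iptables -A FORWARD -p tcp -s {src} -d {dst} --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT")


def firewall_rules(server_opt_text, client_opt_text, *,
                   client_net, browser_net, server_ip, workstation_ip):
    """Return (rules, warnings) for the documented client/server connections.

    client_net     - network holding B/A clients, admin CLI, polling scheduler
    browser_net    - where the administrator's browser sits
    server_ip      - TSM server
    workstation_ip - remote workstation reached through the Web client
    """
    server = parse_opts(server_opt_text)
    client = parse_opts(client_opt_text)
    tcpport = server.get("tcpport", ["1500"])[0]       # server option tcpport
    server_http = server.get("httpport", ["1580"])[0]  # administrative Web interface
    ws_http = client.get("httpport", ["1581"])[0]      # Web client on the workstation
    webports = client.get("webports", ["0", "0"])      # two extra Web client ports

    rules = [
        rule(client_net, server_ip, tcpport),        # B/A client, admin CLI, polling scheduler
        rule(browser_net, server_ip, server_http),   # administrative Web interface
        rule(browser_net, workstation_ip, ws_http),  # Web client HTTP port
    ]
    warnings = []
    if "0" in webports:
        warnings.append("webports is 0: TCP/IP will assign random ports that "
                        "cannot be opened in the firewall; set two fixed webports values")
    for port in webports:
        if port != "0":
            rules.append(rule(browser_net, workstation_ip, port))
    return rules, warnings


if __name__ == "__main__":
    for opt_text in (SAMPLE_DSM_OPT, SAMPLE_DSM_OPT.replace("WEBPorts 0 0", "WEBPorts 1582 1583")):
        rules, warnings = firewall_rules(
            SAMPLE_DSMSERV_OPT, opt_text,
            client_net="10.1.0.0/16", browser_net="10.2.0.0/24",
            server_ip="10.0.0.5", workstation_ip="10.1.0.7")
        print("\n".join(rules))
        for w in warnings:
            print("WARNING:", w)
        print()
```

The rules only cover connections initiated from the clients' or browser's side toward the server or workstation, which is the set the manual says a firewall can accommodate; the server-initiated prompted-mode and T/EC connections are deliberately absent. If the TSM server is not directly routable from outside, the manual's "forward the port" remark means a DNAT rule for tcpport is needed in addition to the ACCEPT rules generated here.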