ADSM-L

Re: Backups through a firewall

2002-05-22 08:35:47
Subject: Re: Backups through a firewall
From: Zlatko Krastev <acit AT ATTGLOBAL DOT NET>
Date: Wed, 22 May 2002 15:28:56 +0300
You cannot hide them so I see no reason to change them. If the firewall is
set up correctly it should allow traffic outside the DMZ to those ports. If an
intruder compromised a TSM node in the DMZ, your modified ports are known.
The main security issue (IMO) is that *SM is using the same port for backups
and for admin client sessions. And opening this port in the firewall opens
the ability to connect as administrator to the server.

Zlatko Krastev
IT Consultant




Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by:        "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To:     ADSM-L AT VM.MARIST DOT EDU
cc:

Subject:        Re: Backups through a firewall

Hi,

Wanda wrote:
> All the firewall guy had to do was create a rule that allows TCP/IP traffic
> through the firewall for port 1500 for the particular client address.
>
> If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501.
> If you want to use the web client to do TSM backups/restores remotely, that
> uses port 1581.
>
> All those ports are configurable, i.e., you can tell TSM client and server
> to use different ports if you want

I would STRONGLY suggest to choose different ports. I believe there's a list
out there, I think it's through IANA (www.iana.org - somebody please confirm
that) that tells which port is 'registered'. Pick some free ports high up,
preferably not next to each other (I would go pick like 7492, 9816 and 9752 -
handpicked these :) ). Wouldn't want some h*cker discovering you're using
1234 with some sec hole somewhere and let him just try 1235 and 1236, now
would we?

But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least
someone on the list will tell you, and you'll never forget (and neither will
I).

Regards,

Rick