[Veritas-bu] Backing Up through firewall step by step
2002-09-17 06:55:12
Subject: [Veritas-bu] Backing Up through firewall step by step
From: arne AT topnet DOT de (Arne Kloecker)
Date: Tue, 17 Sep 2002 12:55:12 +0200
Hi Grant,
17. September 2002 12:18 Grant.September AT nuinternational DOT com:
> The security guys want to lock down a specific range of ports 512 - 1023 so
> what I need to know is what changes must I make to the media, master servers
> bp.conf file as well as the registry settings on NT for this to take
> effect.
OK, first of all, ask your security guys if they would prefer a port range in
the unprivileged range (>1024), they might love you for this ;-)
The Master and Media-Server need to contact the clients on port 13782 TCP
(bpcd). The clients need to contact the Servers on port 13720 TCP (bprd).
Then you need to specify a port range for the data communication which is
bidirectional and also TCP. You should calculate 2 ports for each stream you
want to have. If you want further security you can set a client to use just a
subset of the whole range...
On the Client you will have to put the following in the bp.conf:
CLIENT_PORT_WINDOW = *firstport* *lastport*
Where *firstport* is the first port of your range (512 in your example) and
*lastport* is the last port (1023).
On the Servers you add:
CLIENT_PORT_WINDOW = *firstport* *lastport*
SERVER_PORT_WINDOW = *firstport* *lastport*
If you have a firewall between the servers add this:
SERVER_RESERVED_PORT_WINDOW = *firstport* *lastport*
Here you should use low ports (<1024).
If you use unprivileged ports (>1024) add on both clients and servers:
ALLOW_NON_RESERVED_PORTS
Also you will need to allow the clients to use high ports by doing this (on
Unix):
/usr/openv/netbackup/bin/admincmd/bpclient -client *clientname* -add -connect_nr_port 1
I hope I didn't forget anything.
If you have further questions don't hesitate to ask.
Arne Kloecker
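
Added example (not part of the message above and not Veritas code): a small Python check that applies the rules described in the message to the text of a bp.conf, namely two ports per stream, low ports for SERVER_RESERVED_PORT_WINDOW, and ALLOW_NON_RESERVED_PORTS when a window reaches into the unprivileged range. The sample file, its host names, the treatment of 1024 and above as unprivileged, and the handling of an explicit "= NO" are assumptions.

```python
import re

# Constructed sample client bp.conf for illustration (not from the post).
SAMPLE_BP_CONF = """\
SERVER = master01
CLIENT_NAME = client07
CLIENT_PORT_WINDOW = 4800 4809
"""
WINDOW_KEYS = ("CLIENT_PORT_WINDOW", "SERVER_PORT_WINDOW",
               "SERVER_RESERVED_PORT_WINDOW")

def parse_bp_conf(text):
    """Map each entry name to its value; a bare keyword maps to ''."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def check_port_windows(text, streams):
    """Return findings for port windows that break the rules in the message."""
    entries = parse_bp_conf(text)
    # Assumption: an explicit "= NO" counts as not allowed.
    non_reserved_ok = entries.get("ALLOW_NON_RESERVED_PORTS", "NO").upper() != "NO"
    findings = []
    for key in WINDOW_KEYS:
        if key not in entries:
            continue
        m = re.fullmatch(r"(\d+)\s+(\d+)", entries[key])
        if not m or not 0 < int(m[1]) <= int(m[2]) <= 65535:
            findings.append(f"{key}: expected 'firstport lastport' within 1-65535")
            continue
        first, last = int(m[1]), int(m[2])
        size = last - first + 1
        if size < 2 * streams:  # two ports per stream
            findings.append(f"{key}: {size} ports, {2 * streams} needed for {streams} streams")
        if key == "SERVER_RESERVED_PORT_WINDOW":
            if last > 1023:
                findings.append(f"{key}: must stay in the low ports (<1024)")
        elif last > 1023 and not non_reserved_ok:
            # Assumption: 1024 and above is treated as unprivileged.
            findings.append(f"{key}: unprivileged ports without ALLOW_NON_RESERVED_PORTS")
    return findings

if __name__ == "__main__":
    for finding in check_port_windows(SAMPLE_BP_CONF, streams=4):
        print(finding)
```

The firewall rule for the data range should match the window this check accepts, alongside 13782 TCP towards the clients and 13720 TCP towards the servers.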