[Veritas-bu] Backup through firewalls
2006-09-15 01:05:51
Subject: [Veritas-bu] Backup through firewalls
From: smpt at peppas.gr (smpt)
Date: Fri, 15 Sep 2006 07:05:51 +0200
Hi,
I've configured some firewalled NetBackup domains with vnetd and I never had any
problem with streams.
I haven't heard anyone mention the port model in ages. I had proposed this to some of
my customers, and when the firewall admin understood how many ports were needed, they
refused it immediately.
> -------Original Message-------
> From: David Rock <dave-bu at graniteweb.com>
> Subject: Re: [Veritas-bu] Backup through firewalls
> Sent: 14 Sep '06 23:06
>
> * Mark.Donaldson at cexp.com <Mark.Donaldson at cexp.com> [2006-09-14 13:48]:
> > There's a whole section on this in the SAG.
> >
> > Short answer, you need "bpcd" from the master or media server to the
> > client, "vnetd" the reverse direction.  You have to make sure you
> > configure the client for "no callback connections" via the bpclient
> > command or, no doubt, someplace in the GUI.
> >
> > Users on the client cannot perform their own restores using this.  I'm
> > told, but have not verified, that you can enable "bprd" from client to
> > master to allow this.
>
> Speaking as a backup guy who is now on the firewall team, using vnetd is
> by far the recommended way of dealing with the firewall.  If all you are
> dealing with is backup servers to client machine, the short list is:
>
> Server -> Client   port 13782 (bpcd)
> Client -> Server   ports 13724 (vnetd) and 13720 (bprd)
>
> Yes, client-initiated restores will work with just these ports.  If your
> backup servers are hanging off of a DMZ so that your admin clients using
> the Java GUI need to get access, you can also use:
>
> Admin Client -> Server ports 13722 (bpjava) and 13724 (vnetd)
>
> This will also require the /usr/openv/java/nbj.conf file setting of
> NBJAVA_CONNECT_OPTION=1 (default is 0)
>
> The only downside to vnetd that I have heard of but not seen personally
> is that you are limited to a single stream for backups, which could
> impact your backup model if you are trying to use NEW_STREAM file
> directives.  If that is the case, you can configure port ranges and I
> highly recommend using ALLOW_NON_RESERVED_PORTS as part of that.  Using
> low ports (<1024) by default is one of the stupidest things NBU ever did.
>
> --
> David Rock
> david at graniteweb.com
> _______________________________________________
> Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
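
An added example, not part of either post: a Python check that classifies new TCP connections from a firewall log against the port list quoted above, so flows outside it stand out during rule review. The role networks in ROLES and the sample flows are constructed assumptions.

```python
import ipaddress

# Port list from the quoted post: (source role, destination role) -> {port: daemon}
MATRIX = {
    ("server", "client"): {13782: "bpcd"},
    ("client", "server"): {13724: "vnetd", 13720: "bprd"},
    ("admin", "server"): {13722: "bpjava", 13724: "vnetd"},
}

# Assumption: constructed addressing plan mapping networks to roles.
ROLES = {
    "server": ipaddress.ip_network("10.0.0.0/28"),
    "client": ipaddress.ip_network("192.168.50.0/24"),
    "admin": ipaddress.ip_network("10.9.9.0/24"),
}

def role_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((r for r, net in ROLES.items() if ip in net), "unknown")

def classify(flow):
    """flow is 'src_ip src_port dst_ip dst_port' for one new TCP connection."""
    src, sport, dst, dport = flow.split()
    sport, dport = int(sport), int(dport)
    pair = (role_of(src), role_of(dst))
    daemon = MATRIX.get(pair, {}).get(dport)
    if daemon:
        # The post notes NBU uses source ports below 1024 by default.
        note = "reserved source port" if sport < 1024 else "ok"
        return ("allow", daemon, note)
    if pair == ("client", "server"):
        # Client-to-server traffic that is not vnetd/bprd: the thread says the
        # client must be set to "no callback connections".
        return ("deny", None, "check no-callback setting on client")
    return ("deny", None, "%s -> %s port %d not in list" % (pair[0], pair[1], dport))

# Constructed sample flows, not taken from a real log.
SAMPLE = [
    "10.0.0.2 45012 192.168.50.7 13782",
    "10.0.0.2 901 192.168.50.7 13782",
    "192.168.50.7 51000 10.0.0.2 13724",
    "192.168.50.7 51001 10.0.0.2 4973",
    "10.9.9.20 40000 10.0.0.2 13722",
    "10.9.9.20 40001 192.168.50.7 13782",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", classify(line))
```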