Veritas-bu

[Veritas-bu] Backup through firewalls

2006-09-15 08:46:46
Subject: [Veritas-bu] Backup through firewalls
From: jlightner at water.com (Jeff Lightner)
Date: Fri, 15 Sep 2006 08:46:46 -0400
Step by step notes I wrote when I did this:

FYI the following is what I did in NetBackup for backing up a client in the 
firewall.  
     Open NetBackup Java GUI 
     Go to Host Properties
     Go to Master Servers
     Double click on the master server.
     In Master Server Properties box go to Client Attributes
     Click Add
     Type in name of client(s) and hit enter to add to list.
     Select (highlight) the client(s) from list
     Under BPCD Connect Back click the VNETD Port radio button
     Click OK.
     Exit and you're done with the GUI.
     After that at command line on the master server run 
       "bprdreq  -rereadconfig".
       (Note - this worked but manual and Datalink indicated 
        bouncing daemons is the only SURE way to do it.
        Datalink said it works "sometimes".)

Also, for the above to work you must open the following ports on the firewall:
Media >> Client
13782 (bpcd)

Client >> Media
13724 (vnetd)

Media being the media server (which is the master server in our case).

We also did this recently on some Linux clients on firewall so I have notes on 
iptables config if you need that.

-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu [mailto:veritas-bu-bounces 
at mailman.eng.auburn.edu] On Behalf Of smpt
Sent: Friday, September 15, 2006 1:06 AM
To: David Rock; 
Subject: Re: [Veritas-bu] Backup through firewalls

Hi,
I've configured some firewalled NetBackup domains with vnetd and I never had any 
problem with streams. 

It has been ages since I heard anyone mention the port model. I had proposed this to some of 
my customers and when the firewall admin understood how many ports were needed they 
refused it immediately.


>  -------Original Message-------
>  From: David Rock <dave-bu at graniteweb.com>
>  Subject: Re: [Veritas-bu] Backup through firewalls
>  Sent: 14 Sep '06 23:06
>  
>  * Mark.Donaldson at cexp.com <Mark.Donaldson at cexp.com> [2006-09-14 13:48]:
>  > There's a whole section on this in the SAG.
>  >
>  > Short answer, you need "bpcd" from the master or media server to the
>  > client, "vnetd" the reverse direction.  You have to make sure you
>  > configure the client for "no callback connections" via the bpclient
>  > command or, no doubt, someplace in the GUI.
>  >
>  > Users on the client cannot perform their own restores using this.  I'm
>  > told, but have not verified, that you can enable "bprd" from client to
>  > master to allow this.
>  
>  Speaking as a backup guy who is now on the firewall team, using vnetd is
>  by far the recommended way of dealing with the firewall.  If all you are
>  dealing with is backup servers to client machine, the short list is:
>  
>  Server -> Client   port 13782 (bpcd)
>  Client -> Server   ports 13724 (vnetd) and 13720 (bprd)
>  
>  Yes, client-initiated restores will work with just these ports.  If your
>  backup servers are hanging off of a DMZ so that your admin clients using
>  the Java GUI need to get access, you can also use:
>  
>  Admin Client -> Server ports 13722 (bpjava) and 13724 (vnetd)
>  
>  This will also require the /usr/openv/java/nbj.conf file setting of
>  NBJAVA_CONNECT_OPTION=1 (default is 0)
>  
>  The only downside to vnetd that I have heard of but not seen personally
>  is that you are limited to a single stream for backups, which could
>  impact your backup model if you are trying to use NEW_STREAM file
>  directives.  If that is the case, you can configure port ranges and I
>  highly recommend using ALLOW_NON_RESERVED_PORTS as part of that.  Using
>  low ports (<1024) by default is one of the stupidest things NBU ever did.
>  
>  --
>  David Rock
>  david at graniteweb.com
_______________________________________________
Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
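
The port matrix from this thread, expressed as host-firewall rules for a Linux client. This is an added example, not code from any poster in the thread or from Veritas. It assumes the client's INPUT and OUTPUT chains default to DROP and already accept ESTABLISHED,RELATED traffic; `client_rules`, `valid_ipv4` and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables-save style rules for a
# Linux NetBackup client, using the vnetd port matrix quoted above.
# Assumed: INPUT/OUTPUT default to DROP and an ESTABLISHED,RELATED accept rule
# already exists; 192.0.2.10 is a constructed documentation address.

BPCD=13782   # media server -> client
VNETD=13724  # client -> media server (connect-back)
BPRD=13720   # client -> server, only for client-initiated restores

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# client_rules SERVER_IP [yes|no]: second argument enables the bprd rule.
client_rules() {
    server=$1 restores=${2:-no}
    if ! valid_ipv4 "$server"; then
        echo "refusing to emit rules for bad address: $server" >&2
        return 2
    fi
    # Every rule is pinned to the one server address, never 0.0.0.0/0.
    echo "-A INPUT -s $server -p tcp --dport $BPCD -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -d $server -p tcp --dport $VNETD -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$restores" = yes ]; then
        echo "-A OUTPUT -d $server -p tcp --dport $BPRD -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

client_rules "${1:-192.0.2.10}" "${2:-yes}"
```

The output is meant to be merged into the filter table of an existing ruleset; leaving the second argument at `no` keeps port 13720 closed when client-initiated restores are not needed.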