FastBack DR with FTPS v Firewall

mccleld (ADSM.ORG Senior Member; joined Jun 24, 2003; 256 messages; location: London, UK)

Hi Guys,

I'm curious to learn if anybody else here is using the FastBack DR capability through a firewall, and whether you've been able to get it to support FastBack's encryption capability (i.e., FTP over SSL, aka FTPS).

I'm having a torrid time of it - seems as though FTPS is pretty horrendous when it comes to playing ball with firewalls - which for me makes it a puzzling choice as a protocol for a DR capability where there's a good likelihood of firewalls being in the data path between live and DR locations.

It works fine through the firewall when using standard FTP (the firewall admins have opened up FTP for my hosts), but we're all at a loss as to how best to manage the FTPS connection, in particular its use of so many ports. I'm wondering if anyone else has already been here and, if so, how they worked through it.

Many thanks,
___________
David Mc
London, UK

Okay, I've an update on this in case it may aid anyone else who goes through this pain.

In summary (and, not being a network/firewall guy, apologies if I'm a little vague in some areas): many firewalls snoop on the FTP control connection packets going over port 21 and thereby keep track of which ports are being used by the data connection, to ensure that they are allowed through the firewall. However, with FTPS this control connection is secured, so firewalls cannot inspect the packets and therefore the dynamic ports of the data channels cannot be opened automatically. This will cause a problem in shops where firewalls are locked down as much as possible, particularly when data is travelling inter-site, as is likely to be the case with a DR mechanism where encryption is also a likely requirement.

One solution that we came up with was to add a rule telling the firewall that traffic over port 21 between two specified hosts (FastBack Server and FastBack DR Hub) was generic traffic (i.e., not FTP/FTPS), so that it didn't try to snoop on the packets. Furthermore, the FTP server (FTP Server 7.5 in IIS 7.0 in this instance) was configured to use a restricted data channel port range (as per http://forums.iis.net/t/1157414.aspx), which was also opened between these two hosts.

Hope this helps - again, if anyone else has been through anything along these lines it'd be great to hear your experiences.

Cheers,
___________
David Mc
London, UK
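To make the mechanism in the post above concrete, here is an added illustration (not code from the thread, from FastBack, or from IIS) that models what a firewall's FTP application-layer gateway does with the control channel. It parses passive-mode replies from a plaintext FTP session to learn the data port, shows that after the server accepts AUTH TLS there is nothing left to parse, and then evaluates whether a data connection would pass under the two policies the poster contrasts: dynamic pinholes learned by the ALG versus a static rule for a restricted passive port range between the two hosts. The host addresses, the 5000-5100 range and the control-channel transcripts are constructed sample values, not figures from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses for the two endpoints the post describes
# (hypothetical values, not taken from the thread).
FASTBACK_SERVER = "10.1.1.10"   # initiates the control connection (client side)
DR_HUB = "10.2.2.20"            # IIS FTP server at the DR site

# Passive-mode replies an FTP helper looks for on TCP/21 (RFC 959 PASV, RFC 2428 EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass
class FtpAlg:
    """Model of a stateful firewall's FTP helper watching the control channel."""
    encrypted: bool = False
    pinholes: set = field(default_factory=set)   # data ports learned so far

    def observe(self, line: str):
        """Feed one server reply; return a newly learned data port, or None."""
        if self.encrypted:
            # After TLS is negotiated the helper sees only ciphertext.
            return None
        if line.startswith("234 "):
            # Server accepted AUTH TLS (RFC 4217); everything after this is opaque.
            self.encrypted = True
            return None
        m = PASV_RE.match(line)
        if m:
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.pinholes.add(port)
            return port
        m = EPSV_RE.match(line)
        if m:
            port = int(m.group(1))
            self.pinholes.add(port)
            return port
        return None


@dataclass(frozen=True)
class StaticRule:
    """Explicit allow rule: src -> dst on TCP ports low..high inclusive."""
    src: str
    dst: str
    low: int
    high: int

    def matches(self, src: str, dst: str, port: int) -> bool:
        return src == self.src and dst == self.dst and self.low <= port <= self.high


def run_control_session(lines):
    """Replay server replies through the ALG and return its final state."""
    alg = FtpAlg()
    for line in lines:
        alg.observe(line)
    return alg


def data_connection_allowed(alg, rules, src, dst, port) -> bool:
    """Would the firewall pass a new data connection src -> dst:port?"""
    if port in alg.pinholes:          # dynamic pinhole opened by the helper
        return True
    return any(r.matches(src, dst, port) for r in rules)   # static rule


# Constructed control-channel transcripts (server replies as seen on TCP/21).
PLAIN_FTP = [
    "220 Microsoft FTP Service",
    "230 User logged in.",
    "227 Entering Passive Mode (10,2,2,20,19,137).",   # 19*256 + 137 = 5001
]
FTPS = [
    "220 Microsoft FTP Service",
    "234 AUTH command ok. Expecting TLS Negotiation.",
    "\x16\x03\x01...",   # TLS handshake, then encrypted PASV/227 exchange
    "\x17\x03\x03...",
]

# The post's mitigation: a restricted passive range opened only between the two hosts.
RESTRICTED_RANGE = StaticRule(FASTBACK_SERVER, DR_HUB, 5000, 5100)

if __name__ == "__main__":
    plain = run_control_session(PLAIN_FTP)
    secure = run_control_session(FTPS)
    print("plain FTP pinholes:", sorted(plain.pinholes))
    print("FTPS pinholes:", sorted(secure.pinholes), "(encrypted =", secure.encrypted, ")")
    for rules, label in (([], "ALG only"), ([RESTRICTED_RANGE], "ALG + static range")):
        ok = data_connection_allowed(secure, rules, FASTBACK_SERVER, DR_HUB, 5001)
        print(f"FTPS data connection to 5001 with {label}: {'allowed' if ok else 'blocked'}")
```

The model deliberately leaves out the second half of the poster's fix (marking port 21 between the two hosts as generic traffic so the helper does not try to parse it at all); in this toy, an ALG that cannot parse a line simply learns nothing, whereas some real firewalls will reset a control connection whose payload no longer looks like FTP, which is why both changes were needed. The static rule only helps because the server side was pinned to a small passive range; with IIS's default behaviour of picking any ephemeral port, the rule would have to cover far more than 101 ports.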