
FastBack DR with FTPS v Firewall

Discussion in 'TSM Fastback' started by mccleld, Oct 18, 2010.

  1. mccleld

    mccleld Member

    Joined:
    Jun 24, 2003
    Messages:
    261
    Likes Received:
    7
    Occupation:
    Data Protection Specialist
    Location:
    London, UK
    Hi Guys,

    I'm curious to learn if anybody else here is using the FastBack DR capability through a firewall, and whether you've been able to get it to support FastBack's encryption capability (i.e., FTP over SSL, aka FTPS).

    I'm having a torrid time of it - seems as though FTPS is pretty horrendous when it comes to playing ball with firewalls - which for me makes it a puzzling choice as a protocol for a DR capability where there's a good likelihood of firewalls being in the data path between live and DR locations.

    It works fine through the firewall when using standard FTP (the firewall admins have opened up FTP for my hosts) but we're all at a loss as to how best to manage the FTPS connection, in particular its use of so many ports. I'm wondering if anyone else has already been here and, if so, how they worked through it.

    Many thanks,
    ___________
    David Mc
    London, UK
     
  3. mccleld

    Okay, I've an update on this in case it may aid anyone else who goes through this pain.

    In summary (and, not being a network/firewall guy, apologies if I'm a little vague in some areas), many firewalls snoop in on the FTP control connection packets going over port 21 and thereby keep track of which ports are being used by the data connection to ensure that they are allowed through the firewall. However, with FTPS this control connection is secured so that firewalls cannot inspect the packets and therefore the dynamic ports of data channels cannot be opened automatically. This will cause a problem in shops where firewalls are locked down as much as possible - particularly when data is travelling inter-site, as is likely to be the case with a DR mechanism where encryption is also a likely requirement. One solution that we came up with was to add a rule telling the firewall that traffic over port 21 between two specified hosts (FastBack Server and FastBack DR Hub) was generic traffic (i.e., not FTP/FTPS) so that it didn't try to snoop on the packets - furthermore, the FTP server (FTP Server 7.5 in IIS 7.0 in this instance) was configured to use a restricted data channel port range (as per http://forums.iis.net/t/1157414.aspx) which was also opened between these two hosts.

    Hope this helps - again, if anyone else has been through anything along these lines it'd be great to hear your experiences.

    Cheers,
    ___________
    David Mc
    London, UK
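The IIS side of the workaround described in the post above, as an added example (not code from the original poster or from IBM/Microsoft): pin the FTP 7.5 passive data-channel range and open it, plus port 21, only between the two FastBack hosts on the DR hub's Windows Firewall. The host addresses, port range and rule names are placeholders; the perimeter rule that stops the firewall treating port 21 as FTP is vendor-specific and is not shown.

```powershell
# Added example, not part of the original thread. Placeholders (assumptions):
# the two host addresses (RFC 5737 test addresses), the 50000-50050 range and
# the rule names are constructed; substitute your own values.
$FastBackServer = "192.0.2.10"   # FastBack Server (placeholder)
$DrHub          = "192.0.2.20"   # FastBack DR Hub running IIS FTP 7.5 (placeholder)
$LowPort        = 50000
$HighPort       = 50050
$AppCmd         = "$env:windir\System32\inetsrv\appcmd.exe"

# 1. Make FTP 7.5 advertise passive data ports only from a small fixed range.
#    Because the control channel is under TLS, the firewall cannot learn the
#    port from the PASV reply, so the range has to be known up front.
#    system.ftpServer/firewallSupport is a server-level section; the Microsoft
#    FTP Service (ftpsvc) must be restarted for the change to take effect.
& $AppCmd set config -section:system.ftpServer/firewallSupport `
    /lowDataChannelPort:$LowPort /highDataChannelPort:$HighPort
Restart-Service -Name ftpsvc

# 2. On the DR hub, allow the control channel and the fixed data range inbound
#    only from the FastBack Server. Any other source is still blocked, which
#    keeps the exposure of the opened range to the one expected peer.
netsh advfirewall firewall add rule name="FastBack DR - FTPS control" `
    dir=in action=allow protocol=TCP localport=21 remoteip=$FastBackServer
netsh advfirewall firewall add rule name="FastBack DR - FTPS data range" `
    dir=in action=allow protocol=TCP localport="$LowPort-$HighPort" `
    remoteip=$FastBackServer

# 3. Confirm the range the FTP service will now hand out in PASV replies;
#    the same range must be permitted on the inter-site firewall between
#    $FastBackServer and $DrHub.
& $AppCmd list config -section:system.ftpServer/firewallSupport
```

Run it in an elevated PowerShell session on the DR hub; if the hub sits behind NAT, the site's externalIp4Address setting in the same IIS firewall-support configuration also needs to carry the address the FastBack Server actually connects to.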
     
