How to configure firewall on RHEL7 backup-archive client

jeinhorn (ADSM.ORG Member, joined Apr 4, 2014)
Greetings, Gurus -

Our TSM Server is version 6.4.1.0 running on RHEL 6.

Recently I installed the backup-archive client version 7.1.2 on a virtual machine running RHEL 7. If I disable the firewall, I can initiate backups from the TSM server. But with the firewall enabled, I cannot do the same.

dsm.opt on the client:
Code:
SErvername  tsmserv
 COMMMethod  TCPip
 TCPPort  1500
 TCPServeraddress  <omitted>
 TCPBuffsize  32
 TCPWindowsize  64
 TCPNodelay  Yes
 TCPCLIENTADDRESS  <omitted>
 nodename  <omitted>
 ERRORLOGR  30 D
 ERRORLOGname  /tmp/dsmerror.log
 HTTPPort  1581
 Inclexcl  /opt/tivoli/tsm/client/ba/bin/inclexcl.list
 LargeCommBuffers  Yes
 ManagedServices  Webclient Schedule
 PASSWORDAccess  generate
 ResourceUtilization  5
 SCHEDMode  Prompted
 SCHEDLOGR  30 D
 SCHEDLOGname  /tmp/dsmsched.log
 TXNBytelimit  25600

I updated the firewall to allow TCP traffic through port 1500 as follows:
Code:
# firewall-cmd --zone=public --permanent --add-port=1500/tcp
success

# firewall-cmd --zone=public --add-port=1500/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp

# iptables-save | grep 1500
-A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT

Then I configured a backup schedule on the TSM server and defined an association with the client. The schedule reaches "Pending" status but the backup never runs. Nothing gets logged to /var/log/secure on the client.

Can anyone advise me on what I can do to enable server-initiated backups without disabling the firewall?

Many Thanks,
Janet
 
We know that the backup works when the firewall is not enabled.
I suspect that neither the manual nor the scheduled backup works when the firewall is enabled.
Is port 1501 open through the firewall?
The TSM Server listens on 1500.
The TSM Client listens on 1501.
On the firewall, open port 1501, enable the firewall, and then perform a manual backup.
If the manual backup works, the scheduled backup should also work.
To confirm this, perform a test scheduled backup.

ManagedServices Webclient Schedule

Notice that we are using the CAD daemon to manage the scheduled backup.
The WEBPORTS parameter needs to be set.

WEBPORTS <cadport> <agentport>

The first port is used for the Client Acceptor service, the second port is used for the Web Client Agent service.

If the WEBPORTS option isn't specified, the default value (0) is used for both ports. A random free port number is assigned for each port (in the range 1024 – 5000). An explicitly specified port can range from 1000 – 32767.

Not sure if the following tech doc will help or muddy the waters even more.
Tivoli Storage Manager client setup in a firewall environment

Good Luck,
Sias
 
Hello Sias / LED888 -

I am very grateful for your reply. Based on the info that you shared, I took the following steps:
  • updated my dsm.sys to include "WEBPORT 1552 1553"
  • updated the firewall on the backup-archive client as follows (the firewall is disabled on the TSM server). This may have been overkill, since I am still inexperienced with firewall commands and I could not figure out how to enable ports only for inbound or outbound traffic.
Code:
# firewall-cmd --zone=public --add-port=1500/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp

# firewall-cmd --zone=public --permanent --add-port=1501/tcp
success

# firewall-cmd --zone=public --add-port=1501/tcp
success

# firewall-cmd --zone=public --permanent --add-port=1552/tcp
success

# firewall-cmd --zone=public --add-port=1552/tcp
success

# firewall-cmd --zone=public --permanent --add-port=1553/tcp
success

# firewall-cmd --zone=public --add-port=1553/tcp
success

# firewall-cmd --zone=public --list-ports
1500/tcp 1552/tcp 1501/tcp 1553/tcp

# iptables-save | egrep "1500|1501|1552|1553"
-A IN_public_allow -p tcp -m tcp --dport 1500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1501 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1552 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1553 -m conntrack --ctstate NEW -j ACCEPT
  • Restarted the client acceptor daemon on the client ("systemctl restart dsmcad.service")
  • Configured an incremental backup schedule on the TSM server, associated this schedule with the client
SUCCESS! The schedule executed to completion.

From my perspective, this thread may be closed, and you should get credit for providing a useful response.

Thanks Again,
Janet
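The two posts above together give the rule for a client-side firewall in this setup: firewalld's default zones filter inbound connections only, so the client needs inbound rules just for the ports it listens on, which are TCPCLIENTPORT (1501 by default, the port Sias points to) and the two WEBPORTS values; 1500 is the server's listener and the client's outbound connection to it is unaffected by the client's own firewall. The POSIX shell script below is an added example, not code from the thread or from IBM: it reads a constructed dsm.sys stanza, derives the client's listening ports (refusing when a WEBPORTS entry is 0, because a randomly assigned port cannot be pre-opened), emits firewalld rich rules that admit those ports only from the TSM server address (a placeholder here) instead of a blanket `--add-port`, and checks `--list-ports` output for anything still missing. The commands are printed, not executed, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): derive the inbound TCP ports a TSM
# backup-archive client listens on and emit least-privilege firewalld rules.
# Assumptions: TCPCLIENTPORT defaults to 1501 when unset; WEBPORTS holds
# "<cadport> <agentport>" and a value of 0 means a random port at start-up.

# Constructed sample stanza (not the poster's real file; address is a placeholder).
SAMPLE_DSM_SYS='SErvername  tsmserv
   COMMMethod        TCPip
   TCPPort           1500
   TCPServeraddress  tsm.example.invalid
   SCHEDMode         Prompted
   ManagedServices   Webclient Schedule
   WEBPORTS          1552 1553
'

# Print the client's listening ports, space separated: TCPCLIENTPORT, then the
# CAD port and the agent port from WEBPORTS. Returns 1 when either WEBPORTS
# entry is 0 or missing, since a random port cannot be opened in advance.
tsm_client_inbound_ports() {
    stanza=$1
    clientport=$(printf '%s\n' "$stanza" | awk 'toupper($1)=="TCPCLIENTPORT" {print $2; exit}')
    [ -n "$clientport" ] || clientport=1501
    webports=$(printf '%s\n' "$stanza" | awk 'toupper($1)=="WEBPORTS" {print $2, $3; exit}')
    set -- $webports
    cad=${1:-0}
    agent=${2:-0}
    if [ "$cad" = 0 ] || [ "$agent" = 0 ]; then
        return 1
    fi
    printf '%s %s %s\n' "$clientport" "$cad" "$agent"
}

# Emit (do not run) firewalld commands that accept the listed ports only from
# the TSM server's address; a bare --add-port would accept them from any host.
# Permanent rules are written once and activated with a single --reload.
firewalld_rules_for() {
    server=$1
    shift
    for p in "$@"; do
        printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$server" "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Given the output of "firewall-cmd --zone=public --list-ports" and the required
# ports, print each port that is not yet open (no output means all are open).
missing_ports() {
    listed=$1
    shift
    for p in "$@"; do
        case " $listed " in
            *" $p/tcp "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Stand-alone demonstration: 192.0.2.10 stands in for the TSM server address and
# the --list-ports line is a constructed sample showing only 1500 open so far.
if ports=$(tsm_client_inbound_ports "$SAMPLE_DSM_SYS"); then
    firewalld_rules_for 192.0.2.10 $ports
    echo "still missing: $(missing_ports '1500/tcp' $ports | tr '\n' ' ')"
else
    echo "WEBPORTS must name two fixed ports before the firewall can be configured" >&2
fi
```

Run it as `sh tsm_client_fw.sh` (hypothetical file name); on the client it would be fed the real dsm.sys with `tsm_client_inbound_ports "$(cat /opt/tivoli/tsm/client/ba/bin/dsm.sys)"` and the printed commands reviewed before being run as root. The rich-rule form is the check a defender wants here: the ports the client accepts connections on stay closed to everything except the TSM server.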
 