here what IBM say form node in a DMZ:
- for B/A, GUI & API client connection firewall must allow port 1500 (or
modified one) connection initiated from client's side
- for scheduler in prompted mode - port 1501 and connection initiated from
server (!!!) side + B/A client (1500 in opposite direction)
- for Web Administrtive interface - port 1580 and connection initiated
from browser to server
- for Web client - port 1581 and connection from browser to client + B/A
client (1500)
- for T/EC events things are harder - if TEC server is using portmap
firewall should allow both portmapper port 111 and TEC server port, if not
TECPORT has to be set in dsmserv.opt and firewall must not block this port
from TSM server to TEC server.
Statements from the docks are not completely correct. However they are
true for usual firewall configurations. Again - FW admin's good will and
ability to do their job are important.
All our clients use POLLING for SCHEDMODE. (I.e., client contacts the server
first).
By default, the client and server communicate on port 1500.
All the firewall guy had to do was create a rull that allows TCP/IP traffic
through the firewall for port 1500 for the particular client address.
If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501.
If you want to use the web client to do TSM backups/restores remotely, that
uses port 1581.
All those ports are configurable, i.e., you can tell TSM client and server
to use different ports if you want.
Depending on your firewall config, you may also have to increase the default
firewall timeout for TSM.
hope its help