We are trying to develop an approach to backup the
clients who are in the DMZ via TSM server sitting
inside the firewall.  Please comment on the following
strategy:


To backup the Clients in DMZ from TSM Lib located
within the Intranet, install the TSM client on the
Client in DMZ and open a port in the firewall.
Additionally, use data encryption.   To do this, you
would use the include.exclude and exclude.encrypt
options in your options file. . The encryption key for
these can either be stored locally on your machine or
prompted for each time a backup or restore is
attempted. This is set with encryptkey option in your
options file.

TSM clients in DMZ should not be allowed do any
administrative function.   You can only prevent the
client from deleting backups and archives. This can be
performed by running (on the TSM server): update node
<nodename> archdelete=no backdelete=no .

Note:  You could also change password=prompt in the
client options file to require a password before a
client could perform any actions.  Not recommended
though.   Additionally, since the TSM server address
is required in client options file, you  can't hide
information about the TSM server, in case of security
breach.

ANY BETTER IDEA is appreciated.  Additionally, any red
flags in the strategy.

Thanks in Advance.
Jas
jaz.makkar AT eds DOT com