Search www.adsm.org and you will find more complete discussion of this
issue.
It's pretty simple; you just have to set up a "hole" in your firewall that
allows the traffic.

All our clients use POLLING for SCHEDMODE. (I.e., client contacts the server
first).
By default, the client and server communicate on port 1500.
All the firewall guy had to do was create a rull that allows TCP/IP traffic
through the firewall for port 1500 for the particular client address.

If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501.
If you want to use the web client to do TSM backups/restores remotely, that
uses port 1581.

All those ports are configurable, i.e., you can tell TSM client and server
to use different ports if you want.

Depending on your firewall config, you may also have to increase the default
firewall timeout for TSM.
Some firewall software will automatically close the connection after n
minutes, if there is no traffic; it is not uncommon for a TSM client to go
"silent" for a while as it noodles around in the client directory looking
for things to back up.  Symptoms of that problem:  on the client in
dsmsched.log you will see that during the backup the TSM session is
terminated, then it reconnects and backs up some more, then gets
disconnected, then reconnects, etc. many times during the backup window.
May or may not ever finish the backup completely.  Increase the firewall
timeout so that the firewall doesn't close the connection.

Check adsm.org for more discussion.

************************************************************************
Wanda Prather
The Johns Hopkins Applied Physics Lab
443-778-8769
wanda_prather AT jhuapl DOT edu

"Intelligence has much less practical application than you'd think" -
Scott Adams/Dilbert
************************************************************************