ADSM-L

Re: Question about backup scenario (long)

2002-10-17 17:19:30
Subject: Re: Question about backup scenario (long)
From: Alex Paschal <AlexPaschal AT FREIGHTLINER DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 17 Oct 2002 14:07:36 -0700
Let me get this straight.  They're willing to do one outside-initiated IP-IP
rule on the firewall (your server-server communication), they're just not
willing to do multiple IP-IP port-limiting rules, one for each client?

Then what about dropping a second NIC in each client and in the TSM server,
then create a private segment or VLAN?  It can be packet/IP filtered pretty
easily and cheaply if desired, and if the segment is switched, you don't
have to worry too much about packet sniffing.  Personally, I think having a
DMZ TSM server is overkill.

Heh, heh, heh.  Just thought of something.  Drop in a NAT router/firewall in
the DMZ, define a route for all your DMZ clients to use that router to talk
to TSM.  Voila, only one outside IP-IP rule through the firewall, from the
NAT to your TSM server, basically what you have now.  Nice, eh?  But
personally, I think the second NIC idea is better.

Another possibility is a SAN to share your tape, library, and, if you like,
your diskpools (using SANergy).  Then your external TSM server can have
access to the tape without having to buy a second library, and you'll get
your collocation.

Alex Paschal
Storage Administrator
Freightliner, LLC
(503) 745-6850 phone/vmail

-----Original Message-----
From: Peter Bjoern [mailto:pebjn AT WMDATASDC DOT DK]
Sent: Thursday, October 17, 2002 9:00 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Question about backup scenario (long)


>Have you thought about having the clients in
>question being backed up directly to the internal TSM server? It would mean
>having TCP ports 1500 and 1501 open.

Hi Mark

That was our first preference (seen from a functionality point of view),
however having those ports open from all the clients to the internal side
is unacceptable to the network security people since it would involve having
to allow sessions being initiated from clients on the outside to the server on
the inside and they will not allow outside initiated connections.

The solution with the external server placed between two firewalls and other stuff
where you only needed to permit traffic from one IP to one IP on specific ports
was the only way to transport data from the outside to the inside that
could be approved.

Regards

Peter