ADSM-L

Re: Firewall backups

2004-04-21 23:08:29
Subject: Re: Firewall backups
From: Sal Mangiapane <salm AT VITALDS DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 21 Apr 2004 23:06:07 -0400
We operate through firewalls differently:

We have a small VPN device that we use to create an IPSec VPN tunnel and only
have entries in the firewall for this tunnel, then we run all ITSM traffic
through the tunnel. Makes for simpler firewall settings and adds extra security
because username/password is sent as plain text by ITSM.

You will also want to limit the Web-GUI client for security reasons too
(plain text -- too).

I can provide more details, contact me directly:

salm(at)vitalds(dot)com or 724-758-3981

Sal
Vital Data Systems


> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
> Gill, Geoffrey L.
> Sent: Wednesday, April 21, 2004 6:43 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Firewall backups
>
>
> We're trying to get backups running outside a firewall and below are the
> results of a test. The network folks sent me this log to show the ports
> which are communicating during backup. On the left is the server IP, on the
> right is the client IP.
>
> The client settings are below. The question is how to get all to communicate
> on one specified port so they can tighten down ACLs. I've read the write-up
> on this and thought everything was set properly but I must be missing
> something. If someone has advice it would be greatly appreciated.
>
>
>
> Thanks,
>
>
>
> COMMmethod                           TCPIP
>
> TCPServeraddress                     xxx.xxx.xxx.xxx
>
> TCPCLIENTADDRESS               xxx.xxx.xxx.xxx
>
> WEBPORTS                             1582,1583
>
> TCPPort                                    1500
>
> TCPCLIENTPORT                      1501
>
> HTTPPort                                  1581
>
>
>
> Apr 20 17:04:50 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37317) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:04:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2200), 1 packet
>
> Apr 20 17:05:04 PDT: list TSM-Filter denied tcp xxx.xxx.xxx.xxx(37316) ->
> xxx.xxx.xxx.xxx(1501), 2 packets
>
> Apr 20 17:05:04 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37317) ->
> xxx.xxx.xxx.xxx(1501), 4 packets
>
> Apr 20 17:05:04 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2200), 5648 packets
>
> Apr 20 17:05:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37318) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:05:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37319) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:06:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37320) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:06:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37321) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:07:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37322) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:07:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37323) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:08:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37324) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:08:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37325) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:09:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37326) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:09:51 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37327) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:10:06 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2200), 61959 packets
>
> Apr 20 17:10:21 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(37328) ->
> xxx.xxx.xxx.xxx(1501), 1 packet
>
> Apr 20 17:10:25 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2235), 1 packet
>
> Apr 20 17:10:41 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2235), 8 packets
>
> Apr 20 17:10:41 PDT: list TSM-Filter permitted tcp xxx.xxx.xxx.xxx(1500) ->
> xxx.xxx.xxx.xxx(2200), 2586 packets
>
>
>
> Geoff Gill
> TSM Administrator
> NT Systems Support Engineer
> SAIC
> E-Mail:   gillg AT saic DOT com
> Phone:  (858) 826-4062
> Pager:   (877) 854-0975
>
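
An added example, not part of either poster's message: a Python script that reads ACL log entries of the shape quoted above and groups them by the configured client-option port found on either end, so entries that touch no configured port stand out. The addresses and the final log entry are constructed, since the thread masks the real ones.

```python
import re
from collections import defaultdict

# Ports named in the client options quoted in the thread.
CONFIGURED = {1500: "TCPPort", 1501: "TCPCLIENTPORT", 1581: "HTTPPort",
              1582: "WEBPORTS", 1583: "WEBPORTS"}

# One ACL log entry in the quoted shape; \s also spans mail line-wrapping.
ENTRY = re.compile(
    r"list\s+\S+\s+(?P<action>permitted|denied)\s+\w+\s+"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s*(?P<pkts>\d+)\s+packets?")

# Constructed sample: 192.0.2.10 stands in for the server, 198.51.100.20 for
# the client; the final entry is invented to exercise the "unanchored" path.
SAMPLE = """\
Apr 20 17:04:50 PDT: list TSM-Filter permitted tcp 192.0.2.10(37317) ->
198.51.100.20(1501), 1 packet
Apr 20 17:05:04 PDT: list TSM-Filter denied tcp 192.0.2.10(37316) -> 198.51.100.20(1501), 2 packets
Apr 20 17:05:04 PDT: list TSM-Filter permitted tcp 192.0.2.10(1500) -> 198.51.100.20(2200), 5648 packets
Apr 20 17:10:41 PDT: list TSM-Filter permitted tcp 192.0.2.10(1500) -> 198.51.100.20(2235), 8 packets
Apr 20 17:11:00 PDT: list TSM-Filter denied tcp 192.0.2.10(40000) -> 198.51.100.20(2300), 3 packets
"""

def summarize(text, configured=CONFIGURED):
    """Return (packet counts per configured endpoint, entries with none)."""
    flows = defaultdict(lambda: {"permitted": 0, "denied": 0})
    unanchored = []
    for m in ENTRY.finditer(text):
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport in configured:    # packet sent to a configured port
            key = (m["dst"], dport, configured[dport])
        elif sport in configured:  # packet sent from a configured port
            key = (m["src"], sport, configured[sport])
        else:                      # neither end is a configured port
            unanchored.append((m["src"], sport, m["dst"], dport, m["action"]))
            continue
        flows[key][m["action"]] += int(m["pkts"])
    return dict(flows), unanchored

if __name__ == "__main__":
    flows, unanchored = summarize(SAMPLE)
    for (host, port, opt), n in sorted(flows.items()):
        print(f"{host}:{port} {opt}: {n['permitted']} permitted, {n['denied']} denied")
    for entry in unanchored:
        print("no configured port on either end:", entry)
```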
