That's the lowdown on the ports. Beautifully put by Davina as usual.
I would add that if you are doing large filesystem backups over the
firewall these may potentially run for longer than the firewall's TCP
timeout and sessions can be interrupted... To prevent this you should
set the tcp_keepalive interval on the **server** to something shorter
than the timeout - eg 30 minutes...
If we had a functioning FAQ for this list I reckon the firewall question
would be near the top of it.
-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT listserv.temple DOT edu] On
Behalf Of Davina Treiber
Sent: Monday, 13 November 2006 10:46 PM
To: NETWORKER AT listserv.temple DOT edu
Subject: Re: [Networker] sustained firewall config issues
You have misunderstood the instructions in the docs - which I have to
admit is easily done.
* UDP connections are never required, TCP ports are all that is
necessary. Forget UDP.
* The range from 10001-30000 are SOURCE ports, not destination ports. So
you shouldn't need to worry about these unless you also configured your
firewall based on source ports, something I think that is rarely done.
The docs are very confusing about this point. Forget about 10001 -
30000.
* By default, NetWorker needs the following ports opened between a
client and a server:
Server to client: TCP 7937-7938
Client to server: TCP 7937-9936.
* If you have storage nodes behind the firewall you need slightly more
ports:
Server to storage node: TCP 7937 - (7938 + 4*numdrives)
Storage node to server: TCP 7937 - 9936.
* If your company will allow it, I would recommend opening up those
ranges of ports and leaving it at that. It will all work beautifully
when set up that way. However if you MUST use a smaller range of ports,
then you need to start configuring nsrports as well. From experience I
have found that this works fine for filesystem backups but causes
sporadic failures for RMAN backups on all clients including those not
behind firewalls, which is why I would advise you to stick with the
default range if possible.
* If you do need to start messing with nsrports, remember that this
needs to be done on the NetWorker server, and that NetWorker needs to be
restarted afterwards. But I say again - use the defaults if you are
allowed to.
That really is all you need to know.... much simpler than it looks in
the admin guide.
Ty Young wrote:
>NetWorker 7.2.1 (Solaris) server
>NetWorker 7.2.1 (Solaris) storage node #1
>NetWorker 7.2.1 (Win2k3) storage node #2
>NetWorker 7.2.1 (Win2k3) clients
>
>All,
>
>I have lingering firewall issues and I can't make sense of them. I've
>read and I believe followed the directions in the Windows Admin guide on
>setting up firewalls for NetWorker, which basically seem to indicate that
>you need to open up a couple of ranges of ports, 7937 to (7937+x) and 10001
>to (10001+y), both TCP and UDP, bidirectionally.
>
>I've done that, and I've also configured storage node #2 (behind a
>firewall) with nsrports -S 7937-7970 -C 10001-10050 as well as the clients
>(which are behind a second firewall.) Lastly, I've re-started the
>services on all boxes to be sure they're freshly loaded with the right
>config out of nsrla.res.
>
>What's happening (still) is that I cannot perform a savegrp backup. I get
>RPC failures:
>
> 157. sudo savegrp -vvvv -p -l full -c lendb01 -G GOLD-xxxxxx_Bkups
>Password:
>lendb01:All level=full
>11/09/06 16:07:55 savegrp: Run up to 24 clients in parallel
>11/09/06 16:07:55 savegrp: lendb01:probe
>started
>savefs -s dalsn004 -c lendb01 -g GOLD-xxxxxxx_Bkups -p -l full -R -v
>11/09/06 16:08:19 savegrp: command 'savefs -s dalsn004 -c lendb01 -g
>GOLD-xxxxxx_Bkups -p -l full -R -v ' for client lendb01 exited with return
>code 1.
>11/09/06 16:08:19 savegrp: lendb01:probe succeeded.
>* lendb01:All rcmd lendb01, user root: `savefs -s dalsn004 -c lendb01 -g
>GOLD-xxxxxx_Bkups -p -l full -R -v'
>* lendb01:All nsrexec: authtype
>* lendb01:All savefs: RPC error: Remote system error
>* lendb01:All savefs: Cannot access nsr server `dalsn004'
> savefs lendb01: failed.
>--- Probe Summary ---
>
>lendb01:All level=full, dn=-1, mx=0, vers=unknown,
>p=1
>lendb01:All level=full, pool=xxxxxx, save as of Thu Nov 9
>16:08:19 GMT-0600 2006
>lendb01:index level=full, dn=-1, mx=0, vers=unknown,
>p=1
>lendb01:index level=full, pool=xxxxxx, save as of Thu Nov 9
>16:08:19 GMT-0600 2006
>
>I would really appreciate any help you can give me. TIA
>
>
>Phillip T. ("Ty") Young, DMA
>Manager, Data Center and Backup/Recovery Services
>Information Services
>i2 Technologies, Inc.
>
>To sign off this list, send email to listserv AT listserv.temple DOT edu and
>type "signoff networker" in the body of the email. Please write to
>networker-request AT listserv.temple DOT edu if you have any problems
>with this list. You can access the archives at
>http://listserv.temple.edu/archives/networker.html or
>via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
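The port rules and the keepalive advice from this thread, as an added example that is not part of any poster's message: it derives the default destination TCP ranges given above (including the 4*numdrives term for storage nodes), reports which ports a firewall allow-list leaves uncovered, and checks a keepalive interval against a firewall idle timeout. The direction labels, rule tuple layout and sample rules are constructed for illustration, and the check assumes the default 7937-9936 range rather than one narrowed with nsrports.

```python
# Added example: required NetWorker TCP flows per the defaults quoted in the
# thread, audited against a constructed firewall allow-list.

DEFAULT_LOW, DEFAULT_HIGH = 7937, 9936  # default service port range from the thread


def required_flows(storage_node_drives=None):
    """Return {direction: (low, high)} of destination TCP ports to allow."""
    if storage_node_drives is None:
        return {"server->client": (7937, 7938),
                "client->server": (DEFAULT_LOW, DEFAULT_HIGH)}
    return {"server->storage_node": (7937, 7938 + 4 * storage_node_drives),
            "storage_node->server": (DEFAULT_LOW, DEFAULT_HIGH)}


def uncovered(required, allowed):
    """Sub-ranges of required (low, high) not covered by any allowed range."""
    gaps, cursor = [], required[0]
    for low, high in sorted(allowed):
        if high < cursor:
            continue              # range ends before the part still unchecked
        if low > required[1]:
            break                 # range starts past the end of what is needed
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= required[1]:
        gaps.append((cursor, required[1]))
    return gaps


def audit(rules, storage_node_drives=None):
    """rules: (direction, proto, low, high) tuples. UDP rules are ignored,
    since only TCP is needed; ranges are destination ports."""
    report = {}
    for direction, need in required_flows(storage_node_drives).items():
        allowed = [(lo, hi) for d, proto, lo, hi in rules
                   if d == direction and proto == "tcp"]
        report[direction] = uncovered(need, allowed)
    return report


def keepalive_ok(keepalive_seconds, firewall_idle_timeout_seconds):
    """Keepalives must fire before the firewall drops the idle session."""
    return keepalive_seconds < firewall_idle_timeout_seconds


# Constructed rule set resembling the narrowed ranges in the original question.
SAMPLE_RULES = [
    ("server->storage_node", "tcp", 7937, 7970),
    ("storage_node->server", "tcp", 7937, 7970),
    ("storage_node->server", "udp", 7937, 9936),
    ("storage_node->server", "tcp", 10001, 10050),
]
```

With the sample rules and a four-drive storage node, the server-to-storage-node direction is fully covered, while the reverse direction shows 7971-9936 as uncovered; the UDP rule and the 10001-10050 rule contribute nothing.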