Networker

Re: [Networker] sustained firewall config issues

2006-11-13 18:27:58
Subject: Re: [Networker] sustained firewall config issues
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Tue, 14 Nov 2006 10:22:21 +1100

That's the lowdown on the ports. Beautifully put by Davina as usual.

I would add that if you are doing large filesystem backups over the
firewall these may potentially run for longer than the firewall's TCP
timeout and sessions can be interrupted... To prevent this you should
set the tcp_keepalive interval on the **server** to something shorter
than the timeout - eg 30 minutes...

If we had a functioning FAQ for this list I reckon the firewall question
would be near the top of it. 

-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT listserv.temple DOT edu] On
Behalf Of Davina Treiber
Sent: Monday, 13 November 2006 10:46 PM
To: NETWORKER AT listserv.temple DOT edu
Subject: Re: [Networker] sustained firewall config issues

You have misunderstood the instructions in the docs - which I have to 
admit is easily done.

* UDP connections are never required, TCP ports are all that is 
necessary. Forget UDP.

* The range from 10001-30000 are SOURCE ports, not destination ports. So
you shouldn't need to worry about these unless you also configured your
firewall based on source ports, something I think that is rarely done.
The docs are very confusing about this point. Forget about 10001-30000.

* By default, NetWorker needs the following ports opened between a 
client and a server:
Server to client: TCP 7937-7938
Client to server: TCP 7937-9936.

* If you have storage nodes behind the firewall you need slightly more 
ports:
Server to storage node: TCP 7937 - (7938 + 4*numdrives)
Storage node to server: TCP 7937 - 9936.

* If your company will allow it, I would recommend opening up those 
ranges of ports and leaving it at that. It will all work beautifully 
when set up that way. However if you MUST use a smaller range of ports, 
then you need to start configuring nsrports as well. From experience I 
have found that this works fine for filesystem backups but causes 
sporadic failures for RMAN backups on all clients including those not 
behind firewalls, which is why I would advise you to stick with the 
default range if possible.

* If you do need to start messing with nsrports, remember that this
needs to be done on the NetWorker server, and that NetWorker needs to be
restarted afterwards. But I say again - use the defaults if you are
allowed to.

That really is all you need to know.... much simpler than it looks in 
the admin guide.


Ty Young wrote:

>NetWorker 7.2.1 (Solaris) server
>NetWorker 7.2.1 (Solaris) storage node #1
>NetWorker 7.2.1 (Win2k3) storage node #2
>NetWorker 7.2.1 (Win2k3) clients
>
>All,
>
>I have lingering firewall issues and I can't make sense of them.   I've
>read and I believe followed the directions in the Windows Admin guide on
>setting up firewalls for NetWorker, which basically seem to indicate that
>you need to open up a couple of ranges of ports, 7937 to (7937+x) and 10001
>to (10001+y), both TCP and UDP, bidirectionally.
>
>I've done that, and I've also configured storage node #2 (behind a
>firewall) with nsrports -S 7937-7970 -C 10001-10050 as well as the clients
>(which are behind a second firewall.)   Lastly, I've re-started the
>services on all boxes to be sure they're freshly loaded with the right
>config out of nsrla.res.
>
>What's happening (still) is that I cannot perform a savegrp backup.  I get
>RPC failures:
>
> 157. sudo savegrp -vvvv -p -l full -c lendb01 -G GOLD-xxxxxx_Bkups
>Password:
>lendb01:All                               level=full
>11/09/06 16:07:55 savegrp: Run up to 24 clients in parallel
>11/09/06 16:07:55 savegrp: lendb01:probe
>started
>savefs -s dalsn004 -c lendb01 -g GOLD-xxxxxxx_Bkups -p -l full -R -v
>11/09/06 16:08:19 savegrp: command 'savefs -s dalsn004 -c lendb01 -g
>GOLD-xxxxxx_Bkups -p -l full -R -v ' for client lendb01 exited with return
>code 1.
>11/09/06 16:08:19 savegrp: lendb01:probe succeeded.
>* lendb01:All rcmd lendb01, user root: `savefs -s dalsn004 -c lendb01 -g
>GOLD-xxxxxx_Bkups -p -l full -R -v'
>* lendb01:All nsrexec: authtype
>* lendb01:All savefs: RPC error: Remote system error
>* lendb01:All savefs: Cannot access nsr server `dalsn004'
>  savefs lendb01: failed.
>--- Probe Summary ---
>
>lendb01:All                        level=full, dn=-1, mx=0, vers=unknown,
>p=1
>lendb01:All             level=full, pool=xxxxxx, save as of Thu Nov  9
>16:08:19 GMT-0600 2006
>lendb01:index                      level=full, dn=-1, mx=0, vers=unknown,
>p=1
>lendb01:index           level=full, pool=xxxxxx, save as of Thu Nov  9
>16:08:19 GMT-0600 2006
>
>I would really appreciate any help you can give me.   TIA
>
>
>Phillip T. ("Ty") Young, DMA
>Manager, Data Center and Backup/Recovery Services
>Information Services
>i2 Technologies, Inc.
>
>To sign off this list, send email to listserv AT listserv.temple DOT edu and
>type "signoff networker" in the body of the email. Please write to
>networker-request AT listserv.temple DOT edu if you have any problems
>with this list. You can access the archives at
>http://listserv.temple.edu/archives/networker.html or
>via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

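An added example, not part of the original thread: a Python audit of a firewall rule set against the default port ranges Davina lists and the keepalive advice in the reply. The rule-dictionary format, the role names, and the sample rules and timeouts are constructed for illustration.

```python
# Added example, not from the thread. Rule format and role names are assumptions.
SOURCE_ONLY = (10001, 30000)  # source ports per the thread; no destination rule needed

def required_flows(numdrives=None):
    """TCP destination port ranges per direction, using the defaults in the thread."""
    flows = {("server", "client"): (7937, 7938),
             ("client", "server"): (7937, 9936)}
    if numdrives is not None:  # a storage node sits behind the firewall
        flows[("server", "storagenode")] = (7937, 7938 + 4 * numdrives)
        flows[("storagenode", "server")] = (7937, 9936)
    return flows

def uncovered(required, allowed):
    """Sub-ranges of `required` that no range in `allowed` covers."""
    gaps, cursor = [], required[0]
    for low, high in sorted(allowed):
        if high < cursor or low > required[1]:
            continue
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= required[1]:
        gaps.append((cursor, required[1]))
    return gaps

def audit(rules, numdrives=None, keepalive_s=None, fw_idle_timeout_s=None):
    """List blocked required flows, unneeded rules, and a too-long keepalive."""
    findings = []
    for (src, dst), need in required_flows(numdrives).items():
        allowed = [(r["low"], r["high"]) for r in rules
                   if r["proto"] == "tcp" and (r["src"], r["dst"]) == (src, dst)]
        for lo, hi in uncovered(need, allowed):
            findings.append(f"BLOCKED {src}->{dst} tcp {lo}-{hi}")
    for r in rules:
        label = f"{r['src']}->{r['dst']} {r['proto']} {r['low']}-{r['high']}"
        if r["proto"] == "udp":
            findings.append(f"UNNEEDED {label} (UDP is never required)")
        elif SOURCE_ONLY[0] <= r["low"] and r["high"] <= SOURCE_ONLY[1]:
            findings.append(f"UNNEEDED {label} (source-port range)")
    if keepalive_s is not None and fw_idle_timeout_s is not None \
            and keepalive_s >= fw_idle_timeout_s:
        findings.append("KEEPALIVE interval is not shorter than firewall TCP timeout")
    return findings

# Constructed rule set: two narrow ranges opened both ways, for TCP and UDP.
SAMPLE_RULES = [{"proto": p, "src": s, "dst": d, "low": lo, "high": hi}
                for p in ("tcp", "udp")
                for s, d in (("server", "client"), ("client", "server"))
                for lo, hi in ((7937, 7970), (10001, 10050))]

if __name__ == "__main__":  # constructed timeouts: 2 h keepalive, 1 h firewall idle
    print("\n".join(audit(SAMPLE_RULES, keepalive_s=7200, fw_idle_timeout_s=3600)))
```
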
