Re: [Networker] NetWorker Client Woes

2008-10-03 00:57:30
Subject: Re: [Networker] NetWorker Client Woes
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 3 Oct 2008 14:53:15 +1000
 

> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of JGillTech
> Sent: Wednesday, 1 October 2008 8:59 AM

> Did I forget anything... seems like a cumbersome process when 
> adding a new client. What happens if the defaults are left 
> alone, 7937-9936 for the NSR system port range resource on 
> the clients (meaning that I just install client and leave the 
> defaults)... however, I only open ports 7937 and 7938 on the 
> client firewall.

I have been doing some testing of the 7.4.3 client and server through a
firewall this week, and made an unpleasant discovery.

While in earlier versions (7.2 and earlier) we've usually got away with
2 ports only inbound through the firewall, the manual now says we need
to open 4 ports. I have discovered that if you do want it to only use 4
specific ports when you put it through a firewall then you have to
change the client from its default 2000 port range down to match the
range in your firewall rule.

There is now an extra TCP session from server to client which is an SSL
connection to exchange the peer certificates and keys - on the system I
was testing we found that while it still used ports 7938 and 7937 it
went and picked port 9011 for the SSL connection. To make it use 7939 we
had to change the client's service port range with nsrports.

I also got tripped up here because I assumed that if you change the
range with the nsrports command then it takes effect immediately - in
fact you actually have to restart the nsrexecd service to pick up the
changed port range.

So it looks like for our new Windows server builds that will have their
firewalling turned on we will have to customise the port range at
installation time, which is a pain. I wonder if we should lobby EMC to
change the client package's default range to 4 ports, and get the
storage node package to change it to the full 2000 if they are
installed. Then again, if they were to do that what would happen at
upgrade time?

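A check for the mismatch described in the message above, added here as an example and not part of the original post: it counts how many ports of the client's service range fall outside the firewall rule, and flags any NetWorker daemon listening on a port the rule would drop. The four-port rule 7937-7940, the Linux `ss -Htlnp` output format and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: the firewall rule admits four inbound ports, 7937-7940.
FIREWALL_RANGE = (7937, 7940)
# Default client service port range quoted in the thread.
DEFAULT_SERVICE_RANGE = (7937, 9936)

# Constructed sample in `ss -Htlnp` format (Linux client assumed).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:7937 0.0.0.0:* users:(("nsrexecd",pid=2114,fd=7))
LISTEN 0 128 0.0.0.0:7938 0.0.0.0:* users:(("nsrexecd",pid=2114,fd=9))
LISTEN 0 128 0.0.0.0:9011 0.0.0.0:* users:(("nsrexecd",pid=2114,fd=12))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 [::]:7937 [::]:* users:(("nsrexecd",pid=2114,fd=8))
"""

# Captures the local port and the owning process name of a listening socket.
LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S*:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def uncovered_ports(service_range, firewall_range):
    """Count ports the client may pick that the firewall rule does not admit."""
    lo, hi = service_range
    flo, fhi = firewall_range
    covered = max(0, min(hi, fhi) - max(lo, flo) + 1)
    return (hi - lo + 1) - covered


def blocked_listeners(ss_text, firewall_range, prefix="nsr"):
    """Return sorted ports where a NetWorker daemon listens outside the rule."""
    flo, fhi = firewall_range
    ports = set()
    for line in ss_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        port, proc = int(m.group(1)), m.group(2)
        if proc.startswith(prefix) and not flo <= port <= fhi:
            ports.add(port)
    return sorted(ports)


if __name__ == "__main__":
    print("ports outside rule with default range:",
          uncovered_ports(DEFAULT_SERVICE_RANGE, FIREWALL_RANGE))
    print("listeners the firewall will drop:",
          blocked_listeners(SAMPLE_SS, FIREWALL_RANGE))
```

Run against real `ss -Htlnp` output after changing the range and restarting nsrexecd, an empty list from `blocked_listeners` confirms the daemon stayed inside the rule.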