Veritas-bu

[Veritas-bu] Backing Up through firewall step by step

2002-09-17 06:55:12
Subject: [Veritas-bu] Backing Up through firewall step by step
From: arne AT topnet DOT de (Arne Kloecker)
Date: Tue, 17 Sep 2002 12:55:12 +0200
Hi Grant,

17. September 2002 12:18 Grant.September AT nuinternational DOT com:

> The security guys want to lock down a specific range of ports 512 - 1023 so
> what I need to know is what changes must I make to the media, master servers
> bp.conf file as well as the registry settings on NT for this to take
> effect.

OK, first of all, ask your security guys if they would prefer a port range in 
the unprivileged range (>1024), they might love you for this ;-)

The Master and Media-Server need to contact the clients on port 13782 TCP 
(bpcd). The clients need to contact the Servers on port 13720 TCP (bprd).

Then you need to specify a port range for the data communication which is 
bidirectional and also TCP. You should calculate 2 ports for each stream you 
want to have. If you want further security you can set a client to use just a 
subset of the whole range...

On the Client you will have to put the following in the bp.conf:
CLIENT_PORT_WINDOW *firstport* *lastport*

Where *firstport* is the first port of your range (512 in your example) and 
*lastport* is the last port (1023).

On the Servers you add:
CLIENT_PORT_WINDOW = *firstport* *lastport*
SERVER_PORT_WINDOW = *firstport* *lastport*

If you have a firewall between the servers add this:

SERVER_RESERVED_PORT_WINDOW = *firstport* *lastport*

Here you should use low ports (<1024).

If you use unprivileged ports (>1024) add on both clients and servers:
ALLOW_NON_RESERVED_PORTS

Also you will need to allow the clients to use high ports by doing this (on 
Unix):
/usr/openv/netbackup/bin/admincmd/bpclient -client *clientname* -add -connect_nr_port 1

I hope I didn't forget anything.

If you have further questions don't hesitate to ask.

Arne Kloecker
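
An added example, not part of the original post and not NetBackup code: a Python check that the port windows in a bp.conf stay inside the range the firewall team approved and leave two ports per stream, as the message advises. The function names, the sample files and the acceptance of entries written with or without `=` are assumptions made for this illustration.

```python
import re

WINDOW_KEYS = ("CLIENT_PORT_WINDOW", "SERVER_PORT_WINDOW",
               "SERVER_RESERVED_PORT_WINDOW")

def parse_bp_conf(text):
    """Map entry names to value lists; accepts 'KEY = a b', 'KEY a b' and bare 'KEY'."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*=?\s*(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).split()
    return entries

def audit(text, fw_first, fw_last, streams):
    """Return a list of findings for one bp.conf checked against the firewall range."""
    entries = parse_bp_conf(text)
    findings = []
    if "CLIENT_PORT_WINDOW" not in entries:
        findings.append("CLIENT_PORT_WINDOW is not set")
    for key in WINDOW_KEYS:
        vals = entries.get(key)
        if vals is None:
            continue
        if len(vals) != 2 or not all(v.isdigit() for v in vals):
            findings.append(f"{key}: expected two port numbers, got {vals}")
            continue
        first, last = int(vals[0]), int(vals[1])
        if first > last:
            findings.append(f"{key}: first port {first} is above last port {last}")
            continue
        if first < fw_first or last > fw_last:
            findings.append(f"{key}: {first}-{last} is outside firewall range {fw_first}-{fw_last}")
        size = last - first + 1
        if size < 2 * streams:  # the post's rule of thumb: 2 ports per stream
            findings.append(f"{key}: {size} ports, {streams} streams need {2 * streams}")
        if key == "SERVER_RESERVED_PORT_WINDOW":
            if last >= 1024:
                findings.append(f"{key}: should stay in the low ports (<1024)")
        elif last > 1024 and "ALLOW_NON_RESERVED_PORTS" not in entries:
            findings.append(f"{key}: ports above 1024 but ALLOW_NON_RESERVED_PORTS is missing")
    return findings

# Constructed sample files, not taken from a real host.
GOOD = "CLIENT_PORT_WINDOW = 512 1023\nSERVER_PORT_WINDOW = 512 1023\n"
BAD = "CLIENT_PORT_WINDOW 5000 5003\nSERVER_RESERVED_PORT_WINDOW = 900 1100\n"

if __name__ == "__main__":
    print(audit(GOOD, 512, 1023, streams=4))
    print("\n".join(audit(BAD, 5000, 5100, streams=4)))
```

The firewall itself still has to pass 13782/TCP from the servers to the clients and 13720/TCP from the clients to the servers in addition to the data window checked here.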
