firewall ports
Post firewall ports 
So I have been to the Networker Advanced Administration class and was
told the only ports we need open on the firewall to back up a client are
7937-7938. I have run nsrports -s chewie -S 7937-7941 on the client and
have the firewall configured likewise.

Now running backups we get connection timeouts. We see in the
firewall logs that the client and server are trying to connect on ports
outside the range specified. Of course opening ports 7937-9936 on the
firewall solved the problem, but we do not want that many ports open.

What gives? Can we lock the client and server down to a few ports?

Jon

www.classmailbox.com

Note: To sign off this list, send a "signoff networker" command via email
to listserv < at > listserv.temple.edu or visit the list's Web site at
http://listserv.temple.edu/archives/networker.html where you can
should be sent to stan < at > temple.edu

Post firewall ports 
Hi Jon,

7937-9936 are the service ports. You can reduce them by calculating with the
formula 2+3+2T+P+C, where:
i. T is the no. of locally attached backup devices.
ii. P is the Server Parallelism.
iii. C is the max. no. of clients to be backed up at a time.

What I know is you also need to open ports 10001-30000 for smooth
communication. In that case the nsrports command will have -C in place of
-S.

Recently, one of my customers has configured IPsec on Windows thereby
reducing the total port range to 3. I am not aware of the exact procedure.

For UNIX etc., you need to open all the ports. IPsec does not work.

Regards,
Anuj Mediratta
Phone: +919312634262
To know more about our services, do log on to www.ace-data.com

Post firewall ports 
The service ports can be restricted to 7937 and 7938. Even though Legato
says 111 is not needed, it still tries to contact via that port so you may
want to have that open too.

We have been able to restrict the connection ports to about 100 (i.e.
10000-10100)... any amount smaller than that will cause connection timeouts,
especially during an incremental. When you kick off an incremental, run a
"netstat -an" and you will see all the ports Networker opens up.

Note, you must restart the nsrexecd processes on the clients after the ports
are reset!!!!
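
Added example, not part of any post in this thread: a check that reads `netstat -an` output captured during a backup and lists connections with the backup peer that use a port outside the ranges the firewall allows. The ranges are the ones quoted in the thread; the peer address, the sample output and the function names are constructed for illustration.

```python
import re

# Ranges quoted in the thread; change them to match your own nsrports settings.
SERVICE_PORTS = [(111, 111), (7937, 7938)]
CONNECTION_PORTS = [(10000, 10100)]

# Trailing port of "10.0.0.5:7937" (Linux/Windows) or "10.0.0.5.7937" (Solaris).
ENDPOINT = re.compile(r"^(.*)[.:](\d+)$")

def parse_netstat(text):
    """Yield (local_host, local_port, remote_host, remote_port, state) per connection."""
    for line in text.splitlines():
        fields = line.split()
        ends = [m for m in map(ENDPOINT.match, fields) if m]
        if len(ends) < 2:  # headers, blank lines, listeners ("0.0.0.0:*", "*.*")
            continue
        (lh, lp), (rh, rp) = ends[0].groups(), ends[1].groups()
        yield lh, int(lp), rh, int(rp), fields[-1]

def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def outside_ranges(text, peer, allowed=SERVICE_PORTS + CONNECTION_PORTS):
    """Connections with `peer` that use a port the allowed ranges do not cover."""
    hits = []
    for lh, lp, rh, rp, state in parse_netstat(text):
        if rh != peer:
            continue
        bad = [p for p in (lp, rp) if not in_ranges(p, allowed)]
        if bad:
            hits.append((lp, rp, state, bad))
    return hits

# Constructed sample: Linux-style lines plus one Solaris-style line, peer 192.0.2.10.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:7937       0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.20:7937    192.0.2.10:10042   ESTABLISHED
tcp        0      0 192.0.2.20:8312    192.0.2.10:10057   ESTABLISHED
tcp        0      0 192.0.2.20:10003   192.0.2.10:7938    TIME_WAIT
tcp        0      0 192.0.2.20:22      192.0.2.77:51234   ESTABLISHED
192.0.2.20.9011  192.0.2.10.10090  49640  0 49640  0 ESTABLISHED
"""

if __name__ == "__main__":
    for lp, rp, state, bad in outside_ranges(SAMPLE, "192.0.2.10"):
        print(f"local {lp} <-> remote {rp} {state}: outside ranges {bad}")
```

Any port it reports is one the firewall would drop under the narrow rule set, which points either at a host whose port ranges were not applied or at a range that is too small for the load.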
