Backup Central

We have only one client behind firewall.
Networker server and cleint have version 7.5.1.4 (windows 2003)
I went through the documentation twice but I am still confused !!

For security reason, we are not able to use default range (7937-9936) and
would like to lock it down.


[1] nsrports command gave the default range on both the sever and a client ? Does it really matter ?

nsrports (on the server)
Service ports: 7937 - 9936
Connection ports: 0-0

nsrports (on the client)
Service ports: 7937 -9936
Connection ports: 0-0

[2] How does the nsrports command work in an environment where the client is behind a firewall ?

[3] Do I need to change firewall settings for the connection ports (0-0) ?

[4] Does Networker require ICMP (ping, tracert, etc) & UDP in order to function ?

[5] Do I have to update any file on the servers before modifying the firewall rule to make sure they will only use specific ports?

Pleaes let me know the following

Networker server to client
protocol:
ports:

Networker client to server
protocol:
ports:

Please advice.

Hi we are running ports 7937 to 7970. If you want another port range put
the port range in the brackets.

In order to open the server firewall we run these two commands in a cmd
window
for /L %i in (7937,1,7970) do netsh firewall add portopening UDP %
i "Networker UDP %i" ENABLE CUSTOM ip number of your networker serv

Then
for /L %i in (7937,1,7970) do netsh firewall add portopening TCP %
i "Networker TCP %i" ENABLE CUSTOM ip number of your networker serv

HWere it says IP number of your networker server put in the number for
example 10.1.1.1

This opens the ports

Hi we are running ports 7937 to 7970. If you want another port range put
the port range in the brackets.

In order to open the server firewall we run these two commands in a cmd
window
for /L %i in (7937,1,7970) do netsh firewall add portopening UDP %
i "Networker UDP %i" ENABLE CUSTOM ip number of your networker serv

Then
for /L %i in (7937,1,7970) do netsh firewall add portopening TCP %
i "Networker TCP %i" ENABLE CUSTOM ip number of your networker serv

HWere it says IP number of your networker server put in the number for
example 10.1.1.1

This opens the ports


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

To make it Absolutely certain I run this command on the Client not the
Networker server.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Hi

I am not sure I understood the point.
Can you please give some more info regarding the questions I have ?
Thanks

i may have been to quick jumping to conclusions. I took this for a client
running an windows firewall.
This is a quick rework for that.
I am not sure I you are refering to how to set a certain port range for
the server behind the firewal.
Are you locking for the command: nsrports -P 7937-7800
This way you lock the specific ports for the server.
On the firewall you open the respective ports.

i may have been to quick jumping to conclusions. I took this for a client
running an windows firewall.
This is a quick rework for that.
I am not sure I you are refering to how to set a certain port range for
the server behind the firewal.
Are you locking for the command: nsrports -P 7937-7800
This way you lock the specific ports for the server.
On the firewall you open the respective ports.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Our client is behind a firewall.

Networker server, storage nodes and all other clients are one one side.

currently nsrports is set to default on every server

service ports: 7937 - 9936
connection ports: 0-0

I would like to know

[1] Do I need to change nsrports on the cleint ? if so, what should it be ?

[2] Firewall rule in both ways

[3] If connection ports range is set to 0-0 on the client, will it not negotiate something that the FW prevents?

I am sorry for asking very basic questions.

1: I think you will have do decide what port range to use that is from 7937 to whatever you think aceptable. We for instance use up to 7970.

2: The Firewall needs to have the same port range set both ways.

3: you should not have the ports set to 0 - 0 you have to set it for a real port range.

Hope this get you started.

To test this between the client and the networker server use, rpcinfo -p servername


__________________________________________

Ottó Vestmann Guðjónsson
Kerfisforritari
Rekstrarlausnir
Grunnþjónusta og fjarskipti
Skýrr

otto.vestmann < at > skyrr.is

569 5100
http://www.skyrr.is
_________________________________________


http://www.skyrr.is/legal/disclaimer.txt


-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER < at > LISTSERV.TEMPLE.EDU] On Behalf Of psoni
Sent: 22. janúar 2010 16:43
To: NETWORKER < at > LISTSERV.TEMPLE.EDU
Subject: [Networker] Networker Firewall Setings

Our client is behind a firewall.

Networker server, storage nodes and all other clients are one one side.

currently nsrports is set to default on every server

service ports: 7937 - 9936
connection ports: 0-0

I would like to know

[1] Do I need to change nsrports on the cleint ? if so, what should it be ?

[2] Firewall rule in both ways

[3] If connection ports range is set to 0-0 on the client, will it not negotiate something that the FW prevents?

I am sorry for asking very basic questions.

+----------------------------------------------------------------------
|This was sent by soni.parth < at > gmail.com via Backup Central.
|Forward SPAM to abuse < at > backupcentral.com.
+----------------------------------------------------------------------


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

OK, so if I understand correctly, we need the following rule in firewall.

Networker server to client :
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection) - I believe 100 would be enough

Client to Networker server:
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection)


The only part I didn't understand was whether or not the nsrports need to have the same values to be able to work with the firewall rule..

Currently, NW server and that client have the default values.
service ports : 7937 -9936
connection ports : 0-0

If I update nsrports on the server, what would happen to the storage nodes and all other clients that also use the default range ?

ON the client you need to set the ports according to the firewall. Otherwise you might end up trying to communcate on ports out of range.
On the other hand I have never tried doing a different setup of the port range on the client and the Networker server.

However I am not sure if 7937 to 7944 is enough. Someone else might input on that.



__________________________________________

Ottó Vestmann Guðjónsson
Kerfisforritari
Rekstrarlausnir
Grunnþjónusta og fjarskipti
Skýrr

otto.vestmann < at > skyrr.is

569 5100
http://www.skyrr.is
_________________________________________


http://www.skyrr.is/legal/disclaimer.txt



-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER < at > LISTSERV.TEMPLE.EDU] On Behalf Of psoni
Sent: 25. janúar 2010 16:00
To: NETWORKER < at > LISTSERV.TEMPLE.EDU
Subject: [Networker] Networker Firewall Setings

OK, so if I understand correctly, we need the following rule in firewall.

Networker server to client :
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection) - I believe 100 would be enough

Client to Networker server:
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection)


The only part I didn't understand was whether or not the nsrports need to have the same values to be able to work with the firewall rule..

Currently, NW server and that client have the default values.
service ports : 7937 -9936
connection ports : 0-0

If I update nsrports on the server, what would happen to the storage nodes and all other clients that also use the default range ?

+----------------------------------------------------------------------
|This was sent by soni.parth < at > gmail.com via Backup Central.
|Forward SPAM to abuse < at > backupcentral.com.
+----------------------------------------------------------------------


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Port range 7937-7944 is not wide enough to run the server. You can check admin guide for numbers needed. Its ( 11 + 2 * #devices + #jukeboxes ) ports for nsr 7.3+.

V.Jansky

________________________________________
Odesílatel: EMC NetWorker discussion [NETWORKER < at > LISTSERV.TEMPLE.EDU] za uživatele Ottó V. Guðjónsson [otto.vestmann < at > SKYRR.IS]
Odesláno: 25. ledna 2010 17:10
Komu: NETWORKER < at > LISTSERV.TEMPLE.EDU
Předmět: Re: [Networker] Networker Firewall Setings

ON the client you need to set the ports according to the firewall. Otherwise you might end up trying to communcate on ports out of range.
On the other hand I have never tried doing a different setup of the port range on the client and the Networker server.

However I am not sure if 7937 to 7944 is enough. Someone else might input on that.



__________________________________________

Ottó Vestmann Guðjónsson
Kerfisforritari
Rekstrarlausnir
Grunnþjónusta og fjarskipti
Skýrr

otto.vestmann < at > skyrr.is

569 5100
http://www.skyrr.is
_________________________________________


http://www.skyrr.is/legal/disclaimer.txt



-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER < at > LISTSERV.TEMPLE.EDU] On Behalf Of psoni
Sent: 25. janúar 2010 16:00
To: NETWORKER < at > LISTSERV.TEMPLE.EDU
Subject: [Networker] Networker Firewall Setings

OK, so if I understand correctly, we need the following rule in firewall.

Networker server to client :
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection) - I believe 100 would be enough

Client to Networker server:
TCP/UDP
7937 - 7944 (for services)
10000 - 10100 (for connection)


The only part I didn't understand was whether or not the nsrports need to have the same values to be able to work with the firewall rule..

Currently, NW server and that client have the default values.
service ports : 7937 -9936
connection ports : 0-0

If I update nsrports on the server, what would happen to the storage nodes and all other clients that also use the default range ?

+----------------------------------------------------------------------
|This was sent by soni.parth < at > gmail.com via Backup Central.
|Forward SPAM to abuse < at > backupcentral.com.
+----------------------------------------------------------------------


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

We can add a few more ports to 7937 - 7944.
Per admin guide, 4 service ports would be enough for a client. The client isn't using any module.

You said I need to modify nsrports on the client to :
service ports: 7937 -7944 (or 7950)
connection ports: 10000 - 10100

How about on the NW server ?

The default 0-0 range allows OS to choose the ports. What would happen If OS selects lower range of ports (anything not in 10000 -100100) to establish a connection which may all be blocked by the firewall ?

We have only one client behind a firewall.

Networker server, storage nodes and all other cleitns are on the other side.

currently nsrports on every host is set to 7937 -9936 / 0-0.

I am trying to set 7937-7944 (bothways) only for a particular client and not changing the nsrports default values on the networker server.

I have several clients behind local firewalls. Assuming you are using
NetWorker 7.4 or higher, you should set the ports on the clients as follows:

nsrports -S 7939-7940

Leave the connection ports alone.

Set up the firewall to allow related traffic in. When you start
nsrexecd it will use ports 7937-7940, so make sure your server can get
in through those ports to initiate the traffic with the client. The
server will send hostname and port information to the client and the
client (via save commands) will initiate the connection back to the
server (or storage node) -- from some connection port.

If you are talking about a firewall that is NOT physically on the client
(ie a firewall system between the client and the server), then you will
have to set up the connection ports and the server ports as well on both
the server and the client.

This is all documented in the admin guide.

Frank

On 1/25/10 11:51 AM, psoni wrote:
We have only one client behind a firewall.

Networker server, storage nodes and all other cleitns are on the other side.

currently nsrports on every host is set to 7937 -9936 / 0-0.

I am trying to set 7937-7944 (bothways) only for a particular client and not changing the nsrports default values on the networker server.

+----------------------------------------------------------------------
|This was sent by soni.parth < at > gmail.com via Backup Central.
|Forward SPAM to abuse < at > backupcentral.com.
+----------------------------------------------------------------------


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER


--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER