Networker Firewall Settings
Post Networker Firewall Settings
Thanks Frank for the useful info.

Yes, there is a NetScreen firewall system between Networker server (7.5.1.4) and a client (7.5.1.4).

So I will do the following. Let me know if I am wrong.

[1] Calculate the # of service ports using the formula
12 + (2*devices) + jukeboxes
This comes to 23 so I will set service ports to 7937-7985 (a few extra)

[2] Modify nsrports on the server, storage nodes, and the clients
(will keep the values same for simplicity)
> nsrports
service ports: 7937 - 7985 (a few extra)
connection ports: 10001 - 10200 (not sure if 200 would be enough)
Question:
What is the formula to decide the connection ports ?

[3] nsrports on the client which is behind a firewall
> nsrports
service ports: 7937 - 7945
connection ports: 10001 - 10200

[4] Restart nsrexecd on every host

[5] Implement the following rule in firewall between Networker server and
a client.

Networker server to client :
TCP/UDP
7937 - 7945 (for services)
10001 - 10200 (for connection) - I believe 100 would be enough

Client to Networker server:
TCP/UDP
7937 - 7985 (for services)
10001 - 10200 (for connection)


Do I need to worry about mgmt console ? It is running on the Networker server.

What about TCP 111 -sunRPC ?

Post Networker Firewall Settings
Do I need to worry about mgmt console ? It is running on the Networker
server.

You shouldn't run the Console on the server, if you have more than about
50-60 clients, I am told. I have about 100, and I had major problems with
unfinished jobs and other errors, when I ran the Console on the server.
When I moved the console to a separate client, all those problems went
away.

Something to consider.


via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

Post Networker Firewall Settings
psoni wrote:

10001 - 10200 (for connection) - I believe 100 would be enough


Don't get bogged down worrying about connection ports. Connection ports
could be called source ports, the ports from which the connection
originates. Hardly anyone configures a firewall based on source ports,
so you probably don't even need to consider them.



Post Networker Firewall Settings
This is all we've got in firewall right now...

Networker Server to Client
TCP
7937-7940

All other ports have been blocked.

Any suggestions about the implementation steps I sent earlier ?
Thanks in advance

Post Networker Firewall Settings
On 1/25/10 1:27 PM, psoni wrote:
Thanks Frank for the useful info.

Yes, there is a NetScreen firewall system between Networker server (7.5.1.4) and a client (7.5.1.4).

So I will do the following. Let me know if I am wrong.

[1] Calculate the # of service ports using the formula
12 + (2*devices) + jukeboxes
This comes to 23 so I will set service ports to 7937-7985 (a few extra)


As I attempted to imply in my first note -- you do not want to
explicitly include ports 7937 and 7938 in the value you give to nsrports
-S. This is because effective with version 7.5, EMC has managed to
break the port assignment code so that if those two ports are in the
values, they get used by the *wrong* daemons. Why do you want to set up
a few extra? If you know you need 23, set it to 23... So, use

nsrports -S 7939-7959

Just remember that when you start nsrexecd up, that it will also use
7937 and 7938 because that's the way it was coded. EMC has finally
added a note about this in the 7.6 Admin Guide. I still haven't
convinced them that since you could have 7937 and 7938 in the list in
7.4 (and below) that they have introduced a gotcha that a working
pre-7.5 client when upgraded and started up for the first time ....
doesn't reliably start! (sigh)

[2] Modify nsrports on the server, storage nodes, and the clients
(will keep the values same for simplicity)
nsrports
service ports: 7937 - 7985 (a few extra)
connection ports: 10001 - 10200 (not sure if 200 would be enough)
Question:
What is the formula to decide the connection ports ?


As someone else responded to you, the connection ports are the ports
that you allow the non-daemon commands that run and need ports on the
local machine to use. Here, I can't help you, because I don't use
them. However, I think you are going to need to figure out how many
concurrently running non-daemon programs you can have (what's your
parallelism set to) and then probably double it to be safe. As you have
a firewall in the network between your server and your client, you are
going to need to muck with this value (sadly) or else, you are going to
have to open a very big hole to allow any port to talk to any port in
both directions.

[3] nsrports on the client which is behind a firewall
nsrports
service ports: 7937 - 7945
connection ports: 10001 - 10200


Why? You know that the client only needs 4 service ports. Set it to
service ports 7939-7940 and be done with it.


[4] Restart nsrexecd on every host

[5] Implement the following rule in firewall between Networker server and
a client.

Networker server to client :
TCP/UDP
7937 - 7945 (for services)
10001 - 10200 (for connection) - I believe 100 would be enough

Again, I'd open just 7937-7940 for the services. I believe you are
correct that 100 would be enough.



Client to Networker server:
TCP/UDP
7937 - 7985 (for services)
10001 - 10200 (for connection)


I'm not sure that 100 ports for connections from the server to the
client are going to be enough -- it really depends on how many save
groups you run at the same time and the number of save sets each of them
runs in parallel -- plus a few more for the indexes for each of those
save groups.

Again, I don't think you need use more than 7937-7959 for the service ports.



Do I need to worry about mgmt console ? It is running on the Networker server.


Will you be running the mgmt console (NMC) java code on this client? If
you will, then yes, you need to worry about it. It's documented in the
Admin guide which ports it needs -- if you used the defaults, you need
at a minimum to have 9000, 9001 and 2838 (IIRC) open from the client to
the server -- and you need to have everything open from the server to
the client unless you can find a way to limit which ports the NMC java
code on the client opens to talk to the server.

What about TCP 111 -sunRPC ?


EMC keeps saying that they don't use it.... I know they do, everyone
knows they do.... but I block it anyway.... it slows some things down,
but it doesn't break them.... EMC really wants to use (udp) 7938 for
that function.


--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)


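To make the port arithmetic in this exchange concrete, here is a small planning and checking script. It is an added example written for this thread, not EMC or NetWorker code. It encodes the formula quoted above (12 + 2*devices + jukeboxes) together with Frank's caveats: on 7.5 and later the range handed to `nsrports -S` starts at 7939 because nsrexecd takes 7937 and 7938 on its own, the client side only needs four service ports, and 7938/udp must be allowed as well. The `Rule` type, the direction labels and the sample rule sets are assumptions made for the example; the device and jukebox counts are constructed so that the total comes to the 23 ports discussed in the thread.

```python
"""Plan NetWorker service-port ranges and check a firewall rule set against them.

Added example for this thread, not EMC/NetWorker code. Port facts come from the
discussion above; the Rule type and sample rule sets are constructed here.
"""
from dataclasses import dataclass

FIRST_SERVICE_PORT = 7937     # nsrexecd always binds 7937 and 7938 (per the thread)
FIRST_ASSIGNABLE_PORT = 7939  # first port safe to list in `nsrports -S` on 7.5+
CLIENT_SERVICE_PORTS = range(7937, 7941)  # a plain client needs only four service ports


def service_ports_needed(devices: int, jukeboxes: int) -> int:
    """Formula quoted in the thread for a server/storage node."""
    return 12 + 2 * devices + jukeboxes


def server_last_port(devices: int, jukeboxes: int) -> int:
    """Highest service port the server uses: the count less the two nsrexecd ports,
    laid out from 7939 upward."""
    return FIRST_ASSIGNABLE_PORT + (service_ports_needed(devices, jukeboxes) - 2) - 1


def nsrports_range(devices: int, jukeboxes: int) -> str:
    """Value to hand to `nsrports -S` on the server, excluding 7937/7938."""
    return f"{FIRST_ASSIGNABLE_PORT}-{server_last_port(devices, jukeboxes)}"


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule (constructed representation for the example)."""
    direction: str  # "server->client" or "client->server"
    proto: str      # "tcp" or "udp"
    first: int
    last: int

    def covers(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction and self.proto == proto
                and self.first <= port <= self.last)


def required_flows(devices: int, jukeboxes: int) -> set:
    """(direction, proto, port) triples that must be allowed, following the thread:
    server reaches the client's four service ports plus 7938/udp; client reaches
    every server service port (7937 and 7938 included, since nsrexecd uses them)
    plus 7938/udp."""
    flows = {("server->client", "tcp", p) for p in CLIENT_SERVICE_PORTS}
    flows.add(("server->client", "udp", 7938))
    last = server_last_port(devices, jukeboxes)
    flows |= {("client->server", "tcp", p) for p in range(FIRST_SERVICE_PORT, last + 1)}
    flows.add(("client->server", "udp", 7938))
    return flows


def uncovered_flows(rules, devices: int, jukeboxes: int) -> list:
    """Required flows that no rule allows, sorted for readable output."""
    return sorted(f for f in required_flows(devices, jukeboxes)
                  if not any(r.covers(*f) for r in rules))


# Constructed sample: 5 devices and 1 jukebox give the 23 ports from the thread.
DEVICES, JUKEBOXES = 5, 1

# The rule set one poster reported as "all we've got": only 7937-7940 tcp, server to client.
MINIMAL_RULES = [Rule("server->client", "tcp", 7937, 7940)]

# Rule set that follows the advice in the thread.
FULL_RULES = [
    Rule("server->client", "tcp", 7937, 7940),
    Rule("server->client", "udp", 7938, 7938),
    Rule("client->server", "tcp", 7937, server_last_port(DEVICES, JUKEBOXES)),
    Rule("client->server", "udp", 7938, 7938),
]

if __name__ == "__main__":
    print("nsrports -S", nsrports_range(DEVICES, JUKEBOXES))
    print("missing with minimal rules:", uncovered_flows(MINIMAL_RULES, DEVICES, JUKEBOXES))
    print("missing with full rules:", uncovered_flows(FULL_RULES, DEVICES, JUKEBOXES))
```

With the constructed counts the script reproduces `nsrports -S 7939-7959` and shows that the minimal rule set leaves 7938/udp and every client-to-server flow unallowed; swap in your own device and jukebox counts and your actual rule set to get the list of gaps before the next backup window.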

Post Networker Firewall Settings
Thanks everyone for the useful information.

Frank,
I have created an SR with EMC but they haven't yet mentioned anything about keeping nsrports from 7939.

I will make changes and let you know how it goes..

Thanks once again.

Post
I'm about to start playing with the connection port values as we have a physical firewall between some clients, so the comments about ignoring connection ports isn't true.

Has anyone narrowed down the requirements or know roughly how they are used to calculate this to save me some time with testing?
Thanks in advance

Post Networker Firewall Settings
On 1/4/12 12:32 PM, Lagerstars wrote:
I'm about to start playing with the connection port values as we have a physical firewall between some clients, so the comments about ignoring connection ports isn't true.

Has anyone narrowed down the requirements or know roughly how they are used to calculate this to save me some time with testing?
Thanks in advance


In my opinion from what you have stated, your "phyical" firewall is defective.

I have firewalls between many of my clients and my NetWorker server and storage nodes. I have
my customers configure their clients to force them to use server ports 7937-7940 (still only
need four on the client side) tcp and 7938 udp, and the firewalls are configured to allow my
NetWorker server to connect to those ports. The way NetWorker winds up working, the client
initiates the connection to the storage node(s) required, so everything that happens after the
backup is initiated is covered by the "ESTABLISHED, RELATED" category which every firewall
should have.

--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)


Post
I just thought I'd put a reply in here in case it helps someone out there with this....

It seems that the information I was given by colleagues was incorrect.

From reading the docs (not the most helpful, as I'm sure most will agree) and some testing I can confirm that the only config changes I required were for the service ports.

As our backup servers use locally attached tape drives, the firewall needed to be configured to allow the number of ports required for connection to a storage node, in our case, this was 17 ports from server to client and client to server.
Connection ports were left as 0-0 and from monitoring the flow of traffic in both directions can confirm the only traffic registered is the initial connections taking place on the service port range.

Simple really, having got on with it myself instead of listening to people here saying it's not possible without opening hundreds / thousands of ports!

Post
Just to note, that by "here" in my previous reply, I'm talking about my office, not this forum :)
