NetWorker through a firewall
Post NetWorker through a firewall 
I would assume that this is a common topic, so forgive me in advance.

My NetWorker server is behind a firewall and I'm trying to back up a client
outside the firewall. I read the documentation, and I have opened up the
following:

tcp 7937-7945 server-client
tcp 7937-7945 client-server
tcp 8001-8014 client-server
tcp 10001-10600 client-server

I have also configured the client via nwadmin to use ports 7937-7945 and
ports 10001-10600.

My setup is pretty simple, I'm only backing up /etc on the client and the
server (Linux) has a single tape drive.

However, in my firewall logs, I see denies for ports outside that range
(8118, 8638, 8810).

Anyone have a suggestion as to what I may have done wrong?

Thanks in advance,
Roy






Roy Kidder
Network Engineer
Safelite Glass Corp.


*************************************************************
This message, including any attachments, may contain
confidential information intended for a specific individual
and purpose, and may be protected by law. If you are not
the intended recipient, please notify the sender by e-mail
or telephone immediately, and then immediately delete this
message. Any disclosure, copying or distribution of this
message, or the taking of any action based on it, by any
unintended recipient is strictly prohibited.

Checked by the Safelite e-mail scanner which may have
resulted in the attachments being modified or removed.

Note: To sign off this list, send a "signoff networker" command via email
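
Added example (not part of the original thread, and not NetWorker or PIX tooling): one way to reconcile firewall denies against the TCP ranges opened in the post above, per direction. The log lines are constructed in the PIX deny-message layout; the interface names, addresses, deny directions and the 8005 line are assumptions, and only ports 8118, 8638 and 8810 come from the thread.

```python
import re
from collections import defaultdict

# TCP ranges opened in the first post, keyed by who initiates the connection.
OPENED = {
    "server-client": [(7937, 7945)],
    "client-server": [(7937, 7945), (8001, 8014), (10001, 10600)],
}

# Constructed deny lines in the PIX 106023 layout. Addresses, interface names,
# the ACL names, the direction of each deny and the 8005 line are made up;
# only destination ports 8118, 8638 and 8810 come from the thread.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.20/1042 dst inside:192.0.2.10/8118 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.20/1043 dst inside:192.0.2.10/8638 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.20/1044 dst inside:192.0.2.10/8810 by access-group "outside_in"
%PIX-4-106023: Deny tcp src inside:192.0.2.10/1050 dst outside:198.51.100.20/8005 by access-group "inside_out"
%PIX-6-302013: Built inbound TCP connection 77 for outside:198.51.100.20/1045 (198.51.100.20/1045) to inside:192.0.2.10/7938 (192.0.2.10/7938)
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<src_if>\w+):[\d.]+/\d+ "
    r"dst \w+:[\d.]+/(?P<dport>\d+)"
)


def direction(src_if):
    # Assumption: the NetWorker server sits on "inside", the client on "outside".
    return "client-server" if src_if == "outside" else "server-client"


def denies_outside_opened(log_text, opened=OPENED):
    """Map 'direction/proto' to the denied destination ports no opened range covers."""
    gaps = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny line (e.g. a "Built" connection message)
        way, port = direction(m["src_if"]), int(m["dport"])
        # Only TCP was opened, so a UDP deny is never covered.
        covered = m["proto"] == "tcp" and any(lo <= port <= hi for lo, hi in opened[way])
        if not covered:
            gaps[f"{way}/{m['proto']}"].add(port)
    return {key: sorted(ports) for key, ports in gaps.items()}


if __name__ == "__main__":
    for key, ports in denies_outside_opened(SAMPLE_LOG).items():
        print(f"{key}: denied ports not covered by any opened range: {ports}")
```

A port such as 8005 is reported for server-client even though 8001-8014 is open, because that range was opened in the client-server direction only.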

Post NetWorker through a firewall 
Hi,

If you are referring to the Admin Guide, no use. You need to refer to the
technical bulletin #388 at Legato's website to calculate the exact no. &
range of ports as Service Port and Communication Ports.

Regards,
Anuj Mediratta
Legato Certified Networker Administrator
Ace Data Devices Pvt. Ltd.
I-132, Ist Floor,
Kirti Nagar,
New Delhi - 110 015.
Phone : 011-51424914
Mobile - 011-32334262
-----Original Message-----
From: Legato NetWorker discussion [mailto:NETWORKER < at > LISTMAIL.TEMPLE.EDU] On
Behalf Of Kidder, Roy
Sent: Friday, September 24, 2004 19:43
To: NETWORKER < at > LISTMAIL.TEMPLE.EDU
Subject: [Networker] NetWorker through a firewall


Post NetWorker through a firewall 
Use nsrports to get a list (range) of the services & connection ports.





"Kidder, Roy" <Roy.Kidder < at > SAFELITE.COM>
Sent by: Legato NetWorker discussion <NETWORKER < at > LISTMAIL.TEMPLE.EDU>
09/24/04 10:12 AM
Please respond to Legato NetWorker discussion; Please respond to "Kidder,
Roy"


To: NETWORKER < at > LISTMAIL.TEMPLE.EDU
cc:
Subject: [Networker] NetWorker through a firewall



Post NetWorker through a firewall 
On Fri, 24 Sep 2004, Kidder, Roy wrote:

I would assume that this is a common topic, so forgive me in advance.

My NetWorker server is behind a firewall and I'm trying to back up a client
outside the firewall. I read the documentation, and I have opened up the
following:

tcp 7937-7945 server-client
tcp 7937-7945 client-server
tcp 8001-8014 client-server
tcp 10001-10600 client-server

I have also configured the client via nwadmin to use ports 7937-7945 and
ports 10001-10600.

My setup is pretty simple, I'm only backing up /etc on the client and the
server (Linux) has a single tape drive.

Roy, did you open up the UDP ports on the firewall too?


Post NetWorker through a firewall 
Roy, did you open up the UDP ports on the firewall too?

No, I didn't open any UDP ports. I watched the firewall (a PIX) log denies
and it only denied UDP packets. I even ran a sniffer to verify that there
wasn't any UDP traffic in either direction.





Post NetWorker through a firewall 
It's being spooled to a printer as I type... thanks for the pointer.

Roy

-----Original Message-----
From: Anuj < at > Ace Data [mailto:anuj < at > ACE-DATA.NET]
Sent: Friday, September 24, 2004 10:19 AM
To: NETWORKER < at > LISTMAIL.TEMPLE.EDU
Subject: Re: [Networker] NetWorker through a firewall


Post Tweak IPSec Rules to enable Networker Backups 
I had a similar issue with a Windows Server 2003 that sits in our DMZ. Aside from it being in the DMZ, that server itself is hardened and most ports are shut down by default. I have an IPSec policy opening up only the ports that the specific application needs.
Also, Windows Firewall is enabled. Having said that, this box runs SQL 2005 and I needed to get regular NetWorker backups. NetWorker backups would fail when the IPSec policy was enabled and would run just fine if I shut down the IPSec policy.
In this scenario I knew that the physical DMZ firewall rules allowing my server to talk to my NetWorker servers were fine. It was my IPSec policy that needed to be tweaked. After doing some research I found that NetWorker can allocate many ports to get the backup done, far more than I would care to enter port by port into the IPSec policy.
To resolve this issue, create an IPSec firewall rule as follows:

Mirrored: YES
Desc.: (blank)
Protocol: ANY
Source Port: ANY
Destination Port: ANY
Source DNS Name: My Ip Address
Source Address: My Ip Address
Source Mask: 255.255.255.255
Dest DNS Name: Specific Ip
DestAdre: x.x.x.x

I then tested a backup from the client using NetWorker User for SQL Server... backup failed. I had to make one more change to this rule by adding an additional line within the same rule for my NetWorker Storage Node. After adding my second NetWorker Storage Node (my first node only passes commands; the second node actually processes the backup), the backup worked just fine with the IPSec policy enabled.
Hope this helps......
