All TSM features can work across a firewall. The answer whether they will work depends on firewall software capabilities, company security policies and the firewall administrator's good will. Usually a firewall is configured to allow connections to be initiated only from one of the nets/subnets, and such behavior blocks some TSM features.

- for B/A, GUI & API client connection the firewall must allow port 1500 (or the modified one), connection initiated from the client's side
- for the scheduler in prompted mode - port 1501 and connection initiated from the server (!!!) side + B/A client (1500 in the opposite direction)
- for the Web Administrative interface - port 1580 and connection initiated from browser to server
- for the Web client - port 1581 and connection from browser to client + B/A client (1500)
- for T/EC events things are harder - if the TEC server is using portmap, the firewall should allow both portmapper port 111 and the TEC server port; if not, TECPORT has to be set in dsmserv.opt and the firewall must not block this port from the TSM server to the TEC server.

Statements from the docs are not completely correct. However they are true for usual firewall configurations. Again - the FW admin's good will and ability to do their job are important.
Zlatko Krastev
IT Consultant

Please respond to "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc:
Subject: Re: Documentation needed: Backing up through a firewall

Remco,

I posed this question to IBM Tivoli support a few weeks ago and here is their response:

This is from the Read me for the TSM Client code 4.2.X
ftp://service.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v4r2/Windows/WinNT/v421/IP22373_READ1STC.TXT

- The Tivoli Storage Manager server and clients can work across a firewall in most cases. Please see the 'Tivoli Storage Manager Firewall' subsection of the Getting Started chapter in the TSM Using the Backup-Archive Client book. Currently the following operations are known to have problems when a firewall is in place:
- The client scheduler operating in prompted mode does not work when the server is across a firewall. The client scheduler does work when operating in polling mode.
- The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.

This is from the book Using Backup Archive Clients, Chapter 2, Tivoli Storage Manager Firewall Support:

In most cases, the Tivoli Storage Manager server and clients can work across a firewall. The ports that the client and server need to communicate must be opened in the firewall by the firewall administrator. Because every firewall is different, the firewall administrator may need to consult the instructions for the firewall software or hardware in use. The ports that the firewall needs to define are those ports that are needed for the client to connect to the Tivoli Storage Manager server. If the server is listening on port 1500 then the firewall software needs to forward the port to the Tivoli Storage Manager server machine.

To allow clients to communicate with a server across a firewall, you must open the TCP/IP port for the server using the tcpport option in the server options file. The default TCP/IP port is 1500.

To allow the Web client to communicate with remote workstations across a firewall, you must open the HTTP port for the remote workstation using the httpport option in the remote workstation's client option file. The default HTTP port is 1581. You must open the two TCP/IP ports for the remote workstation client using the webports option in the remote workstation's option file. Values for the webports are required. If you do not specify the values for the webports option, the default zero (0) causes TCP/IP to randomly assign two free port numbers. See Webports for more information about the webports option.

To use the administrative Web interface for a server across a firewall, you must open the port that is the HTTP port for the server using the httpport option in the server options file. The default HTTP port is 1580.

In an enterprise environment, we strongly recommend that you use the Tivoli Storage Manager Secure Web Administrator Proxy for Web administration of the Tivoli Storage Manager server. Install the proxy on a Web server that sits on the firewall so that the Web server can access resources on both sides of the firewall (this is sometimes called the demilitarized zone). When you set up the proxy, you can use it to administer any Tivoli Storage Manager server at Version 3.7 or higher. For more information on how to install and use the proxy, see the appendix about the Web proxy in the Tivoli Storage Manager Quick Start manual. You can also increase security in this environment by enabling HTTPS services (also called secure socket layer or SSL) on the Web server where you install the proxy. Check your Web server documentation for information on how to set this up.

When using Tivoli Storage Manager across a firewall, please consider the following:

To use the Web client to connect to a client across a firewall, the Web client and the backup-archive client must be Version 4.1.2 or later.

To enable the backup-archive client, command line admin client, and the scheduler (running in polling mode) to run outside a firewall, the port specified by the server option tcpport (default 1500) must be opened by the firewall administrator.

Note: Tivoli Storage Manager does not support the scheduler running in prompted mode outside a firewall. In prompted mode the Tivoli Storage Manager server needs to contact the client. In order to do this, some software must be installed on the Tivoli Storage Manager server to route the request through the firewall. This software routes the server request through a sock port on the firewall. This is typically called sockifing a system. Proxies are not supported, since they only route a few types of communication protocols (HTTP, FTP, GOPHER) and Tivoli Storage Manager is not one of these communication protocols that are routed. It is important to note that the client creates a new connection to the Tivoli Storage Manager server when prompted. This means that the firewall configuration discussed above must be in place.

The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.
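The port-and-direction list in the reply above and the manual excerpts quoted below it both reduce to one question per feature: does every TCP connection the feature needs get initiated from a side the firewall permits, on a port the admin could actually open? The following added example (not code from the thread, from IBM or from Tivoli) models that check; zone names such as "client", "server", "browser" and "tec" and the sample policies are constructed for illustration, and the port defaults are the TSM defaults named in the thread.

```python
# Added example (not from the thread or Tivoli); zone names and policies are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str        # zone that initiates the TCP connection
    dst: str        # zone that accepts it
    port: int       # listening port; 0 = unpredictable (webports 0, TEC port via portmap)
    purpose: str

def tsm_flows(tcpport=1500, httpport_server=1580, httpport_client=1581,
              webports=(0, 0), tecport=0):
    """Connections each feature needs, per the thread (defaults are TSM defaults)."""
    session = Flow("client", "server", tcpport, "B/A session")
    tec = ([Flow("server", "tec", tecport, "TECPORT")] if tecport else
           [Flow("server", "tec", 111, "portmapper"),
            Flow("server", "tec", 0, "TEC port via portmap")])
    return {
        "B/A, GUI & API client": [session],
        "scheduler (polling)": [session],
        "scheduler (prompted)": [Flow("server", "client", 1501, "schedule prompt"), session],
        "Web admin interface": [Flow("browser", "server", httpport_server, "HTTP")],
        "Web client": [Flow("browser", "client", httpport_client, "HTTP"),
                       *(Flow("browser", "client", p, "webports") for p in webports), session],
        "T/EC events": tec,
    }

def firewall(inside, holes):
    """Firewall between the 'inside' zones and everything else: a crossing connection
    passes only if the admin opened that exact (src_zone, dst_zone, port). Port 0 can
    never be opened (not known in advance); same-side traffic never touches the firewall."""
    def allowed(f):
        if (f.src in inside) == (f.dst in inside):
            return True
        return f.port != 0 and (f.src, f.dst, f.port) in holes
    return allowed

def report(inside, holes, **opts):
    """Map each TSM feature to the connections the firewall blocks ([] = feature works)."""
    allowed = firewall(inside, holes)
    return {name: [f"{f.src}->{f.dst}:{f.port} ({f.purpose})" for f in flows if not allowed(f)]
            for name, flows in tsm_flows(**opts).items()}

if __name__ == "__main__":
    # Constructed sample: clients, browser and TEC console inside; TSM server outside;
    # only the client-initiated B/A port and the admin HTTP port are opened.
    for feat, blocked in report({"client", "browser", "tec"},
                                {("client", "server", 1500), ("browser", "server", 1580)}).items():
        print(f"{feat:22} {'works' if not blocked else 'BLOCKED: ' + ', '.join(blocked)}")
```

Changing `webports` from the default `(0, 0)` to two fixed ports and opening them in `holes` is what turns the Web client from blocked to working when the browser sits on the far side; the TEC case behaves the same way with `tecport` versus portmap.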
