See my responses inline.

Paul D. Seay, Jr.
Technical Specialist
Naptheon Inc.
757-688-8180

-----Original Message-----
From: William Rosette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 10:01 AM
To: [EMAIL PROTECTED]
Subject: Re: TSM backing up in a DMZ zone.

Hi TSMr's,

I have a DMZ Zone going in this Tuesday and they are asking me (TSM admin) to see if TSM can back up servers/clients in the DMZ zone. I have heard some talk on this ADSM user group about that very thing. We are going to be using a Cisco Pix Firewall and eventually use a Nokia Checkpoint. I gave them some options but I want to know if there are any more options that y'all might have. Here are the ones I suggested.

1. Put a TSM remote server in the DMZ and share the library (3494) with the other server. This one requires port 3494 to be opened through the firewall so that the TSM server can talk to the library. This one to me has some serious risks if the TSM server is broken into. The reason is there is no security in the library to block the mtlib and lmcpd interfaces from being used to mount tapes belonging to other systems from being mounted in the drives of this remote TSM server.

2. Since most clients (NT & Linux servers) back up in 5 to 15 minutes and will not need to be backed up maybe once a week, open an obscure port once a week for 30 minutes for all backups. The port on the TSM server side has to be set for all clients. But, you could create a small second TSM server process on the machine inside the firewall or locate the remote one inside the firewall that uses this specific port and only allows connections from the NT & Linux servers. Then, set your firewall up so that only port and connection works to the TSM server. This is probably the most secure. The big negative is that the backup will be slow depending on your firewall and network.

3. Port access through Cisco script when backup happens. I am not familiar with this but it looks like 2 with some more security.

4. Direct connect to TSM server. Not sure what you mean by Direct Connect.

I understand that probably each one has its security leaks and some more than others. Is there someone who can share a good DMZ SLA?

Thank You,
Bill Rosette
Data Center/IS/Papa Johns International
WWJD
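
The restriction described under option 2 (one dedicated port, reachable only from the DMZ backup clients) can be checked against a proposed rule set before it is loaded on the firewall. This is an added example, not part of the original thread; the addresses, port 1777, the `Rule` tuple and the sample rules are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):        # hypothetical shape of one "permit tcp" rule
    src: str                   # source network, CIDR
    dst: str                   # destination network, CIDR
    port_lo: int
    port_hi: int

# Assumed values for illustration only; none of these come from the thread
# except 3494, the library port named under option 1.
TSM_SERVER = ipaddress.ip_network("10.1.1.20/32")
TSM_PORT = 1777
LIBRARY_PORT = 3494
DMZ_CLIENTS = [ipaddress.ip_network(c) for c in ("192.0.2.10/32", "192.0.2.11/32")]

# Constructed sample rule set: the first rule matches the policy, the rest do not.
SAMPLE_RULES = [
    Rule("192.0.2.10/32", "10.1.1.20/32", 1777, 1777),
    Rule("192.0.2.0/24", "10.1.1.20/32", 1777, 1777),
    Rule("192.0.2.11/32", "10.1.1.20/32", 1024, 65535),
    Rule("192.0.2.11/32", "10.1.1.0/24", 1777, 1777),
]

def audit(rules):
    """Return (rule, reasons) for every permit rule wider than the backup policy."""
    findings = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        reasons = []
        # The source must fall inside one of the listed backup clients.
        if not any(src.subnet_of(c) for c in DMZ_CLIENTS):
            reasons.append("source wider than the listed backup clients")
        # The destination must be the TSM server and nothing else.
        if dst != TSM_SERVER:
            reasons.append("destination is not only the TSM server")
        # Exactly one port, the dedicated TSM listener.
        if (r.port_lo, r.port_hi) != (TSM_PORT, TSM_PORT):
            reasons.append("ports other than the dedicated TSM port")
        # Flag any range that would also open the tape library port.
        if r.port_lo <= LIBRARY_PORT <= r.port_hi:
            reasons.append("exposes library port 3494")
        if reasons:
            findings.append((r, reasons))
    return findings

if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE_RULES):
        print(rule, "->", "; ".join(reasons))
```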
