Re: Backups through a firewall
Rick Harderwijk wrote:

> Hi,
>
> Wanda wrote:
>
> > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
>
> I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?

There's not a great deal of advantage to using non-standard ports, and it just confuses things... Any good firewall (and firewall admin) will only open up the traffic between the client and the TSM server anyway. So a hacker would have to be on one of those boxes first in order to do anything (discounting forged packets here, which should be denied at your ISP link anyway) through that port. Plus any hacker worth their salt will probably port scan you anyway (and lots of script kiddies do it just to see). So if your rules AREN'T tight, it doesn't matter what port you put it on...

> But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
>
> Regards,
> Rick

--
I don't suffer from Insanity... | Linux User #16396
I enjoy every minute of it...   | http://www.travellingkiwi.com/
Re: Backups through a firewall
Search www.adsm.org and you will find more complete discussion of this issue.

It's pretty simple; you just have to set up a hole in your firewall that allows the traffic.

All our clients use POLLING for SCHEDMODE (i.e., the client contacts the server first). By default, the client and server communicate on port 1500. All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address.

If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.

Depending on your firewall config, you may also have to increase the default firewall timeout for TSM. Some firewall software will automatically close the connection after n minutes if there is no traffic; it is not uncommon for a TSM client to go silent for a while as it noodles around in the client directory looking for things to back up. Symptoms of that problem: on the client, in dsmsched.log, you will see that during the backup the TSM session is terminated, then it reconnects and backs up some more, then gets disconnected, then reconnects, etc., many times during the backup window. It may or may not ever finish the backup completely. Increase the firewall timeout so that the firewall doesn't close the connection.

Check adsm.org for more discussion.

Wanda Prather
The Johns Hopkins Applied Physics Lab
443-778-8769
[EMAIL PROTECTED]

Intelligence has much less practical application than you'd think - Scott Adams/Dilbert

-----Original Message-----
From: Coats, Jack [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 10:56 AM
To: [EMAIL PROTECTED]
Subject: Backups through a firewall

> What is the minimal connectivity that TSM needs (like ports enabled, protocols, etc.) that it would take to do a TSM backup through a firewall?
>
> This is basically backing up a server inside a 'firewall sandwich' to a TSM server on an internal network.
>
> TIA ... Jack
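The disconnect/reconnect cycle Wanda describes is easy to confirm from the client's own scheduler log, because a firewall idle timeout drops the session after the same silent interval every time, whereas a flaky link drops it at random. The following is an added example written for this page, not code from the thread or from TSM: it scans a dsmsched.log-style log, measures how long the session had been silent before each drop, and flags a run of drops at a consistent interval as a likely firewall timeout. The sample log lines are constructed; their layout and the ANS1809W/ANS1810E wording are modelled on the TSM client scheduler log as I recall it (an assumption), and the detector keys on the message phrases rather than the numbers.

```python
"""Detect the firewall idle-timeout symptom in a dsmsched.log-style log (added example)."""
import re
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed sample log (not a real capture). Message layout and wording are
# modelled on the TSM client scheduler log as recalled; treat as an assumption.
SAMPLE_LOG = """\
05/21/2002 22:00:01 Session established with server TSM1: AIX-RS/6000
05/21/2002 22:00:03 Normal File-->     4,096 \\\\web1\\c$\\inetpub\\index.htm [Sent]
05/21/2002 22:30:03 ANS1809W A session with the TSM server has been disconnected. An attempt will be made to reestablish the connection.
05/21/2002 22:30:06 ANS1810E TSM session has been reestablished.
05/21/2002 22:30:07 Normal File-->   204,800 \\\\web1\\c$\\data\\a.dat [Sent]
05/21/2002 23:00:07 ANS1809W A session with the TSM server has been disconnected. An attempt will be made to reestablish the connection.
05/21/2002 23:00:10 ANS1810E TSM session has been reestablished.
05/21/2002 23:00:11 Normal File-->   102,400 \\\\web1\\c$\\data\\b.dat [Sent]
05/21/2002 23:30:11 ANS1809W A session with the TSM server has been disconnected. An attempt will be made to reestablish the connection.
05/21/2002 23:30:14 ANS1810E TSM session has been reestablished.
"""

# "MM/DD/YYYY HH:MM:SS <message>" as the scheduler log writes it.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")


def analyze(log_text: str, tolerance_seconds: int = 120) -> Dict[str, object]:
    """Count session drops and measure the idle interval that preceded each one.

    Any line that is not a disconnect/reconnect message counts as session
    activity, so the gap between the last such line and the next disconnect
    is the time the session sat silent before the firewall (or something
    else) cut it. Near-identical gaps across several drops point at a fixed
    idle timeout rather than at a noisy network.
    """
    last_activity: Optional[datetime] = None
    idle_gaps: List[float] = []
    disconnects = reconnects = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        msg = m.group(2)
        if "has been disconnected" in msg:
            disconnects += 1
            if last_activity is not None:
                idle_gaps.append((ts - last_activity).total_seconds())
        elif "has been reestablished" in msg:
            reconnects += 1
        else:
            last_activity = ts  # the session was doing something at this point
    consistent = len(idle_gaps) >= 2 and (max(idle_gaps) - min(idle_gaps)) <= tolerance_seconds
    return {
        "disconnects": disconnects,
        "reconnects": reconnects,
        "idle_gaps_seconds": idle_gaps,
        "typical_idle_minutes": round(median(idle_gaps) / 60) if idle_gaps else None,
        "likely_firewall_timeout": consistent,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result)
    if result["likely_firewall_timeout"]:
        print(f"Sessions drop after about {result['typical_idle_minutes']} idle minutes; "
              "raise the firewall's TCP idle timeout above that for the TSM rule.")
```

Run against the constructed log it reports three drops, each after 30 idle minutes, which is the pattern to take to the firewall admin; on a log where the gaps vary widely the verdict is false and the cause is more likely the network or the server.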
Re: Backups through a firewall
Hiya,

Using NAT seems like a valid solution too, but how about IP spoofing?

Regards,
Rick

----- Original Message -----
From: Bill Boyer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 21, 2002 10:00 PM
Subject: Re: Backups through a firewall

> Also, depending on your firewall, you could always NAT the TSM server address. Through the firewall you could assign an OUTSIDE address that gets translated to the INSIDE address of the TSM server. You can also put rules to limit the connections through port 1500 only to the TSM server address.
>
> If you change the default port of 1500 for the TSM server you need to change ALL of your clients to use this new port number. If you use POLLING (which the TSM Clients manual says is the only supported schedmode for backups thru firewalls) then you only need the 1500 port open.
>
> I wouldn't recommend running the CAD server for the web client on those servers outside the firewall, either. Just gives those hackers another open port to play with...
>
> Bill Boyer
> DSS, Inc.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Harderwijk
> Sent: Tuesday, May 21, 2002 3:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Backups through a firewall
>
> > Hi,
> >
> > Wanda wrote:
> >
> > > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
> >
> > I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?
> >
> > But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
> >
> > Regards,
> > Rick
Re: Backups through a firewall
You cannot hide them, so I see no reason to change them. If the firewall is set up correctly it should allow traffic outside the DMZ to those ports. If an intruder compromised a TSM node in the DMZ, your modified ports are known.

The main security issue (IMO) is that *SM is using the same port for backups and for admin client sessions. And opening this port in the firewall opens the ability to connect as administrator to the server.

Zlatko Krastev
IT Consultant

Please respond to ADSM: Dist Stor Manager [EMAIL PROTECTED]
Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: Backups through a firewall

> Hi,
>
> Wanda wrote:
>
> > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
>
> I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?
>
> But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
>
> Regards,
> Rick
Backups through a firewall
What is the minimal connectivity that TSM needs (like ports enabled, protocols, etc.) that it would take to do a TSM backup through a firewall?

This is basically backing up a server inside a 'firewall sandwich' to a TSM server on an internal network.

TIA ... Jack
Re: Backups through a firewall
Providing they know the admin userid and password. Admin sessions don't use PASSWORDACCESS GENERATE. A good reason to either lock, delete or change the default ADMIN/ADMIN userid in TSM.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Zlatko Krastev
Sent: Wednesday, May 22, 2002 8:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Backups through a firewall

> You cannot hide them, so I see no reason to change them. If the firewall is set up correctly it should allow traffic outside the DMZ to those ports. If an intruder compromised a TSM node in the DMZ, your modified ports are known.
>
> The main security issue (IMO) is that *SM is using the same port for backups and for admin client sessions. And opening this port in the firewall opens the ability to connect as administrator to the server.
>
> Zlatko Krastev
> IT Consultant
>
> Please respond to ADSM: Dist Stor Manager [EMAIL PROTECTED]
> Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Backups through a firewall
>
> > Hi,
> >
> > Wanda wrote:
> >
> > > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
> >
> > I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?
> >
> > But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
> >
> > Regards,
> > Rick
Re: Backups through a firewall
Hiya,

You got me convinced. Maybe that's why I'm not a firewall operator.

Regards,
Rick

----- Original Message -----
From: Zlatko Krastev [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 22, 2002 2:28 PM
Subject: Re: Backups through a firewall

> You cannot hide them, so I see no reason to change them. If the firewall is set up correctly it should allow traffic outside the DMZ to those ports. If an intruder compromised a TSM node in the DMZ, your modified ports are known.
>
> The main security issue (IMO) is that *SM is using the same port for backups and for admin client sessions. And opening this port in the firewall opens the ability to connect as administrator to the server.
>
> Zlatko Krastev
> IT Consultant
>
> Please respond to ADSM: Dist Stor Manager [EMAIL PROTECTED]
> Sent by: ADSM: Dist Stor Manager [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Backups through a firewall
>
> > Hi,
> >
> > Wanda wrote:
> >
> > > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
> >
> > I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?
> >
> > But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
> >
> > Regards,
> > Rick
Re: Backups through a firewall
Hi,

Wanda wrote:

> All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.

I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?

But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).

Regards,
Rick
Re: Backups through a firewall
Also, depending on your firewall, you could always NAT the TSM server address. Through the firewall you could assign an OUTSIDE address that gets translated to the INSIDE address of the TSM server. You can also put rules to limit the connections through port 1500 only to the TSM server address.

If you change the default port of 1500 for the TSM server you need to change ALL of your clients to use this new port number. If you use POLLING (which the TSM Clients manual says is the only supported schedmode for backups thru firewalls) then you only need the 1500 port open.

I wouldn't recommend running the CAD server for the web client on those servers outside the firewall, either. Just gives those hackers another open port to play with...

Bill Boyer
DSS, Inc.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Harderwijk
Sent: Tuesday, May 21, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Backups through a firewall

> Hi,
>
> Wanda wrote:
>
> > All the firewall guy had to do was create a rule that allows TCP/IP traffic through the firewall for port 1500 for the particular client address. If you use SCHEDMODE PROMPTED, I believe you also have to enable port 1501. If you want to use the web client to do TSM backups/restores remotely, that uses port 1581. All those ports are configurable, i.e., you can tell TSM client and server to use different ports if you want.
>
> I would STRONGLY suggest choosing different ports. I believe there's a list out there, I think it's through IANA (www.iana.org - somebody please confirm that) that tells which port is 'registered'. Pick some free ports high up, preferably not next to each other (I would go pick like 7492, 9816 and 9752 - handpicked these :) ). Wouldn't want some h*cker discovering you're using 1234 with some sec hole somewhere and let him just try 1235 and 1236, now would we?
>
> But hey, waddah I know, it's just my $.02 - maybe I'm wrong. At least someone on the list will tell you, and you'll never forget (and neither will I).
>
> Regards,
> Rick
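The thread's rule of thumb is spread across several posts: Wanda's port list (1500 for POLLING, 1501 added for PROMPTED, 1581 for the web client), Bill's NAT of the server address and his note that POLLING needs only 1500 open, Rick's point that a tight rule only admits traffic between the named client and the TSM server, and Zlatko's caveat that admin sessions arrive on the same 1500. The model below is an added example written for this page, not code from the thread, from TSM or from any firewall product: it builds the minimal allow list for a given SCHEDMODE, applies destination NAT the way Bill describes, evaluates constructed connection attempts, and lists what the rule set actually exposes. All addresses are constructed, and the direction of the 1501 connection (server to client) is taken from Wanda's and Bill's descriptions.

```python
"""Toy model of the firewall rules discussed in the thread (added example, not TSM code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str      # source address or "any"
    dst: str      # destination address or "any"
    dport: int    # destination TCP port, 0 = any
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


# Constructed addresses (assumption: one DMZ client, NATed internal TSM server).
TSM_INSIDE = "10.0.0.10"     # real TSM server address on the internal network
TSM_OUTSIDE = "192.0.2.10"   # address the DMZ sees for it (Bill's NAT suggestion)
CLIENT = "192.0.2.50"        # the DMZ node allowed to back up
OTHER_DMZ = "192.0.2.51"     # any other DMZ host, e.g. one an intruder sits on

NAT: Dict[str, str] = {TSM_OUTSIDE: TSM_INSIDE}
TSM_PORT, CLIENT_PORT, WEB_PORT = 1500, 1501, 1581  # ports as given in the thread


def translate(conn: Conn) -> Conn:
    """Destination NAT: rewrite the outside server address to the inside one."""
    return Conn(conn.src, NAT.get(conn.dst, conn.dst), conn.dport)


def rules_for(schedmode: str, clients: List[str]) -> List[Rule]:
    """Minimal allow list for the given SCHEDMODE, followed by a default deny."""
    rules: List[Rule] = []
    for c in clients:
        # POLLING: the client initiates, so only client -> server:1500 is needed.
        rules.append(Rule(c, TSM_INSIDE, TSM_PORT, "allow"))
        if schedmode.upper() == "PROMPTED":
            # PROMPTED: the server must also open a connection into the DMZ.
            rules.append(Rule(TSM_INSIDE, c, CLIENT_PORT, "allow"))
    rules.append(Rule("any", "any", 0, "deny"))
    return rules


def evaluate(rules: List[Rule], conn: Conn) -> str:
    """First-match evaluation of a new connection after NAT."""
    conn = translate(conn)
    for r in rules:
        if (r.src in ("any", conn.src) and r.dst in ("any", conn.dst)
                and r.dport in (0, conn.dport)):
            return r.action
    return "deny"


def exposure(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """The (src, dst, port) paths the rule set lets through.

    The firewall cannot tell a backup session from an administrative session
    on 1500 (Zlatko's point), so every allow on 1500 also admits admin logins
    from that client address; that has to be handled in TSM, not here.
    """
    return [(r.src, r.dst, r.dport) for r in rules if r.action == "allow"]


if __name__ == "__main__":
    polling = rules_for("POLLING", [CLIENT])
    print("POLLING exposes:", exposure(polling))
    print("PROMPTED exposes:", exposure(rules_for("PROMPTED", [CLIENT])))
    for attempt in (Conn(CLIENT, TSM_OUTSIDE, TSM_PORT),     # the backup itself
                    Conn(OTHER_DMZ, TSM_OUTSIDE, TSM_PORT),  # another DMZ box
                    Conn(TSM_INSIDE, CLIENT, CLIENT_PORT),   # server prompting the client
                    Conn(OTHER_DMZ, CLIENT, WEB_PORT)):      # web client port on the node
        print(attempt, "->", evaluate(polling, attempt))
```

Under POLLING the exposure list has one entry per client and nothing originates from the inside; switching to PROMPTED doubles it and adds an inside-to-DMZ path, which is the practical reason the thread prefers POLLING. Moving 1500 to another number changes nothing in this model, matching the kiwi's and Zlatko's argument.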
LARGE FILE BACKUPS THROUGH A FIREWALL.
I'm new to this site so I thought I'd throw this out here.

I'm running TSM Server, ver 4.1, on OS/390 and I'm having problems backing up large files from our Web Production NT/2000 servers through our IBM AIX firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW. I've called TSM support and they basically said it was a networking issue (no surprise there). I'm suspecting something like NAT is confusing TSM.

Any ideas?

Thanks,
Steve Martin
[EMAIL PROTECTED]
Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
On Mon, 16 Jul 2001 11:14:35 -0500, you wrote:

> I'm running TSM Server, ver 4.1, on OS/390 and I'm having problems backing up large files from our Web Production NT/2000 servers through our IBM AIX firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW. I've called TSM support and they basically said it was a networking issue (no surprise there). I'm suspecting something like NAT is confusing TSM. Any ideas?

It's a larger issue than that. Backups through a firewall are not supported in TSM (officially). Two suggestions:

1. Use prompted scheduling, rather than polled. This allows you to specify the TCP port used for server-client communication. (The default for prompted schedules is 1500.) Keep in mind that if you set up multiple machines in this manner, and they are performing concurrent backups, they'll all be using the same port, thus impacting throughput.

2. Make sure that the proper TCP ports are open. The defaults are 1500 and 1501; they need to be open to traffic in both directions.

--
Mark Stapleton ([EMAIL PROTECTED])
Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
With 4.2, they are supported. You can get the details in the readme.

lisa

Mark Stapleton [EMAIL PROTECTED]
07/16/2001 12:32 PM
Please respond to ADSM: Dist Stor Manager
To: [EMAIL PROTECTED]
cc: (bcc: Lisa Cabanas/SC/MODOT)
Subject: Re: LARGE FILE BACKUPS THROUGH A FIREWALL.

> On Mon, 16 Jul 2001 11:14:35 -0500, you wrote:
>
> > I'm running TSM Server, ver 4.1, on OS/390 and I'm having problems backing up large files from our Web Production NT/2000 servers through our IBM AIX firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW. I've called TSM support and they basically said it was a networking issue (no surprise there). I'm suspecting something like NAT is confusing TSM. Any ideas?
>
> It's a larger issue than that. Backups through a firewall are not supported in TSM (officially). Two suggestions:
>
> 1. Use prompted scheduling, rather than polled. This allows you to specify the TCP port used for server-client communication. (The default for prompted schedules is 1500.) Keep in mind that if you set up multiple machines in this manner, and they are performing concurrent backups, they'll all be using the same port, thus impacting throughput.
>
> 2. Make sure that the proper TCP ports are open. The defaults are 1500 and 1501; they need to be open to traffic in both directions.
>
> --
> Mark Stapleton ([EMAIL PROTECTED])
Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
Steve,

Instead of a traditional firewall, have you proposed using either a Gigabit router with filter rules or a switch with filter rules restricting access between the ports? Other routers limit throughput to 100 Meg and firewalls may be even worse.

Jeff Bach
Home Office Open Systems Engineering
Wal-Mart Stores, Inc.

WAL-MART CONFIDENTIAL

-----Original Message-----
From: Mark Stapleton [SMTP:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: LARGE FILE BACKUPS THROUGH A FIREWALL.

> On Mon, 16 Jul 2001 11:14:35 -0500, you wrote:
>
> > I'm running TSM Server, ver 4.1, on OS/390 and I'm having problems backing up large files from our Web Production NT/2000 servers through our IBM AIX firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW. I've called TSM support and they basically said it was a networking issue (no surprise there). I'm suspecting something like NAT is confusing TSM. Any ideas?
>
> It's a larger issue than that. Backups through a firewall are not supported in TSM (officially). Two suggestions:
>
> 1. Use prompted scheduling, rather than polled. This allows you to specify the TCP port used for server-client communication. (The default for prompted schedules is 1500.) Keep in mind that if you set up multiple machines in this manner, and they are performing concurrent backups, they'll all be using the same port, thus impacting throughput.
>
> 2. Make sure that the proper TCP ports are open. The defaults are 1500 and 1501; they need to be open to traffic in both directions.
>
> --
> Mark Stapleton ([EMAIL PROTECTED])

** This email and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this email in error destroy it immediately. **
Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
Another idea . . . .

Sounds like the backup is working correctly, just taking a long time. What is the load on the firewall system during the backup? You might be hitting a max throughput on the firewall. Try turning on client compression to ease the firewall's load.

Rick

On 16 Jul 2001, at 11:14, Steve Martin wrote:

> firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW.
Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
We NAT'ted our TSM server and we perform backups via the firewall. When we did this we only allowed the TSM TCP/IP ports to talk through the firewall.

Mahesh

[EMAIL PROTECTED] 07/16/01 02:02PM

> Steve,
>
> Instead of a traditional firewall, have you proposed using either a Gigabit router with filter rules or a switch with filter rules restricting access between the ports? Other routers limit throughput to 100 Meg and firewalls may be even worse.
>
> Jeff Bach
> Home Office Open Systems Engineering
> Wal-Mart Stores, Inc.
>
> WAL-MART CONFIDENTIAL
>
> -----Original Message-----
> From: Mark Stapleton [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, July 16, 2001 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: LARGE FILE BACKUPS THROUGH A FIREWALL.
>
> > On Mon, 16 Jul 2001 11:14:35 -0500, you wrote:
> >
> > > I'm running TSM Server, ver 4.1, on OS/390 and I'm having problems backing up large files from our Web Production NT/2000 servers through our IBM AIX firewalls running Checkpoint. I've got a 25 GB SQL DB that takes over 40-50 hours to back up. I've tested the same backup but bypassing the FWs and the backup took only about 1 hour! It is not only the SQL DB but any large file takes a tremendous amount of time to back up through the FW. I've called TSM support and they basically said it was a networking issue (no surprise there). I'm suspecting something like NAT is confusing TSM. Any ideas?
> >
> > It's a larger issue than that. Backups through a firewall are not supported in TSM (officially). Two suggestions:
> >
> > 1. Use prompted scheduling, rather than polled. This allows you to specify the TCP port used for server-client communication. (The default for prompted schedules is 1500.) Keep in mind that if you set up multiple machines in this manner, and they are performing concurrent backups, they'll all be using the same port, thus impacting throughput.
> >
> > 2. Make sure that the proper TCP ports are open. The defaults are 1500 and 1501; they need to be open to traffic in both directions.
> >
> > --
> > Mark Stapleton ([EMAIL PROTECTED])