Remco, I posed this question to IBM Tivoli support a few weeks ago and here is their response:
This is from Read me for the TSM Client code 4.2.X
ftp://service.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v4r2/Windows/WinNT/v421/IP22373_READ1STC.TXT

- The Tivoli Storage Manager server and clients can work across a firewall in most cases. Please see the 'Tivoli Storage Manager Firewall' subsection of the Getting Started chapter in the TSM Using the Backup-Archive Client book.

Currently the following operations are known to have problems when a firewall is in place:

- The client scheduler operating in prompted mode does not work when the server is across a firewall. The client scheduler does work when operating in polling mode.
- The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.

This is from the Book Using Backup Archive Clients: Chapter 2

Tivoli Storage Manager Firewall Support

In most cases, the Tivoli Storage Manager server and clients can work across a firewall. The ports that the client and server need to communicate must be opened in the firewall by the firewall administrator. Because every firewall is different, the firewall administrator may need to consult the instructions for the firewall software or hardware in use.

The ports that the firewall needs to define are those ports that are needed for the client to connect to the Tivoli Storage Manager server. If the server is listening on port 1500 then the firewall software needs to forward the port to the Tivoli Storage Manager server machine.

To allow clients to communicate with a server across a firewall, you must open the TCP/IP port for the server using the tcpport option in the server options file. The default TCP/IP port is 1500.

To allow the Web client to communicate with remote workstations across a firewall, you must open the HTTP port for the remote workstation using the httpport option in the remote workstation's client option file. The default HTTP port is 1581.
You must open the two TCP/IP ports for the remote workstation client using the webports option in the remote workstation's option file. Values for the webports are required. If you do not specify the values for the webports option, the default zero (0) causes TCP/IP to randomly assign two free port numbers. See Webports for more information about the webports option.

To use the administrative Web interface for a server across a firewall, you must open the port that is the HTTP port for the server using the httpport option in the server options file. The default HTTP port is 1580.

In an enterprise environment, we strongly recommend that you use the Tivoli Storage Manager Secure Web Administrator Proxy for Web administration of the Tivoli Storage Manager server. Install the proxy on a Web server that sits on the firewall so that the Web server can access resources on both sides of the firewall (this is sometimes called the demilitarized zone). When you set up the proxy, you can use it to administer any Tivoli Storage Manager server at Version 3.7 or higher. For more information on how to install and use the proxy, see the appendix about the Web proxy in the Tivoli Storage Manager Quick Start manual. You can also increase security in this environment by enabling HTTPS services (also called secure socket layer or SSL) on the Web server where you install the proxy. Check your Web server documentation for information on how to set this up.

When using Tivoli Storage Manager across a firewall, please consider the following:

- To use the Web client to connect to a client across a firewall, the Web client and the backup-archive client must be Version 4.1.2 or later.
- To enable the backup-archive client, command line admin client, and the scheduler (running in polling mode) to run outside a firewall, the port specified by the server option tcpport (default 1500) must be opened by the firewall administrator.
Note: Tivoli Storage Manager does not support the scheduler running in prompted mode outside a firewall. In prompted mode the Tivoli Storage Manager server needs to contact the client. In order to do this, some software must be installed on the Tivoli Storage Manager server to route the request through the firewall. This software routes the server request through a socks port on the firewall. This is typically called socksifying a system. Proxies are not supported, since they only route a few types of communication protocols (HTTP, FTP, GOPHER) and Tivoli Storage Manager is not one of these communication protocols that are routed. It is important to note that the client creates a new connection to the Tivoli Storage Manager server when prompted. This means that the firewall configuration discussed above must be in place.

The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.
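
The port rules quoted above can be checked against a pair of option files before a firewall change request is written. The following is an added example, not part of the original post or of IBM's documentation. It assumes option names are spelled out in full (abbreviations are not handled), that the scheduler mode is set with the client option schedmode, and that lines starting with '*' are comments; the sample file contents are constructed.

```python
# Defaults as stated in the quoted documentation (polling as the default
# scheduler mode is an assumption of this example).
SERVER_DEFAULTS = {"tcpport": "1500"}
CLIENT_DEFAULTS = {"httpport": "1581", "webports": "0 0", "schedmode": "polling"}

def parse_options(text, defaults):
    """Parse 'NAME value' lines; a leading '*' marks a comment line."""
    opts = dict(defaults)
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(server_text, client_text):
    """Return the ports to open in each direction and settings that break across a firewall."""
    server = parse_options(server_text, SERVER_DEFAULTS)
    client = parse_options(client_text, CLIENT_DEFAULTS)
    findings = []
    web = client["webports"].split()
    if len(web) != 2 or "0" in web:
        # Random ports cannot be matched by a static firewall rule.
        findings.append("webports is 0 or unset: ports are assigned randomly, set two fixed values")
        web = []
    if client["schedmode"].lower().startswith("pr"):
        findings.append("schedmode is prompted: server must reach the client, use polling")
    return {
        "to_server": [int(server["tcpport"])],
        "to_client": [int(client["httpport"])] + [int(p) for p in web],
        "findings": findings,
    }

# Constructed sample option files (not from the original post).
SERVER_OPT = """* server options file (sample)
TCPPORT 1500
"""
CLIENT_OPT = """* client options file (sample)
HTTPPORT 1581
WEBPORTS 2123 2124
SCHEDMODE PROMPTED
"""

if __name__ == "__main__":
    report = audit(SERVER_OPT, CLIENT_OPT)
    print("open toward server:", report["to_server"])
    print("open toward client:", report["to_client"])
    for finding in report["findings"]:
        print("WARNING:", finding)
```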