Let me get this straight. They're willing to do one outside-initiated IP-IP rule on the firewall (your server-server communication), they're just not willing to do multiple IP-IP port-limiting rules, one for each client?
Then what about dropping a second NIC in each client and in the TSM server, then creating a private segment or VLAN? It can be packet/IP filtered pretty easily and cheaply if desired, and if the segment is switched, you don't have to worry too much about packet sniffing. Personally, I think having a DMZ TSM server is overkill.

Heh, heh, heh. Just thought of something. Drop in a NAT router/firewall in the DMZ, define a route for all your DMZ clients to use that router to talk to TSM. Voilà, only one outside IP-IP rule through the firewall, from the NAT to your TSM server, basically what you have now. Nice, eh? But personally, I think the second NIC idea is better.

Another possibility is a SAN to share your tape, library, and, if you like, your diskpools (using SANergy). Then your external TSM server can have access to the tape without having to buy a second library, and you'll get your collocation.

Alex Paschal
Storage Administrator
Freightliner, LLC
(503) 745-6850 phone/vmail

-----Original Message-----
From: Peter Bjoern [mailto:pebjn@;WMDATASDC.DK]
Sent: Thursday, October 17, 2002 9:00 AM
To: [EMAIL PROTECTED]
Subject: Re: Question about backup scenario (long)

>Have you thought about having the clients in
>question being backed up directly to the internal TSM server? It would mean
>having TCP ports 1500 and 1501 open.

Hi Mark

That was our first preference (seen from a functionality point of view), however having those ports open from all the clients to the internal side is unacceptable to the network security people since it would involve having to allow sessions being initiated from clients on the outside to the server on the inside, and they will not allow outside-initiated connections. The solution with the external server placed between two firewalls and other stuff, where you only needed to permit traffic from one IP to one IP on specific ports, was the only way to transport data from the outside to the inside that could be approved.

Regards
Peter
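As an added illustration (not part of the thread above, and not TSM or any vendor's code), here is a small model of the two firewall policies being compared: one IP-IP/port rule per DMZ client versus a single rule from a DMZ NAT router to the internal TSM server. All addresses are constructed from the RFC 5737 documentation range and the 10.0.0.0/8 private range; the TCP ports 1500 and 1501 are the ones named in the thread. The model is default-deny for outside-initiated sessions, which is the constraint the network security people imposed.

```python
# Added example (not from the ADSM-L thread): a default-deny model of the
# firewall policies discussed above, so rule counts and what each policy
# lets through can be checked rather than argued about.
# All addresses below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_TSM = "10.0.0.10"                                  # constructed: internal TSM server
DMZ_NET = "192.0.2.0/24"                                    # constructed: DMZ segment
DMZ_CLIENTS = ("192.0.2.11", "192.0.2.12", "192.0.2.13")    # constructed: DMZ backup clients
DMZ_NAT = "192.0.2.1"                                       # constructed: NAT router in the DMZ
TSM_PORTS = frozenset({1500, 1501})                         # TSM client/server TCP ports from the thread


@dataclass(frozen=True)
class Rule:
    """One allow rule for an outside-initiated TCP session; everything else is denied."""
    src: str           # source host or network (CIDR or bare host)
    dst: str           # destination host or network
    dports: frozenset  # permitted destination TCP ports

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and dport in self.dports)


def direct_policy(clients=DMZ_CLIENTS, tsm=INTERNAL_TSM):
    """The option the security team rejected: one IP-IP/port rule per DMZ client."""
    return [Rule(c, tsm, TSM_PORTS) for c in clients]


def nat_policy(nat=DMZ_NAT, tsm=INTERNAL_TSM):
    """The option proposed above: clients route via a DMZ NAT, one rule from the NAT to TSM."""
    return [Rule(nat, tsm, TSM_PORTS)]


def allowed(policy, src: str, dst: str, dport: int) -> bool:
    """Default-deny evaluation: the session is permitted only if some rule matches."""
    return any(r.matches(src, dst, dport) for r in policy)


def via_nat(client: str, nat=DMZ_NAT, dmz=DMZ_NET) -> str:
    """Source address the inside firewall sees once the DMZ NAT has rewritten the session."""
    return nat if ip_address(client) in ip_network(dmz) else client


def audit(policy, clients=DMZ_CLIENTS, tsm=INTERNAL_TSM, through_nat=False):
    """Per-client reachability of both TSM ports, plus a check that no other port leaks."""
    reach = {}
    for c in clients:
        src = via_nat(c) if through_nat else c
        reach[c] = all(allowed(policy, src, tsm, p) for p in TSM_PORTS)
    probe_src = via_nat(clients[0]) if through_nat else clients[0]
    return {
        "rules": len(policy),
        "clients_reaching_tsm": reach,
        "non_tsm_port_exposed": allowed(policy, probe_src, tsm, 22),
    }


if __name__ == "__main__":
    print("per-client rules:", audit(direct_policy()))
    print("single NAT rule:  ", audit(nat_policy(), through_nat=True))
    print("NAT rule, client bypassing NAT:", audit(nat_policy(), through_nat=False))
```

The audit makes the trade-off visible: the NAT option needs one rule instead of one per client, and a client that bypasses the NAT is dropped by the inside firewall. The flip side is that the inside firewall can no longer tell DMZ hosts apart, so adding a new DMZ client (or an unexpected host on that segment) reaches TSM with no firewall change and no firewall review; the per-client policy in the model still denies it. That is the part worth raising with the network security people before choosing the NAT route.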