Re: [Veritas-bu] Firewall setup
* Anas Kayal <[EMAIL PROTECTED]> [2006-12-21 09:29]: > Guys, I have 2 servers in my DMZ. Now after reading this forum I opened > ports 13720 and 13724 and permitted access from my master server to both > servers in DMZ in both directions. Now how do I specify that this port > should be used by this client and the other port by the other client? Don't forget that you also need 13782 (bpcd) from the backup server TO the client. 13720 (bprd) and 13724 (vnetd) are for traffic FROM the client TO the backup server. -- David Rock [EMAIL PROTECTED] ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Firewall setup
Run "bpclient -client $CLIENT -add -no_callback 1" on your master server (replacing $CLIENT with your client's name). Or from the GUI : NetBackup Management --> Host Properties --> Master Servers (right click on the relevant one) --> Properties --> Client Attributes --> Add. Add your client & set BPCD Connect Back to VNETD port. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anas Kayal Sent: 21 December 2006 06:29 To: NB List Mail Subject: Re: [Veritas-bu] Firewall setup Guys, I have 2 servers in my DMZ. Now after reading this forum I opened ports 13720 and 13724 and permitted access from my master server to both servers in DMZ in both directions. Now how do I specify that this port should be used by this client and the other port by the other client? Anas Kayal IT Department System Administrator _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: Monday, December 18, 2006 9:30 PM To: Weber, Philip; NB List Mail Subject: Re: [Veritas-bu] Firewall setup OK. So on the firewall you only open ports 13782, 13724 and 13720? And then configure the clients to use the same 3 ports? All other are closed? Greg _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Weber, Philip Sent: Monday, December 18, 2006 10:38 AM To: NB List Mail Subject: Re: [Veritas-bu] Firewall setup We've gone firewall-mad over the last couple of years and now pretty much all of our clients are behind at least one firewall from the perspective of the NetBackup servers. In general we open ports 13782, 13724 and 13720 in both directions, to make life simpler. This can be reduced so that only 13782 is open from the DMZ - which is what we do for clients in the "real" DMZ. Set the clients to use vnetd, in the clients tab of the master server properties (or use bpclient). We do occasionally have connection errors and currently have a big issue in our NB 5.1 MP5 environment, with frequent but irregular "hanging backups", where the backup has apparently completed but hangs at 99% or 100%. Seems to be because the final call from the client back to bpbrm is not being received by the media server. Seems to be something in our environment but we are in the process of trying to prove this between Symantec and our Network support team. Also in some cases have firewalls between media/master servers which is a whole new problem... Phil Weber Business Technology (Egg) Storage Technical Services - Senior UNIX Technologist -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: 18 December 2006 13:06 To: NB List Mail Subject: [Veritas-bu] Firewall setup Nb 5.0 mp6 Solaris 9 We have a DMZ zone setup that has 10 servers in it. We back up these servers through our firewall. We occasionally get connection errors. I would like to know if anyone else out there would be interested in sharing their setup, port ranges etc on how they backup servers through a firewall. We currently do not use the firewall section in the host properties and I am thinking that maybe I should be adding the servers that are on the other side of the firewall to this tab. Greg >>> This e-mail and any attachments are confidential, may contain legal, professional or other privileged information, and are intended solely for the addressee. If you are not the intended recipient, do not use the information in this e-mail in any way, delete this e-mail and notify the sender. CEG-IP2 _ Egg is a trading name of the Egg group of companies which includes: Egg plc (reg no 2448340), Egg Financial Intermediation Ltd (reg no 3828289), and Egg Banking plc (reg no 2999842). Egg Banking plc and Egg Financial Intermediation Ltd are authorised and regulated by the Financial Services Authority (FSA) and are entered in the FSA register under numbers 205621 and 309551 respectively. These members of the Egg group are registered in England and Wales. Registered office: Laurence Pountney Hill, London EC4R 0HH. This e-mail is confidential and for use by the addressee only. If you are not the intended recipient of this e-mail and have received it in error, please return the message to the sender by replying to it and then delete it from your mailbox. Internet e-mails are not necessarily secure. The Egg group of companies do not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by the Egg group of companies in this regard and the recipient should carry out such virus and other checks as it considers app
Re: [Veritas-bu] Firewall setup
Guys, I have 2 servers in my DMZ. Now after reading this forum I opened ports 13720 and 13724 and permitted access from my master server to both servers in DMZ in both directions. Now how do I specify that this port should be used by this client and the other port by the other client? Anas Kayal IT Department System Administrator From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: Monday, December 18, 2006 9:30 PM To: Weber, Philip; NB List Mail Subject: Re: [Veritas-bu] Firewall setup OK. So on the firewall you only open ports 13782, 13724 and 13720? And then configure the clients to use the same 3 ports? All other are closed? Greg From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Weber, Philip Sent: Monday, December 18, 2006 10:38 AM To: NB List Mail Subject: Re: [Veritas-bu] Firewall setup We've gone firewall-mad over the last couple of years and now pretty much all of our clients are behind at least one firewall from the perspective of the NetBackup servers. In general we open ports 13782, 13724 and 13720 in both directions, to make life simpler. This can be reduced so that only 13782 is open from the DMZ - which is what we do for clients in the "real" DMZ. Set the clients to use vnetd, in the clients tab of the master server properties (or use bpclient). We do occasionally have connection errors and currently have a big issue in our NB 5.1 MP5 environment, with frequent but irregular "hanging backups", where the backup has apparently completed but hangs at 99% or 100%. Seems to be because the final call from the client back to bpbrm is not being received by the media server. Seems to be something in our environment but we are in the process of trying to prove this between Symantec and our Network support team. Also in some cases have firewalls between media/master servers which is a whole new problem... Phil Weber Business Technology (Egg) Storage Technical Services - Senior UNIX Technologist -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: 18 December 2006 13:06 To: NB List Mail Subject: [Veritas-bu] Firewall setup Nb 5.0 mp6 Solaris 9 We have a DMZ zone setup that has 10 servers in it. We back up these servers through our firewall. We occasionally get connection errors. I would like to know if anyone else out there would be interested in sharing their setup, port ranges etc on how they backup servers through a firewall. We currently do not use the firewall section in the host properties and I am thinking that maybe I should be adding the servers that are on the other side of the firewall to this tab. Greg >>> This e-mail and any attachments are confidential, may contain legal, professional or other privileged information, and are intended solely for the addressee. If you are not the intended recipient, do not use the information in this e-mail in any way, delete this e-mail and notify the sender. CEG-IP2 Egg is a trading name of the Egg group of companies which includes: Egg plc (reg no 2448340), Egg Financial Intermediation Ltd (reg no 3828289), and Egg Banking plc (reg no 2999842). Egg Banking plc and Egg Financial Intermediation Ltd are authorised and regulated by the Financial Services Authority (FSA) and are entered in the FSA register under numbers 205621 and 309551 respectively. These members of the Egg group are registered in England and Wales. Registered office: Laurence Pountney Hill, London EC4R 0HH. This e-mail is confidential and for use by the addressee only. If you are not the intended recipient of this e-mail and have received it in error, please return the message to the sender by replying to it and then delete it from your mailbox. Internet e-mails are not necessarily secure. The Egg group of companies do not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by the Egg group of companies in this regard and the recipient should carry out such virus and other checks as it considers appropriate. This communication does not create or modify any contract. This mail has been scanned by Symantec Mail Security for SMTP at UP.ORG.QA___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Firewall setup
OK. So on the firewall you only open ports 13782, 13724 and 13720? And then configure the clients to use the same 3 ports? All other are closed? Greg From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Weber, Philip Sent: Monday, December 18, 2006 10:38 AM To: NB List Mail Subject: Re: [Veritas-bu] Firewall setup We've gone firewall-mad over the last couple of years and now pretty much all of our clients are behind at least one firewall from the perspective of the NetBackup servers. In general we open ports 13782, 13724 and 13720 in both directions, to make life simpler. This can be reduced so that only 13782 is open from the DMZ - which is what we do for clients in the "real" DMZ. Set the clients to use vnetd, in the clients tab of the master server properties (or use bpclient). We do occasionally have connection errors and currently have a big issue in our NB 5.1 MP5 environment, with frequent but irregular "hanging backups", where the backup has apparently completed but hangs at 99% or 100%. Seems to be because the final call from the client back to bpbrm is not being received by the media server. Seems to be something in our environment but we are in the process of trying to prove this between Symantec and our Network support team. Also in some cases have firewalls between media/master servers which is a whole new problem... Phil Weber Business Technology (Egg) Storage Technical Services - Senior UNIX Technologist -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: 18 December 2006 13:06 To: NB List Mail Subject: [Veritas-bu] Firewall setup Nb 5.0 mp6 Solaris 9 We have a DMZ zone setup that has 10 servers in it. We back up these servers through our firewall. We occasionally get connection errors. I would like to know if anyone else out there would be interested in sharing their setup, port ranges etc on how they backup servers through a firewall. We currently do not use the firewall section in the host properties and I am thinking that maybe I should be adding the servers that are on the other side of the firewall to this tab. Greg >>> This e-mail and any attachments are confidential, may contain legal, professional or other privileged information, and are intended solely for the addressee. If you are not the intended recipient, do not use the information in this e-mail in any way, delete this e-mail and notify the sender. CEG-IP2 Egg is a trading name of the Egg group of companies which includes: Egg plc (reg no 2448340), Egg Financial Intermediation Ltd (reg no 3828289), and Egg Banking plc (reg no 2999842). Egg Banking plc and Egg Financial Intermediation Ltd are authorised and regulated by the Financial Services Authority (FSA) and are entered in the FSA register under numbers 205621 and 309551 respectively. These members of the Egg group are registered in England and Wales. Registered office: Laurence Pountney Hill, London EC4R 0HH. This e-mail is confidential and for use by the addressee only. If you are not the intended recipient of this e-mail and have received it in error, please return the message to the sender by replying to it and then delete it from your mailbox. Internet e-mails are not necessarily secure. The Egg group of companies do not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by the Egg group of companies in this regard and the recipient should carry out such virus and other checks as it considers appropriate. This communication does not create or modify any contract. ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Firewall setup
You've pretty much described my env also. as for your backups that hang at 99 or 100%, have your network guys inspect their FW logs for "drops" with a message like "SYN ACK recieved out of order" or something along those lines. it's probably because your firewall session timeout has expired. Paul -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Weber, Philip Sent: December 18, 2006 10:38 AM To: NB List Mail Subject: Re: [Veritas-bu] Firewall setup We've gone firewall-mad over the last couple of years and now pretty much all of our clients are behind at least one firewall from the perspective of the NetBackup servers. In general we open ports 13782, 13724 and 13720 in both directions, to make life simpler. This can be reduced so that only 13782 is open from the DMZ - which is what we do for clients in the "real" DMZ. Set the clients to use vnetd, in the clients tab of the master server properties (or use bpclient). We do occasionally have connection errors and currently have a big issue in our NB 5.1 MP5 environment, with frequent but irregular "hanging backups", where the backup has apparently completed but hangs at 99% or 100%. Seems to be because the final call from the client back to bpbrm is not being received by the media server. Seems to be something in our environment but we are in the process of trying to prove this between Symantec and our Network support team. Also in some cases have firewalls between media/master servers which is a whole new problem... La version française suit le texte anglais. This email may contain privileged and/or confidential information, and the Bank of Canada does not waive any related rights. Any distribution, use, or copying of this email or the information it contains by other than the intended recipient is unauthorized. If you received this email in error please delete it immediately from your system and notify the sender promptly by email that you have done so. Le présent courriel peut contenir de l'information privilégiée ou confidentielle. La Banque du Canada ne renonce pas aux droits qui s'y rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements qu'il contient par une personne autre que le ou les destinataires désignés est interdite. Si vous recevez ce courriel par erreur, veuillez le supprimer immédiatement et envoyer sans délai à l'expéditeur un message électronique pour l'aviser que vous avez éliminé de votre ordinateur toute copie du courriel reçu. ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Firewall setup
We've gone firewall-mad over the last couple of years and now pretty much all of our clients are behind at least one firewall from the perspective of the NetBackup servers. In general we open ports 13782, 13724 and 13720 in both directions, to make life simpler. This can be reduced so that only 13782 is open from the DMZ - which is what we do for clients in the "real" DMZ. Set the clients to use vnetd, in the clients tab of the master server properties (or use bpclient). We do occasionally have connection errors and currently have a big issue in our NB 5.1 MP5 environment, with frequent but irregular "hanging backups", where the backup has apparently completed but hangs at 99% or 100%. Seems to be because the final call from the client back to bpbrm is not being received by the media server. Seems to be something in our environment but we are in the process of trying to prove this between Symantec and our Network support team. Also in some cases have firewalls between media/master servers which is a whole new problem... Phil Weber Business Technology (Egg) Storage Technical Services - Senior UNIX Technologist -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg Sent: 18 December 2006 13:06 To: NB List Mail Subject: [Veritas-bu] Firewall setup Nb 5.0 mp6 Solaris 9 We have a DMZ zone setup that has 10 servers in it. We back up these servers through our firewall. We occasionally get connection errors. I would like to know if anyone else out there would be interested in sharing their setup, port ranges etc on how they backup servers through a firewall. We currently do not use the firewall section in the host properties and I am thinking that maybe I should be adding the servers that are on the other side of the firewall to this tab. Greg >>> This e-mail and any attachments are confidential, may contain legal, professional or other privileged information, and are intended solely for the addressee. If you are not the intended recipient, do not use the information in this e-mail in any way, delete this e-mail and notify the sender. CEG-IP2 - Egg is a trading name of the Egg group of companies which includes: Egg plc (reg no 2448340), Egg Financial Intermediation Ltd (reg no 3828289), and Egg Banking plc (reg no 2999842). Egg Banking plc and Egg Financial Intermediation Ltd are authorised and regulated by the Financial Services Authority (FSA) and are entered in the FSA register under numbers 205621 and 309551 respectively. These members of the Egg group are registered in England and Wales. Registered office: Laurence Pountney Hill, London EC4R 0HH. This e-mail is confidential and for use by the addressee only. If you are not the intended recipient of this e-mail and have received it in error, please return the message to the sender by replying to it and then delete it from your mailbox. Internet e-mails are not necessarily secure. The Egg group of companies do not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by the Egg group of companies in this regard and the recipient should carry out such virus and other checks as it considers appropriate. This communication does not create or modify any contract. ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
[Veritas-bu] Firewall setup
Nb 5.0 mp6 Solaris 9 We have a DMZ zone setup that has 10 servers in it. We back up these servers through our firewall. We occasionally get connection errors. I would like to know if anyone else out there would be interested in sharing their setup, port ranges etc on how they backup servers through a firewall. We currently do not use the firewall section in the host properties and I am thinking that maybe I should be adding the servers that are on the other side of the firewall to this tab. Greg >>> This e-mail and any attachments are confidential, may contain legal, professional or other privileged information, and are intended solely for the addressee. If you are not the intended recipient, do not use the information in this e-mail in any way, delete this e-mail and notify the sender. CEG-IP2 ___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu