Re: Backing up clients from DMZ on TSM server inside the firewall

2002-04-29 Thread Zlatko Krastev

Look at the post I made last month:
http://msgs.adsm.org/cgi-bin/get/adsm0203/1294.html
The official Tivoli document is called "TSM for Windows Using the
Backup-Archive Client". This is the place I got the info from.

Zlatko Krastev
IT Consultant







Backing up clients from DMZ on TSM server inside the firewall

2002-04-23 Thread Makkar, Jas

We are trying to develop an approach to back up the
clients who are in the DMZ via a TSM server sitting
inside the firewall. Please comment on the following
strategy:

To back up the clients in the DMZ from the TSM Lib located
within the intranet, install the TSM client on the
client in the DMZ and open a port in the firewall.
Additionally, use data encryption. To do this, you
would use the include.exclude and exclude.encrypt
options in your options file. The encryption key for
these can either be stored locally on your machine or
prompted for each time a backup or restore is
attempted. This is set with the encryptkey option in your
options file.

TSM clients in the DMZ should not be allowed to do any
administrative function. You can only prevent the
client from deleting backups and archives. This can be
performed by running (on the TSM server): update node
nodename archdelete=no backdelete=no

Note: You could also change password=prompt in the
client options file to require a password before a
client could perform any actions. Not recommended
though. Additionally, since the TSM server address
is required in the client options file, you can't hide
information about the TSM server in case of a security
breach.

ANY BETTER IDEA is appreciated.  Additionally, any red
flags in the strategy.

Thanks in Advance.
Jas
[EMAIL PROTECTED]
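
An added example, not part of the original thread or of any Tivoli tooling: a small audit of a DMZ client's options file for the settings the post above discusses (client-side encryption, where the encryption key and node password live, and which server address and port the firewall has to pass). The sample file is constructed; the option names INCLUDE.ENCRYPT, ENCRYPTKEY, PASSWORDACCESS, TCPSERVERADDRESS and TCPPORT are the full-length spellings assumed here, and abbreviated option names are not handled.

```python
# Constructed sample dsm.opt for a DMZ client (192.0.2.10 is a documentation address).
SAMPLE_OPT = """\
* options for DMZ web server backup
NODENAME          dmzweb01
TCPSERVERADDRESS  192.0.2.10
TCPPORT           1500
PASSWORDACCESS    GENERATE
ENCRYPTKEY        SAVE
INCLUDE.ENCRYPT   /data/.../*
"""


def parse_options(text):
    """Return {OPTION: [values]}; lines starting with '*' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].upper(), []).append(value)
    return opts


def first(opts, name, default=""):
    """First value given for an option, or the default if it is absent."""
    return opts.get(name, [default])[0]


def audit(text):
    """Return (findings, flow): review points plus the flow the firewall must pass."""
    opts = parse_options(text)
    findings = []
    if not opts.get("INCLUDE.ENCRYPT"):
        findings.append("no include.encrypt statement: no file is encrypted by the client")
    if first(opts, "ENCRYPTKEY").upper() == "SAVE":
        findings.append("encryptkey save: encryption key is stored on the DMZ host")
    if first(opts, "PASSWORDACCESS").upper() == "GENERATE":
        findings.append("passwordaccess generate: node password is stored on the DMZ host")
    server = first(opts, "TCPSERVERADDRESS", "?")
    port = int(first(opts, "TCPPORT", "1500"))  # 1500 is the port named in this thread
    flow = f"tcp from DMZ client to {server} port {port}"
    return findings, flow


if __name__ == "__main__":
    findings, flow = audit(SAMPLE_OPT)
    print("firewall flow:", flow)
    for item in findings:
        print("review:", item)
```
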



Re: Backing up clients from DMZ on TSM server inside the firewall

2002-04-23 Thread Robert Clark

NAT the TSM server address so that it appears to be in the DMZ.

That way if you need to change the layout of the LAN outside of the DMZ,
you don't have as many firewall rules to change.

Has anyone seen a document that describes exactly what ports the TSM client
needs to use for a backup session? Using tcpdump to figure out what we need
open seems kind of backwards.

Thanks, [RC]

Robert Clark
 The Regence Group
Storage Administrator
  503-220-4743



===
IMPORTANT NOTICE: This communication, including any attachment, contains
information that may be confidential or privileged, and is intended solely
for the entity or individual to whom it is addressed.  If you are not the
intended recipient, you should delete this message and are hereby notified
that any disclosure, copying, or distribution of this message is strictly
prohibited.  Nothing in this email, including any attachment, is intended
to be a legally binding signature.



Re: Backing up clients from DMZ on TSM server inside the firewall

2002-04-23 Thread Adamson, Matt

All I did was point the DMZ server to the TSM server inside the firewall by
IP address.  Then had the firewall gurus open up port 1500 for me, allowing
traffic both ways.
