Re: Documentation needed: Backing up through a firewall
Hi

All you have to think about is the ports that have to be open. The ports used for TSM are 1500 for the server, 1501 for the client. These ports can be changed using the opt/sys file on your client/server.

This would mean:

Allow from secure to non-secure 1501
Allow from non-secure to secure 1500

(if the client is located in the non-secure network).

Best Regards

Daniel Sparrman
---
Daniel Sparrman
Exist i Stockholm AB
Bergkällavägen 31D
192 79 SOLLENTUNA
Switchboard: 08 - 754 98 00
Mobile: 070 - 399 27 51

Douglas Currell <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
2002-03-26 11:41
Please respond to "ADSM: Dist Stor Manager"
To: [EMAIL PROTECTED]
Subject: Documentation needed: Backing up through a firewall

> I need someone to point me in the direction of documentation about configuring TSM to backup through a firewall. "Installing the Clients" and "Using the BA Client" have scant information about the process other than identifying the ports that need to be opened. Thank you.
Re: Documentation needed: Backing up through a firewall
All TSM features can work across a firewall. The answer to whether they will work depends on firewall software capabilities, company security policies and the firewall administrator's good will. Usually a firewall is configured to allow connections to be initiated only from one of the nets/subnets. And such behavior blocks some TSM features.

- for B/A, GUI & API client connection the firewall must allow port 1500 (or modified one) connection initiated from the client's side
- for scheduler in prompted mode - port 1501 and connection initiated from server (!!!) side + B/A client (1500 in opposite direction)
- for Web Administrative interface - port 1580 and connection initiated from browser to server
- for Web client - port 1581 and connection from browser to client + B/A client (1500)
- for T/EC events things are harder - if TEC server is using portmap, firewall should allow both portmapper port 111 and TEC server port; if not, TECPORT has to be set in dsmserv.opt and firewall must not block this port from TSM server to TEC server.

Statements from the docs are not completely correct. However they are true for usual firewall configurations. Again - FW admin's good will and ability to do their job are important.

Zlatko Krastev
IT Consultant
Re: Documentation needed: Backing up through a firewall
Remco,

I posed this question to IBM Tivoli support a few weeks ago and here is their response:

This is from the README for the TSM Client code 4.2.X:
ftp://service.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v4r2/Windows/WinNT/v421/IP22373_READ1STC.TXT

- The Tivoli Storage Manager server and clients can work across a firewall in most cases. Please see the 'Tivoli Storage Manager Firewall' subsection of the Getting Started chapter in the TSM Using the Backup-Archive Client book. Currently the following operations are known to have problems when a firewall is in place:
  - The client scheduler operating in prompted mode does not work when the server is across a firewall. The client scheduler does work when operating in polling mode.
  - The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.

This is from the book Using Backup Archive Clients, Chapter 2, Tivoli Storage Manager Firewall Support:

In most cases, the Tivoli Storage Manager server and clients can work across a firewall. The ports that the client and server need to communicate must be opened in the firewall by the firewall administrator. Because every firewall is different, the firewall administrator may need to consult the instructions for the firewall software or hardware in use. The ports that the firewall needs to define are those ports that are needed for the client to connect to the Tivoli Storage Manager server. If the server is listening on port 1500 then the firewall software needs to forward the port to the Tivoli Storage Manager server machine.

To allow clients to communicate with a server across a firewall, you must open the TCP/IP port for the server using the tcpport option in the server options file. The default TCP/IP port is 1500.

To allow the Web client to communicate with remote workstations across a firewall, you must open the HTTP port for the remote workstation using the httpport option in the remote workstation's client option file. The default HTTP port is 1581. You must open the two TCP/IP ports for the remote workstation client using the webports option in the remote workstation's option file. Values for the webports are required. If you do not specify the values for the webports option, the default zero (0) causes TCP/IP to randomly assign two free port numbers. See Webports for more information about the webports option.

To use the administrative Web interface for a server across a firewall, you must open the port that is the HTTP port for the server using the httpport option in the server options file. The default HTTP port is 1580.

In an enterprise environment, we strongly recommend that you use the Tivoli Storage Manager Secure Web Administrator Proxy for Web administration of the Tivoli Storage Manager server. Install the proxy on a Web server that sits on the firewall so that the Web server can access resources on both sides of the firewall (this is sometimes called the demilitarized zone). When you set up the proxy, you can use it to administer any Tivoli Storage Manager server at Version 3.7 or higher. For more information on how to install and use the proxy, see the appendix about the Web proxy in the Tivoli Storage Manager Quick Start manual. You can also increase security in this environment by enabling HTTPS services (also called secure socket layer or SSL) on the Web server where you install the proxy. Check your Web server documentation for information on how to set this up.

When using Tivoli Storage Manager across a firewall, please consider the following:

- To use the Web client to connect to a client across a firewall, the Web client and the backup-archive client must be Version 4.1.2 or later.
- To enable the backup-archive client, command line admin client, and the scheduler (running in polling mode) to run outside a firewall, the port specified by the server option tcpport (default 1500) must be opened by the firewall administrator.

Note: Tivoli Storage Manager does not support the scheduler running in prompted mode outside a firewall. In prompted mode the Tivoli Storage Manager server needs to contact the client. In order to do this, some software must be installed on the Tivoli Storage Manager server to route the request through the firewall. This software routes the server request through a sock port on the firewall. This is typically called sockifing a system. Proxies are not supported, since they only route a few types of communication protocols (HTTP, FTP, GOPHER) and Tivoli Storage Manager is not one of these communication protocols that are routed. It is important to note that the client creates a new connection to the Tivoli Storage Manager server when prompted. This means that the firewall configuration discussed above must be in place.

- The server cannot log events to a Tivoli Enterprise Console (T/EC) server across a firewall.
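The port and connection-direction requirements collected in the replies above (the B/A client, the scheduler in polling vs. prompted mode, the Web client and administrative interface, and T/EC event logging) turned into a small planner, as an added example that is not from this thread or from IBM; the zone names are hypothetical labels for the networks on each side of the firewall, and the default port numbers are the ones cited in the thread.

```python
# Added example, not from this thread or from IBM: a small planner that turns
# the TSM port/direction requirements discussed above into the flows a
# firewall must permit, so polling vs. prompted scheduling can be compared.
# Zone names are hypothetical labels for the networks on each side.
CLIENT, SERVER, BROWSER, TEC = "client-net", "server-net", "browser-net", "tec-net"

def required_flows(schedmode="polling", web_client=False, webports=(0, 0),
                   web_admin=False, tec_port=None, tec_uses_portmap=False,
                   tcpport=1500, clientport=1501, httpport=1580,
                   client_httpport=1581):
    """Return the set of (initiator zone, target zone, TCP port) flows.

    Port defaults are the ones cited in the thread; the keyword names
    mirror the TSM options (tcpport, httpport, webports) they correspond to.
    """
    # Every client type, and the scheduler in polling mode, connects
    # from the client side to the server port.
    flows = {(CLIENT, SERVER, tcpport)}
    if schedmode == "prompted":
        # Prompted mode is the case the thread warns about: the server
        # must be able to initiate a connection into the client network.
        flows.add((SERVER, CLIENT, clientport))
    elif schedmode != "polling":
        raise ValueError("schedmode must be 'polling' or 'prompted'")
    if web_client:
        # The default webports value 0 lets TCP/IP pick random ports,
        # which a firewall cannot be configured for; require fixed ones.
        if 0 in webports:
            raise ValueError("set two fixed webports for a firewalled web client")
        flows.add((BROWSER, CLIENT, client_httpport))
        flows.update((BROWSER, CLIENT, p) for p in webports)
    if web_admin:
        flows.add((BROWSER, SERVER, httpport))
    if tec_port is not None:
        flows.add((SERVER, TEC, tec_port))
        if tec_uses_portmap:
            flows.add((SERVER, TEC, 111))  # portmapper as well as TEC port
    return flows

def missing_flows(policy, required):
    """Required flows that the firewall policy (an iterable of flows) lacks."""
    return sorted(required - set(policy))

def inbound_to_clients(required):
    """Flows initiated from outside toward the client network; these are the
    ones worth avoiding, and polling mode leaves this list empty."""
    return sorted(f for f in required if f[1] == CLIENT)
```

Comparing `inbound_to_clients(required_flows())` with `inbound_to_clients(required_flows(schedmode="prompted"))` shows why polling mode is the easier one to get past a firewall that only permits connections initiated from the client side.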
Re: Documentation needed: Backing up through a firewall
Doug,

Where I used to work we did this all the time. All we ever needed was the correct IP address and port on the firewall that points to your TSM server. Set the IP and port in dsm.opt and you should be ok. Run a test if concerned.
Re: Documentation needed: Backing up through a firewall
Basically you have to open a port on the firewall to allow the IP of the machine outside the firewall to talk to the IP of the TSM server inside via TCP and the port you are using, generally port 1500. And I believe open port 1501 the other way. That's the basic setup. If you are using different ports and other configs, then open up the firewall as appropriate. In general no change is needed on server or client. We have several clients outside the firewall and this works even with schedmode prompted.

David Longo
Re: Documentation needed: Backing up through a firewall
> I need someone to point me in the direction of documentation about configuring TSM to backup through a firewall. "Installing the Clients" and "Using the BA Client" have scant information about the process other than identifying the ports that need to be opened. Thank you.

The server listens on port 1500 (unless you configured it to do otherwise). Clients in 'schedmode prompted' listen on port 1501, when the 'dsmc sched' is running. The client must always be able to contact the server on port 1500; when you configure the client to do 'schedmode polling' the server doesn't need to be able to contact the client...

--
Kind regards,

Remco Post

SARA - Stichting Academisch Rekencentrum Amsterdam    http://www.sara.nl
High Performance Computing    Tel. +31 20 592 8008    Fax. +31 20 668 3167

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams