Re: [Veritas-bu] Backup through firewalls
* smpt [EMAIL PROTECTED] [2006-09-15 07:05]:
> Hi, I've configured some firewalled NetBackup domains with vnetd and I never had any problem with streams. I have ages to hear from someone the port model. I had proposed this to some of my customers and when the firewall admin understood how many ports needed they refused it immediately.

Yep. The only reason we had them at all was because of legacy firewall configs for NBU 3.2 and 3.4. We have been trying to get rid of all port range stupidity for several years, but it's always the old "if it ain't broke..."

Incidentally, ACSLS 7 can be configured for single port communication over TCP only, too. That was another big pain.

-- 
David Rock [EMAIL PROTECTED]

___ Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
Re: [Veritas-bu] Backup through firewalls
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Lightner

> Step by step notes I wrote when I did this:
>
> FYI the following is what I did in NetBackup for backing up a client in the firewall.
>
> Open the NetBackup Java GUI.
> Go to Host Properties.
> Go to Master Servers.
> Double click on the master server.
> In the Master Server Properties box go to Client Attributes.
> Click Add.
> Type in the name of the client(s) and hit Enter to add to the list.
> Select (highlight) the client(s) from the list.
> Under BPCD Connect Back click the VNETD Port radio button.
> Click OK.
> Exit and you're done with the GUI.

Was with ya up to here.

> After that, at the command line on the master server, run bprdreq -rereadconfig.
> (Note - this worked, but the manual and Datalink indicated bouncing the daemons is the only SURE way to do it. Datalink said it works sometimes.)

Never had to do any of this. The message that pops up telling you you need to bounce the daemons can be ignored in my experience. Once you turn on the VNETD radio button, or the "no connect back" check box, depending on version, click OK, and it works. No need to bounce anything or re-read any configs IME.

Paul
Re: [Veritas-bu] Backup through firewalls
Please post the iptables information. We are adding Linux to our environment and that information would help.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: Friday, September 15, 2006 7:47 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Backup through firewalls

Step by step notes I wrote when I did this:

FYI the following is what I did in NetBackup for backing up a client in the firewall.

Open the NetBackup Java GUI.
Go to Host Properties.
Go to Master Servers.
Double click on the master server.
In the Master Server Properties box go to Client Attributes.
Click Add.
Type in the name of the client(s) and hit Enter to add to the list.
Select (highlight) the client(s) from the list.
Under BPCD Connect Back click the VNETD Port radio button.
Click OK.
Exit and you're done with the GUI.

After that, at the command line on the master server, run bprdreq -rereadconfig.

(Note - this worked, but the manual and Datalink indicated bouncing the daemons is the only SURE way to do it. Datalink said it works sometimes.)

Also for the above you must open the following ports on the firewall:

Media -> Client  13782 (bpcd)
Client -> Media  13724 (vnetd)

Media being the media server (which is the master server in our case).

We also did this recently on some Linux clients on the firewall so I have notes on iptables config if you need that.
Re: [Veritas-bu] Backup through firewalls
As I said, it worked for me doing the reread. The documentation says you have to restart the daemons so I noted it as such. I didn't try without the reread so it might have worked as you say.

-----Original Message-----
From: Paul Keating [mailto:[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 9:11 AM
To: Jeff Lightner; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] Backup through firewalls
Re: [Veritas-bu] Backup through firewalls
This is on RHEL 4:

To add permission to iptables on the client:

Verify iptables is running with iptables -L and that its last entry is to block icmp. (If not running, iptables -L will only show about 3 lines.)

1) iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   ### Deletes the icmp rule
2) iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport bpcd -j ACCEPT --src <master server IP ADDR>
   ### Opens bpcd port for master server.
3) iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   ### Re-adds the icmp rule as last rule.
4) iptables-save > /etc/sysconfig/iptables
   ### Saves to file read on iptables start.

Step 2 above assumes 13782 for bpcd tcp is in /etc/services already.

Step 4 is necessary so after a reboot or bounce of iptables it will reestablish the rules.

-----Original Message-----
From: Allen, Jimmy [mailto:[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 9:53 AM
To: Jeff Lightner; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] Backup through firewalls

> Please post the iptables information. We are adding Linux to our environment and that information would help.
>
> Thanks
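An added example, my own rather than Jeff's or anything else from the thread: a POSIX sh script that does the same job as the four steps above but inserts the bpcd ACCEPT at the position of the trailing REJECT rule instead of deleting and re-adding that REJECT, so the client is never briefly running without its catch-all reject, and it skips the insert when the rule is already there. It assumes the RHEL 4 default chain name RH-Firewall-1-INPUT ending in the icmp-host-prohibited REJECT, that it runs as root, and that only the inbound bpcd connection from the master needs a rule on the client (vnetd and bprd are client-initiated, so the existing RELATED,ESTABLISHED rule already covers their replies).

```shell
#!/bin/sh
# Added example, not code from the thread: open NetBackup's bpcd port
# (TCP 13782) on a RHEL 4 style iptables client for one master server.
# Unlike a delete / append / re-add sequence, the ACCEPT is inserted at
# the position of the trailing REJECT rule, so the chain never runs
# without its catch-all reject while the change is made.
#
# Assumptions (constructed for this example): the chain is named
# RH-Firewall-1-INPUT and ends with the REJECT ... icmp-host-prohibited
# rule, as on a default RHEL 4 install; the script runs as root.

CHAIN=RH-Firewall-1-INPUT
BPCD_PORT=13782
IPT=${IPT:-iptables}

# Print the 1-based position of the last rule in the chain, which must be
# the REJECT rule; fail if the chain is missing or ends with anything else.
reject_rule_position() {
    last=$("$IPT" -n -L "$CHAIN" --line-numbers 2>/dev/null |
        awk 'NF && $1 ~ /^[0-9]+$/ { n = $1; t = $2 } END { if (t == "REJECT") print n }')
    [ -n "$last" ] || return 1
    echo "$last"
}

# Succeed if an ACCEPT for bpcd from master $1 is already in the chain,
# so the script can be re-run without stacking duplicate rules.
bpcd_rule_present() {
    "$IPT" -n -L "$CHAIN" | grep -q "ACCEPT *tcp *-- *$1 .*dpt:$BPCD_PORT"
}

# Insert the bpcd ACCEPT for master $1 directly above the REJECT rule.
open_bpcd_for_master() {
    master=$1
    case $master in
        ""|*[!0-9.]*)
            echo "usage: open_bpcd_for_master <master-ipv4-address>" >&2
            return 2 ;;
    esac
    if bpcd_rule_present "$master"; then
        echo "bpcd ACCEPT for $master already present in $CHAIN"
        return 0
    fi
    pos=$(reject_rule_position) || {
        echo "$CHAIN missing or not terminated by a REJECT rule; refusing to change it" >&2
        return 1
    }
    "$IPT" -I "$CHAIN" "$pos" -m state --state NEW -p tcp \
        -s "$master" --dport "$BPCD_PORT" -j ACCEPT
}

# Persist the running rule set; iptables-save writes to stdout, so the
# redirect is what actually creates the file read at the next start.
persist_rules() {
    iptables-save > "${1:-/etc/sysconfig/iptables}"
}

# Usage when run directly (hypothetical file name):  sh open_bpcd.sh <master-ip>
if [ $# -eq 1 ]; then
    open_bpcd_for_master "$1" && persist_rules
fi
```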
Re: [Veritas-bu] Backup through firewalls
I have a script that runs bprdreq -rereadconfig 50 times (50 is completely arbitrary) and so far it has worked every time.

Regards,

Patrick Whelan
NetBackup Specialist
Architect Engineering
+44 20 7863 5243

Of all the things I've lost, I miss my mind the most! - Unknown
There are only 10 kinds of people on earth - those who understand binary and those who don't.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: 15 September 2006 15:32
To: Paul Keating; veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Backup through firewalls
Re: [Veritas-bu] Backup through firewalls
* Whelan, Patrick [EMAIL PROTECTED] [2006-09-15 15:34]:
> I have a script that runs bprdreq -rereadconfig 50 times (50 is completely arbitrary) and so far it has worked every time.

I have never had a problem with on-the-fly changes for vnetd. You can also use the CLI to make these changes a LOT faster than screwing with the Java GUI. Specifically, the -no_callback option in bpclient:

USAGE: bpclient -All [-M master_server] [-l|-L|-H|-FI]
       bpclient -client client_name [-M master_server] -l|-L|-H|-FI
       bpclient -client client_name [-M master_server] -add|-delete|-update

  For -add and -update the options are
    -connect_nr_port 0=no, 1=yes
    -no_callback 0=no, 1=yes
    -dynamic_address 0=no, 1=yes
    -free_browse 0=allow, 1=deny, 2=use
    -list_restore 0=not specified, 1=allow both, 2=allow list only, 3=deny both
    -max_jobs 1-99
    -current_hostname host_name
    -current_ip_addr ip_address
    -current_host host_name[:ip_address]|:ip_address
    -WOFB_enabled 0=WOFB disabled, 1=WOFB_enabled
    -WOFB_FIM 0=VSP, 1=VSS
    -WOFB_usage 0=Individual Drive Snapshot, 1=Global Drive Snapshot
    -WOFB_error 0=Abort Backup on Error, 1=Disable Continue

-- 
David Rock [EMAIL PROTECTED]
[Veritas-bu] Backup through firewalls
Nb 5.0 mp6
Solaris 9

Do any of you back up servers through a firewall? What issues do you see in terms of failures? What ports do you typically open up for successful backups? Do you do anything special in the policies for servers on the other side of a firewall?

Greg
Re: [Veritas-bu] Backup through firewalls
Without vnetd it's been my experience that you need these ports opened:

512-5000
13701-13783

-Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg
Sent: Thursday, September 14, 2006 12:16
To: NB List Mail
Subject: [Veritas-bu] Backup through firewalls
Re: [Veritas-bu] Backup through firewalls
There's a whole section on this in the SAG. Short answer, you need "bpcd" from the master or media server to the client, "vnetd" the reverse direction. You have to make sure you configure the client for "no callback connections" via the bpclient command or, no doubt, someplace in the GUI. Users on the client cannot perform their own restores using this. I'm told, but have not verified, that you can enable "bprd" from client to master to allow this.

-M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hindle, Greg
Sent: Thursday, September 14, 2006 1:16 PM
To: NB List Mail
Subject: [Veritas-bu] Backup through firewalls
Re: [Veritas-bu] Backup through firewalls
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-09-14 13:48]:
> There's a whole section on this in the SAG. Short answer, you need bpcd from the master or media server to the client, vnetd the reverse direction. You have to make sure you configure the client for no callback connections via the bpclient command or, no doubt, someplace in the GUI. Users on the client cannot perform their own restores using this. I'm told, but have not verified, that you can enable bprd from client to master to allow this.

Speaking as a backup guy who is now on the firewall team, using vnetd is by far the recommended way of dealing with the firewall. If all you are dealing with is backup servers to client machines, the short list is:

Server -> Client  port 13782 (bpcd)
Client -> Server  ports 13724 (vnetd) and 13720 (bprd)

Yes, client initiated restores will work with just these ports.

If your backup servers are hanging off of a DMZ so that your admin clients using the Java GUI need to get access, you can also use:

Admin Client -> Server  ports 13722 (bpjava) and 13724 (vnetd)

This will also require the /usr/openv/java/nbj.conf file setting of NBJAVA_CONNECT_OPTION=1 (default is 0).

The only downside to vnetd that I have heard of but not seen personally is that you are limited to a single stream for backups, which could impact your backup model if you are trying to use NEW_STREAM file directives. If that is the case, you can configure port ranges and I highly recommend using ALLOW_NON_RESERVED_PORTS as part of that. Using low ports (<1024) by default is one of the stupidest things NBU ever did.

-- 
David Rock [EMAIL PROTECTED]
Re: [Veritas-bu] Backup through firewalls
Hi,

I've configured some firewalled NetBackup domains with vnetd and I never had any problem with streams. I have ages to hear from someone the port model. I had proposed this to some of my customers and when the firewall admin understood how many ports needed they refused it immediately.

---Original Message---
From: David Rock [EMAIL PROTECTED]
Subject: Re: [Veritas-bu] Backup through firewalls
Sent: 14 Sep '06 23:06