NDMP backups through a firewall running NetBackup releases 6.0, 6.5, 7.0 and 7.1

Article:TECH128609  |  Created: 2010-01-09  |  Updated: 2012-01-09  |  Article URL http://www.symantec.com/docs/TECH128609
Article Type
Technical Solution


Environment

Issue



NDMP backups through a firewall running NetBackup releases 6.0, 6.5, 7.0, and 7.1.


Solution



The NetBackup port usage guide states the following on page 42:

If you are using an NDMP storage unit in a firewall environment, make sure you know the different types of NDMP backups to be performed. The backup type
determines which ports need to be opened in the firewall. The following paragraphs describe the types of NDMP backups and how they pertain to
firewall use. These backup types include local, 3-way and remote NDMP, remote NDMP and local and 3-way TIR.

■ For local operations, the DMA needs access to port 10,000 on the NDMP server. In this case, the one NDMP server is both the NDMP tape server and
the NDMP data server.

■ For 3-way and remote NDMP, the DMA needs access to port 10,000 on the NDMP tape server and the NDMP data server. Also, there cannot be a
firewall between the NDMP tape server and the NDMP data server because there is no control over the TCP/IP ports used for the data movement.

■ For remote NDMP (5.0 / 5.1), it is not advisable to put a firewall between the DMA and the NDMP hosts. This is because the DMA can be on the same
computer as the NDMP tape server. In this case, you need an unlimited number of ports available to perform the data movement between the
NDMP tape server and the NDMP data server.

■ For local and 3-way TIR, the data requires an unlimited number of ports available because NetBackup has no control over the ports used.
 
However, there is a workaround that avoids opening the entire NBU non-reserved port range on the firewall for NDMP 3-way and remote backups.
 
The NDMP agent uses port 10000, which must be open bi-directionally. Once that connection is established, the data mover sets up a socket connection back to NetBackup to send metadata. It is at that point that "unlimited ports" must be opened to allow the transfer of that information back to NetBackup. NDMP backups are different because no NetBackup software is running on the NDMP host, so NetBackup has no control over the ports used.
 
The workaround is as follows. Within the NetBackup media server attributes there is a value for Server Port Window, whose default value is 1025 to 5000. This is the range of non-reserved TCP ports on which the media server will accept connections from other hosts. You can set SERVER_PORT_WINDOW = 65000 65009 and allow only those 10 ports through the firewall. When the backup is started, the media server passes the "Server Port Window" to the NDMP host, which then connects back on a port within the specified range. As a result, the firewall only has to open 10 ports as opposed to thousands. Only legacy NBU clients and servers use that setting, so all normal 6.0, 6.5, and 7.0 NBU servers and clients are not affected because they still use the default PBX port 1556 and vnetd port 13724.
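The following shell script is an added example, not code from this article or from NetBackup. It reads SERVER_PORT_WINDOW from a bp.conf-style file and prints (without applying) firewall rules that match it, so the media server setting and the firewall opening stay in step. Assumptions: the entry lives in a bp.conf-style file on the media server, the firewall is stateful and uses iptables FORWARD rules (so return traffic on port 10000 is covered by the ESTABLISHED rule), and the IP addresses and sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not Symantec code). IPs and bp.conf contents below are constructed.

# Print "START END" from SERVER_PORT_WINDOW in a bp.conf-style file; if the entry
# is absent, print the default window the article quotes (1025 5000).
port_window() {
    awk -F'=' '
        $1 ~ /^[ \t]*SERVER_PORT_WINDOW[ \t]*$/ { split($2, p, " "); s = p[1]; e = p[2]; seen = 1 }
        END { if (!seen) { s = 1025; e = 5000 }; print s, e }
    ' "$1"
}

# True when $1 is a decimal TCP port number (1-65535).
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the number of ports in START..END; fail on malformed or inverted ranges.
window_size() {
    is_port "$1" && is_port "$2" && [ "$1" -le "$2" ] || return 1
    echo $(( $2 - $1 + 1 ))
}

# Print (never apply) iptables rules for a stateful firewall between the media
# server (DMA) and the NDMP host. Args: bp.conf path, media server IP, NDMP host IP.
firewall_rules() {
    window=$(port_window "$1")
    start=${window% *}; end=${window#* }
    size=$(window_size "$start" "$end") ||
        { echo "bad SERVER_PORT_WINDOW: '$window'" >&2; return 1; }
    echo "# $size callback port(s) opened toward the media server"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # DMA control connection to the NDMP host on port 10000
    echo "iptables -A FORWARD -p tcp -s $2 -d $3 --dport 10000 -m conntrack --ctstate NEW -j ACCEPT"
    # NDMP host connecting back inside the Server Port Window
    echo "iptables -A FORWARD -p tcp -s $3 -d $2 --dport $start:$end -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample: a media server bp.conf carrying the article's 10-port window.
demo_conf=$(mktemp)
printf 'SERVER = master.example.com\nSERVER_PORT_WINDOW = 65000 65009\n' > "$demo_conf"
firewall_rules "$demo_conf" 192.0.2.10 198.51.100.20
rm -f "$demo_conf"
```

Running the same function against a file with no SERVER_PORT_WINDOW entry shows how many ports the default window would expose.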
 

 



Legacy ID



350083

