DOCUMENTATION: Explanation of the new FIREWALL_IN option for the NetBackup 6.0 MP4 Java Administration console
Article: TECH49081 | Created: 2006-01-21 | Updated: 2010-01-06 | Article URL: http://www.symantec.com/docs/TECH49081
Problem
DOCUMENTATION: Explanation of the new FIREWALL_IN option for the NetBackup 6.0 MP4 Java Administration console
Solution
Manual: Veritas NetBackup (tm) 6.0 System Administrator's Guide for UNIX, Volume 1
Modification Type: Addition
Modification:
The NetBackup 6.0 Maintenance Pack 4 (MP4) release will introduce a new configurable setting called FIREWALL_IN for the NetBackup Java Administration console. This new option will be useful for configuring Java GUI access to a NetBackup master that lies within a trusted network, or DMZ, from systems that lie outside the DMZ. Previously, the network administrator had to either (a) bypass the firewall by opening the bpjava-msvc port (13722) and mapping the private interface where the bpjava-msvc daemon runs to a public interface outside the firewall, or (b) set up a Secure Shell (SSH) tunnel from the client to the server within the firewall. These methods are known to cause various connection problems with NetBackup 6.0. The new FIREWALL_IN option will map ports between systems and allow network administrators to continue using these two methods to bypass firewalls. The setting is configured in the /usr/openv/java/nbj.conf file on UNIX platforms or the <install_dir>\VERITAS\Java\setconf.bat file on Windows platforms. These files are configured on the host that is running the Java admin console (referred to in the examples below as "Javahost").
The general syntax for the FIREWALL_IN setting is:
FIREWALL_IN=HOST1:PORT1=HOST2:PORT2[;...;HOSTn:PORTn=HOSTm:PORTm]
Where HOST can be either a host name or an IP address, and multiple entries are separated by semicolons. It is only necessary to create entries for connections to the PBX service on port 1556.
Consider the following example:
The master server NBUMaster.symc.com lies within a DMZ and has an IP address of 10.221.12.55. The NetBackup Java Admin Console is installed on a local client outside of the DMZ. The master server is behind a firewall, and an SSH tunnel exists from the local client (Javahost) to the master NBUMaster.symc.com as follows:
bpjava-msvc port 13722 maps to Javahost:<port1>
vnetd port 13724 maps to Javahost:<port2>
pbx port 1556 maps to Javahost:12345
Note: Javahost:<port1> implies that the host name being used for the local client is Javahost and <port1> is the IP port defined in the SSH tunnel.
This also assumes that the relevant BPJAVA_PORT and VNETD_PORT entries are configured for bpjava-msvc and vnetd. This is done in the /usr/openv/java/nbj.conf file on UNIX platforms or the <install_dir>\VERITAS\Java\setconf.bat file on Windows platforms. These are described in Chapter 8 of the NetBackup System Administrators Guide I in the subsection "Configuring the NetBackup-Java Administration Console, Runtime Configuration Options". This information can be found in TechNote 279263, found below, in the Related Documents section.
If the local client (Javahost) is a UNIX system, the following line would be appended to the nbj.conf file:
FIREWALL_IN=NBUMaster.symc.com:1556=Javahost:12345;10.221.12.55:1556=Javahost:12345
This line covers connections to both the master server's host name and its IP address, and effectively means:
A connection to NBUMaster.symc.com on port 1556 is to be redirected to Javahost:12345
A connection to 10.221.12.55:1556 is to be redirected to Javahost:12345
If the local client is a Windows system, the following two lines would be appended to the setconf.bat file:
SET FIREWALL_IN=NBUMaster.symc.com:1556=Javahost:12345;10.221.12.55:1556=Javahost:12345
SET FIREWALL_IN >> "%NBJDIR%"\nbjconf
Please note that the same options can be used if NBUMaster.symc.com has a public interface, NBUMasterpub.symc.com, that is reachable from the internet. In such cases, the administrator should replace NBUMaster.symc.com with the NBUMasterpub.symc.com host name.
Please note also that the SET FIREWALL_IN entry is case sensitive. It must exactly match the NetBackup server name.
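The following Python check is an added example, not part of the original article or of NetBackup. It parses an nbj.conf FIREWALL_IN line in the syntax above and flags the two mistakes the article warns about: a missing port 1556 entry for the master's host name or IP address, and a host name that differs from the server name only by case. The function names and lint rules are assumptions made for illustration; how NetBackup itself parses the setting is not shown on this page.

```python
import re

PBX_PORT = 1556  # the article says entries are only needed for PBX on port 1556
ENDPOINT = re.compile(r"^(?P<host>[^:=;\s]+):(?P<port>\d{1,5})$")

def parse_endpoint(text):
    """Split HOST:PORT, rejecting empty hosts and out-of-range ports."""
    m = ENDPOINT.match(text)
    if not m or not 0 < int(m.group("port")) <= 65535:
        raise ValueError(f"bad HOST:PORT {text!r}")
    return m.group("host"), int(m.group("port"))

def parse_firewall_in(line):
    """Parse an nbj.conf FIREWALL_IN line into {(host, port): (host, port)}."""
    key, sep, value = line.strip().partition("=")
    if key != "FIREWALL_IN" or not sep:
        raise ValueError("not a FIREWALL_IN line")
    mapping = {}
    for entry in value.split(";"):
        src, sep, dst = entry.partition("=")
        if not sep:
            raise ValueError(f"entry {entry!r} lacks '='")
        mapping[parse_endpoint(src)] = parse_endpoint(dst)
    return mapping

def lint(mapping, server_names):
    """Return warnings; server_names are the exact names and addresses
    the console uses for the master server (hypothetical input)."""
    warnings = []
    for (host, port) in mapping:
        if port != PBX_PORT:
            warnings.append(f"{host}:{port}: only PBX port {PBX_PORT} needs an entry")
    for name in server_names:
        if (name, PBX_PORT) in mapping:
            continue  # exact, case-sensitive match
        near = [h for (h, p) in mapping if p == PBX_PORT and h.lower() == name.lower()]
        if near:
            warnings.append(f"{name}: entry {near[0]!r} differs only by case")
        else:
            warnings.append(f"{name}: no entry for port {PBX_PORT}")
    return warnings

# Constructed samples: the article's UNIX line, and a variant with a lower-cased host name.
GOOD = "FIREWALL_IN=NBUMaster.symc.com:1556=Javahost:12345;10.221.12.55:1556=Javahost:12345"
BAD = "FIREWALL_IN=nbumaster.symc.com:1556=Javahost:12345"
SERVER = ["NBUMaster.symc.com", "10.221.12.55"]

if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(lint(parse_firewall_in(line), SERVER) or "ok")
```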
Source: ETrack | Value: 786732 | Description: New parameter for use in environments that utilize Java and a firewall.
Source: ETrack | Value: 644885 | Description: New parameter for use in environments that utilize Java and a firewall.
Related Articles
Legacy ID
285149