How does one do NetBackup Administration through Firewalls with the NB-Java Applications?

Article:TECH7301  |  Created: 2000-01-22  |  Updated: 2013-10-23  |  Article URL http://www.symantec.com/docs/TECH7301
Article Type
Technical Solution


Environment

Issue



How does one do NetBackup Administration through Firewalls with the NB-Java Applications?

Solution




Description
-----------
In NetBackup 3.2, the NB-Java GUI application and its application server
use port 13722 for their initial communication - the login.  After login,
a random free port was used for all subsequent communication.  This
made it virtually impossible to use the NB-Java GUI applications for
remote administration in a firewall environment.

A new feature was added in NetBackup 3.2 jumbo patch J0820260
to force the subsequent port selection by the NB-Java application
server to be the first one available decrementing from port number
5000 (the initial communication remains the same - use of port 13722).
The number of consecutive free ports in addition to 13722 to 'open up' is
dependent on usage and a site's security policies.

Each execution instance of the "jbpSA" or "jnbSA" (i.e., the UNIX NB-Java GUI
application startup) commands will require one of these ports.  The same is
true when using the NB-Java Display Console for Microsoft Windows (WDC)
program.  In addition, there is one port used for communication between the
master server and all user server programs of the NB-Java application server
executing on the same UNIX NetBackup server or client.

So, at a minimum, a site will have to 'open up' ports 13722, 5000 and 4999
to allow one execution instance of an NB-Java application (jnbSA or jbpSA
command or the WDC) access to the relevant UNIX NetBackup server or client
inside the firewall.

The NB-Java application server will use the sequential port selection method
as described above by default.  However, if "RANDOM_PORTS" is specified in
the bp.conf file, ports will be selected randomly in the range 1025 to 5000.
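
The port arithmetic described above, as an added example (not Symantec's code): it works out which ports a firewall has to pass for a given number of concurrent GUI instances logging in to one server.  The function names, the busy_ports parameter and the bp.conf parsing are assumptions made for illustration; the article only names the RANDOM_PORTS keyword, not its entry syntax.

```python
import re

LOGIN_PORT = 13722            # initial communication (the login), per the article
SEQ_START = 5000              # sequential selection decrements from this port
RANDOM_RANGE = (1025, 5000)   # range used when RANDOM_PORTS is in bp.conf


def uses_random_ports(bp_conf_text):
    """True if a bp.conf line starts with the RANDOM_PORTS keyword.

    Assumption: the keyword opens the line and '#' lines are comments;
    the article only names the keyword, not the entry syntax.
    """
    for line in bp_conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if re.match(r"RANDOM_PORTS\b", line):
            return True
    return False


def required_ports(gui_instances, busy_ports=(), bp_conf_text=""):
    """Ports a firewall must pass for `gui_instances` concurrent GUI sessions."""
    if gui_instances < 1:
        raise ValueError("at least one GUI instance is required")
    if uses_random_ports(bp_conf_text):
        # Random selection cannot be narrowed below the whole range.
        return {"mode": "random", "login": LOGIN_PORT, "range": RANDOM_RANGE}
    needed = gui_instances + 1    # one per instance + one for the master server
    busy = set(busy_ports)
    chosen, port = [], SEQ_START
    while len(chosen) < needed:
        if port < 1:
            raise ValueError("ran out of ports below 5000")
        if port not in busy:      # "first one available", so skip ports in use
            chosen.append(port)
        port -= 1
    return {"mode": "sequential", "login": LOGIN_PORT, "ports": chosen}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real server.
    print(required_ports(1))
    print(required_ports(3, busy_ports=[4999]))
    print(required_ports(1, bp_conf_text="SERVER = master1\nRANDOM_PORTS\n"))
```

The sequential result is only as accurate as busy_ports: any other service already listening just below 5000 on the NetBackup server pushes the selection further down, so the firewall rule has to be checked against what is actually bound there.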

Benefits
--------
This feature allows the configuration of a set of ports to allow administration
from a machine outside the firewall, e.g., a Windows machine at home on
which the NB-Java Display Console for Microsoft Windows software is
installed.

As long as access to other NetBackup servers is available from the one
logged in to (via the NB-Java login dialog), it will allow administration
Management, via the application's 'change server' capabilities.

Or, if the machine inside the firewall is a GDM, it will allow
administration of all of the GDM's KNOWN MASTERS.  The NB-Java GUI when
communicating to a GDM also allows the 'appending' of other masters to its
'tree' temporarily, so it will allow administration of others not configured as
KNOWN MASTERS as long as access from the GDM was initially configured.

Caveats/Risks
-------------
- The NB-Java login dialog requires the UNIX system's password for the
 account name.  This data sent to the application server is not encrypted.

- None of the NetBackup meta data visible in the GUI is encrypted when
 sent to or received from the NB-Java application server.

- NetBackup admin commands are used by NB-Java to get/set NetBackup meta
 data.  These commands are sent in clear text to the NB-Java application
 server.  This command execution and a limited set of other services are
 recognized by the application server via a communication protocol.

- Configuring the firewall for use by the NB-Java applications does not
 affect the scheduled backup operations of NetBackup in any way, i.e.,
 backing up clients on the other side of the firewall still requires
 use of the ALLOW_NON_RESERVED_PORTS bp.conf option as documented in the
 System Administrator's Guide.


Some other relevant facts about the NB-Java applications
--------------------------------------------------------
- The NB-Java GUI applications run on Solaris and HP to allow administering
 these machines directly, i.e., locally or native.

- The NB-Java GUI applications can be used to administer or perform backup
 and restore operations on ANY NetBackup UNIX server and client.

- The NB-Java GUI applications run on Windows 95/98/NT, but can ONLY be used
 to administer or perform backup and restore operations on NetBackup UNIX
 servers or clients.  This installed package on the Windows platforms is
 the NetBackup-Java Display Console for Microsoft Windows (informally
 referred to as the NB-Java WDC).

- All of the above require that the NB-Java application server be available
 on the targeted machine (the one being logged in to), whether or not that
 machine is different from the one where the GUI was initiated.  It is
 started automatically via "inetd".

- The NB-Java GUI applications can ONLY administer a NetBackup NT server via
 the 'change server' functionality present in most of the individual
 NB-Java applications, e.g., Backup Policy Management, or via a GDM.  In
 order to accomplish this via either of these methods, it is necessary to
 successfully complete the NB-Java GUI --> NB-Java application server login
 and currently the NB-Java application server is ONLY supported on all
 NetBackup supported UNIX platforms - not any of the Windows platforms.


Legacy ID



229539

