Messaging Gateway

  • 1.  FTP and SCP Backup from DMZ

    Posted Dec 20, 2011 08:42 AM


    As I am sure with many organisations we operate our network with a DMZ in which our Brightmail Gateway is situated. In fact this practice is even recommended by Symantec in their installation guide.

    Again as with most organisations we also need to take regular backups of all our servers and their data in the event of a disaster recovery situation. We have looked into using the automated backup schedule on the Brightmail Gateway, however after some investigation it is apparent that the system uses passive FTP (as opposed to non-passive).

    For those of you unaware, passive FTP does not strictly use port 21. It also uses a range of ephemeral or dynamic ports to establish communication. On a typical Linux system that is a port range from 32768 to 61000, i.e. some 28200 ports.

    To enable successful FTP communication through our firewall we would effectively need to open up each and every port in that range. This then presents a very insecure channel from our DMZ to our main corporate network. As a government agency we are unable to take such risks and as such have been unable to use the FTP backup as provided.

    On contacting Symantec support it was suggested that we use SCP, which can be executed via a command line from SSH. On initial testing this system seemed to provide the solution we required using only a single port for secure communication. However on further testing it would appear that we cannot schedule these jobs to run in an automated process.

    As it is against Symantec policy to give customers access to the root of their Brightmail servers to be able to add cron jobs or edit the ephemeral port range, we still do not have a working solution for an automated secure backup of the Brightmail Gateway server.

    In light of the problems we are experiencing I would make one of two requests. Either enable the option to have non-passive FTP, or provide an option for SCP where a job can be scheduled via the web GUI.

    Mike Lewis

    Case Ref# 415-882-969



  • 2.  RE: FTP and SCP Backup from DMZ

    Broadcom Employee
    Posted Dec 20, 2011 04:05 PM
    Most firewalls should have an option for PASV FTP so it will open the port only when needed and not have to permanently open them.


  • 3.  RE: FTP and SCP Backup from DMZ

    Posted Dec 22, 2011 11:27 AM

    You don't specify the version or if it is in an appliance, or as a VM, but if your intentions are protection of the system itself, then protect the system itself at the hypervisor.  No need to deal with any of the internals of what is inside the VM.  If it is not a VM, well then, as you can see this would be a pretty good reason to transition to one.  My Symantec gateway VMs are protected onsite and offsite through a variety of mechanisms (hypervisor aware backups, LUN based replication, etc.)

    But if you insist, or if the requirements are otherwise, the other poster is correct.  Most firewalls will have toggles for active and passive FTP. 



  • 4.  RE: FTP and SCP Backup from DMZ

    Posted Dec 26, 2011 08:38 AM

    Hi Mike,

    I solved a similar situation in our company. SMG is located in the DMZ, and how to back up SMG via FTP? We are using Windows 2008 R2 in the LAN in virtual mode.

    I installed FileZilla FTP server on our backup server in the LAN. In FileZilla you can specify a small range for the passive ports via the GUI. I had to enable these ports on the firewall of Win2k8r2 and I "backup" SMG every day. "Every" real firewall has the possibility for passive FTP today, like the previous people wrote. Usually the problems are on the server's internal firewall, not on the firewall between zones. I used independent software because I didn't want to propagate our AD into the DMZ. FileZilla has its own management of users and groups. I don't offer it to you; I described to you one of the most possible ways.....

    Sure, you can use IIS too, but it is more difficult to set the range for the passive ports. You have to use a script to do that:

    cd \Inetpub\Adminscripts
    adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5024"

    NEVER use ports under 1024. But I never tested these settings with IIS, because I don't like to enable login from other zones with unequal security settings into AD. But it is a company policy problem.....

    FTP passive uses port 21 for the initialization. Then the server answers with the "opened" non-privileged (>1023) passive port.

    Pavel
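The passive-mode exchange that both the original question and Pavel's reply describe (control connection on port 21, then a server-chosen data port announced in the "227 Entering Passive Mode" reply) can be checked mechanically. The script below is an added example and is not part of this thread or of any Symantec, FileZilla or IIS tooling: it encodes and parses the RFC 959 227 reply, applies the policy from the thread (no privileged ports below 1024, and only ports inside the narrow range the firewall actually permits), and compares how many firewall holes a default Linux ephemeral range needs against the 5001-5024 range quoted above. The host 10.0.0.5, the sample replies and the allowed range are constructed values.

```python
import re

# Policy values taken from the thread (constructed example configuration):
# the narrow passive range an admin would set on FileZilla or IIS and open
# on the firewall, versus the default Linux ephemeral range the gateway
# would otherwise use.
ALLOWED_RANGE = (5001, 5024)
LINUX_EPHEMERAL_RANGE = (32768, 61000)
PRIVILEGED_LIMIT = 1024

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def encode_pasv(host, port):
    """Server side: build the 227 reply announcing the chosen data port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = host.split(".")
    if len(octets) != 4 or not all(0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    # The port is split into a high and low byte, each sent as a decimal.
    return f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})"


def parse_pasv(reply):
    """Client side: recover (host, port) from a 227 reply, rejecting malformed input."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"byte value out of range in: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_data_port(port, allowed=ALLOWED_RANGE):
    """Apply the thread's policy: no privileged ports, stay inside the firewall's range.

    Returns (accepted, reason) so a caller can log why a data connection was refused.
    """
    lo, hi = allowed
    if port < PRIVILEGED_LIMIT:
        return False, f"privileged port {port} (< {PRIVILEGED_LIMIT})"
    if not lo <= port <= hi:
        return False, f"port {port} outside allowed passive range {lo}-{hi}"
    return True, "ok"


def firewall_hole_count(port_range):
    """Number of inbound ports a firewall must permit for a given passive range."""
    lo, hi = port_range
    return hi - lo + 1


def evaluate_reply(reply, allowed=ALLOWED_RANGE):
    """Parse a 227 reply and decide whether the client should open the data connection."""
    host, port = parse_pasv(reply)
    accepted, reason = check_data_port(port, allowed)
    return {"host": host, "port": port, "accepted": accepted, "reason": reason}


if __name__ == "__main__":
    # Constructed sample replies: one inside the allowed range, one outside it,
    # and one pointing at a privileged port.
    samples = [
        encode_pasv("10.0.0.5", 5001),
        encode_pasv("10.0.0.5", 5120),
        "227 Entering Passive Mode (10,0,0,5,0,21)",
    ]
    for s in samples:
        print(s, "->", evaluate_reply(s))
    print("firewall holes, Linux default range:", firewall_hole_count(LINUX_EPHEMERAL_RANGE))
    print("firewall holes, constrained range:   ", firewall_hole_count(ALLOWED_RANGE))
```

The point of `check_data_port` is that the client (or a proxy in front of the backup server) never trusts the port the server announces; with the server and the firewall both pinned to the same small range, a reply outside it is either a misconfiguration or a rewritten control channel, and either way the data connection should not be attempted.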