As I am sure is the case with many organisations, we operate our network with a DMZ in which our Brightmail Gateway is situated. In fact, this practice is even recommended by Symantec in their installation guide.
Again, as with most organisations, we also need to take regular backups of all our servers and their data in the event of a disaster recovery situation. We have looked into using the automated backup schedule on the Brightmail Gateway; however, after some investigation it is apparent that the system uses passive FTP (as opposed to non-passive).
For those of you unaware, passive FTP does not strictly use port 21. It also uses a range of ephemeral or dynamic ports to establish communication. On a typical Linux system that is a port range from 32768 to 61000, i.e. some 28200 ports.
To enable successful FTP communication through our firewall, we would effectively need to open up each and every port in that range. This then presents a very insecure channel from our DMZ to our main corporate network. As a government agency we are unable to take such risks, and as such have been unable to use the FTP backup as provided.
On contacting Symantec support, it was suggested that we use SCP, which can be executed via a command line from SSH. On initial testing this seemed to provide the solution we required, using only a single port for secure communication. However, on further testing, it would appear that we cannot schedule these jobs to run in an automated process.
As it is against Symantec policy to give customers access to the root of their Brightmail servers to be able to add cron jobs or edit the ephemeral port range, we still do not have a working solution for an automated secure backup of the Brightmail Gateway server.
In light of the problems we are experiencing, I would make one of two requests: either enable the option to use non-passive FTP, or provide an option for SCP where a job can be scheduled via the web GUI.
Mike Lewis
Case Ref# 415-882-969
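To illustrate the passive-FTP firewall problem the post describes, here is an added example (not part of the original post or of any Symantec product) that parses the PASV `227` reply an FTP server sends, computes the negotiated data port, and checks it against the 32768-61000 range quoted above and against a firewall rule set that only allows ports 21 and 22. The server address and PASV replies are constructed sample values.

```python
import re

# Ephemeral port range quoted in the post for a typical Linux host (assumed default).
EPHEMERAL_RANGE = (32768, 61000)

# PASV reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (host, port) from a PASV 227 reply; the data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in PASV reply: {port}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def in_ephemeral_range(port: int, rng=EPHEMERAL_RANGE) -> bool:
    """True if the negotiated data port falls inside the server's ephemeral range."""
    lo, hi = rng
    return lo <= port <= hi


def ports_to_open(rng=EPHEMERAL_RANGE) -> int:
    """Number of inbound ports a firewall would have to allow to pass every PASV data connection."""
    lo, hi = rng
    return hi - lo + 1


def firewall_allows(port: int, allowed) -> bool:
    """allowed is a list of inclusive (lo, hi) port ranges permitted through the firewall."""
    return any(lo <= port <= hi for lo, hi in allowed)


def audit(replies, allowed):
    """For each PASV reply, report the data port and whether the firewall would pass it."""
    return [(port, in_ephemeral_range(port), firewall_allows(port, allowed))
            for _, port in map(parse_pasv, replies)]


# Constructed sample replies: 156*256+64 = 40000 (ephemeral); 0*256+21 = 21 (control port only).
SAMPLE_REPLIES = ["227 Entering Passive Mode (10,0,0,5,156,64).",
                  "227 Entering Passive Mode (10,0,0,5,0,21)."]
STRICT_FIREWALL = [(21, 21), (22, 22)]  # only FTP control and SSH/SCP allowed

if __name__ == "__main__":
    print(audit(SAMPLE_REPLIES, STRICT_FIREWALL), "ports needed:", ports_to_open())
```

The audit shows that with only ports 21 and 22 open the 40000 data connection is blocked, and that passing every possible PASV data port means allowing all 28233 ports in the range, which is the exposure the post objects to.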