December 20, 2000

NetBackup through your firewall    [ Software ]

We've finally got a President-elect, and snow in Northern Virginia to boot! It's a happy time, Christmas is drawing near, and while presents appear 'round the tree and a fire blazes in the hearth, you're stuck at work.

There's a new Enterprise Backup Solution, and gosh darn it, the company is determined to make it back up everything from the mail servers to the CEO's nephew's PalmPilot. This, of course, involves getting through your firewall, and while you're able to put to rest some of the more outlandish ideas (doing remote backups of dialed-in employees' desktops to the DLT7000 tape library), you are going to have to back up those web and ftp servers in your DMZ to the backup servers inside your firewall.


So now I get to learn How to get Veritas NetBackup working through a Raptor firewall.

This is Real Fun, since according to Veritas' TechNote ID #187321, "NetBackup is not designed to support backups through a firewall."  That's okay, we can make this work anyway.

These instructions apply to Veritas NetBackup 3.4GA, Data Center version, and possibly other versions as well. The firewall configuration is intended for Raptor 6.0, but the information is applicable to any kind of proxy or filtering firewall.


The example covered here is where NetBackup clients are situated outside of the firewall, and the NetBackup Master Server and Media Server are situated inside of the firewall. The TechNote has one sentence on the connection needed between the Master Server and the Media Server, if you're brave enough to separate those two by a virtual gateway.


Verify that the NetBackup client service port (BPCD) and the NetBackup request service port (BPRD) are set up on each client. By default, these are 13782 for BPCD and 13720 for BPRD. The instructions in TechNote ID #187321 assume that these are set at the defaults. Your mileage may vary if these are changed; I haven't tried it.


If you'd rather not have source & destination ports 512-1023 opened between the clients and the master backup server, adjust the Server Reserved Port Window (SRPW for short) and Client Reserved Port Window (CRPW for short) accordingly. If you adjust the SRPW on the Master Server, you should also adjust it on the Media Servers that it uses. By default, the SRPW and the CRPW include TCP ports 512 through 1023.


You can also adjust the range used for connections to the BPCD and BPRD. By default, this is a random high port. This is adjusted by the Server Port Window (SPW for short) setting and the Client Port Window (CPW for short) setting. Again, if you adjust the SPW on the Master Server, you should also adjust it on the Media Servers that it uses.


Verify that you can back up clients inside the firewall with your configuration before trying to back up clients outside the firewall; it will reduce your headaches tremendously.


On the firewall, create rules between the clients and the master server (note that Rule #1 is initiated by the server, the other two by the client), allowing:

  • Rule #1: server [source tcp/SPW] -> client [destination tcp/BPCD]
  • Rule #2: client [source tcp/CPW] -> server [destination tcp/BPRD]
  • Rule #3: client [source tcp/CRPW] -> server [destination tcp/SRPW]

Using the default ports, this would be:

  • Rule #1: server [source tcp/1024-65535] -> client [destination tcp/13782]
  • Rule #2: client [source tcp/1024-65535] -> server [destination tcp/13720]
  • Rule #3: client [source tcp/512-1023] -> server [destination tcp/512-1023]
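Before touching the firewall it helps to have a reference model of these three rules that you can query: which rule (if any) permits a given TCP connection, and what happens when you narrow the reserved port windows. The following is an added example written for this page; it is not code from the original post, from Veritas or from Raptor. The port numbers and window bounds are the defaults quoted above, the roles "client" and "server" stand for the DMZ client and the master/media server, and the sample connections at the bottom are constructed.

```python
"""Reference model of the three NetBackup firewall rules (added example)."""
from dataclasses import dataclass

# NetBackup 3.4 defaults as quoted in the post.
BPRD = 13720          # request service port on the master server
BPCD = 13782          # client service port on each client
SPW = (1024, 65535)   # Server Port Window: source ports the server uses towards BPCD
CPW = (1024, 65535)   # Client Port Window: source ports the client uses towards BPRD
SRPW = (512, 1023)    # Server Reserved Port Window (destination side of Rule #3)
CRPW = (512, 1023)    # Client Reserved Port Window (source side of Rule #3)


@dataclass(frozen=True)
class Rule:
    name: str
    src_role: str        # "client" or "server"
    src_ports: tuple     # inclusive (low, high)
    dst_role: str
    dst_ports: tuple


def build_rules(bprd=BPRD, bpcd=BPCD, spw=SPW, cpw=CPW, srpw=SRPW, crpw=CRPW):
    """The three rules from the post, parameterised on the port windows."""
    return [
        Rule("Rule #1", "server", spw, "client", (bpcd, bpcd)),
        Rule("Rule #2", "client", cpw, "server", (bprd, bprd)),
        Rule("Rule #3", "client", crpw, "server", srpw),
    ]


def in_window(port, window):
    lo, hi = window
    return lo <= port <= hi


def fmt_window(window):
    lo, hi = window
    return str(lo) if lo == hi else f"{lo}-{hi}"


def describe(rules):
    """Render the rule set in the post's 'Rule #N: ...' notation."""
    return [
        f"{r.name}: {r.src_role} [source tcp/{fmt_window(r.src_ports)}] -> "
        f"{r.dst_role} [destination tcp/{fmt_window(r.dst_ports)}]"
        for r in rules
    ]


def matching_rule(rules, src_role, src_port, dst_role, dst_port):
    """Name of the first rule permitting this TCP connection, or None if blocked."""
    for r in rules:
        if ((r.src_role, r.dst_role) == (src_role, dst_role)
                and in_window(src_port, r.src_ports)
                and in_window(dst_port, r.dst_ports)):
            return r.name
    return None


# Constructed sample connections (role, source port, role, destination port).
SAMPLE_FLOWS = [
    ("server", 40000, "client", 13782),  # master contacts the client's BPCD
    ("client", 50000, "server", 13720),  # client contacts the master's BPRD
    ("client", 700, "server", 900),      # data connection, reserved port to reserved port
    ("client", 40000, "server", 900),    # client left the reserved window: blocked
]


def audit(flows, rules):
    """Pair each flow with the rule that permits it (None = dropped by the firewall)."""
    return [(flow, matching_rule(rules, *flow)) for flow in flows]


if __name__ == "__main__":
    defaults = build_rules()
    print("\n".join(describe(defaults)))
    for flow, rule in audit(SAMPLE_FLOWS, defaults):
        print(flow, "->", rule or "BLOCKED")
    # Narrowing SRPW/CRPW to 900-1023 on the master alone: a media server still
    # using 512-1023 would produce flows like the third one above that no longer match.
    narrowed = build_rules(srpw=(900, 1023), crpw=(900, 1023))
    print(audit(SAMPLE_FLOWS[2:3], narrowed))
```

The fourth sample flow is the usual failure mode: if the client side does not actually honour its reserved port window, the data connection never matches Rule #3, so check the audit against a capture of a real backup attempt before assuming the rule set is wrong.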

In Raptor, you would need to create three new protocols:

  Name                 Protocol  Destination Port Range  Source Port Range
  netbackup_tcp_13720  TCP       BPRD [13720]            CPW [1024-65535]
  netbackup_tcp_13782  TCP       BPCD [13782]            SPW [1024-65535]
  netbackup_tcp_xfer   TCP       SRPW [512-1023]         CRPW [512-1023]

In Raptor, you would then create two new GSPs to handle the first two protocols:

  Name                 App Protocol
  NetBackup-Tcp-13720  netbackup_tcp_13720
  NetBackup-Tcp-13782  netbackup_tcp_13782

Since GSPs in Raptor 6.0 can only handle a single destination port, you'll have to create a filter (aka Local Tunnel, created in the "Secure Tunnels" window) to handle the third protocol.


Create the first rule from the client entity to the server entity, including the NetBackup-Tcp-13720 GSP we created. Create the second rule from the server entity to the client entity, including the NetBackup-Tcp-13782 GSP we created. Add a useful description to both rules - nothing's more irritating than looking back at a rule 6 months later and trying to remember what it was created for or who was responsible for it.


Make sure that the Master Server and the clients are set up as Secure Subnets inside of the "Net Entities" window. Tunnels in Raptor 6.0 require endpoints identified as Secure Subnets. To define a single host as a secure subnet, set its mask to 255.255.255.255 and its key profile to match its nearest firewall interface.


If all clients aren't in the same subnet, create a group for them and use that group in the filter. Packet filters aren't restricted to using Secure Subnets as entities like tunnels are. When a filter is applied to a tunnel, the firewall uses a logical AND of the tunnel and filter entities to determine traffic endpoints. The filter entities must be contained within the tunnel entities, though.


To illustrate:

  Name                  Entity A            Entity B
  Filter pf-Test        Mike's workstation  Mail server
  Tunnel using pf-Test  Client subnet       Server subnet
  Resulting traffic:    Mike's workstation  Mail server

See the Raptor Configuration Guide on page 13-7 for more explanation.
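The "logical AND of the tunnel and filter entities" is easy to get wrong when the clients are a group of DMZ hosts rather than one subnet, so here is a small model of it. This is an added example for this page, not code from the post or from Raptor: it treats every entity as a list of address/prefix strings (a Secure Subnet for a single host is a /32, i.e. mask 255.255.255.255), checks the containment requirement, and then answers whether a source/destination pair is carried by the tunnel. The addresses are constructed documentation ranges, not anything from the post.

```python
"""Model of Raptor's tunnel-AND-filter endpoint logic (added example)."""
import ipaddress


def parse_entity(spec):
    """An entity is one or more 'address/prefix' strings; a group is simply several."""
    return [ipaddress.ip_network(s, strict=False) for s in spec]


def contained_in(inner, outer):
    """True when every network in `inner` lies within some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def filter_fits_tunnel(filter_a, filter_b, tunnel_a, tunnel_b):
    """The filter entities must be contained within the tunnel entities."""
    fa, fb, ta, tb = (parse_entity(e) for e in (filter_a, filter_b, tunnel_a, tunnel_b))
    return contained_in(fa, ta) and contained_in(fb, tb)


def _member(ip, nets):
    return any(ip in n for n in nets)


def traffic_allowed(src_ip, dst_ip, filter_a, filter_b, tunnel_a, tunnel_b):
    """Traffic passes only if it matches the tunnel endpoints AND the filter endpoints."""
    if not filter_fits_tunnel(filter_a, filter_b, tunnel_a, tunnel_b):
        raise ValueError("filter entities must be contained within the tunnel entities")
    fa, fb, ta, tb = (parse_entity(e) for e in (filter_a, filter_b, tunnel_a, tunnel_b))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_tunnel = _member(src, ta) and _member(dst, tb)
    in_filter = _member(src, fa) and _member(dst, fb)
    return in_tunnel and in_filter


# Constructed entities: tunnel endpoints are Secure Subnets, the filter uses a
# group of two DMZ hosts (Entity A) and the single master server (Entity B).
CLIENT_SUBNET = ["192.0.2.0/24"]
SERVER_SUBNET = ["198.51.100.0/24"]
DMZ_GROUP = ["192.0.2.10/32", "192.0.2.11/32"]   # web and ftp server, as a group
MASTER = ["198.51.100.5/32"]                     # master server, mask 255.255.255.255

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.50"):
        ok = traffic_allowed(src, "198.51.100.5", DMZ_GROUP, MASTER, CLIENT_SUBNET, SERVER_SUBNET)
        print(src, "-> 198.51.100.5:", "carried" if ok else "not carried")
    # A host outside the client subnet cannot be used in the filter at all.
    print(filter_fits_tunnel(["203.0.113.7/32"], MASTER, CLIENT_SUBNET, SERVER_SUBNET))
```

The second host in the loop (192.0.2.50) is inside the tunnel's client subnet but not in the filter group, so it is not carried; that is the behaviour you want if only the DMZ web and ftp servers are supposed to reach the master.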


Click on "Filters..." in the "Secure Tunnels" window to access the "Packet Filtering" window. Create a filter named "pf-NetBackup" between the clients as Entity A and the server as Entity B. Add "A->B netbackup_tcp_xfer" as the protocol in this filter.


Go back to the "Secure Tunnels" window, and create a new tunnel between the clients (or a secure subnet that includes the clients) as Entity A and the server (or a secure subnet that includes the server) as Entity B. Use the "pf-NetBackup" filter, and use SWIPE encapsulation (doesn't really matter for a local tunnel).


Save and apply your changes, then test your connection by doing a manual backup of the clients outside of the firewall.


Posted by edobbs at December 20, 2000 04:42 PM