Customizing the Data Protector Environment

Firewall Support

1. To determine which processes need to communicate across the firewall, see Table 11-2 (Disk Agent column). It shows that the Disk Agent needs to accept connections from the Session Manager on port 5555. This leads to the following rule for the firewall:

Allow connections from the CM system to port 5555 on the DA system

2. See also Table 11-3 for the Disk Agent. It shows that the Disk Agent connects to a dynamically allocated port on the Media Agent. Since you do not want to open the firewall for communication between the Disk and Media Agent in general, you need to limit the range of ports from which the Media Agent can allocate a listen port.

See Table 11-1 for the port consumption of the Media Agent. The Media Agent requires only one port per running Media Agent. For example, if you have four tape devices connected, you may have four Media Agents running in parallel. This means that you need at least four ports available. However, since other processes may allocate ports from this range as well, you should specify a range of about ten ports on the MA system:

OB2PORTRANGESPEC=xMA-NET:18000-18009

This leads to the following firewall rule for the communication with the Media Agent:

Allow connections from the DA system to port 18000-18009 on the MA system

NOTE

This rule allows connections from the DMZ to the intranet, which is a potential security risk.

3. Table 11-3 also shows that the Disk Agent needs to connect to the Session Manager (BSM/RSM) when the Reconnect broken connections option is enabled. You can specify a required port range on the CM system analogous to the previous item.

OB2PORTRANGESPEC=xSM:20100-20199
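
Added example (not part of the HP manual): a Python check that a firewall allow rule matches the range set in OB2PORTRANGESPEC, so that the DMZ-to-intranet opening mentioned in the NOTE is no wider than the configured range. The ';'-separated multi-entry syntax, the function names, and the default headroom of six ports (taken from the four-agents, ten-ports example above) are assumptions.

```python
import re

# Assumption: entries look like "Agent:low-high", several joined by ';',
# modelled on the two values shown on this page.
ENTRY_RE = re.compile(r"^([A-Za-z][\w-]*):(\d+)-(\d+)$")

def parse_portrangespec(value):
    """Return {agent: (low, high)} from an OB2PORTRANGESPEC value."""
    ranges = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"unparseable entry: {entry!r}")
        low, high = int(m.group(2)), int(m.group(3))
        if not 0 < low <= high <= 65535:
            raise ValueError(f"invalid port range in {entry!r}")
        ranges[m.group(1)] = (low, high)
    return ranges

def audit_rule(spec, agent, fw_low, fw_high, parallel_agents, headroom=6):
    """Compare a firewall allow rule (fw_low-fw_high) with the agent's range."""
    low, high = parse_portrangespec(spec)[agent]
    size = high - low + 1
    findings = []
    if size < parallel_agents:
        findings.append(f"range has {size} ports, {parallel_agents} agents need one each")
    elif size < parallel_agents + headroom:
        findings.append("range leaves little headroom for other processes")
    # Ports present in both the configured range and the firewall rule.
    overlap = max(0, min(high, fw_high) - max(low, fw_low) + 1)
    blocked = size - overlap
    exposed = (fw_high - fw_low + 1) - overlap
    if blocked:
        findings.append(f"firewall blocks {blocked} configured ports")
    if exposed:
        findings.append(f"firewall opens {exposed} ports outside the configured range")
    return findings

if __name__ == "__main__":
    spec = "xSM:20100-20199;xMA-NET:18000-18009"  # constructed from the page's values
    # Constructed firewall rules: one exact, one far too wide.
    for fw in [(18000, 18009), (18000, 18999)]:
        print(fw, audit_rule(spec, "xMA-NET", *fw, parallel_agents=4))
```

An empty result means the rule opens exactly the configured range and the range covers the expected number of parallel Media Agents.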

HP B6960-90078 manual