NDMP thru Firewall

Excerpt from NDMP v4.0 Specifications
can be found at http://www.ndmp.org/download/sdk_v4/
5. Security
NDMP through firewalls is problematic if the data and tape services reside in the interior of separate firewalls such that an NDMP data connection must originate from the exterior of one firewall. If only a single firewall exists, the NDMP Server inside the firewall SHOULD originate the connection as firewalls generally allow any outbound connection.
NDMP Server implementations SHOULD resolve the two firewall problem by providing configurable control over the port number range that will be used for NDMP data connection listens. This control SHOULD be used by system administrators to constrain NDMP Servers to a limited range of TCP ports that correspond to ports the firewall will allow inbound connections on.
NDMP is incompatible with Network Address Translation (NAT) firewalls because IP address and TCP port information is conveyed as payload data between NDMP peers (connect_addr in NDMP_MOVER_LISTEN & NDMP_DATA_LISTEN replies).


Although, after reading this, I believe it refers to a 3-way NDMP session, where the server and tape service are on two different hosts(datamovers). And from the excerpt you provided from the EMC NDMP manual, it appears EMC has already limited this port range for 3-way NDMP to use 10001 thru 10004.

Thank you !

telenoiz,

please mark correct/helpfull answers, this will help other users querying for similar questions.