August 16th, 2013 05:00

Backup won't run through firewall

Hey guys,

yeah another firewall-thread, sorry about that!

I need to implement a DMZ backup using EMC NetWorker.

The NetWorker server is a SLES 11 SP2 machine outside the DMZ, v8.0.1.6. The server is also the storage node and nsrports is set to the default values: Service ports: 7937-9936, Connection ports: 0-0.

The NetWorker client is a Windows 2008 R2 running NetWorker version v8.0.1.6 and nsrports is set to: Service ports: 7937-7938, Connection ports: 0-0. Windows firewall is disabled.

On the firewall the ports 111 and 7937-7940 are opened from the NetWorker Server network 10.8.116.0 to the client network 1.1.110.0.

There is no DNS, so resolution is done through hosts-entries.

I can telnet into the ports from the NetWorker server: 111, 7937 and 7938 ok, 7939 + 7940 are blocked. Is that because I restricted the ports on the client? I guess so.

Anyway, I'm also not able to do a "nsradmin -p nsrexecd -s -> this times out.

And as you can guess, backup is not running:

savegrp -vvvvv -c

savegrp: :All                              level=incr

7236:savegrp: Group will not limit job parallelism

83643:savegrp: :All                                               started

savefs -s -c -p -l full -R -v

3:savegrp: Group waiting for 1 jobs to complete

7224:savegrp: :All Port mapper failure - Timed out

84078:savegrp: command 'savefs -s -c -g -p -l full -R -v' for client exited with return code 127

Can anyone help me out?

If you need more information I'm more than happy to provide it.

Thanks in advance

Jan

1.2K Posts

August 18th, 2013 18:00

Opening ports 7937 and 7938 for the client is not enough. The client needs at least 4 service ports (if other add-ons are installed, more service ports will be required). Therefore, open more ports on the client (best to open 7937-9936 if it is possible).

Please refer to the following document to calculate how many ports and what ports are needed in your environment.

1 Attachment

161 Posts

August 19th, 2013 06:00

This is definitely a DNS issue.

I have no DNS resolution in this environment and need to do it by hosts-files. But this won't work.

I have the client DNS-information in the networker server's hosts-file and the networker server's DNS-infos in the client's hosts-file.

I have no DNS-server specified in the /etc/resolv.conf and the nsswitch-file contains the line: hosts:          files.

But no nslookup will go through, I always get a time out.

How can I realise forward and backward DNS-resolution via hosts-files?

1.2K Posts

August 21st, 2013 00:00

I hope you can read Page 5 to Page 7 "Calculating service port ranges".

161 Posts

August 21st, 2013 00:00

Ok, we fixed the DNS issue. But we still have trouble with the ports which need to be opened.

I tried opening ports 111, 514 and 7937-7940 in both directions but the backup failed with a timeout.

Now ports 111, 514 and 7937-9936 are opened and backup is running.

When I read the "Configuring TCP Networks and Network Firewalls for EMC NetWorker"-Guide right, only ports 7937+7938 need to be open. Is that right?

Do I need to set the nsrports on the server or the client side? Currently it is set to default.

Any help would be appreciated.

Regards

Jan

161 Posts

August 21st, 2013 01:00

As far as I understand it, I don't need to calculate any ports since the networker server I'm running is outside the DMZ and it is also the storage node. There is nothing networker related inside the DMZ.

So it needs to be four ports (7937-7940), at least this is the statement on page 5. "NetWorker client: A NetWorker 7.3 or later client uses nsrexecd that requires four service ports: the reserved ports 7937 and 7938 and two user-configurable ports from the service port range."

However, I'm not sure where to set the nsrports portrange. On the networker server or the networker client?

1.7K Posts

September 9th, 2013 05:00

Hi Jayjay,

You have to set the ports on both server and client with the following command:

nsrports -S xxxx-xxxx

If you want to use certain ports, you can also do as follows:

nsrports -S 7937-7938 8284-8333 8346-8395 8638-8694 8900-8942

This will use ports 7937 and 7938, from 8284 to 8333 etc.

Port 111 should also be open.

Can you please let us know what you have in the hosts file in regards to the loopback?

Thank you,

Carlos

16 Posts

September 12th, 2013 15:00

1) Don't touch any nsrports setting on the server.

2) On the client, open a command line window and enter the command, "nsrports -S 7937-7940"

3) On the client, restart "Networker Remote Exec Service"

4) Try your backup again.

1.7K Posts

September 19th, 2013 01:00

Xao,

With that you are limiting the number of ports the client can use to contact the NW server and send data. I wouldn't apply such a restriction, because if there are, for instance, Oracle DBs running on it, it will definitely need more ports for the backup.

Thank you,

Carlos

16 Posts

September 19th, 2013 11:00

Carlos,

I was giving answers based on JayJay's scenario, which looks like he was just trying to do filesystem backups. You only need 4 ports on the client and 4 ports on the firewall to make filesystem backups work. Also, JayJay mentioned the client is on the DMZ. I have not seen an environment where someone will put their internal applications and database servers out on the DMZ. So pretty much filesystem backups are all that's needed.

Xao

147 Posts

October 10th, 2013 00:00

Hi,

Networker’s default port range is 7937-9936; so on the firewall you will need to allow for bi-directional TCP traffic on ports 7937-9936.


Allow incoming service connections to the NetWorker server’s IP address on ports, from the IP addresses of each of the storage nodes or client machines (as well as any other machines on that subnet). The firewall is also configured to allow connections to the IP addresses for each storage node on ports , and to each client IP address on ports. Each NetWorker host must be configured with the appropriate port range for that machine, and the NetWorker services must be restarted on each machine after a change to the port range. A simpler configuration to administer these machines would be to assign a range of 24 ports, 7937–7960, to all machines, and configure the firewall to allow traffic to these ports on any host.
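
The port arithmetic argued over in this thread, as an added example that is not part of any post and is not NetWorker code: it compares a client's nsrports service range with the ports the firewall allows. The four-port minimum and port 111 come from the posts above; treating every port in the service range as one the daemon may pick, and flagging open ports outside that range, are assumptions of the example.

```python
# Added example, not NetWorker code. Rules are the ones stated in the thread.
PORTMAPPER = 111        # thread: port 111 must be open
MIN_CLIENT_PORTS = 4    # guide quoted in the thread: nsrexecd needs four service ports

def parse_ranges(spec):
    """Turn 'nsrports -S' style text such as '7937-7938 8284-8333' into a set of ports."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        low, high = int(low), int(high or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {token!r}")
        ports.update(range(low, high + 1))
    return ports

def compact(ports):
    """Render a set of ports back into 'a-b c' form for readable findings."""
    out, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:
            out.append(run)
            run = []
        run.append(p)
    if run:
        out.append(run)
    return " ".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in out)

def check_client(service_spec, firewall_spec, min_ports=MIN_CLIENT_PORTS):
    """Return a list of findings; an empty list means the two configurations agree."""
    service = parse_ranges(service_spec)
    allowed = parse_ranges(firewall_spec)
    findings = []
    if len(service) < min_ports:
        findings.append(f"service range has {len(service)} ports, need at least {min_ports}")
    blocked = service - allowed
    if blocked:  # assumption: the daemon may bind any port in its service range
        findings.append(f"service ports not allowed by firewall: {compact(blocked)}")
    if PORTMAPPER not in allowed:
        findings.append(f"portmapper port {PORTMAPPER} not allowed by firewall")
    unused = allowed - service - {PORTMAPPER}
    if unused:   # least privilege: open ports with nothing configured behind them
        findings.append(f"firewall allows ports the client never uses: {compact(unused)}")
    return findings

if __name__ == "__main__":  # client and firewall settings from the first post
    print(check_client("7937-7938", "111 7937-7940"))
```

Run against the three configurations tried in the thread, it flags the first (two service ports) and the second (default range behind a 7937-7940 rule) and returns no findings for a client set to 7937-7940 behind the same rule.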
