
DMZ server backup

kraju
Level 2

Hello, I need to back up a good number of clients in the DMZ servers. The media server has been set up in the same DMZ LAN; however, the storage is in the internal network. So as to get good throughput, is there a way to minimize / avoid the traffic through the FW during backup?

Thanks


ACCEPTED SOLUTION

sdo
Moderator
Partner    VIP    Certified

In case you get challenged by your security team, you can point them to the fact that there are no public notifications of any known vulnerabilities in the latest versions of NetBackup Client:

https://www.us-cert.gov/ncas/current-activity

...and search for NetBackup.


As an additional measure, IF you use specific physical NICs to create what is in effect a "DMZ backup subnet", then... whilst not a firewall, you should be able to get your network admins to place an ACL on the network ports, and/or possibly restrict specific LAN switch physical ports to specific TCP port numbers, e.g. tcp/1556 in each direction to tcp/any. Ok, it's not a firewall, but it should still block all other traffic except for NetBackup, without impairing performance. Ok, so you won't have stateful inspection of packets, but you should be able to restrict the source to a specific TCP port (tcp/1556), and/or whitelist the source and/or target IP or MAC addresses.

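To make the ACL idea in the accepted answer concrete, here is a small added example (not code from the thread, from Veritas, or from sdo) that models a stateless switch ACL permitting only NetBackup tcp/1556 in each direction on a "DMZ backup subnet" and evaluates candidate flows against it; the subnet and host addresses are hypothetical, and the audit helper flags any non-NetBackup flow the ACL would let through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NETBACKUP_PBX_PORT = 1556  # tcp/1556 (PBX), the one port the post says to allow

@dataclass
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation
    proto: str               # "tcp", "udp" or "any"
    src_port: Optional[int]  # None = any port
    dst_port: Optional[int]  # None = any port
@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

def evaluate(rules, flow):
    """First-match ACL evaluation with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.src_port not in (None, flow.src_port) or r.dst_port not in (None, flow.dst_port):
            continue
        return r.action
    return "deny"

# Constructed, hypothetical addressing (not from the thread): DMZ backup subnet 10.99.0.0/24, media server 10.99.0.10.
DMZ_BACKUP_NET, MEDIA_SERVER, P = "10.99.0.0/24", "10.99.0.10/32", NETBACKUP_PBX_PORT
# Stateless ACL (no connection tracking), so each direction needs both the
# request (dst port 1556) and its replies (src port 1556) permitted explicitly.
BACKUP_ACL = [
    Rule("permit", DMZ_BACKUP_NET, MEDIA_SERVER, "tcp", None, P),  # client -> media server PBX
    Rule("permit", MEDIA_SERVER, DMZ_BACKUP_NET, "tcp", P, None),  # ...and its replies
    Rule("permit", MEDIA_SERVER, DMZ_BACKUP_NET, "tcp", None, P),  # media server -> client PBX
    Rule("permit", DMZ_BACKUP_NET, MEDIA_SERVER, "tcp", P, None),  # ...and its replies
]

def non_netbackup_permits(rules, flows):
    """Audit helper: permitted flows that are not tcp/1556 on either end."""
    return [f for f in flows if evaluate(rules, f) == "permit"
            and not (f.proto == "tcp" and P in (f.src_port, f.dst_port))]
```

Because the ACL is stateless, the audit will also show that anything reaching the media server on another port, or any UDP traffic, falls through to the implicit deny, which is the property sdo is relying on.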

5 REPLIES

RamNagalla
Moderator
Partner    VIP    Certified

Could you let us know how you are connecting the storage with the media servers? Is it through SAN (over FC) or through LAN (using some OST plug-in)?

What is the storage that you are using?

If you are connecting the storage with the media server using SAN, there is no point in network/DMZ and firewall, since SAN does not have all these.

If you are connecting the storage with the media server using LAN, you need to make sure that the required network ports are opened, and have good speed in the network configuration and connectivity; it could be 10 gig, depending on your network design.

You can look at the below T/N for port requirements:

https://www.veritas.com/support/en_US/article.TECH136090

kraju
Level 2

Hi Ram, thank you for your reply. The media server is in the same LAN as the DMZ servers and the storage is connected through 10G. But in that case, will it affect the throughput? What would be the best way to bypass the firewall for the backup traffic? Is that only SAN?

Marianne
Level 6
Partner    VIP    Accredited Certified

A private network between the DMZ media server and the Storage Server that bypasses the Firewall can be deployed. The question about the Firewall's effect on backup throughput must be directed to your network and firewall team. Only a proper understanding of the type of Firewall, settings, etc., and the network route will help to know the effect on performance.

kraju
Level 2

Thanks Marianne, "Private network between DMZ media server and Storage Server that bypasses the Firewall can be deployed" sounds good to me. So I hope this would help to avoid traffic through the firewall and help to back up clients in the DMZ and internal network to the same storage. I hope the network route should not be a problem if the media server and clients are in the same LAN.

Thank you
