Firewall Traffic From NetBackup

Randy_Samora
Level 6
I have NetBackup running across a firewall with the 8 ports recommended by Veritas. Everything works great. My WAN guys are complaining about the traffic so I want to try to decrease the backup traffic. If I put a media server on the other side of the firewall where the clients are, and share the tape library with that media server, is that going to help me much or is there data the clients have to send to the Master themselves?

This might be a question for Veritas but this is always a good place to start.

Thanks,
Randy
8 REPLIES

Lance_Hoskins
Level 6
Randy,

Putting a media server on the other side of the firewall is a perfect option! Some companies don't let their backup administrators put clients on the other side of the firewall, so that can sometimes be tricky. If you have the ability to put a media server on the other side however, it will take care of 99.9% of the traffic. There's still a little going to the master server, but I'm guessing it won't cause any problems on the firewall.

Lance

Stumpr2
Level 6
Easiest configuration would be to have dedicated library and storage. If not, then still do not use SSO.

Randy_Samora
Level 6
Thanks Lance, I was hoping that would be the answer.

Bob, no SSO? Why not? When it works, it's great. I have one complaint and that is with any little network hiccup, I have to reboot the entire thing, library and servers. It seems like any kind of communication interruption and NetBackup cannot recover. Windows gets back on line fine without a reboot but NetBackup wants a reboot every time.

Dennis_Strom
Level 6
If you put a media server in the firewall the amount of traffic you get will depend on how you have it configured. If you keep the volume database on the media server then the traffic will be reduced. I like to keep everything on the Master server. With this config there is a lot more traffic. That should not be an issue for the network folks as long as they know what the traffic is.
I have not been able to get our network group to open up more than one port so as a solution I put a master server with a small library out in the firewall. This adds a bit of cost with licensing but it is a simple solution. For added security I put ipf on the box and only allow traffic to and from that box from that subnet. The master server is a sol9 box. Initially I wanted everything on my Master Server but now that this is working I really like it. Clean, simple, and nobody knows it is there.

Dennis_Strom
Level 6
After taking over the backup operations here, one of the first things that I did was getting rid of SSO. My failures went down and the amount of maintenance work (reboots etc.) went down significantly. I would not use SSO unless I had to.

Randy_Samora
Level 6
I have the same setup here; a master with a small outdated 2-drive SDLT library in it and I want to get away from the SDLT technology. Don't get me wrong, it works great and I'm hoping to sneak that old library home for use there :) But I want to get all of my backups on the LTO2 library.

I agree about SSO, don't use it unless you have to. It really does complicate things. But with 750 clients and over 28TB of data backing up every weekend, I'm in a "have to" environment.

Stumpr2
Level 6
Problem with SSO and media servers on the wrong side of the firewall is that you will need to open more ports: media server to media server communication, depending on who happens to be the scan host at a particular moment. The only workaround I've been able to make work is to only let the master server be the scan host. This is done via an entry in the vm.conf file: SSO_SCAN_ABILITY = 0 in every SSO media server and SSO_SCAN_ABILITY = 9 in the master's vm.conf.
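
The vm.conf setting described in the post above, as an added example that is not part of the original thread: a check over collected vm.conf files that flags any host whose SSO_SCAN_ABILITY differs from the 9-on-master, 0-on-media-servers layout, since such a host could become scan host and need media-server-to-media-server ports through the firewall. The hostnames and file contents are constructed, and taking the last value when the entry is repeated is an assumption.

```python
import re

# Matches the "SSO_SCAN_ABILITY = N" form quoted in the post. Lines that
# start with "#" (treated here as comments) do not match.
ENTRY = re.compile(r"^\s*SSO_SCAN_ABILITY\s*=\s*(\d+)\s*$")


def scan_ability(vm_conf_text):
    """Return the SSO_SCAN_ABILITY value found in vm.conf text, or None.

    Assumption: if the entry appears more than once, the last one counts.
    """
    value = None
    for line in vm_conf_text.splitlines():
        match = ENTRY.match(line)
        if match:
            value = int(match.group(1))
    return value


def audit(master, configs):
    """configs maps hostname -> vm.conf text; returns a list of findings.

    Expected layout from the post: 9 on the master, 0 on every SSO media
    server, so only the master is ever the scan host.
    """
    findings = []
    for host, text in sorted(configs.items()):
        want = 9 if host == master else 0
        got = scan_ability(text)
        if got is None:
            findings.append(f"{host}: SSO_SCAN_ABILITY not set, expected {want}")
        elif got != want:
            findings.append(f"{host}: SSO_SCAN_ABILITY = {got}, expected {want}")
    return findings


# Constructed sample: vm.conf contents as gathered from four hypothetical hosts.
SAMPLE = {
    "master1": "SSO_SCAN_ABILITY = 9\n",
    "media-dmz1": "SSO_SCAN_ABILITY = 0\n",
    "media-dmz2": "# SSO_SCAN_ABILITY = 0\n",   # entry commented out
    "media-lan1": "SSO_SCAN_ABILITY = 5\n",     # can still win the scan-host role
}

if __name__ == "__main__":
    for finding in audit("master1", SAMPLE):
        print(finding)
```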

Randy_Samora
Level 6
Oh THIS should be fun. Well, if nothing else, that will also get rid of the hundreds of "Host is not the scan host for this shared drive (304)" errors I see on my media servers.