
Required network access for high protected network

Sasha_phd
Level 1

Hello Guys,
I'm trying to find the best way to handle protected networks, for example a DMZ. In my opinion, it could be done with a dedicated media server which will have access only to the master server and the clients in the DMZ. I'm not sure that it is possible without providing access to the master server from the clients as well.

Also I would like to store backup copies on Data Domain, DDBoost and OST protocol.

I have AIX/Linux hosts, Oracle and Sybase.

Any suggestions?

3 REPLIES

Marianne
Level 6
Partner    VIP    Accredited Certified

Nicolai
Moderator
Partner    VIP   

In general it's just bad mojo to open IP connections in the DMZ to the inside. Consider deploying an entire NBU environment in the DMZ and using DDBoost over Fibre Channel. As an alternative, pull the entire traffic through the firewall.

I don't see any gains in placing a media server in the DMZ, as clients want to talk to the master server - e.g. for restore requests for BMR.

If all hosts in the DMZ are VMs, use hypervisor-based backups from the inside of the hypervisor network. This recommendation doesn't work 

Nicolai

Mouse
Moderator
Partner    VIP    Accredited Certified

In theory file-level backups might work without direct access to the master server. However, it's a very limiting approach.

If a high level of security is required, I'd either build the entire domain in the DMZ and AIR it to the open network through Data Domain - this avoids connectivity between any active NBU components and leaves all communication channels with storage.

One more thing to worry about is the firewall throughput. More frequently than not I've seen these devices in the middle slow things down dramatically, so even if you punch holes in the firewall you might suffer a performance penalty. You avoid it either by using DD Boost over FC or SAN client, or, as mentioned above, by using AIR.