Solved

Veritas - getting it to use just one port

Posted on 2002-05-22
251 Views
Last Modified: 2010-04-11
Normally Veritas will try and use a broad random range of TCP/UDP ports to transfer data to the backup server.  This is a problem when trying to backup something at a higher security level off of a firewall.  Is there a means to screw down Veritas so that it only uses one port?
Question by:mmedwid
16 Comments
 
LVL 1

Expert Comment

by:s0mvnguy
ID: 7027925
I think you can create a user-defined share (\\xxx.xxx.xx.x:port number) and back up from there.

Hope this helps
 
LVL 8

Expert Comment

by:scraig84
ID: 7028247
It's random on both ends?  How is the connection ever made?  Usually one end will be locked down to a single port.  
 
LVL 1

Author Comment

by:mmedwid
ID: 7028454
It's the destination ports that are many and random.  I know this to be the case because I've seen the syslogging of the denies on our PIX.  And later we confirmed this is the default behavior of Veritas.  
 
LVL 41

Accepted Solution

by:
stevenlewis earned 300 total points
ID: 7028654
 
LVL 1

Author Comment

by:mmedwid
ID: 7028805
stevenlewis - that's just what I'm looking for.  Do you know if you can crank it down as low as one port?  e.g. a range of 5000 to 5000 or 4999 to 5000?  I imagine the issue would be if you had any other machines backing up at the same time and you had overlap you'd be hosed.  But if you carefully arranged your backups not to have overlapping port #s - should be okay.  Any experience?
 
LVL 8

Expert Comment

by:scraig84
ID: 7029706
Why can't you just lock it down by the end that already has a single static port?  Are there details around this that make this not trustable or possible?  

I have a hard time believing that the destination (target for initial SYN packet) is random.  

Either way, as long as you trust the "source" that has the static port and know that it is on a secure segment and spoofing cannot come into play, you should be able to lock it down by using that end.
 
LVL 1

Author Comment

by:mmedwid
ID: 7030654
As the document states - the destination port is definitely different each time.  It's not exactly random - it starts at port 5000 and the next session will use 4999 and the next 4998 and so on.  It must be from some stupid old programming that only allowed one host at a time to reach the backup server at a particular port.  Just a guess.  

I'm not sure I follow your last paragraph.  The device would be on a secure DMZ - PIX security level 50.  I'd call that zone somewhat trusted.  More trusted than outside anyhow.  The backup server is inside.  I want to open as few ports as is absolutely possible.  One is best.  If I receive no other answer - I'll just test cranking it down to one port and see if it plays.

 
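The thread settles on reading the PIX deny log to learn which destination ports the client actually hits before opening anything. As an added illustration (not code from the thread, from Veritas, or from Cisco), the script below parses constructed %PIX-4-106023 deny lines, groups the denied destination ports per protocol/source/destination, reports the observed span, and prints the narrowest access-list line that would cover it. The log lines, addresses and the "dmz_in" ACL name are made up for the example, and the PIX `range lo hi` / `eq port` access-list syntax is assumed rather than verified against a specific PIX release.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape of the PIX %PIX-4-106023 deny message.
# They are made up for this example and are not taken from the thread.
SAMPLE_DENIES = [
    '%PIX-4-106023: Deny tcp src dmz:10.50.0.20/1045 dst inside:10.1.0.5/5000 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:10.50.0.20/1046 dst inside:10.1.0.5/4999 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:10.50.0.20/1047 dst inside:10.1.0.5/4998 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:10.50.0.20/1048 dst inside:10.1.0.5/4999 by access-group "dmz_in"',
    '%PIX-4-106023: Deny udp src dmz:10.50.0.21/514 dst inside:10.1.0.9/514 by access-group "dmz_in"',
    # A different message type: not an ACL deny, so the parser ignores it.
    '%PIX-3-106010: Deny inbound tcp src outside:203.0.113.7/4321 dst dmz:10.50.0.20/445',
]

# Only the 106023 "Deny proto src if:ip/port dst if:ip/port" shape is parsed.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(lines):
    """Yield (proto, src_ip, dst_ip, dst_port) for every 106023 deny line."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["sip"], m["dip"], int(m["dport"])


def dest_ports_by_flow(lines):
    """Group denied destination ports by (proto, src_ip, dst_ip); sorted, deduplicated."""
    flows = defaultdict(set)
    for proto, sip, dip, dport in parse_denies(lines):
        flows[(proto, sip, dip)].add(dport)
    return {key: sorted(ports) for key, ports in flows.items()}


def port_range(ports):
    """Return (lowest, highest, number of distinct ports) for the observed ports."""
    return min(ports), max(ports), len(set(ports))


def proposed_rule(acl, proto, sip, dip, ports):
    """Build the narrowest host-to-host PIX access-list line covering the observed ports.
    The 'eq'/'range' keywords are assumed PIX syntax; check them against your release."""
    lo, hi, _ = port_range(ports)
    port_spec = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
    return f"access-list {acl} permit {proto} host {sip} host {dip} {port_spec}"


if __name__ == "__main__":
    for (proto, sip, dip), ports in dest_ports_by_flow(SAMPLE_DENIES).items():
        lo, hi, n = port_range(ports)
        print(f"{proto} {sip} -> {dip}: {n} distinct port(s), {lo}-{hi}")
        print("   " + proposed_rule("dmz_in", proto, sip, dip, ports))
```

Run it against a real PIX syslog export (one line per entry) instead of the constructed list, and the per-flow span tells you whether the descending-from-5000 behaviour stays within a handful of ports or sprawls, which is the number that decides how wide the rule must be.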
LVL 41

Expert Comment

by:stevenlewis
ID: 7030710
mmedwid I haven't tried it, test it and see.
 
LVL 1

Author Comment

by:mmedwid
ID: 7030735
Will do.  Our backup guy is out for the long weekend.  Next week we'll try it out.  
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7030751
Our backup guy is out for the long weekend
Must be nice LOL
 
LVL 1

Author Comment

by:mmedwid
ID: 7030807
The grass is always greener.  :-)
 
LVL 1

Author Comment

by:mmedwid
ID: 7039976
From our Mr. Backup dude...

"You can lower the number of ports, but that lowers the number for ALL clients.  Then you have all your clients competing for the few open ports that there are and only a few backup jobs run.  It's crazy, but that's the way their product works.  To back up through firewalls, you need a media server which is another expensive license, and another server on the other side of the firewall.  "

...anyone know any more on this?  
 
LVL 1

Author Comment

by:mmedwid
ID: 7039991
btw - what crappy code that Veritas only allows one client to connect on one particular port at a time.  Unreal given what they charge for their crud.
 
LVL 8

Expert Comment

by:scraig84
ID: 7040016
I am still not exactly following how this transaction works.  The only way I can see it working from the way you are describing is if it works similar to FTP, where a single port is used initially until new ports are negotiated, at which point it is "deterministically random".  If this is not the case, then there has to be a single port or small group of ports that can be determined.

However, since you are not crossing the public interface and this is between your DMZ and your backup server, why not just allow all traffic from those servers to your backup server?  It's not ideal, I will grant you, but unless there is something I am missing, it is really the only way.
 
LVL 1

Author Comment

by:mmedwid
ID: 7064939
At the end of the day - it looks like there is no good answer to my question.  But your pointing to that Veritas documentation helped me get to that conclusion.  Thanks.
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7065580
mmedwid, wish we could have been more help