Solved

Veritas - getting it to use just one port

Posted on 2002-05-22
16
244 Views
Last Modified: 2010-04-11
Normally Veritas will try and use a broad random range of TCP/UDP ports to transfer data to the backup server.  This is a problem when trying to backup something at a higher security level off of a firewall.  Is there a means to screw down Veritas so that it only uses one port?
Question by:mmedwid
16 Comments
 
LVL 1

Expert Comment

by:s0mvnguy
ID: 7027925
I think you can create a user-defined share (\\xxx.xxx.xx.x:port number) and back up from there.

Hope this helps.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7028247
It's random on both ends?  How is the connection ever made?  Usually one end will be locked down to a single port.  
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7028454
It's the destination port that is many and random.  I know this to be the case because I've seen the syslogging of the denies on our PIX.  And later we confirmed this is the default behavior of Veritas.
0
 
LVL 41

Accepted Solution

by:
stevenlewis earned 300 total points
ID: 7028654
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7028805
stevenlewis - that's just what I'm looking for.  Do you know if you can crank it down as low as one port?  e.g. a range of 5000 to 5000 or 4999 to 5000?  I imagine the issue would be if you had any other machines backing up at the same time and you had overlap you'd be hosed.  But if you carefully arranged your backups not to have overlapping port #s - should be okay.  Any experience?
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7029706
Why can't you just lock it down by the end that already has a single static port?  Are there details around this that make this not trustable or possible?  

I have a hard time believing that the destination (target for initial SYN packet) is random.  

Either way, as long as you trust the "source" that has the static port and know that it is on a secure segment and spoofing cannot come into play, you should be able to lock it down by using that end.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030654
As the document states - the destination port is definitely different each time.  It's not exactly random - it starts at port 5000 and the next session will use 4999 and the next 4998 and so on.  It must be from some stupid old programming that only allowed one host at a time to reach the backup server at a particular port.  Just a guess.

I'm not sure I follow your last paragraph.  The device would be on a secure DMZ - PIX security level 50.  I'd call that zone somewhat trusted.  More trusted than outside anyhow.  The backup server is inside.  I want to open as few ports as is absolutely possible.  One is best.  If I receive no other answer - I'll just test cranking it down to one port and see if it plays.

0
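The two author comments above (the PIX syslog denies that revealed the behaviour, and the observation that the destination port starts at 5000 and decrements by one per session) describe exactly the evidence a firewall admin would want to quantify before sizing a rule. The following Python script is an added example, not code from the thread or from Veritas; it parses constructed `%PIX-4-106023` deny lines (a real PIX message ID, but these sample lines are made up), groups the denied destination ports per client and protocol, reports the smallest contiguous port range that would have covered the observed traffic to the backup server, and checks whether a client's ports follow the descending-by-one pattern the author describes. The IP addresses, interface names and access-group name are assumptions.

```python
import re
from collections import defaultdict

# Constructed PIX 106023 deny lines for illustration; not taken from the thread.
# Format: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
SAMPLE_LOG = """\
May 22 2002 10:01:02 pix %PIX-4-106023: Deny tcp src dmz:10.50.0.11/1034 dst inside:10.10.0.5/5000 by access-group "dmz_in"
May 22 2002 10:01:03 pix %PIX-4-106023: Deny tcp src dmz:10.50.0.11/1035 dst inside:10.10.0.5/4999 by access-group "dmz_in"
May 22 2002 10:01:04 pix %PIX-4-106023: Deny tcp src dmz:10.50.0.11/1036 dst inside:10.10.0.5/4998 by access-group "dmz_in"
May 22 2002 10:02:10 pix %PIX-4-106023: Deny tcp src dmz:10.50.0.12/2200 dst inside:10.10.0.5/4997 by access-group "dmz_in"
May 22 2002 10:02:11 pix %PIX-4-106023: Deny udp src dmz:10.50.0.12/2201 dst inside:10.10.0.5/4996 by access-group "dmz_in"
May 22 2002 10:03:00 pix %PIX-4-106023: Deny tcp src dmz:10.50.0.13/3000 dst inside:10.10.0.99/443 by access-group "dmz_in"
"""

DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each 106023 deny line, in log order."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (m["proto"], m["sip"], m["dip"], int(m["dport"]))


def port_span_by_client(text, server_ip):
    """Per (client_ip, proto): (lowest port, highest port, sorted ports) denied towards server_ip."""
    ports = defaultdict(set)
    for proto, sip, dip, dport in parse_denies(text):
        if dip == server_ip:
            ports[(sip, proto)].add(dport)
    return {key: (min(p), max(p), sorted(p)) for key, p in ports.items()}


def minimal_range(text, server_ip):
    """Smallest contiguous destination-port range covering all observed denies to server_ip.

    Returns None when the log shows no denies to that server. This is the range a
    rule would need to permit to stop the denies; a one-port rule only works if this
    collapses to (p, p).
    """
    spans = port_span_by_client(text, server_ip)
    if not spans:
        return None
    return min(s[0] for s in spans.values()), max(s[1] for s in spans.values())


def observed_order(text, server_ip, client_ip):
    """Destination ports one client hit on the server, in the order the PIX logged them."""
    return [d for _, s, dip, d in parse_denies(text) if dip == server_ip and s == client_ip]


def is_descending_by_one(ports):
    """True when each successive port is exactly one below the previous (5000, 4999, 4998, ...)."""
    return all(a - b == 1 for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    server = "10.10.0.5"
    for (client, proto), (lo, hi, ports) in port_span_by_client(SAMPLE_LOG, server).items():
        print(f"{client} {proto}: ports {lo}-{hi} ({len(ports)} distinct)")
    print("range needed to cover observed traffic:", minimal_range(SAMPLE_LOG, server))
    seq = observed_order(SAMPLE_LOG, server, "10.50.0.11")
    print("10.50.0.11 sequence", seq, "descending by one:", is_descending_by_one(seq))
```

Run against a real PIX syslog export, the per-client spans show how many ports were actually in play during a backup window, which is the number the thread is arguing about: if several clients overlap in time, the span grows, and a range narrowed to one port would only have served one of them.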
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7030710
mmedwid I haven't tried it, test it and see.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030735
Will do.  Our backup guy is out for the long weekend.  Next week we'll try it out.  
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7030751
Our backup guy is out for the long weekend
Must be nice LOL
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7030807
The grass is always greener.  :-)
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7039976
From our Mr. Backup dude...

"You can lower the number of ports, but that lowers the number for ALL clients.  Then you have all your clients competing for the few open ports that there are and only a few backup jobs run.  It's crazy, but that's the way their product works.  To back up through firewalls, you need a media server which is another expensive license, and another server on the other side of the firewall.  "

...anyone know any more on this?  
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7039991
btw - what crappy code that Veritas only allows one client to connect on a particular port at a time.  Unreal given what they charge for their crud.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7040016
I am still not exactly following how this transaction works.  The only way I can see it working from the way you are describing is if it works similar to FTP where a single port is used initially until new ports are negotiated at which point it is "deterministically random".  If this is not the case, then there has to be a single port or small group of ports that can be determined.

However, since you are not crossing the public interface and this is between your DMZ and your backup server, why not just allow all traffic from those servers to your backup server?  It's not ideal I will grant you, but unless there is something I am missing, it is really the only way.
0
 
LVL 1

Author Comment

by:mmedwid
ID: 7064939
At the end of the day - it looks like there is no good answer to my question.  But your pointing to that Veritas documentation helped me get to that conclusion.  Thanks.
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7065580
mmedwid, wish we could have been more help
0
