Veritas - getting it to use just one port

Normally Veritas will try to use a broad random range of TCP/UDP ports to transfer data to the backup server.  This is a problem when trying to back up something at a higher security level off of a firewall.  Is there a means to screw down Veritas so that it only uses one port?

mmedwid asked:

s0mvnguy commented:
I think you can create a user-defined share (\\xxx.xxx.xx.x:port number) and back up from there.

Hope this helps.
0
scraig84 commented:
It's random on both ends?  How is the connection ever made?  Usually one end will be locked down to a single port.
0
mmedwid (author) commented:
It's the destination ports that are many and random.  I know this to be the case because I've seen the syslogging of the denies on our PIX.  And later we confirmed this is the default behavior of Veritas.
0
mmedwid (author) commented:
stevenlewis - that's just what I'm looking for.  Do you know if you can crank it down as low as one port?  e.g. a range of 5000 to 5000 or 4999 to 5000?  I imagine the issue would be if you had any other machines backing up at the same time and you had overlap you'd be hosed.  But if you carefully arranged your backups not to have overlapping port #s - should be okay.  Any experience?
0
scraig84 commented:
Why can't you just lock it down by the end that already has a single static port?  Are there details around this that make this not trustable or possible?

I have a hard time believing that the destination (target for the initial SYN packet) is random.

Either way, as long as you trust the "source" that has the static port and know that it is on a secure segment and spoofing cannot come into play, you should be able to lock it down by using that end.
0
mmedwid (author) commented:
As the document states - the destination port is definitely different each time.  It's not exactly random - it starts at port 5000, and the next session will use 4999, the next 4998, and so on.  It must be from some stupid old programming that only allowed one host at a time to reach the backup server at a particular port.  Just a guess.

I'm not sure I follow your last paragraph.  The device would be on a secure DMZ - PIX security level 50.  I'd call that zone somewhat trusted.  More trusted than outside anyhow.  The backup server is inside.  I want to open as few ports as is absolutely possible.  One is best.  If I receive no other answer - I'll just test cranking it down to one port and see if it plays.

0
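As an added example (not code from anyone in the thread), a small Python script that checks the counting-down destination-port behaviour described above against PIX deny syslog before deciding what to open on the firewall. The log lines, hosts, interface names and ACL name are constructed, and the regex assumes the 106023 "Deny proto src iface:ip/port dst iface:ip/port" message shape.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating the Cisco PIX/ASA 106023 deny message;
# hosts, interfaces and the ACL name are made up, not taken from the thread.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src dmz:10.50.0.12/1234 dst inside:10.10.0.5/5000 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.50.0.12/1235 dst inside:10.10.0.5/4999 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.50.0.12/1236 dst inside:10.10.0.5/4998 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.50.0.13/1301 dst inside:10.10.0.5/4997 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.50.0.13/1302 dst inside:10.10.0.5/4996 by access-group "dmz_in"
%PIX-4-106023: Deny udp src dmz:10.50.0.99/2049 dst inside:10.10.0.7/53 by access-group "dmz_in"
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src \S+:(?P<src>[\d.]+)/\d+ "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_denies(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for every line matching the deny pattern."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def port_summary(text, backup_server):
    """Per (proto, client) summary of destination ports denied toward backup_server.
    'countdown' is True when successive ports each drop by exactly one (5000, 4999, 4998...)."""
    seen = defaultdict(list)
    for proto, src, dst, dport in parse_denies(text):
        if dst == backup_server:          # ignore unrelated denies (e.g. the DNS line)
            seen[(proto, src)].append(dport)
    summary = {}
    for key, ports in seen.items():
        steps = [a - b for a, b in zip(ports, ports[1:])]
        summary[key] = {
            "ports": sorted(set(ports)),
            "range": (min(ports), max(ports)),
            "countdown": len(ports) > 1 and all(s == 1 for s in steps),
        }
    return summary

def acl_range_needed(summary):
    """Smallest contiguous destination-port range that would cover every observed deny."""
    lows = [v["range"][0] for v in summary.values()]
    highs = [v["range"][1] for v in summary.values()]
    return (min(lows), max(highs))
```

Run over a real export of the denies, the range it reports is the minimum the ACL would have to permit for the clients seen so far; if it keeps widening across runs, the one-port goal is not achievable without changing the client configuration.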
stevenlewis commented:
mmedwid, I haven't tried it; test it and see.
0
mmedwid (author) commented:
Will do.  Our backup guy is out for the long weekend.  Next week we'll try it out.
0
stevenlewis commented:
Our backup guy is out for the long weekend
Must be nice LOL
0
mmedwid (author) commented:
The grass is always greener.  :-)
0
mmedwid (author) commented:
From our Mr. Backup dude...

"You can lower the number of ports, but that lowers the number for ALL clients.  Then you have all your clients competing for the few open ports that there are and only a few backup jobs run.  It's crazy, but that's the way their product works.  To back up through firewalls, you need a media server, which is another expensive license, and another server on the other side of the firewall."

...anyone know any more on this?  
0
mmedwid (author) commented:
btw - what crappy code that Veritas only allows one client to connect on one particular port at a time.  Unreal given what they charge for their crud.
0
scraig84 commented:
I am still not exactly following how this transaction works.  The only way I can see it working from the way you are describing is if it works similar to FTP, where a single port is used initially until new ports are negotiated, at which point it is "deterministically random".  If this is not the case, then there has to be a single port or small group of ports that can be determined.

However, since you are not crossing the public interface and this is between your DMZ and your backup server, why not just allow all traffic from those servers to your backup server?  It's not ideal, I will grant you, but unless there is something I am missing, it is really the only way.
0
mmedwid (author) commented:
At the end of the day - it looks like there is no good answer to my question.  But your pointing to that Veritas documentation helped me get to that conclusion.  Thanks.
0
stevenlewis commented:
mmedwid, wish we could have been more help
0