  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275

Veritas - getting it to use just one port

Normally Veritas will try and use a broad random range of TCP/UDP ports to transfer data to the backup server.  This is a problem when trying to backup something at a higher security level off of a firewall.  Is there a means to screw down Veritas so that it only uses one port?
0
mmedwid
Asked:
mmedwid
1 Solution
 
s0mvnguyCommented:
I think you can create a user-defined share (\\xxx.xxx.xx.x:port number) and back up from there.

Hope this helps.
0
 
scraig84Commented:
It's random on both ends?  How is the connection ever made?  Usually one end will be locked down to a single port.  
0
 
mmedwidAuthor Commented:
It's the destination port that is many and random.  I know this to be the case because I've seen the syslogging of the denies on our pix.  And later we confirmed this is the default behavior of veritas.  
0
 
mmedwidAuthor Commented:
stevenlewis - that's just what I'm looking for.  Do you know if you can crank it down as low as one port?  e.g. a range of 5000 to 5000 or 4999 to 5000?  I imagine the issue would be if you had any other machines backing up at the same time and you had overlap, you'd be hosed.  But if you carefully arranged your backups not to have overlapping port #s, it should be okay.  Any experience?
0
 
scraig84Commented:
Why can't you just lock it down by the end that already has a single static port?  Are there details around this that make this not trustable or possible?  

I have a hard time believing that the destination (target for initial SYN packet) is random.  

Either way, as long as you trust the "source" that has the static port and know that it is on a secure segment and spoofing cannot come into play, you should be able to lock it down by using that end.
0
 
mmedwidAuthor Commented:
As the document states - the destination port is definitely different each time.  It's not exactly random - it starts at port 5000, and the next session will use 4999 and the next 4998 and so on.  It must be from some stupid old programming that only allowed one host at a time to reach the backup server at a particular port.  Just a guess.  

I'm not sure I follow your last paragraph.  The device would be on a secure dmz - pix security level 50.  I'd call that zone somewhat trusted.  More trusted than outside anyhow.  The backup server is inside.  I want to open as few ports as is absolutely possible.  One is best.  If I receive no other answer - I'll just test cranking it down to one port and see if it plays.

0
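The pattern described above (a new destination port per session, counting down from 5000) shows up in firewall deny logs before anyone reads the vendor documentation. The following Python is an added example, not code from the thread or from Veritas: it parses constructed deny lines in the general shape of a Cisco PIX 106023 message (the format, host names, addresses and ports are all assumptions for illustration), groups the denied destination ports per backup server, and reports the narrowest permit range that would cover what was seen and whether the ports form the descending sequence the author describes.

```python
import re

# Constructed sample syslog lines in the general shape of a Cisco PIX 106023
# deny message. The format is assumed for illustration; the interface names,
# addresses and ports are made up and are not from the original thread.
SAMPLE_DENIES = """
%PIX-4-106023: Deny tcp src dmz:10.20.0.15/33001 dst inside:10.10.0.5/5000 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.20.0.15/33002 dst inside:10.10.0.5/4999 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.20.0.15/33003 dst inside:10.10.0.5/4998 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:10.20.0.16/40120 dst inside:10.10.0.5/4997 by access-group "dmz_in"
%PIX-4-106023: Deny udp src dmz:10.20.0.15/5353 dst inside:10.10.0.9/5353 by access-group "dmz_in"
""".strip().splitlines()

# Regex for the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>" shape.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(lines):
    """Return one dict per line that matches the deny pattern, in log order."""
    records = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def dest_port_range(records, proto, dst_ip):
    """Smallest contiguous port range covering every denied destination port
    seen for (proto, dst_ip). Returns (low, high, distinct_count) or None."""
    ports = sorted({r["dport"] for r in records
                    if r["proto"] == proto and r["dip"] == dst_ip})
    if not ports:
        return None
    return ports[0], ports[-1], len(ports)


def is_descending_sequence(records, proto, dst_ip):
    """True when, in log order, each new destination port is exactly one less
    than the previous one (the 5000, 4999, 4998 ... behaviour in the thread)."""
    ports = [r["dport"] for r in records
             if r["proto"] == proto and r["dip"] == dst_ip]
    return len(ports) > 1 and all(b == a - 1 for a, b in zip(ports, ports[1:]))


def rule_summary(records):
    """One line per (proto, backup server): the narrowest permit range that
    would have covered the observed sessions, and whether it looked sequential."""
    lines = []
    for proto, dip in sorted({(r["proto"], r["dip"]) for r in records}):
        low, high, n = dest_port_range(records, proto, dip)
        tag = "sequential" if is_descending_sequence(records, proto, dip) else "scattered"
        lines.append(f"{proto} -> {dip}: permit ports {low}-{high} ({n} distinct, {tag})")
    return lines


if __name__ == "__main__":
    for line in rule_summary(parse_denies(SAMPLE_DENIES)):
        print(line)
```

The range it reports is a lower bound: a job that has not run yet will take the next port down, so the permit you actually write has to cover the full range the backup software is configured to use, not just the ports already logged. The sequential/scattered tag is there so that a random-looking spread is not mistaken for the counting-down behaviour.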
 
stevenlewisCommented:
mmedwid, I haven't tried it; test it and see.
0
 
mmedwidAuthor Commented:
Will do.  Our backup guy is out for the long weekend.  Next week we'll try it out.  
0
 
stevenlewisCommented:
Our backup guy is out for the long weekend
Must be nice LOL
0
 
mmedwidAuthor Commented:
The grass is always greener.  :-)
0
 
mmedwidAuthor Commented:
From our Mr. Backup dude...

"You can lower the number of ports, but that lowers the number for ALL clients.  Then you have all your clients competing for the few open ports that there are and only a few backup jobs run.  It's crazy, but that's the way their product works.  To back up through firewalls, you need a media server which is another expensive license, and another server on the other side of the firewall.  "

...anyone know any more on this?  
0
 
mmedwidAuthor Commented:
btw - what crappy code that Veritas only allows one client to connect at one particular port at a time.  Unreal given what they charge for their crud.
0
 
scraig84Commented:
I am still not exactly following how this transaction works.  The only way I can see it working from the way you are describing is if it works similar to FTP, where a single port is used initially until new ports are negotiated, at which point it is "deterministically random".  If this is not the case, then there has to be a single port or small group of ports that can be determined.

However, since you are not crossing the public interface and this is between your DMZ and your backup server, why not just allow all traffic from those servers to your backup server?  It's not ideal, I will grant you, but unless there is something I am missing, it is really the only way.
0
 
mmedwidAuthor Commented:
At the end of the day - it looks like there is no good answer to my question.  But your pointing to that Veritas documentation helped me get to that conclusion.  Thanks.
0
 
stevenlewisCommented:
mmedwid, wish we could have been more help
0
