Article: 100001460
Last Published: 2012-01-09
Product(s): NetBackup & Alta Data Protection
Problem
This article presents guidelines for running NDMP backups through a firewall.
Solution
If you are using an NDMP storage unit in a firewall environment, make sure you know the different types of NDMP backups to be performed. The backup type determines which ports need to be opened in the firewall. The following paragraphs describe the types of NDMP backups and how they pertain to firewall use. These backup types are: local; 3-way and remote NDMP; remote NDMP; and local and 3-way TIR.
■ For local operations, the DMA needs access to port 10000 on the NDMP server. In this case, the one NDMP server is both the NDMP tape server and the NDMP data server.
■ For 3-way and remote NDMP, the DMA needs access to port 10000 on the NDMP tape server and the NDMP data server. Also, there cannot be a firewall between the NDMP tape server and the NDMP data server because there is no control over the TCP/IP ports used for the data movement.
■ For remote NDMP, it is not advisable to put a firewall between the DMA and the NDMP hosts. This is because the DMA can be on the same computer as the NDMP tape server. In this case, you need an unlimited number of ports available to perform the data movement between the NDMP tape server and the NDMP data server.
■ For local and 3-way TIR, the data requires an unlimited number of ports available because NetBackup has no control over the ports used.
However, there is a workaround that avoids having to open the entire NBU non-reserved port range on the firewall for NDMP 3-way and remote backups.
The NDMP agent uses port 10000, which must be open in both directions. Once that connection is established, the data mover sets up a socket connection back to NetBackup to send metadata. It is at that point that “unlimited ports” must be opened to allow the transfer of that information back to NetBackup. NDMP backups are different because there isn't any NetBackup software running, so NetBackup has no control over the ports used.
Configure the following as a workaround:
Within the NetBackup media server attributes there is a value for Server Port Window whose default value is 1025 to 5000. This is the range of non-reserved TCP ports on which the media server will accept connections from other hosts.
You can set SERVER_PORT_WINDOW = 65000 65009, which requires only 10 ports to be open through the firewall.
When the backup starts, the media server passes the “Server Port Window” to the NDMP host, which then connects back on a port within the specified range. As a result, the firewall only has to open 10 ports as opposed to thousands.
Note that only legacy NBU clients and servers use that setting. All currently supported NBU servers and clients are not affected, because they still use the default PBX port 1556 and vnetd port 13724.
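The following Python script is an added example, not part of the original article or of NetBackup. It parses the SERVER_PORT_WINDOW entry shown above and audits a firewall allow-list against it, flagging callback rules that open more ports than the window needs and reporting missing rules. The rule tuple format, hostnames `media1` and `filer1`, and function names are hypothetical, and it assumes the DMA runs on the media server.

```python
import re

NDMP_CONTROL_PORT = 10000  # NDMP control port named in the article

def parse_port_window(conf_text):
    """Return (low, high) from a 'SERVER_PORT_WINDOW = low high' entry."""
    m = re.search(r"^\s*SERVER_PORT_WINDOW\s*=\s*(\d+)\s+(\d+)\s*$", conf_text, re.M)
    if not m:
        raise ValueError("SERVER_PORT_WINDOW entry not found")
    low, high = int(m.group(1)), int(m.group(2))
    if not 1024 < low <= high <= 65535:
        raise ValueError(f"not a valid non-reserved port window: {low} {high}")
    return low, high

def audit_rules(rules, window, media_server, ndmp_host):
    """Audit allow rules (src, dst, first_port, last_port) against the window.

    Assumption: the DMA runs on the media server, so the control connection
    goes media server -> NDMP host and the callback goes the other way.
    """
    low, high = window
    control_ok = callback_ok = False
    findings = []
    for src, dst, first, last in rules:
        if (src, dst) == (media_server, ndmp_host) and first <= NDMP_CONTROL_PORT <= last:
            control_ok = True
        if (src, dst) == (ndmp_host, media_server):
            if first <= low and last >= high:
                callback_ok = True
            overlap = max(0, min(last, high) - max(first, low) + 1)
            extra = (last - first + 1) - overlap  # ports opened beyond the window
            if extra:
                findings.append(f"{src}->{dst} tcp/{first}-{last}: {extra} ports outside window")
    if not control_ok:
        findings.append(f"missing {media_server}->{ndmp_host} tcp/{NDMP_CONTROL_PORT}")
    if not callback_ok:
        findings.append(f"missing {ndmp_host}->{media_server} tcp/{low}-{high}")
    return findings

# Constructed sample data: hostnames and rule sets are illustrative only.
CONF = "SERVER_PORT_WINDOW = 65000 65009\n"
WIDE = [("media1", "filer1", 10000, 10000), ("filer1", "media1", 1024, 65535)]
NARROW = [("media1", "filer1", 10000, 10000), ("filer1", "media1", 65000, 65009)]

if __name__ == "__main__":
    window = parse_port_window(CONF)
    for name, rules in (("wide", WIDE), ("narrow", NARROW)):
        print(name, audit_rules(rules, window, "media1", "filer1") or "ok")
```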