HP B6960-90078 User Manual

Customizing the Data Protector Environment

Firewall Support

Chapter 11

1. In order to determine which processes need to communicate across the firewall, see Table 11-2 (Disk Agent column). It shows that the Disk Agent needs to accept connections from the Session Manager on port 5555. This leads to the following rule for the firewall:

✓ Allow connections from the CM system to port 5555 on the DA system

2. See also Table 11-3 for the Disk Agent. It shows that the Disk Agent connects to a dynamically allocated port on the Media Agent. Since you do not want to open the firewall for communication between the Disk and Media Agent in general, you need to limit the range of ports from which the Media Agent can allocate a listen port.

See Table 11-1 for the port consumption of the Media Agent. The
Media Agent requires only one port per running Media Agent. For
example, if you have four tape devices connected, you may have four
Media Agents running in parallel. This means that you need at least
four ports available. However, since other processes may allocate
ports from this range as well, you should specify a range of about ten
ports on the MA system:

OB2PORTRANGESPEC=xMA-NET:18000-18009

This leads to the following firewall rule for the communication with
the Media Agent:

✓ Allow connections from the DA system to port 18000-18009 on the MA system

NOTE

This rule allows connections from the DMZ to the intranet, which is a
potential security risk.

3. Table 11-3 also shows that the Disk Agent needs to connect to the Session Manager (BSM/RSM) when the Reconnect broken connections option is enabled. You can specify a required port range on the CM system analogous to the previous item.

OB2PORTRANGESPEC=xSM:20100-20199
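
The three steps above, worked through as an added example (not part of the HP manual): the script parses the two port range settings, builds the resulting allow rules, evaluates connections against them with default deny, and lists the rules that open the intranet to the DMZ. The function names are hypothetical, and placing the CM system in the intranet is an assumption; the DA and MA placement follows the NOTE.

```python
import re

# Zone placement: DA in the DMZ and MA in the intranet follow the page's NOTE;
# CM in the intranet is an assumption made for this example.
ZONES = {"CM": "intranet", "MA": "intranet", "DA": "dmz"}

def parse_portrange(spec):
    """Parse one 'OB2PORTRANGESPEC=<process>:<low>-<high>' line as shown on the page."""
    m = re.fullmatch(r"OB2PORTRANGESPEC=([\w-]+):(\d+)-(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised port range spec: {spec!r}")
    low, high = int(m.group(2)), int(m.group(3))
    if not 0 < low <= high <= 65535:
        raise ValueError(f"invalid port range: {low}-{high}")
    return m.group(1), low, high

def build_rules(ma_spec, sm_spec, running_media_agents):
    """Return the three allow rules from the procedure as (src, dst, low, high)."""
    _, ma_low, ma_high = parse_portrange(ma_spec)
    _, sm_low, sm_high = parse_portrange(sm_spec)
    # One port per running Media Agent is the minimum the range must hold.
    if ma_high - ma_low + 1 < running_media_agents:
        raise ValueError("MA port range is smaller than the number of Media Agents")
    return [
        ("CM", "DA", 5555, 5555),        # step 1: Session Manager -> Disk Agent
        ("DA", "MA", ma_low, ma_high),   # step 2: Disk Agent -> Media Agent
        ("DA", "CM", sm_low, sm_high),   # step 3: Disk Agent -> Session Manager
    ]

def allowed(rules, src, dst, port):
    """Default deny: a connection passes only if a rule matches it exactly."""
    return any(s == src and d == dst and lo <= port <= hi for s, d, lo, hi in rules)

def dmz_to_intranet(rules):
    """Rules that open the intranet to the DMZ, the risk the NOTE points out."""
    return [r for r in rules if ZONES[r[0]] == "dmz" and ZONES[r[1]] == "intranet"]

RULES = build_rules("OB2PORTRANGESPEC=xMA-NET:18000-18009",
                    "OB2PORTRANGESPEC=xSM:20100-20199", running_media_agents=4)

if __name__ == "__main__":
    for src, dst, lo, hi in RULES:
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        flag = "  <- DMZ to intranet" if (src, dst, lo, hi) in dmz_to_intranet(RULES) else ""
        print(f"allow {src} -> {dst} port {ports}{flag}")
```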