Network security, Tcp/ip ports, Network firewalls – Storix Software SBAdmin User Guide User Manual

27. Network Security

SBAdmin was created with safeguards in place to prevent breaches in security without disrupting the security
and integrity of the remaining network. This section outlines the flow of network traffic, the security measures
that have been implemented, and what steps need to be taken by security personnel to ensure that your
software will function properly between network firewalls.

TCP/IP Ports

SBAdmin configured with a Network Edition license communicates via the Transmission Control
Protocol/Internet Protocol (TCP/IP). This communication is handled through two different ports, the Data port
and the Status port. By default, SBAdmin uses port numbers 5026 and 5027, which are registered with the
Internet Assigned Numbers Authority (8191 and 8192 were used previously). These port numbers are determined
during the installation of the software and can be changed by the user at that time. If you need to change the
port numbers used, simply reinstall the software and update the port numbers at that time. If you change your
port numbers, boot images previously made on tapes or CDs will attempt to communicate through the old port
numbers if installing from a remote server. It is advised to create your boot media/images after changing your
port numbers.

It is very important that all Administrators, Servers and Clients using System
Backup Administrator are configured to use the same port numbers. You can
verify this by checking the /.stdefaults file for the following entries:

DATAPORT=5026

STATPORT=5027
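
One way to automate this check across hosts, as an added example that is not part of the Storix guide or software. It assumes a copy of each system's /.stdefaults has been collected into a local file and that the file holds plain KEY=VALUE lines like the two above; the function names are hypothetical and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not Storix code). Assumes /.stdefaults holds KEY=VALUE lines,
# as in the two entries shown above. Function names are hypothetical.

# Print the numeric value of key $1 in file $2 (last occurrence wins).
sb_get() {
    sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Print "DATAPORT STATPORT" for file $1; fail if either is missing,
# outside 1-65535, or if both are the same port.
sb_ports() {
    data=$(sb_get DATAPORT "$1")
    stat=$(sb_get STATPORT "$1")
    for p in "$data" "$stat"; do
        [ -n "$p" ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$data" -ne "$stat" ] || return 1
    echo "$data $stat"
}

# Compare every file against the first; report each mismatch, return 1 if any.
sb_ports_consistent() {
    ref=$(sb_ports "$1") || { echo "invalid: $1"; return 1; }
    shift
    rc=0
    for f in "$@"; do
        cur=$(sb_ports "$f") || cur="invalid"
        if [ "$cur" != "$ref" ]; then
            echo "mismatch: $f ($cur, expected $ref)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: copies from three hosts, one still on the old 8191/8192.
sb_demo() {
    d=$(mktemp -d)
    printf 'DATAPORT=5026\nSTATPORT=5027\n' > "$d/admin"
    printf 'DATAPORT=5026\nSTATPORT=5027\n' > "$d/server"
    printf 'DATAPORT=8191\nSTATPORT=8192\n' > "$d/client"
    sb_ports_consistent "$d/admin" "$d/server" "$d/client"
    rc=$?
    rm -rf "$d"
    return $rc
}

sb_demo || true
```

Pass the Administrator's copy first so that every Server and Client is compared against it; a non-zero exit status means at least one system would try to connect on different ports.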

These two ports are listening ports and must be open to incoming TCP/IP traffic from other systems within your
SBAdmin network. SBAdmin uses the ports specified above to transfer backup data, status messages, and to
run remote commands. Only the SBAdmin network daemon process “strexecd” can properly answer requests
on these ports. Any other process attempting to open these ports will receive a connection error.

Network Firewalls

When a backup or restore is performed remotely, commands are initiated between the Admin and Client as well
as the Client and Server. The network communications on these ports are set up automatically when SBAdmin is
installed on any system. If you have a network firewall between any of your systems utilizing SBAdmin, you will
need to open the communication on these ports, or select other port numbers to use that are allowed by the
firewall.

Some firewalls will close inactive ports after a certain period of time. It is advisable to turn off this timeout, if
possible. When performing a remote backup, volume prompt messages are sent over the network, and no other
communication takes place until a new tape volume is inserted. If the next tape is not inserted before the
firewall timeout, the firewall may close the ports. SBAdmin will continue the backup, but no further messages
will appear and SBAdmin will not receive the exit status of the command. Although the backup usually
completes successfully, SBAdmin will appear to have hung.

Remote Command Execution

SBAdmin is the only application that can communicate over the SBAdmin network ports. In addition, only
specific commands can be run remotely.

Storix System Backup Administrator

Version 8.2 User Guide