About this task
Every firewall is different, so the firewall administrator
might need to consult the instructions for the firewall software or
hardware in use.
There are two methods for enabling client
and server operations through a firewall:
- Method 1:
- To allow clients to communicate with a server across a firewall,
the firewall administrator must open the following ports:
- TCP/IP port
- To enable the backup-archive client, command-line admin client,
and the scheduler to run outside a firewall, the firewall administrator
must open the port specified by the server option tcpport (default 1500).
This port is set on both the client and the server with the tcpport
option, and the two settings must match. It carries Tivoli Storage Manager
scheduler communications in both polling and prompted mode, CAD-managed
schedulers, and regular backup-archive client operations.
Note: The client cannot use the port specified by the tcpadminport
server option for a client session. That port can be used for
administrative sessions only.
- HTTP port
- To allow the Web client to communicate with remote workstations
across a firewall, the HTTP port for the remote workstation must be
opened. Use the httpport option in the remote workstation
client options file to specify this port. The default HTTP port is
1581.
- TCP/IP ports for the remote workstation
- The two TCP/IP ports for the remote workstation client must be
opened. Use the webports option in the remote workstation
client options file to specify these ports. If you do not set
the webports option, the default value of zero (0) causes TCP/IP
to assign two free port numbers at random, which a firewall
administrator cannot open in advance; set fixed values when the
remote workstation is behind a firewall.
- TCP/IP port for administrative sessions
- The tcpadminport server option specifies a separate TCP/IP port
on which the server listens for administrative client sessions, so
that administrative sessions can be kept within a private network.
Clients cannot use this port for backup-archive sessions.
- Method 2:
- For the client scheduler in prompted mode, it is unnecessary to
open any ports on the firewall. If you set the sessioninitiation option
to serveronly, the client does not attempt to contact the server; all
sessions are initiated by server-prompted scheduling on the port
defined on the client with the tcpclientport option.
The sessioninitiation option only affects the behavior
of the client scheduler running in prompted mode.
On the Tivoli Storage Manager server, set the SESSIONINITiation
parameter of the register node or update node command for each node.
If the server specifies SESSIONINITiation=clientorserver, the default,
the client decides which method to use. If the server specifies
SESSIONINITiation=serveronly, all sessions are initiated by the server.
Note:
- If sessioninitiation is set to serveronly, the value of the
tcpclientaddress client option must be the same as the value of the
HLAddress parameter of the update node or register node server command,
and the value of the tcpclientport client option must be the same as
the value of the LLAddress parameter of that command.
- If you set the sessioninitiation option to serveronly, the
command-line client, backup-archive client Java™ GUI, and Web client GUI
(but not CAD-managed schedulers) still attempt to initiate sessions; the
Tivoli Storage Manager server blocks those sessions for nodes whose
sessioninitiation is set to serveronly.
- When the Tivoli Storage Manager scheduler is installed with the setup
wizard or dsmcutil and the Tivoli Storage Manager server is behind a
firewall, the node password is not stored on the client workstation.
As a result, the scheduler service might be unable to authenticate to
the server when the server contacts the client to run a schedule. In
this case, run the scheduler from the command line (dsmc schedule),
wait until a scheduled operation starts, and enter the password for
your node when prompted. After you enter the password for your node,
restart the scheduler service. You can also use the following dsmcutil
command to write the password into the registry:
dsmcutil updatepw /node:nnn /password:ppp /validate:no
If the sessioninitiation option is set to serveronly in your client
options file (dsm.opt), the client setup wizard and the scheduler
service are unable to initiate authentication with the Tivoli Storage
Manager server. To avoid this problem, when configuring the client
scheduler using the setup wizard, ensure that the Contact the TSM
Server to validate password checkbox on the TSM Authentication page
is unchecked.
A similar problem can occur if an encryption key is required for backup
operations. In this case, run the scheduler from the command line
(dsmc schedule), wait until a scheduled backup starts, and enter the
encryption key when prompted. After the password and encryption key
are updated, restart the scheduler.
- When configuring the Tivoli Storage Manager scheduler
on a client workstation for the first time, the scheduler service
might be unable to authenticate to the server when the server contacts
the client scheduler to run a schedule. This can happen when the passwordaccess is
set to generate and the Tivoli Storage Manager server
is behind a firewall and the encrypted password cannot be locally
stored before the scheduler is started. To correct this problem, you
need to run the scheduler from the command line (dsmc schedule), wait
until a scheduled operation starts, and enter the password for your
node when prompted.
- The Tivoli Storage Manager
client cannot prompt for the encryption key password in scheduler
mode. If you are using Tivoli Storage
Manager data encryption, you must run an initial interactive backup
once to set up the encryption key by opening the TCP/IP connection
from the client workstation to the server workstation. See Method
1 for more information about setting up this communication. After
the encryption key is set, you can use server-initiated sessions to
back up the files using Tivoli Storage
Manager encryption.
If you set the sessioninitiation option
to client, the client initiates sessions with the server (Method
1) by communicating on the TCP/IP port defined with the server option tcpport.
This is the default. Server prompted scheduling can be used to prompt
the client to connect to the server.
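The two methods above impose rules that are easy to get wrong across two administrators (client tcpport equal to server tcpport and never equal to tcpadminport; for serveronly, tcpclientaddress equal to the node's HLAddress and tcpclientport equal to its LLAddress; webports fixed rather than 0). The following script is an added example, not IBM code and not part of Tivoli Storage Manager: it parses a constructed dsm.opt and a constructed REGISTER NODE command, applies those rules, and lists the firewall openings each method needs. The host name, addresses, ports and the tcpadminport value 1580 are made up for the sample, and only full option names are recognised (TSM's abbreviated option names are not handled).

```python
"""Firewall consistency check for TSM client/server settings (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample client options (dsm.opt). Host, addresses and ports are made up.
SAMPLE_DSM_OPT = """\
* dsm.opt for node WS01 -- constructed sample, not from a real site
TCPSERVERADDRESS   tsm.example.net
TCPPORT            1500
HTTPPORT           1581
WEBPORTS           1582 1583
SCHEDMODE          prompted
SESSIONINITIATION  serveronly
TCPCLIENTADDRESS   192.0.2.25
TCPCLIENTPORT      1501
PASSWORDACCESS     generate
"""
# Constructed sample server-side definition of the same node.
SAMPLE_REGISTER_NODE = ("REGISTER NODE WS01 secret DOMAIN=STANDARD "
                        "SESSIONINITIATION=serveronly HLADDRESS=192.0.2.25 LLADDRESS=1501")
SAMPLE_SERVER_TCPPORT = 1500     # server option tcpport (documented default)
SAMPLE_SERVER_ADMINPORT = 1580   # server option tcpadminport; assumed sample value


def parse_dsm_opt(text):
    """Return {option: value} with lower-case option names; '*' starts a comment line."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        opts[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return opts


def parse_node_command(cmd):
    """Return the KEY=VALUE parameters of a REGISTER NODE or UPDATE NODE command."""
    return {k.lower(): v for k, v in re.findall(r"(\w+)=(\S+)", cmd)}


@dataclass
class FirewallPlan:
    method: str                                    # "client" (Method 1) or "serveronly" (Method 2)
    openings: list = field(default_factory=list)   # (direction, "tcp/<port>", purpose)
    errors: list = field(default_factory=list)     # settings that break the chosen method
    warnings: list = field(default_factory=list)   # operational caveats from the text


def plan_firewall(opts, node, server_tcpport, server_adminport):
    plan = FirewallPlan(method=opts.get("sessioninitiation", "client").lower())
    client_tcpport = int(opts.get("tcpport", 1500))
    tcpclientport = int(opts.get("tcpclientport", 1501))
    schedmode = opts.get("schedmode", "polling").lower()
    # tcpport must match on both sides and must never be the administrative port.
    if client_tcpport != server_tcpport:
        plan.errors.append(f"client tcpport {client_tcpport} != server tcpport {server_tcpport}")
    if client_tcpport == server_adminport:
        plan.errors.append("client tcpport is the server's tcpadminport, which accepts administrative sessions only")
    if plan.method == "serveronly":
        # Method 2: the server dials the client, so the node definition must carry
        # the client's address and port exactly as the client options state them.
        if opts.get("tcpclientaddress") != node.get("hladdress"):
            plan.errors.append("tcpclientaddress must equal the node's HLAddress")
        if str(tcpclientport) != node.get("lladdress"):
            plan.errors.append("tcpclientport must equal the node's LLAddress")
        if schedmode != "prompted":
            plan.errors.append("serveronly only affects the scheduler in prompted mode; set schedmode prompted")
        if opts.get("passwordaccess", "").lower() == "generate":
            plan.warnings.append("store the node password first (one interactive dsmc schedule, or dsmcutil updatepw); "
                                 "the service cannot initiate authentication")
        plan.warnings.append("dsmc, the GUI and the web client still try to connect; the server rejects them for this node")
        plan.openings.append(("server->client", f"tcp/{tcpclientport}", "server-prompted scheduler sessions"))
    else:
        # Method 1: the client dials the server. A prompted scheduler also needs the server
        # to reach the client; remote web-client use needs httpport and both webports reachable.
        if node.get("sessioninitiation", "clientorserver").lower() == "serveronly":
            plan.errors.append("node is registered SESSIONINITiation=serveronly; client-initiated sessions will be rejected")
        plan.openings.append(("client->server", f"tcp/{client_tcpport}", "backup-archive client, scheduler, admin CLI"))
        if schedmode == "prompted":
            plan.openings.append(("server->client", f"tcp/{tcpclientport}", "scheduler prompt; client then reconnects"))
        if "httpport" in opts or "webports" in opts:
            plan.openings.append(("remote->client", f"tcp/{int(opts.get('httpport', 1581))}", "web client"))
            webports = [int(p) for p in opts.get("webports", "0 0").split()]
            if len(webports) != 2 or 0 in webports:
                plan.errors.append("webports is 0: TCP/IP picks two random ports that cannot be opened in advance")
            else:
                plan.openings.extend(("remote->client", f"tcp/{p}", "web client") for p in webports)
    return plan


def report(plan):
    """Render the plan as the list a firewall administrator would work from."""
    lines = [f"session initiation: {plan.method}"]
    lines += [f"  open {d:14} {p:9} {why}" for d, p, why in plan.openings]
    lines += [f"  ERROR: {e}" for e in plan.errors]
    lines += [f"  note:  {w}" for w in plan.warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(plan_firewall(parse_dsm_opt(SAMPLE_DSM_OPT), parse_node_command(SAMPLE_REGISTER_NODE),
                               SAMPLE_SERVER_TCPPORT, SAMPLE_SERVER_ADMINPORT)))
```

Run it against the real dsm.opt and the output of the server's QUERY NODE to catch the mismatches before opening tickets with the firewall team; for the sample above it reports a single server-to-client opening on tcp/1501 and the two password caveats from the notes.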
When using Tivoli Storage Manager across
a firewall, consider the following:
- In prompted mode the Tivoli Storage Manager server
needs to contact the client. In order to do this, some software might
need to be installed on the Tivoli Storage Manager server
to route the request through the firewall. This software routes the
server request through a socks port on the firewall. This is typically
called socksifying a system. Proxies are not supported, because
they only route a few types of communication protocols (HTTP, FTP,
GOPHER). Tivoli Storage Manager communications
are not routed by proxies. It is important to note that the client
creates a new connection to the Tivoli Storage Manager server
when prompted. This means that the firewall configuration discussed
above must be in place.