Firewall Support Requirements and Implementation

Contents
Firewall Support Requirements and Implementation.
Firewall Support Quick Reference.
DPX Port Usage.
Master Server
Management Console.
Autoupdate.
File or Raw.
NDMP Backup of the NetApp storage system.
Image.
Block Backup.
BMR.
Instant Availability.
Virtualization.
NDMP and Image Backups.
Configuration Scenarios.
Configuration Scenario 1: Windows Platform.
GUI node:
Master server firewall changes:
DPX client firewall changes:
NetApp storage system firewall changes:
Example 2.
Client node firewall changes:
NetApp storage system firewall changes:
Example 3.
NetApp storage system node firewall changes:
Virtualization proxy node firewall changes:
Example 4.
W2K8R2 master server changes to firewall:
W2K8 client node firewall changes:
Appendix A: Firewall NDMP Diagram.
 

Firewall Support Requirements and Implementation

This document describes firewall features and configuration settings for reducing the number of ports in a firewall environment.

Firewall Support Quick Reference

Note that a port number is required for all features.
Node Role | Description of the Node | Port Number
DPX master server | Contains the DPX Catalog and controls scheduling of all jobs. Only one master server per enterprise is allowed. | 80, 443, 6122, 6123, 6124, 9101, 9104, 9202, 10000, 10566, 15660; UDP: 6123, 6124
DPX device server | A node that controls the tape device (physical or virtual). | 6123, 6124, 10000, 10566, 15660; UDP: 6123, 6124
DPX client | Any node of the enterprise that can be protected. | 3260, 6123, 6124, 9104, 9202, 10000, 10001, 10566, 15660; UDP: 6123, 6124
DPX Open Storage Server | Windows-attached storage that is managed by the DPX open storage server, which communicates with the master server. | 3260, 3261, 6123, 6124, 9104, 9202, 10000, 10001, 10566, 15660; UDP: 6123, 6124
DPX vStor | Linux-attached storage that is managed by the DPX and communicates with the master server and clients. | 22, 111, 2049, 3260, 8900, 20048

Feature Role | Description of the Feature | Port Number
http and https | Internet ports, required for multiple features such as the user interface and an ESX server. | 80, 443
DPX management console | A node where the DPX management console is running. Can be any node of the enterprise. | 6122, 6123
NDMP proxy | A node used to communicate with the NetApp storage system. Can be any node of the enterprise. | 6123, 6124, 10000, 10566, 15660; required range for Block backup: 1024-2048; UDP: 6123, 6124
DPX Virtualization proxy | A node used to perform Instant or Full virtualization. Often configured to be a node that is close to the ESX server on the network. | 902, 6123, 10001; UDP: 902, 6123
NOSB to Clustered Data ONTAP | Any client node that is backed up to or recovered from NetApp Clustered Data ONTAP storage using NFS. | 111, 635, 2049, 80, 443
NetApp storage system | NetApp storage system node. | 3260, 10000, 10566
DPX Open Storage Server | The DPX Open Storage Server as a platform for restore operations. | 3261
Windows BMR | A Windows node used to recover data through DPX Bare Metal Recovery. | 3260
Linux BMR | A Linux node used to recover data through DPX Bare Metal Recovery. | 6123, 10000, 10566, 15660
LDAP Server | | 389, 636
ESX server | | 902, 3260; UDP: 902
Kroll SharePoint Object Recovery | | 49177

DPX Port Usage

The following tables describe the required firewall port configurations for each area of functionality.
Note: Open the NetBIOS Naming Service UDP port 137 on the node’s firewall if the Windows DPX node uses a hostname as its address.

Master Server

Master Server * tcp -> LDAP server 389 tcp
Master Server * tcp -> LDAP server (SSL) 636 tcp

Management Console

Mgmt console * tcp -> master server 6122 tcp
Mgmt console * tcp -> master server 6123 tcp
Mgmt console * tcp -> DPX client 6123 tcp

Autoupdate

Autoupdate * tcp -> master server 9101 tcp (autoupdate)
DPX node * tcp -> Master server 9202 tcp (autoupdate)
Master server * tcp -> DPX client 9104 tcp (autoupdate data transfer)
Master server * tcp -> autoupdate.catalogicsoftware.com/support/ 443 tcp (autoupdate patch retrieval)

File or Raw

DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> DPX device server 6123 tcp
DPX device server * tcp -> Master server 6123 tcp
DPX device server * tcp -> DPX client 6123 tcp
DPX node * tcp -> DPX device server 6123 tcp
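
The rows above can be turned into per-node inbound rules that allow only the listed sources rather than opening the port to everyone. The following is an added example, not Catalogic code: it parses the "File or Raw" rows and emits `netsh advfirewall` commands for each destination node. The IP addresses and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Rows copied from the "File or Raw" table on this page.
FILE_OR_RAW = """\
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> DPX device server 6123 tcp
DPX device server * tcp -> Master server 6123 tcp
DPX device server * tcp -> DPX client 6123 tcp
DPX node * tcp -> DPX device server 6123 tcp
"""
# Constructed addresses (RFC 5737 documentation range), not from the page.
ADDRS = {"master server": "192.0.2.10", "dpx device server": "192.0.2.20",
         "dpx client": "192.0.2.30"}
FLOW = re.compile(r"^(?P<src>.+?)\s*\*\s*(?:tcp|udp)\s*->\s*(?P<dst>.+?)"
                  r"\s+(?P<port>\d+)\s+(?P<proto>tcp|udp)$", re.I)

def inbound_rules(table):
    """Group rows by destination: {dst: {(PROTO, port): {src, ...}}}."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in filter(None, map(str.strip, table.splitlines())):
        m = FLOW.match(line)
        if not m:  # fail closed rather than silently dropping a row
            raise ValueError(f"unrecognised flow row: {line!r}")
        key = (m["proto"].upper(), int(m["port"]))
        rules[m["dst"].lower()][key].add(m["src"].lower())
    return rules

def netsh_commands(rules, addrs):
    """One source-scoped inbound allow rule per (destination, protocol, port)."""
    cmds = {}
    for dst, ports in rules.items():
        for (proto, port), srcs in sorted(ports.items()):
            ips = set()
            for src in srcs:
                # "dpx node" is any DPX node: expand it to every known address.
                ips |= {addrs[src]} if src in addrs else set(addrs.values())
            ips.discard(addrs[dst])  # a node never needs a rule for itself
            cmds.setdefault(dst, []).append(
                f'netsh advfirewall firewall add rule name="DPX {proto} {port}" '
                f"dir=in action=allow protocol={proto} localport={port} "
                f"remoteip={','.join(sorted(ips))}")
    return cmds

if __name__ == "__main__":
    for node, lines in netsh_commands(inbound_rules(FILE_OR_RAW), ADDRS).items():
        print(f"# {node}", *lines, sep="\n")
```

Rows whose port column is not a single number (for example the `80/443(SSL)` and `ndmp` rows in other tables) raise an error instead of being skipped, so they have to be split by hand before they are fed in.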

NDMP Backup of the NetApp storage system

DPX client (proxy) node * tcp -> master server 6123 tcp
DPX client (proxy) node * udp -> master server 6123 udp
DPX client (proxy) node * udp -> master server 6124 udp
Master server * tcp -> DPX client (proxy) node 6123 tcp
DPX client (proxy) node 10000 ndmp -> NetApp storage system 10000 ndmp
NetApp storage system node 10000 ndmp -> DPX client (proxy) node 10000 ndmp
DPX device server node 10000 ndmp -> NetApp storage system node 10000 ndmp
NetApp storage system node 10000 ndmp -> DPX device server node 10000 ndmp

Image

DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> DPX client 10000 tcp
DPX client * tcp -> DPX device server node * tcp (data flow)

Block Backup

DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX node 6123 tcp
Master server * tcp -> NDMP proxy 6123 tcp
NDMP proxy * tcp -> NetApp storage system 10000 tcp
NDMP proxy * tcp -> DPX node 10000 tcp
NDMP proxy * tcp -> DPX node 6123 tcp
DPX node * tcp -> NetApp storage system 3260 tcp
Master server * tcp -> NetApp storage system 10000 tcp
NetApp storage system * tcp -> DPX client 10566 tcp
DPX node * tcp -> NetApp storage system 10566 tcp
DPX node * tcp -> NetApp storage system 80/443(SSL) tcp
Master server * tcp -> DPX node 10000 tcp

BMR

Note: ICMP is used to check the specified gateway of the BMR node during restore; however, allowing ICMP traffic through the firewall is not necessary with recent versions of the BMR ISO.
BMR node * tcp -> DPX Open Storage Server 3260 tcp
BMR node * tcp -> DPX Open Storage Server 10001 tcp
BMR node * tcp -> NetApp storage system 3260 tcp
BMR node * tcp -> NetApp storage system * 80/443(SSL) tcp

Instant Availability

DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
DPX node * tcp -> NetApp storage system or DPX Open Storage Server 3260 tcp
DPX node * tcp -> NetApp storage system 80/443(SSL) tcp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> NetApp storage system 10000 tcp

Virtualization

DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX node 6123 tcp
Virtualization proxy * udp -> ESX VM * udp (TFTP transfer)
ESX VM * tcp -> NetApp storage system or Advanced Server 3260 tcp
ESX VM * tcp -> NetApp storage system 80/443(SSL) tcp
Master server * tcp -> DPX Open Storage Server 10000 tcp
DPX client * tcp -> ESX VM 10000 tcp
DPX client * tcp -> DPX Open Storage Server 10000 tcp
Virtualization proxy * tcp -> DPX Open Storage Server 10001 tcp
Virtualization proxy * tcp -> ESX VM 10001 tcp

NDMP and Image Backups

Limit the available port range configuration using the NIB_PORT_RANGE option. Note that the number of ports in the range must be at least as many as the number of concurrent NDMP operations.
To configure the NIB_PORT_RANGE variable:
  1. Open the Parameter Configuration Interface in the DPX management console.
  2. Select the “nibbler (Advanced data/device server)” module on the Advanced Server tape server node.
  3. With Basic Visibility enabled, check the NIB_PORT_RANGE option and define the range of ports, e.g., 8000-8003.
  4. Ensure that the corresponding TCP port range remains open on the firewall.
See “Chapter 19: Parameter Configuration Interface” in the DPX Reference Guide.
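
Before entering a range in step 3, it can be checked against the sizing rule above. The following is an added example, not part of the DPX product: the function name is hypothetical, and the overlap check against the fixed ports from the quick reference table is this example's own sanity check rather than a requirement stated in this article.

```python
import re

# TCP ports the quick reference on this page lists for the DPX master server
# and device server. Keeping NIB_PORT_RANGE clear of them is an assumption of
# this example, not a rule stated by the page.
DPX_FIXED_TCP = {80, 443, 6122, 6123, 6124, 9101, 9104, 9202,
                 10000, 10566, 15660}

def check_nib_port_range(value, concurrent_ndmp_ops, fixed=DPX_FIXED_TCP):
    """Return a list of problems with a NIB_PORT_RANGE value like '8000-8003'."""
    m = re.fullmatch(r"\s*(\d{1,5})\s*-\s*(\d{1,5})\s*", value)
    if not m:
        return [f"{value!r} is not in LOW-HIGH form"]
    low, high = int(m[1]), int(m[2])
    if not (1 <= low <= high <= 65535):
        return [f"{low}-{high} is not an ascending range within 1-65535"]
    problems = []
    size = high - low + 1
    # The page's rule: at least one port per concurrent NDMP operation.
    if size < concurrent_ndmp_ops:
        problems.append(f"range holds {size} ports but {concurrent_ndmp_ops} "
                        "concurrent NDMP operations are planned")
    clash = sorted(p for p in fixed if low <= p <= high)
    if clash:
        problems.append(f"range overlaps fixed DPX ports {clash}")
    return problems

if __name__ == "__main__":
    for spec, ops in [("8000-8003", 4), ("8000-8003", 5), ("9100-9105", 2)]:
        print(spec, ops, check_nib_port_range(spec, ops) or "ok")
```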

Configuration Scenarios

Configuration Scenario 1: Windows Platform

A networked environment typically consists of one or more of the following DPX network node types:
GUI | DPX management console run from Internet Explorer 8.
Master | DPX master server with single port option enabled
Client | DPX client with single port option enabled
NetApp storage system | DPX client with single port option enabled
Each node runs a Windows firewall. Open the following TCP ports by adding them as a Windows firewall port exception before attempting to perform any backup operations.

GUI node:

Add the master server as trusted site to Internet Explorer.
No changes necessary to Windows firewall.

Master server firewall changes:

6122 | GUI
6123 | GUI, CMAGENT
6123 (UDP) | central logger
6124 (UDP) | job monitor
9101 | Autoupdate GUI
10000 | NDMP

DPX client firewall changes:

6123 | CMAGENT
9104 | Autoupdate patch push
9202 | Autoupdate scan
10000 | NDMP

NetApp storage system firewall changes:

6123 | CMAGENT
10000 | NDMP

Example 2

The following additional Windows firewall changes are necessary to make the volume backed up in example 1 instantly available on the client node:

Client node firewall changes:

Enable and add Microsoft iSCSI Initiator Service as a firewall exception.

NetApp storage system firewall changes:

3260 | iSCSI

Example 3

The following DPX nodes have been added to the example 1 network environment.
 
NetApp storage system | DPX Advanced server running on W2K8 x64 with Single Port option enabled
Virtualization proxy | DPX device node running XP SP3 with Single Port option enabled
Each of the above nodes is running Windows Firewall. Open the following TCP ports by adding them as Windows firewall port exceptions to perform a virtualization backup or recovery:

NetApp storage system node firewall changes:

Enable firewall with recommended settings: Core Networking & File and Printer Sharing exceptions enabled.
6123 | CMAGENT
10000 | NDMP
10001 | IV client
3260 | iSCSI

Virtualization proxy node firewall changes:

6123 | CMAGENT

Example 4

To add a DPX W2K8 client node to a DPX W2K8R2 master server node and perform a file backup of files on the client, where both machines have the single port option and a Windows firewall enabled, the following Windows firewall TCP port exceptions are necessary:

W2K8R2 master server changes to firewall:

Enable firewall with recommended settings: Core Networking & File and Printer Sharing exceptions enabled.
6123 inbound rule | CMAGENT
6123 UDP inbound rule | central logger
6124 UDP inbound rule | job monitor

W2K8 client node firewall changes:

Enable firewall with recommended settings: Core Networking & File and Printer Sharing exceptions enabled.
6123 | CMAGENT
 

Appendix A: Firewall NDMP Diagram

[Image: Firewall NDMP diagram]
 
Reference Document 
Article Type: Long Form
Article Number: 000005004
Last Modified Date: 2/6/2019 2:11 PM
Article Created Date: 4/5/2017 4:16 PM
