Contents

- Firewall Support Requirements and Implementation
- Firewall Support Quick Reference
- DPX Port Usage
  - Master Server
  - Management Console
  - Autoupdate
  - File or Raw
  - NDMP Backup of the NetApp storage system
  - Image
  - Block Backup
  - BMR
  - Instant Availability
  - Virtualization
  - DPX Proxy OVA
  - NDMP and Image Backups
- Configuration Scenarios
  - Configuration Scenario 1: Windows Platform
    - GUI node
    - Master server firewall changes
    - DPX client firewall changes
    - NetApp storage system firewall changes
  - Example 2
    - Client node firewall changes
    - NetApp storage system firewall changes
  - Example 3
    - NetApp storage system node firewall changes
    - Virtualization proxy node firewall changes
  - Example 4
    - W2K8R2 master server changes to firewall
    - W2K8 client node firewall changes
- Appendix A: Firewall NDMP Diagram
Firewall Support Requirements and Implementation
This document describes the DPX firewall features and the configuration settings that reduce the number of ports that must be opened in a firewall environment.

Firewall Support Quick Reference

Note that a port number is required for all features. Unlabelled ports are TCP; UDP ports are listed separately.

| Node Role | Description of the Node | Port Number |
|---|---|---|
| DPX master server | Contains the DPX Catalog and controls scheduling of all jobs. Only one master server per enterprise is allowed. | 80, 443, 6122, 6123, 6124, 9101, 9104, 9202, 10000, 10566, 15660; UDP: 6123, 6124 |
| DPX device server | A node that controls the tape device (physical or virtual). | 6123, 6124, 10000, 10566, 15660; UDP: 6123, 6124 |
| DPX client | Any node of the enterprise that can be protected. | 3260, 6123, 6124, 9104, 9202, 10000, 10001, 10566, 15660; UDP: 6123, 6124 |
| DPX Open Storage Server | Windows-attached storage that is managed by the DPX Open Storage Server, which communicates with the master server. | 3260, 3261, 6123, 6124, 9104, 9202, 10000, 10001, 10566, 15660; UDP: 6123, 6124 |
| DPX vStor | Linux-attached storage that is managed by DPX and communicates with the master server and clients. | 22, 111, 2049, 3260, 8900, 20048 |

| Feature Role | Description of the Feature | Port Number |
|---|---|---|
| HTTP and HTTPS | Internet ports, required for multiple features such as the user interface and an ESX server. | 80, 443 |
| DPX management console | A node where the DPX management console is running. Can be any node of the enterprise. | 6122, 6123 |
| NDMP proxy | A node used to communicate with the NetApp storage system. Can be any node of the enterprise. | 6123, 6124, 10000, 10566, 15660, plus the range 1024-2048 required for Block backup; UDP: 6123, 6124 |
| DPX Virtualization proxy | A node used to perform Instant or Full virtualization. Often configured to be a node that is close to the ESX server on the network. | 902, 6123, 10001; UDP: 902, 6123 |
| NOSB to Clustered Data ONTAP | Any client node that is backed up to or recovered from NetApp Clustered Data ONTAP storage using NFS. | 80, 111, 443, 635, 2049 |
| NetApp storage system | NetApp storage system node. | 3260, 10000, 10566 |
| DPX Open Storage Server | The DPX Open Storage Server as a platform for restore operations. | 3261 |
| Windows BMR | A Windows node used to recover data through DPX Bare Metal Recovery. | 3260 |
| Linux BMR | A Linux node used to recover data through DPX Bare Metal Recovery. | 6123, 10000, 10566, 15660 |
| LDAP server | | 389, 636 |
| ESX server | | 902, 3260 |
| Kroll SharePoint Object Recovery | | 49177 |
| DPX Proxy OVA | A node used to back up VMware and to perform Instant or Full virtualization. | 80, 111, 443, 635, 2049, 3260, 6123, 8900, 9102, 9104, 20048; UDP: 902, 6123 |
DPX Port Usage
The following lists describe the required firewall port configurations for each area of functionality. Each line reads "source node, source port, protocol -> destination node, destination port, protocol"; an asterisk (*) means any port.

Note: Open the NetBIOS Name Service UDP port 137 on the node's firewall if the Windows DPX node uses a hostname as its address.
Master Server
Master server * tcp -> LDAP server 389 tcp
Master server * tcp -> LDAP server (SSL) 636 tcp
Management Console
Mgmt console * tcp -> master server 6122 tcp
Mgmt console * tcp -> master server 6123 tcp
Mgmt console * tcp -> DPX client 6123 tcp
Autoupdate
Autoupdate * tcp -> master server 9101 tcp (autoupdate)
DPX node * tcp -> master server 9202 tcp (autoupdate)
Master server * tcp -> DPX client 9104 tcp (autoupdate data transfer)
Master server * tcp -> autoupdate.catalogicsoftware.com/support/ 443 tcp (autoupdate patch retrieval)
File or Raw
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> DPX device server 6123 tcp
DPX device server * tcp -> Master server 6123 tcp
DPX device server * tcp -> DPX client 6123 tcp
DPX node * tcp -> DPX device server 6123 tcp
NDMP Backup of the NetApp storage system
DPX client (proxy) node * tcp -> master server 6123 tcp
DPX client (proxy) node * udp -> master server 6123 udp
DPX client (proxy) node * udp -> master server 6124 udp
Master server * tcp -> DPX client (proxy) node 6123 tcp
DPX client (proxy) node 10000 ndmp -> NetApp storage system 10000 ndmp
NetApp storage system node 10000 ndmp -> DPX client (proxy) node 10000 ndmp
DPX device server node 10000 ndmp -> NetApp storage system node 10000 ndmp
NetApp storage system node 10000 ndmp -> DPX device server node 10000 ndmp
Image
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> DPX client 10000 tcp
DPX client * tcp -> DPX device server node * tcp (data flow)
Block Backup
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX node 6123 tcp
Master server * tcp -> NDMP proxy 6123 tcp
NDMP proxy * tcp -> NetApp storage system 10000 tcp
NDMP proxy * tcp -> DPX node 10000 tcp
NDMP proxy * tcp -> DPX node 6123 tcp
DPX node * tcp -> NetApp storage system 3260 tcp
Master server * tcp -> NetApp storage system 10000 tcp
NetApp storage system * tcp -> DPX client 10566 tcp
DPX node * tcp -> NetApp storage system 10566 tcp
DPX node * tcp -> NetApp storage system 80/443 (SSL) tcp
Master server * tcp -> DPX node 10000 tcp
BMR
Note: ICMP is used to check the specified gateway of the BMR node during restore; however, allowing ICMP traffic through the firewall is not necessary with recent versions of the BMR ISO.

BMR node * tcp -> DPX Open Storage Server 3260 tcp
BMR node * tcp -> DPX Open Storage Server 10001 tcp
BMR node * tcp -> NetApp storage system 3260 tcp
BMR node * tcp -> NetApp storage system 80/443 (SSL) tcp
Instant Availability
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
DPX node * tcp -> NetApp storage system or DPX Open Storage Server 3260 tcp
DPX node * tcp -> NetApp storage system 80/443 (SSL) tcp
Master server * tcp -> DPX client 6123 tcp
Master server * tcp -> NetApp storage system 10000 tcp
Virtualization
DPX node * tcp -> master server 6123 tcp
DPX node * udp -> master server 6123 udp
DPX node * udp -> master server 6124 udp
Master server * tcp -> DPX node 6123 tcp
Virtualization proxy * udp -> ESX VM * udp (TFTP transfer)
ESX VM * tcp -> NetApp storage system or Advanced Server 3260 tcp
ESX VM * tcp -> NetApp storage system 80/443 (SSL) tcp
Master server * tcp -> DPX Open Storage Server 10000 tcp
DPX client * tcp -> ESX VM 10000 tcp
DPX client * tcp -> DPX Open Storage Server 10000 tcp
Virtualization proxy * tcp -> DPX Open Storage Server 10001 tcp
Virtualization proxy * tcp -> ESX VM 10001 tcp
DPX Proxy OVA
DPX Proxy OVA * tcp <-> ESXi / vCenter 80, 443, 3260 tcp
DPX Proxy OVA * udp <-> ESXi / vCenter 902 udp
DPX Proxy OVA * tcp <-> DPX master 111, 635, 2049, 3260, 6123, 9102, 9104, 20048 tcp
DPX Proxy OVA * udp <-> DPX master 6123 udp
DPX Proxy OVA * tcp <-> Storage 111, 635, 2049, 3260, 8900, 20048 tcp
NDMP and Image Backups
Limit the port range that NDMP and Image backups may use with the NIB_PORT_RANGE option. Note that the number of ports in the range must be at least as large as the number of concurrent NDMP operations.

To configure the NIB_PORT_RANGE variable:

- Open the Parameter Configuration Interface in the DPX management console.
- Select the "nibbler (Advanced data/device server)" module on the Advanced Server tape server node.
- With Basic Visibility enabled, check the NIB_PORT_RANGE option and define the range of ports, e.g., 8000-8003.
- Ensure that the corresponding TCP port range remains open on the firewall.
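The two constraints in this procedure (the range must hold at least as many ports as there are concurrent NDMP operations, and the same range must be opened on the firewall) are easy to get wrong by hand. The following Python script is an added example, not part of this document or of DPX itself: it validates a proposed NIB_PORT_RANGE value against the expected concurrency, flags overlap with the fixed DPX ports listed in the Quick Reference above, and renders the matching iptables rule for a Linux Advanced Server. The set of fixed ports is copied from this page; the source address and the candidate ranges are constructed sample values.

```python
import re

# Ports the Quick Reference table on this page assigns to fixed DPX listeners
# (TCP and UDP combined). A NIB_PORT_RANGE that overlaps them would make the
# nibbler compete with those services for the same port numbers.
FIXED_DPX_PORTS = {
    22, 80, 111, 389, 443, 635, 636, 902, 2049, 3260, 3261, 6122, 6123, 6124,
    8900, 9101, 9102, 9104, 9202, 10000, 10001, 10566, 15660, 20048, 49177,
}

_RANGE_RE = re.compile(r"^\s*(\d{1,5})\s*-\s*(\d{1,5})\s*$")


def parse_port_range(value: str) -> range:
    """Turn a NIB_PORT_RANGE string such as '8000-8003' into a Python range
    that includes the upper bound. Raises ValueError for malformed input."""
    m = _RANGE_RE.match(value)
    if not m:
        raise ValueError(f"NIB_PORT_RANGE must look like LOW-HIGH, got {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"need 1 <= LOW <= HIGH <= 65535, got {value!r}")
    return range(low, high + 1)


def check_nib_port_range(value: str, concurrent_ndmp_ops: int) -> list[str]:
    """Return the problems found with a proposed range; an empty list means the
    range is acceptable for the given number of concurrent NDMP operations."""
    ports = parse_port_range(value)
    problems = []
    if len(ports) < concurrent_ndmp_ops:
        problems.append(
            f"range {value} has {len(ports)} ports but {concurrent_ndmp_ops} "
            "concurrent NDMP operations are expected"
        )
    clash = sorted(FIXED_DPX_PORTS.intersection(ports))
    if clash:
        problems.append(f"range {value} overlaps fixed DPX ports {clash}")
    if ports.start < 1024:
        problems.append(f"range {value} includes privileged ports below 1024")
    return problems


def iptables_rule_for_range(value: str, source: str) -> str:
    """Render the single inbound rule that keeps the range open on a Linux
    device server. 'source' is the address or CIDR of the node that opens the
    NDMP data connections (a constructed value in the usage below)."""
    ports = parse_port_range(value)
    return (
        f"iptables -A INPUT -p tcp -s {source} "
        f"--dport {ports.start}:{ports[-1]} -j ACCEPT"
    )


if __name__ == "__main__":
    # Constructed candidates: the page's own example, one that is too small
    # for six concurrent operations, and one that collides with 6122-6124.
    for candidate, ops in (("8000-8003", 4), ("8000-8003", 6), ("6120-6130", 2)):
        issues = check_nib_port_range(candidate, ops)
        print(candidate, ops, "OK" if not issues else issues)
    print(iptables_rule_for_range("8000-8003", "192.0.2.10"))
```

Restricting the rule to the source address of the NDMP peer, rather than opening the range to any host, keeps the exposure to the one node that legitimately opens data connections.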
Configuration Scenarios
Configuration Scenario 1: Windows Platform
A networked environment typically consists of one or more of the following DPX network node types:

| Node type | Description |
|---|---|
| GUI | DPX management console run from Internet Explorer 8. |
| Master | DPX master server with the single port option enabled |
| Client | DPX client with the single port option enabled |
| NetApp storage system | DPX client with the single port option enabled |
GUI node:
Add the master server as a trusted site in Internet Explorer. No changes are necessary to the Windows firewall.

Master server firewall changes:

| Port | Used by |
|---|---|
| 6122 | GUI |
| 6123 | GUI, CMAGENT |
| 6123 (UDP) | central logger |
| 6124 (UDP) | job monitor |
| 9101 | Autoupdate GUI |
| 10000 | NDMP |

DPX client firewall changes:

| Port | Used by |
|---|---|
| 6123 | CMAGENT |
| 9104 | Autoupdate patch push |
| 9202 | Autoupdate scan |
| 10000 | NDMP |

NetApp storage system firewall changes:

| Port | Used by |
|---|---|
| 6123 | CMAGENT |
| 10000 | NDMP |
Example 2
The following additional Windows firewall changes are necessary to make the volume backed up in Example 1 instantly available on the client node:

Client node firewall changes:

Enable and add the Microsoft iSCSI Initiator Service as a firewall exception.

NetApp storage system firewall changes:

| Port | Used by |
|---|---|
| 3260 | iSCSI |
Example 3
The following DPX nodes have been added to the Example 1 network environment:

| Node type | Description |
|---|---|
| NetApp storage system | DPX Advanced Server running on W2K8 x64 with the Single Port option enabled |
| Virtualization proxy | DPX device node running XP SP3 with the Single Port option enabled |

NetApp storage system node firewall changes:

Enable the firewall with the recommended settings: Core Networking and File and Printer Sharing exceptions enabled.

| Port | Used by |
|---|---|
| 6123 | CMAGENT |
| 10000 | NDMP |
| 10001 | IV client |
| 3260 | iSCSI |

Virtualization proxy node firewall changes:

| Port | Used by |
|---|---|
| 6123 | CMAGENT |
Example 4
To add a DPX W2K8 client node to a DPX W2K8R2 master server node and perform a file backup of files on the client, where both machines have the single port option and a Windows firewall enabled, the following Windows firewall TCP port exceptions are necessary:

W2K8R2 master server changes to firewall:

Enable the firewall with the recommended settings: Core Networking and File and Printer Sharing exceptions enabled.

| Rule | Used by |
|---|---|
| 6123 inbound rule | CMAGENT |
| 6123 UDP inbound rule | central logger |
| 6124 UDP inbound rule | job monitor |

W2K8 client node firewall changes:

Enable the firewall with the recommended settings: Core Networking and File and Printer Sharing exceptions enabled.

| Port | Used by |
|---|---|
| 6123 | CMAGENT |
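The per-node inbound exceptions in Examples 1 and 4 are exactly what you get by reading the flow lines of the DPX Port Usage section from the destination's point of view. The following Python script is an added example, not part of this document or of DPX: it parses lines written in that "source port proto -> destination port proto" notation (including the page's irregular spellings such as "*tcp", "80 /443(SSL)" and trailing remarks in parentheses), groups the destination ports by node, and renders the Windows inbound rules a node needs as New-NetFirewallRule commands. The six sample lines are copied from the File or Raw and Block Backup lists above; the rule display names are an assumption of this example.

```python
import re
from collections import defaultdict

# Flow lines in the notation used by the DPX Port Usage section of this page,
# copied from the File or Raw and Block Backup lists.
SAMPLE_FLOWS = [
    "DPX node * tcp -> master server 6123 tcp",
    "DPX node * udp -> master server 6123 udp",
    "DPX node * udp -> master server 6124 udp",
    "Master server * tcp -> DPX client 6123 tcp",
    "NDMP proxy *tcp -> NetApp storage system 10000 tcp",
    "DPX node * tcp -> NetApp storage system 80 /443(SSL) tcp",
]


def normalize(line: str) -> str:
    """Smooth the small irregularities in the page's notation so that one
    tokenizer handles every line."""
    line = line.replace("(SSL)", "")                        # "443(SSL)" -> "443"
    line = re.sub(r"\s*\([^)]*\)\s*$", "", line)            # drop trailing remarks such as "(data flow)"
    line = re.sub(r"\*\s*(tcp|udp|ndmp)", r"* \1", line)    # "*tcp" -> "* tcp"
    line = re.sub(r"\s*/\s*", "/", line)                    # "80 /443" -> "80/443"
    return re.sub(r"\s+", " ", line).strip()


def parse_flow(line: str) -> tuple[str, str, str, tuple[int, ...]]:
    """Return (source node, destination node, protocol, destination ports).
    Node names are lower-cased so that 'Master server' and 'master server'
    refer to the same host; a '*' destination port yields an empty tuple."""
    left, right = normalize(line).split("->")
    ltok, rtok = left.split(), right.split()
    src = " ".join(ltok[:-2]).lower()                       # drop "<port> <proto>"
    dst_words = rtok[:-2]
    if dst_words and dst_words[-1] == "*":                  # "NetApp storage system * 80/443 tcp"
        dst_words = dst_words[:-1]
    dst = " ".join(dst_words).lower()
    port_field, proto = rtok[-2], rtok[-1].lower()
    if proto == "ndmp":                                     # the page's NDMP rows are TCP port 10000
        proto = "tcp"
    ports = () if port_field == "*" else tuple(int(p) for p in port_field.split("/"))
    return src, dst, proto, ports


def inbound_ports(lines) -> dict[str, list[tuple[str, int]]]:
    """Map each destination node to the sorted (proto, port) pairs it must accept."""
    table = defaultdict(set)
    for line in lines:
        _, dst, proto, ports = parse_flow(line)
        for port in ports:
            table[dst].add((proto, port))
    return {node: sorted(pairs) for node, pairs in table.items()}


def windows_rules(node: str, lines) -> list[str]:
    """Render the New-NetFirewallRule commands for one node's inbound exceptions.
    The display names are this example's own convention, not a DPX one."""
    rules = []
    for proto, port in inbound_ports(lines).get(node.lower(), []):
        rules.append(
            f"New-NetFirewallRule -DisplayName 'DPX {proto.upper()} {port}' "
            f"-Direction Inbound -Protocol {proto.upper()} -LocalPort {port} -Action Allow"
        )
    return rules


if __name__ == "__main__":
    for node, pairs in inbound_ports(SAMPLE_FLOWS).items():
        print(node, pairs)
    print("\n".join(windows_rules("Master server", SAMPLE_FLOWS)))
```

For the master server the three rendered rules are the same TCP 6123, UDP 6123 and UDP 6124 inbound exceptions that Example 4 lists by hand; feeding the script the full list for a feature gives the minimal inbound set for each role, and any port that is not produced this way has no documented reason to be open.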
Appendix A: Firewall NDMP Diagram