My site has installed a filewall. Eventually all systems that need to be accessible from the Internet will be outside the firewall, and all systems used exclusively by our own staff and students will be inside the firewall. We would like to use our existing TSM server to back up the systems outside the firewall as well as those inside. As far as I can tell, there are essentially only two approaches to doing this.
The first approach is to configure the firewall to pass TCP traffic to and from port 1500 on the TSM server and configure clients outside the firewall to use polling mode scheduling. Some of my co-workers have suggested a variant of this approach in which the TSM server and its clients would be reconfigured to use a different port. The hope is that this would reduce the risk of attacks that depended on knowing the port number for TSM. There are some concerns about the firewall's ability to handle the volume of traffic to and from the TSM server. The second approach is to equip the TSM server with an additional network interface connected to the subnet outside the firewall. Our TSM server currently runs under OS/390, with one TCP/IP address space dedicated to supporting TSM connections. We could either configure the existing address space to support the new interface or add another address space to support the new interface. How are other TSM sites dealing with firewalls? Is there any security advantage in using a port other than 1500 for TSM? If we select the second approach, is there any security advantage in a separate TCP/IP address space for the new network interface?
