One of our TSM AIX servers has several clients outside the firewall; we just opened port 1500 for its IP address. We normally run in polling mode, anyway.
The only problem we have seen was timeouts caused by the firewall. Apparently some firewall software is set up to close the connection if traffic stops for more than x minutes/seconds. Sometimes a TSM client will spend enough time noodling around in its directories, without actually sending anything, that it exceeds the firewall timeout. The result you see in TSM is errors on both the client and server indicating a network problem, where the TSM session gets terminated, then restarts, then terminates, then restarts...

All you have to do is have the firewall administrator update the parms for that port/connection to allow a longer timeout value. Since we did that, no problems at all.

************************************************************************
Wanda Prather
The Johns Hopkins Applied Physics Lab
443-778-8769
[EMAIL PROTECTED]

"Intelligence has much less practical application than you'd think" - Scott Adams/Dilbert
************************************************************************

-----Original Message-----
From: Sam Sheppard [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 5:35 PM
To: [EMAIL PROTECTED]
Subject: Dealing with firewalls

---------------------------- Top of message ----------------------------
>>--> 01-04-02 14:29 S.SHEPPARD (SHS) Dealing with firewalls

I can comment on a couple of things we saw in a similar configuration. One of our TSM OS/390 servers has a client behind a firewall. We just opened up the appropriate ports and everything worked fine, except the performance was terrible. We installed an additional OSA card attached directly to the switch on the subnet behind the firewall and performance improved by a factor of 10.

Sam Sheppard
San Diego Data Processing Corp.
-----------------------------------------------------------------------

---------------------------- Top of message ----------------------------
>>--> 01-04-02 13:01 ..NETMAIL () Dealing with firewalls

Date: Fri, 4 Jan 2002 15:38:19 -0500
From: "Thomas Denier" <[EMAIL PROTECTED]>
Subject: Dealing with firewalls
To: [EMAIL PROTECTED]

My site has installed a firewall. Eventually all systems that need to be accessible from the Internet will be outside the firewall, and all systems used exclusively by our own staff and students will be inside the firewall. We would like to use our existing TSM server to back up the systems outside the firewall as well as those inside. As far as I can tell, there are essentially only two approaches to doing this.

The first approach is to configure the firewall to pass TCP traffic to and from port 1500 on the TSM server and configure clients outside the firewall to use polling mode scheduling. Some of my co-workers have suggested a variant of this approach in which the TSM server and its clients would be reconfigured to use a different port. The hope is that this would reduce the risk of attacks that depended on knowing the port number for TSM. There are some concerns about the firewall's ability to handle the volume of traffic to and from the TSM server.

The second approach is to equip the TSM server with an additional network interface connected to the subnet outside the firewall. Our TSM server currently runs under OS/390, with one TCP/IP address space dedicated to supporting TSM connections. We could either configure the existing address space to support the new interface or add another address space to support the new interface.

How are other TSM sites dealing with firewalls? Is there any security advantage in using a port other than 1500 for TSM?
If we select the second approach, is there any security advantage in a separate TCP/IP address space for the new network interface?

-----------------------------------------------------------------------
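The terminate/restart cycle described in the first reply can be spotted from the server side before asking for a firewall timeout change. The following is an added example, not part of the original thread: it assumes activity-log lines carrying the TSM server messages ANR0406I (session started), ANR0403I (session ended) and ANR0480W (connection with client severed); the line layout, node names and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the "date time msgid text" layout is an assumption.
SAMPLE_LOG = """\
01/04/2002 02:00:05 ANR0406I Session 101 started for node WEBSRV1 (AIX).
01/04/2002 02:05:00 ANR0406I Session 104 started for node MAILSRV (Linux).
01/04/2002 02:16:40 ANR0480W Session 101 for node WEBSRV1 (AIX) terminated - connection with client severed.
01/04/2002 02:17:10 ANR0406I Session 102 started for node WEBSRV1 (AIX).
01/04/2002 02:33:02 ANR0480W Session 102 for node WEBSRV1 (AIX) terminated - connection with client severed.
01/04/2002 02:33:30 ANR0406I Session 103 started for node WEBSRV1 (AIX).
01/04/2002 02:40:00 ANR0403I Session 104 ended for node MAILSRV (Linux).
01/04/2002 02:49:45 ANR0480W Session 103 for node WEBSRV1 (AIX) terminated - connection with client severed.
01/04/2002 03:00:00 ANR0406I Session 105 started for node DBSRV (AIX).
01/04/2002 03:10:00 ANR0480W Session 105 for node DBSRV (AIX) terminated - connection with client severed.
"""

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (ANR\d{4}[IWE]) "
    r"Session (\d+) (?:started |ended )?for node (\S+)"
)

def severed_sessions(log_text):
    """Map node -> [(time severed, seconds the session had been alive or None)]."""
    started, drops = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        msg, session, node = m.group(2), m.group(3), m.group(4)
        if msg == "ANR0406I":
            started[session] = ts
        elif msg == "ANR0480W":
            begin = started.pop(session, None)
            drops[node].append((ts, int((ts - begin).total_seconds()) if begin else None))
    return drops

def flapping_nodes(log_text, min_drops=3, window=timedelta(hours=1)):
    """Nodes with at least min_drops severed sessions inside any one window."""
    result = {}
    for node, events in severed_sessions(log_text).items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - min_drops + 1):
            if times[i + min_drops - 1] - times[i] <= window:
                result[node] = [alive for _, alive in events]
                break
    return result

if __name__ == "__main__":
    print(flapping_nodes(SAMPLE_LOG))
```

Session lifetimes that cluster around one value, as they do for the constructed WEBSRV1 node here, are a hint to compare against the firewall's idle timeout for that port.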