Firewall Wizards mailing list archives

Backup exec agent in dmz


From: yehuda <yehuda () essutton com>
Date: Tue, 10 Jun 2003 11:45:17 -0400

Hi, I was wondering if anyone has ideas or a solution for this problem:

I'm trying to set up reliable backup of 3 servers in a dmz network: a
mail/antivirus server, a dns server, and a web server.
The mail server is running windows NT and the other two are Redhat linux.

I have a windows 2000 server running backup exec version 9 on the primary
network connected to a ten thousand dollar tape loader, and I'd rather not
have to set up a separate backup system for the dmz computers.

The networks are segmented by a pix 515 with three interfaces, one for the
inside, one for the outside, and one for the dmz.

The primary network has unrestricted access to the dmz, but computers on the
dmz network need specific permission - by ip and port - to connect to
servers in the primary network.

I installed the backup exec unix agent on the two linux machines in the dmz.
According to veritas's website,
(http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101
and 1024-65535 both ways, because the unix agent uses rpc.

I don't have a problem giving dmz machines access to port 6101 on the backup
server, but I'd rather not give the dmz machines access to 1024-65535 on the
backup server. The backup server is a domain controller for our active
directory, as well as an internal ms-exchange mail server. I could filter
off the listening ports over 1024, but then if I don't keep watching it,
someone might install an app that listens above 1024, which would then be
available to the dmz.

They have a workaround for windows, by reconfiguring dcom and rpc to only
use specific ports, but it seems from the above-referenced document that
such an option isn't available for the unix agent.

Any ideas?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
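
An added example, not part of the original post: a small audit for the drift the poster describes, where a new listener above 1024 on the backup server becomes reachable from the DMZ once 1024-65535 is permitted. The `netstat -an` sample, the deny list, the expected set and the first-match rule model are constructed assumptions for illustration.

```python
import re

# Constructed sample of `netstat -an` output on the backup server
# (addresses and ports are made up for illustration).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.77:4012         ESTABLISHED
"""

# Firewall model (assumption): explicit denies are matched before the permits.
DMZ_PERMIT = [(6101, 6101), (1024, 65535)]  # ranges from the post
DMZ_DENY = {1026, 3268}   # hypothetical: listeners filtered when rules were written
EXPECTED = {6101}         # the only listener the DMZ is meant to reach

def listening_ports(netstat_text):
    """Return TCP ports in LISTENING state bound to a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", line)
        if m and not m.group(1).startswith("127."):
            ports.add(int(m.group(2)))
    return ports

def reachable_from_dmz(port, deny, permit):
    """True if the rule set lets a DMZ host connect to this port."""
    if port in deny:
        return False
    return any(lo <= port <= hi for lo, hi in permit)

def audit(netstat_text, deny, permit, expected):
    """Return listeners the DMZ can reach that nobody approved."""
    exposed = {p for p in listening_ports(netstat_text)
               if reachable_from_dmz(p, deny, permit)}
    return sorted(exposed - expected)

if __name__ == "__main__":
    for port in audit(NETSTAT, DMZ_DENY, DMZ_PERMIT, EXPECTED):
        print(f"unapproved listener reachable from DMZ: tcp/{port}")
```

Run on a schedule against fresh `netstat -an` output, this flags the listener on 1433 that appeared after the deny list was written; it does not see RPC ports that are only open while a backup job is running.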

