RE: [fw-wiz] Backup exec agent in dmz

TSimons_at_Delphi-Tech.com
Date: 06/11/03

    To: yehuda@essutton.com, firewall-wizards@honor.icsalabs.com
    Date: Wed, 11 Jun 2003 08:28:04 -0400

    As far as MS Exchange is concerned, you may want to restrict it to static
    TCP ports. This way you could block these specific ports inbound from the
    DMZ.

    -----Original Message-----
    From: yehuda [mailto:yehuda@essutton.com]
    Sent: Tuesday, June 10, 2003 11:45 AM
    To: 'firewall-wizards@honor.icsalabs.com'
    Subject: [fw-wiz] Backup exec agent in dmz

    Hi, I was wondering if anyone has ideas or a solution for this problem:

    I'm trying to set up reliable backup of 3 servers in a dmz network: a
    mail/antivirus server, a dns server, and a web server.
    The mail server is running windows NT and the other two are Redhat linux.

    I have a windows 2000 server running backup exec version 9 on the primary
    network connected to a ten thousand dollar tape loader, and I'd rather not
    have to set up a separate backup system for the dmz computers.

    The networks are segmented by a pix 515 with three interfaces, one for the
    inside, one for the outside, and one for the dmz.

    The primary network has unrestricted access to the dmz, but computers on the
    dmz network need specific permission - by ip and port - to connect to
    servers in the primary network.

    I installed the backup exec unix agent on the two linux machines in the dmz.
    According to veritas's website,
    (http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101
    and 1024-65535 both ways, because the unix agent uses rpc.

    I don't have a problem giving dmz machines access to port 6101 on the backup
    server, but I'd rather not give the dmz machines access to 1024-65535 on the
    backup server. The backup server is a domain controller for our active
    directory, as well as an internal ms-exchange mail server. I could filter
    off the listening ports over 1024, but then if I don't keep watching it,
    someone might install an app that listens above 1024, which would then be
    available to the dmz.

    They have a workaround for windows, by reconfiguring dcom and rpc to only
    use specific ports, but it seems from the above-referenced document that
    such an option isn't available for the unix agent.

    Any ideas?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
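The original poster's worry is that filtering ports above 1024 on the backup server only holds until someone installs a service that listens on a high port without anyone noticing. A periodic audit of the server's listening sockets against an explicit allow-list closes that gap. The following Python script is an added example, not code from the thread or from Veritas; it parses `netstat -an` style output (the sample below is constructed, not captured from a real host) and reports every listener above a threshold that is not on the allow-list. The allow-list, the threshold, and the sample addresses are assumptions chosen to mirror the thread (port 6101 for the Backup Exec agent).

```python
import re

# Constructed sample in the layout `netstat -an` prints on Windows 2000.
# Not captured from a real host; addresses and ports are illustrative.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1026      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      10.0.0.5:1203          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumed allow-list: (protocol, port) pairs above 1024 that are expected on
# the backup server. 6101 is the Backup Exec agent port named in the thread.
ALLOWED_HIGH_PORTS = {("TCP", 6101)}

# One netstat row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_addr, port) for every TCP socket in LISTENING
    state and every UDP socket; established TCP connections are ignored."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unrecognised row
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_high_ports(netstat_text, allowed=ALLOWED_HIGH_PORTS, threshold=1024):
    """Return listeners above `threshold` that are not in the allow-list.

    Anything returned here would be reachable from the DMZ under a rule that
    permits 1024-65535 inbound to the backup server."""
    return [
        (proto, addr, port)
        for proto, addr, port in parse_listeners(netstat_text)
        if port > threshold and (proto, port) not in allowed
    ]


def bound_to_all_interfaces(listener):
    """True when the socket is bound to every interface (0.0.0.0), i.e. it
    answers on the interface facing the DMZ as well as the inside."""
    return listener[1] == "0.0.0.0"


if __name__ == "__main__":
    for entry in audit_high_ports(SAMPLE_NETSTAT):
        scope = "all interfaces" if bound_to_all_interfaces(entry) else entry[1]
        print(f"unexpected listener: {entry[0]} port {entry[2]} ({scope})")
```

Run against live output with `netstat -an | python audit.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; scheduling it and diffing the result against the previous run turns "if I don't keep watching it" into a check that watches for you. On the constructed sample it flags TCP 10000 and TCP 1026 and stays quiet about 6101.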
