Configuring IBM Spectrum Protect client/server communication across a firewall

In most cases, the IBM Spectrum Protect™ server and clients can work across a firewall.

About this task

Every firewall is different, so the firewall administrator might need to consult the instructions for the firewall software or hardware in use.

There are two methods for enabling client and server operations through a firewall:
Method 1:
To allow clients to communicate with a server across a firewall, the following ports must be opened in the firewall by the firewall administrator:
TCP/IP port
To enable the backup-archive client, command-line admin client, and the scheduler to run outside a firewall, the port specified by the server option tcpport (default 1500) must be opened by the firewall administrator. This port is set on the client and the server using the tcpport option. The setting must be the same on the client and server. This allows IBM Spectrum Protect scheduler communications in both polling and prompted mode, client acceptor-managed schedulers, and regular backup-archive client operations.

Note: The client cannot use the port specified by the tcpadminport option (on the server) for a client session. That port can be used for administrative sessions only.

HTTP port
To allow the web client to communicate with remote workstations across a firewall, the HTTP port for the remote workstation must be opened. Use the httpport option in the remote workstation client options file to specify this port. The default HTTP port is 1581.
TCP/IP ports for the remote workstation
The two TCP/IP ports for the remote workstation client must be opened. Use the webports option in the remote workstation client options file to specify these ports. If you do not specify the values for the webports option, the default zero (0) causes TCP/IP to randomly assign two free port numbers.
TCP/IP port for administrative sessions
The tcpadminport server option specifies a separate TCP/IP port on which the server listens for administrative client sessions. Keeping administrative sessions on their own port allows them to be confined to a private network.
Method 2:
For the client scheduler in prompted mode, it is unnecessary to open any ports on the firewall. If you set the sessioninitiation option to serveronly, the client will not attempt to contact the server. All sessions are initiated by server prompted scheduling on the port defined on the client with the tcpclientport option. The sessioninitiation option only affects the behavior of the client scheduler running in the prompted mode.

On the IBM Spectrum Protect server, the SESSIONINITiation parameter of the register node and update node commands must be set for each node. If the server specifies SESSIONINITiation=clientorserver, the default, the client can decide which method to use. If the server specifies SESSIONINITiation=serveronly, all sessions are initiated by the server.

Note:
  1. If sessioninitiation is set to serveronly, the value for the tcpclientaddress client option must be the same as the value for the HLAddress option of the update node or register node server command. The value for the tcpclientport client option must be the same as the value for the LLAddress option of the update node or register node server command.
  2. (AIX, Linux, Mac OS X, Oracle Solaris) If you set the sessioninitiation option to serveronly, the command-line client, the backup-archive client Java™ GUI, and the web client GUI (but not client acceptor-managed schedulers) still attempt to initiate sessions, but they are blocked by the IBM Spectrum Protect server for nodes that have the sessioninitiation option set to serveronly.
  3. (Windows) If you set the sessioninitiation option to serveronly, the command-line client, the backup-archive client GUI, and the web client GUI (but not client acceptor-managed schedulers) still attempt to initiate sessions, but they are blocked by the IBM Spectrum Protect server for nodes that have the sessioninitiation option set to serveronly.
  4. (Windows) When you install the scheduler by using the setup wizard or dsmcutil and the IBM Spectrum Protect server is behind a firewall, the node password is not stored on the client workstation. As a result, the scheduler service might be unable to authenticate to the server when the server contacts the client to run a schedule. In this case, you can run the scheduler from the command line (dsmc schedule), wait until a scheduled operation starts, and enter the password for your node when prompted. After you enter the password for your node, restart the scheduler service. You can also use the following dsmcutil command to save the password:
    dsmcutil updatepw /node:nnn /password:ppp /validate:no

    If the sessioninitiation option is set to serveronly in your client options file (dsm.opt), the client setup wizard and the scheduler service are unable to initiate authentication with the IBM Spectrum Protect server. To avoid this problem, when you configure the client scheduler by using the setup wizard, ensure that the Contact the IBM Spectrum Protect Server to validate password check box on the IBM Spectrum Protect Authentication page is cleared.

    A similar problem can occur if an encryption key is required for backup operations. In this case, you can run the scheduler from the command line (dsmc schedule), wait until a scheduled backup starts, and enter the encryption key when prompted. After the password and encryption key are updated, you must restart the scheduler.

  5. When you configure the scheduler on a client workstation for the first time, the scheduler service might be unable to authenticate to the server when the server contacts the client scheduler to run a schedule. This can happen when passwordaccess is set to generate, the IBM Spectrum Protect server is behind a firewall, and the encrypted password cannot be stored locally before the scheduler is started. To correct this problem, run the scheduler from the command line (dsmc schedule), wait until a scheduled operation starts, and enter the password for your node when prompted.
  6. The client cannot prompt for the encryption key password in scheduler mode. If you are using IBM Spectrum Protect data encryption, you must run an initial interactive backup once to set up the encryption key by opening the TCP/IP connection from the client workstation to the server workstation. See Method 1 for more information about setting up this communication. After the encryption key is set, you can use server-initiated sessions to back up the files using encryption.

If you set the sessioninitiation option to client, the client initiates sessions with the server (Method 1) by communicating on the TCP/IP port defined with the server option tcpport. This is the default. Server prompted scheduling can be used to prompt the client to connect to the server.
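The following is an added example, not IBM code: it cross-checks a client options file against the values given to register node or update node and lists what the firewall must allow for Method 1 (client-initiated, tcpport) or Method 2 (serveronly, tcpclientaddress and tcpclientport matching HLAddress and LLAddress). The options file, node values and the parse_options / check_firewall_config helpers are constructed for this example.

```python
# Added example, not IBM's code: cross-check a client options file against the
# REGISTER/UPDATE NODE values and list what the firewall must allow (Method 1/2).

def parse_options(text):
    """'OPTION value' lines of dsm.opt; case-insensitive, '*' starts a comment.
    Option names must be spelled out in full (abbreviations are not expanded)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("*", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return opts

def check_firewall_config(client_text, node, server_tcpport=1500):
    """Return (firewall_rules, problems). node holds the sessioninitiation,
    hladdress and lladdress values given to REGISTER NODE / UPDATE NODE."""
    opts = parse_options(client_text)
    init = opts.get("sessioninitiation", "client")  # client is the default
    rules, problems = [], []
    if node["sessioninitiation"] == "serveronly" and init != "serveronly":
        problems.append("node is SESSIONINITiation=serveronly but the client "
                        "initiates sessions; the server will block them")
    if init == "serveronly":
        # Method 2: the server prompts the client on tcpclientport; the client
        # values must equal the node's HLAddress/LLAddress (Note 1).
        addr, port = opts.get("tcpclientaddress"), opts.get("tcpclientport")
        if addr != node["hladdress"].lower():
            problems.append(f"tcpclientaddress {addr} != HLAddress {node['hladdress']}")
        if port != str(node["lladdress"]):
            problems.append(f"tcpclientport {port} != LLAddress {node['lladdress']}")
        rules.append(f"server -> client TCP {port} (server-prompted scheduling); "
                     "no inbound port to the server")
    else:
        # Method 1: the client connects to tcpport, which must match on both sides.
        port = opts.get("tcpport", "1500")
        if port != str(server_tcpport):
            problems.append(f"client tcpport {port} != server tcpport {server_tcpport}")
        rules.append(f"client -> server TCP {port} (tcpport)")
    return rules, problems

CLIENT_OPTS = """\
* constructed sample dsm.opt for Method 2
SESSIONINITIATION serveronly
TCPCLIENTADDRESS 192.0.2.10
TCPCLIENTPORT 1501
"""
NODE = {"sessioninitiation": "serveronly", "hladdress": "192.0.2.10", "lladdress": 1501}
```

Run check_firewall_config(CLIENT_OPTS, NODE) to see the rule the firewall administrator needs and an empty problem list; change LLAddress or the client port to see the Note 1 mismatch reported.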

When the backup-archive client is used across a firewall in prompted mode, the IBM Spectrum Protect server needs to contact the client. To complete this action, some software might need to be installed on the IBM Spectrum Protect server to route the request through the firewall. This software routes the server request through a socks port on the firewall; this method is typically called socksifying a system. Proxies are not supported, because they route only a few types of communication protocols (HTTP, FTP, GOPHER); IBM Spectrum Protect communications are not routed by proxies. Note that the client creates a new connection to the IBM Spectrum Protect server when it is prompted, so the firewall configuration discussed above must be in place.