Omar Alvi_1

Client behind firewall - CM Package logical IP

Hi,

I have my CM (DP 5.5) installed on a two node HP-UX 11.00 cluster.

I want to import a Windows client that's behind the firewall. I should need to open only the port 5555 with the CM as the source and client as destination (one way only), right?

My other concern is whether this port should be opened for the Physical IP addresses only or the logical package IP Address as well?

btw, what is the optimum way of checking whether this logical IP address is opened for 5555 for other installed clients?

Appreciate any assistance

Thanks and Regards,

-Alvi

Accepted Solutions
Kurt Beyers

Re: Client behind firewall - CM Package logical IP

Alvi,

The ports must not be opened for the IP addresses of the MC/SG physical nodes. The cell manager runs on the IP address of the MC/SG package.

DP will use the IP address of the host it is running on. So if the DP client or server is your.server.com, the IP address of your.server.com as it is returned from DNS (or another name resolution mechanism) will be used.

DP expects that the name resolution is consistent:

"A ping or nslookup of any client/server using its IP address, short name or FQDN must always answer with the FQDN."

If this is all right, the import of the server will work too.

best regards,
Kurt
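
The name-resolution rule quoted above, together with the telnet-style port test mentioned in this thread, scripted as an added example (not part of the original posts and not Data Protector code). The hostnames and addresses are constructed placeholders, and the function names are this example's own.

```python
import socket

DP_PORT = 5555  # port discussed in the thread

def answer_for(value, gethostbyname=socket.gethostbyname,
               gethostbyaddr=socket.gethostbyaddr):
    """Resolve a short name, FQDN or IP literal the way ping/nslookup would:
    forward to an address, then reverse to the name the resolver answers with."""
    ip = gethostbyname(value)            # an IPv4 literal comes back unchanged
    return gethostbyaddr(ip)[0].lower(), ip

def check_consistency(fqdn, short_name, ip, **resolvers):
    """Return a list of problems; an empty list means every form of the
    host's identity answers with the same FQDN and the same address."""
    problems = []
    for label, value in (("FQDN", fqdn), ("short name", short_name), ("IP", ip)):
        try:
            name, addr = answer_for(value, **resolvers)
        except OSError as exc:           # gaierror and herror are OSError subclasses
            problems.append(f"{label} {value}: lookup failed ({exc})")
            continue
        if name != fqdn.lower():
            problems.append(f"{label} {value}: answers {name}, expected {fqdn}")
        if addr != ip:
            problems.append(f"{label} {value}: resolves to {addr}, expected {ip}")
    return problems

def port_open(host, port=DP_PORT, timeout=3.0):
    """TCP connect test, the scripted form of the telnet check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample data (not from the thread): the package short name
# wrongly resolves to a physical node instead of the package address.
SAMPLE_FWD = {"cm-pkg.example.com": "192.0.2.10", "cm-pkg": "192.0.2.11",
              "192.0.2.10": "192.0.2.10"}
SAMPLE_REV = {"192.0.2.10": ("cm-pkg.example.com", [], ["192.0.2.10"]),
              "192.0.2.11": ("node1.example.com", [], ["192.0.2.11"])}

def sample_report():
    """Run the check against the constructed tables instead of live DNS."""
    return check_consistency("cm-pkg.example.com", "cm-pkg", "192.0.2.10",
                             gethostbyname=SAMPLE_FWD.__getitem__,
                             gethostbyaddr=SAMPLE_REV.__getitem__)

if __name__ == "__main__":
    print("\n".join(sample_report()) or "name resolution is consistent")
```

Run against live DNS by calling `check_consistency()` without the resolver arguments, on both the cell manager and the client, since each side must see the same answers.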
3 Replies
Kurt Beyers

Re: Client behind firewall - CM Package logical IP

Alvi,

The port 5555 should be opened in both directions between the IP address of the client and the IP address of the MC/SG package of Data Protector.

A 'telnet 5555' from a client will tell you if the port is opened or not (Connection not allowed).

best regards,
Kurt
Omar Alvi_1

Re: Client behind firewall - CM Package logical IP

Thanks Kurt, quick response.

So I'll open the port for the Package IP, but do I need to open for the physical IP addresses as well?

The schematics in the admin guide seem to be showing unidirectional outgoing 5555 connectivity only. This is for initial connectivity, the rest of the actual data transfer, is that actually dynamic, using RPC?

The telnet to port command is fine for testing connectivity, but if I want to check the port and IP opened on the local system itself. Like we use rpccp for checking OVO stuff.

One other thing, for Data Protector can we check what particular outgoing IP address it's actually using - maybe there's a misconfiguration and it's using the physical IP? Just to be sure. VBDA or something.

Again, thanks a lot.

Regards,

-Alvi
