RE: Backup exec agent in dmz

["Sloane, David" <DSloane () vfa com>]

Samba comes to mind...

(going far afield now)

That said, what do you really need to back up on the DNS and web servers?

Web sites are often mirrored internally - either in source control or just a
flat-file system.

The dns server records should be tiny text files.  You can update two sets
of DNS files, right?  Or just pull down the zone file(s) after making
changes...

If you really want to minimize potential down-time, make a Ghost (or
similar) image of each Red Hat box.  If you need the logs, pull them out
with ftp or samba or (insert file transfer protocol here).

Your disaster-recovery model is pretty straightforward - ghost image to
replacement disk, then drop in the most recent DNS and web-site files.


No muss, no fuss, no *nix agents with open access to your
AD/Exchange/BackupExec/eggs-in-one-basket box (sorry, couldn't resist any
longer).

Cheers,

David





-----Original Message-----
From: yehuda [mailto:yehuda () essutton com] 
Sent: Tuesday, June 10, 2003 11:45 AM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Backup exec agent in dmz


Hi, I was wondering if anyone has ideas or a solution for this problem:

I'm trying to set up reliable backup of 3 servers in a dmz network: a
mail/antivirus server, a dns server, and a web server.
The mail server is running windows NT and the other two are Redhat linux.

I have a windows 2000 server running backup exec version 9 on the primary
network connected to a ten thousand dollar tape loader, and I'd rather not
have to set up a separate backup system for the dmz computers.

The networks are segmented by a pix 515 with three interfaces, one for the
inside, one for the outside, and one for the dmz.

The primary network has unrestricted access to the dmz, but computers on the
dmz network need specific permission - by ip and port - to connect to
servers in the primary network.

I installed the backup exec unix agent on the two linux machines in the dmz.
According to veritas's website,
(http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101
and 1024-65535 both ways, because the unix agent uses rpc.

I don't have a problem giving dmz machines access to port 6101 on the backup
server, but I'd rather not give the dmz machines access to 1024-65535 on the
backup server. The backup server is a domain controller for our active
directory, as well as an internal ms-exchange mail server. I could filter
off the listening ports over 1024, but then if I don't keep watching it,
someone might install an app that listens above 1024, which would then be
available to the dmz.

They have a workaround for windows, by reconfiguring dcom and rpc to only
use specific ports, but it seems from the above-referenced document that
such an option isn't available for the unix agent.

Any ideas?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards