Firewall Wizards mailing list archives
RE: Backup exec agent in dmz
From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 11 Jun 2003 10:44:31 -0400
Samba comes to mind... (going far afield now)

That said, what do you really need to back up on the DNS and web servers? Web sites are often mirrored internally - either in source control or just a flat-file system. The dns server records should be tiny text files. You can update two sets of DNS files, right? Or just pull down the zone file(s) after making changes...

If you really want to minimize potential down-time, make a Ghost (or similar) image of each Red Hat box. If you need the logs, pull them out with ftp or samba or (insert file transfer protocol here).

Your disaster-recovery model is pretty straightforward - ghost image to replacement disk, then drop in the most recent DNS and web-site files. No muss, no fuss, no *nix agents with open access to your AD/Exchange/BackupExec/eggs-in-one-basket box (sorry, couldn't resist any longer).

Cheers,
David

-----Original Message-----
From: yehuda [mailto:yehuda () essutton com]
Sent: Tuesday, June 10, 2003 11:45 AM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Backup exec agent in dmz

Hi,

I was wondering if anyone has ideas or a solution for this problem:

I'm trying to set up reliable backup of 3 servers in a dmz network: a mail/antivirus server, a dns server, and a web server. The mail server is running windows NT and the other two are Redhat linux. I have a windows 2000 server running backup exec version 9 on the primary network connected to a ten thousand dollar tape loader, and I'd rather not have to set up a separate backup system for the dmz computers.

The networks are segmented by a pix 515 with three interfaces, one for the inside, one for the outside, and one for the dmz. The primary network has unrestricted access to the dmz, but computers on the dmz network need specific permission - by ip and port - to connect to servers in the primary network.

I installed the backup exec unix agent on the two linux machines in the dmz. According to veritas's website, (http://seer.support.veritas.com/docs/243611.htm), I need to open port 6101 and 1024-65535 both ways, because the unix agent uses rpc. I don't have a problem giving dmz machines access to port 6101 on the backup server, but I'd rather not give the dmz machines access to 1024-65535 on the backup server. The backup server is a domain controller for our active directory, as well as an internal ms-exchange mail server.

I could filter off the listening ports over 1024, but then if I don't keep watching it, someone might install an app that listens above 1024, which would then be available to the dmz. They have a workaround for windows, by reconfiguring dcom and rpc to only use specific ports, but it seems from the above-referenced document that such an option isn't available for the unix agent.

Any ideas?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
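The concern in the quoted message, that an application installed later on the backup server could start listening above 1024 and become reachable from the dmz, can be watched for with a baseline comparison. The following is an added example, not part of either message: Python that parses Windows `netstat -an` output and reports listeners in 1024-65535 that are not on an approved list. The sample output, the baseline set and the function names are constructed for illustration.

```python
import re

HIGH_RANGE = range(1024, 65536)  # the range the Veritas document asks to open

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:6101        192.0.2.50:32771       ESTABLISHED
  UDP    0.0.0.0:3456           *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(text):
    """Return {(proto, addr, port)} for sockets accepting inbound traffic."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        # TCP counts only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, addr, int(port)))
    return found

def exposed_high_ports(listeners, baseline):
    """Listeners in 1024-65535, reachable off-box, and absent from baseline."""
    hits = []
    for proto, addr, port in listeners:
        if port not in HIGH_RANGE or addr.startswith("127."):
            continue  # below the opened range, or loopback-only
        if (proto, port) not in baseline:
            hits.append((proto, port))
    return sorted(hits)

if __name__ == "__main__":
    baseline = {("TCP", 6101), ("TCP", 1026)}  # hypothetical approved listeners
    for proto, port in exposed_high_ports(parse_listeners(SAMPLE_NETSTAT), baseline):
        print(f"unapproved listener reachable from dmz: {proto}/{port}")
```

Run on a schedule against fresh `netstat -an` output from the backup server, a non-empty result means the firewall rule for 1024-65535 is exposing something nobody approved.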
Current thread:
- Backup exec agent in dmz yehuda (Jun 10)
- Re: Backup exec agent in dmz Volker Tanger (Jun 11)
- <Possible follow-ups>
- RE: Backup exec agent in dmz TSimons (Jun 11)
- RE: Backup exec agent in dmz Sloane, David (Jun 11)
- RE: Backup exec agent in dmz Ahmed, Balal (Jun 13)