IT Services



Connecting to the HFS Through a Firewall


Contents



1. HFS configuration details

The HFS can be accessed from behind a firewall. Although all client sessions, even automatic scheduled backup sessions, are initiated from the client, it is necessary to place a rule in the firewall to allow traffic both to and from the TSM server in order to allow the TSM server to communicate with the TSM client. The current IP addresses/port number combinations for the service are:

Server Name DNS Name IP Address Port HFS Service
OX_HFS dsma.ox.ac.uk 163.1.219.9 2000 Archive
OX_HFS_B1 dsmb1.ox.ac.uk 163.1.219.1 1500 Desktop backup
OX_HFS_B3 dsmb3.ox.ac.uk 163.1.219.3 1600 Desktop backup
OX_HFS_B5 dsmb5.ox.ac.uk 163.1.219.5 1700 Desktop backup
OX_HFS_B7 dsmb7.ox.ac.uk 163.1.219.7 1800 Desktop backup
OX_HFS_B2 dsmb2.ox.ac.uk 163.1.219.2 2500 Server backup
OX_HFS_B4 dsmb4.ox.ac.uk 163.1.219.4 2600 Server backup
OX_HFS_B6 dsmb6.ox.ac.uk 163.1.219.6 2700 Large server backup
OX_HFS_B8 dsmb8.ox.ac.uk 163.1.219.8 2800 Server backup
OX_HFS_B10 dsmb10.ox.ac.uk 163.1.219.15 2900 Server backup
OX_HFS_B12 dsmb12.ox.ac.uk 163.1.219.16 3300 Large server backup
OX_HFS_VPN dsmvpn.ox.ac.uk 163.1.219.10 3200 Desktop VPN-based backup
OX_HFS_DD1 dsmbdd1.hfs.ox.ac.uk 163.1.219.13 3400 TSM for VE server backup


2. Trouble-shooting firewall-related issues

A number of HFS users have had problems when connecting to the HFS through a firewall. These problems are characterised by backups/restores stalling half-way through and by repeated reconnections being made though a long scheduled backup. This is normally seen in the client logs as a large number of messages of ANS1809W messages, which take one of the following forms:

ANS1809W Session is lost; initializing session reopen procedure.

ANS1809W A session with the TSM server has been disconnected. 
An attempt will be made to reestablish the connection.

It appears that these problems usually arise with firewalls based upon Linux 2.6 kernels. The workaround successfully used by a number of HFS users is to set the value of ip_conntrack_tcp_be_liberal to 1 with:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

This setting means that any packets interpreted by the firewall's connection tracking as being outside the TCP window will still be allowed through, unless they are reset segments.

We have also seen similar issues with commercial firewalls not based on Linux, where turning off flow consistency checking has alleviated this problem.

If you experience slow or intermittently slow backup or restore performance rather than a loss of connection, then the cause could nonetheless still be firewall-related. Please check any intervening firewalls for active anti-virus/anti-malware scanning. Packet-scanning in transit can seriously affect data rates, even on otherwise uncongested network links.

Some departments have reported problems related to deep packet inspection (DPI) firewalls and access to the archive service (please note this does not affect the backup service). The HFS archive service uses TCP port 2000, and this port is also used by SCCP (Cisco's Skinny Client Control Protocol). DPI firewalls with support for SCCP expect only to see SCCP connections using port 2000 - they view the TSM connection to the HFS archive service as erroneous and terminate it. On the client machine this is normally seen as a hang while starting the TSM software for archiving. To fix this problem, DPI must be disabled for SCCP/port 2000 on the firewall. On Juniper firewalls, the Application Layer Gateway settings need to be changed. For example, on the Juniper SSG140, issue the following command in the firewall command line interface:

unset alg sccp enable

The equivalent command on the Juniper SRX650 is:

set security alg sccp disable