Bucky Backup - Operating the TSM Client with Firewalls

This document is intended to give people a little more background on how Bucky Backup's IBM Tivoli Storage Manager (TSM) operates and how to deal with firewalls while still protecting their data.

Tivoli Storage Manager (TSM) Communication Methods

There are 2 methods of communication for the TSM client scheduler: PROMPTED and POLLING. The Bucky Backup Support Team recommends using POLLING. The POLLING option requires less work on the firewall and some simple changes to the client configurations. Also, the Bucky Backup Support Team has found the POLLING option decreases the chance of missed backups (regardless of the existence of a firewall), so it is the recommended method. But either option is a valid solution.

Information on the Polling Communication Method

POLLING Summary: When the TSM client scheduler starts, it contacts the server and synchronizes what the server knows about the local client. It retrieves the backup schedule, and then checks in with the server every 4 hours up until it's time to do the backup. When the time comes, the client scheduler polls the server, basically asking "Can I back myself up now?" The server will tell the client scheduler to begin backing up, or to wait a period of time and ask again. The client scheduler will continue polling the server throughout the backup window until it gets backed up. The machine inside the firewall is initiating all the communications, so this approach is instantly compatible with most firewall installations.

If your firewall does not permit outbound connections you may wish to permit connections to the server's IP address, and at least to the port(s) that the TSM server is using. You may also need to permit "related" connections through the firewall also.

How to Change the Method of Communication to Polling

To change the client scheduler mode, look in dsm.sys or dsm.opt for the SCHEDMODE directive and change it from PROMPTED to POLLING. If it is missing this directive, add the line. You will need to save your changes & restart the TSM client scheduler for it to take effect.

Information on the Prompted Communication Method

PROMPTED Summary: When the TSM client scheduler starts, it opens and begins listening on a port on the local machine. It then contacts the server and synchronizes what the server knows about the local client. The client scheduler retrieves the backup schedule and then sits in the background and waits for the server to contact it. At some point the server will contact the client scheduler, using the local port that was registered with the server at startup, and initiate a backup. That works quite well, because the server can then manage its load and only start new backups when it has the capacity. And with a firewall, the TSM client scheduler startup sequence works well, because many firewalls are configured to allow all outbound connections while blocking most inbound ones.

However, when it comes time for the TSM server to tell the client scheduler to start backing up, the firewall blocks the connection from the TSM server, so your client scheduler never receives the message and the backup never occurs. There are two good solutions for this:

  1. Configure the firewall to permit connections from the TSM server to the client scheduler port (by default TCP 1501, but you can set that). This approach permits the old behavior of the TSM server, but will require that you change the firewall rules for all the hosts you are backing up if the TSM server IP ever changes.

    • Note: The Bucky Backup servers and associated ports are:

      Bucky Backup Enterprise Server Addresses Bucky Backup Enterprise Port Numbers
      bucky1.doit.wisc.edu 1499
      bucky2.doit.wisc.edu 1500
      bucky5.doit.wisc.edu 1503
      bucky6.doit.wisc.edu 1504

       

      Bucky Backup Lite Server Addresses
      Bucky Backup Lite Port Numbers
      bl1.doit.wisc.edu 1501
      bl2.doit.wisc.edu
      		1502
      bl3.doit.wisc.edu1503

       

       Bucky Backup Archive Server Addresses
      		 Bucky Backup Archive Port Numbers
      ba1.doit.wisc.edu 1501

  2. Change your method of communication to polling (see above) -- Recommended.