Firewall configuration for backup server control connection
Last Updated: Mar 03, 2015 01:18PM CET
A control connection from the backup server to the backup client is necessary for tape autoloader backups and restores, because the backup server needs to signal tape changes to the client.
The control connection is opened on a port which is determined and bound by the backup client. The determination of the port is controlled by the file Hiback\fire.bal (Windows client) or /Hiback/fire.ball (UNIX and Linux client). The Hiback\fire.bal file has to exist with the same entries on the Backup Server node and the Client node, and if your Command Server is a Backup Server node, it also needs this file in place.
The file contains port numbers, either one port per line or a port range (syntax: port1-port2). Example content:
15000
32320-32322
The client reads the file and creates a list of ports (example: 15000, 32320, 32321 and 32322). If the file does not exist, the port list begins with 1025 and ends with 65535. Using fire.bal[l], the choice of the port can therefore be controlled according to the settings in the firewall.
The client then iterates over the list and tries to bind to each port in turn. If a bind fails, the next port in the list is tried until a port can be bound. The bound port number is then sent to the backup server, so that the backup server can connect to this client port to open the control connection.
Note: defining port numbers in the fire.bal[l] config file still requires these ports to be unblocked on the firewall (backup server to backup client network).
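The following Python sketch is an added example, not Hiback code. It expands a fire.bal[l] file into the port list described above, so the list can be compared against the firewall rule set, and it mirrors the client's bind iteration. The function names, the handling of blank lines, the rejection of malformed lines and the bind address are assumptions; the page does not document how the real client treats them.

```python
import socket
from pathlib import Path

# Per the article: if the file does not exist, the list runs from 1025 to 65535.
DEFAULT_PORTS = range(1025, 65536)


def parse_fire_ball(text):
    """Expand fire.bal[l] content (one port or port1-port2 per line) in file order."""
    ports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # assumption: blank lines are ignored
            continue
        first, sep, last = line.partition("-")
        try:
            lo = int(first)
            hi = int(last) if sep else lo
        except ValueError:
            # assumption: reject malformed lines rather than skip them silently
            raise ValueError(f"line {lineno}: not a port or range: {raw!r}")
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: invalid port range: {raw!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def load_ports(path):
    """Return the port list for a given file path, or the default list if absent."""
    p = Path(path)
    return parse_fire_ball(p.read_text()) if p.is_file() else list(DEFAULT_PORTS)


def first_bindable(ports, host="0.0.0.0"):
    """Mirror the client's iteration: return the first port that can be bound."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
            except OSError:  # in use or not permitted: try the next port
                continue
            return port
    return None


if __name__ == "__main__":
    sample = "15000\n32320-32322\n"  # constructed from the article's example content
    ports = parse_fire_ball(sample)
    print("ports to allow, server -> client:", ports)
    print("first bindable port on this host:", first_bindable(ports))
```

Running the parser on both the Backup Server and Client copies of the file and comparing the resulting lists is a quick way to confirm they carry the same entries.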