www.mass.dk

Sharing what I know...


Netbackup and the ACSLS firewall feature.

The intent of this document is to show how the ACSLS firewall feature is configured in Netbackup. To be honest, both Symantec/Veritas and SUN/Storagetek have done a really sloppy job of documenting how to implement this feature. I hope this page helps.

Firewall compliant ACSLS is supported from Netbackup 4.5 with FP9 and forward. If you have an 11.23 IA64 box you need at least 6.0MP4 to get the firewall compliant stuff to work. One port must be opened in the firewall. Traffic must be allowed in both directions (both sides must be allowed to initiate traffic). The port is usually 30031 but can be custom chosen. You need to configure the ACSLS server for firewall operations; see the ACSLS manual.

How to configure on the client side:

An existing ACSLS server named "emulator" runs the old style port mapper feature. A new server, "Moldau", runs firewall compliant ACSLS. # denotes a command to be issued.

1: Edit vm.conf. Add the following entries:

ACS_TCP_RPCSERVICE

ACS_CSI_HOSTPORT = {ACSLS_servername} 30031

ACS_SSI_INET_PORT = {ACSLS_servername} 30031

From the real world:

ACS_TCP_RPCSERVICE
ACS_CSI_HOSTPORT = emulator 0
ACS_SSI_INET_PORT = emulator 0
ACS_CSI_HOSTPORT = moldau 30031
ACS_SSI_INET_PORT = moldau 30031

A "0" (zero) in the port number sets the old style RPC portmapper feature (port 110). If your media server has multiple NICs and you plan to direct traffic to and from the ACSLS server through a NIC not connected to the default gateway, add ACS_SSI_HOSTNAME = { DNS host name to use } to vm.conf. Otherwise traffic won't flow correctly. If you are in doubt about which IP address ACSLS thinks it uses, see /usr/openv/volmgr/debug/acssi/event.log. Look for a line like this:

[csi_rpctinit.c:433] ONC RPC: csi_rpctinit(): B2 SOCKET 3: family= 2 port=30031 IPaddr= 10.1.22.37

2: Add devices in Netbackup (otherwise acsd won't start any acssi daemons for the new robot).

3: Stop Netbackup on the media server. Make sure to kill any daemons that did not stop; acsd and acssi in particular NEED to be killed on Netbackup 5.x.

4: Delete any previously registered RPC services on the Netbackup servers. A stop/start of Netbackup may not do the job.

#rpcinfo -d 1073741824 1

#rpcinfo -d 1073741824 2

5: Start Netbackup.

6: Verify with acstest and rpcinfo -p. Look for two entries like this:

#rpcinfo -p

1073741824 2 tcp 49263 <-- Old style RPC

1073741825 2 tcp 30031 <-- Firewall compliant port.

Issue Netbackup's acstest like this:

#acstest -r ACSLS_HOST -s SSI_SOCKET -C qserver

If you have multiple connected ACSLS servers you need to specify the -s SSI socket option; otherwise you can omit it. The first SSI socket runs on 13740, the next on 13741 and so on.

9: Coffee or beer.
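
A pre-flight check for the vm.conf entries from step 1, added here as an example and not part of the original guide or of Netbackup: it reads the ACS_CSI_HOSTPORT and ACS_SSI_INET_PORT lines and reports, per ACSLS host, which port the firewall rule has to cover. The hosts acsls3 and acsls4, the sample file and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which port each ACSLS host in vm.conf needs opened.
# Real use: acs_port_report /path/to/vm.conf   (reads stdin if no file given)
acs_port_report() {
    awk '
    $1 == "ACS_TCP_RPCSERVICE" { tcp = 1; next }
    $1 == "ACS_CSI_HOSTPORT" || $1 == "ACS_SSI_INET_PORT" {
        # Entry shape used on this page: KEY = hostname port
        if ($2 != "=" || NF != 4 || $4 !~ /^[0-9]+$/) {
            printf "MALFORMED line %d: %s\n", NR, $0; next
        }
        host = tolower($3); seen[host] = 1
        if ($1 == "ACS_CSI_HOSTPORT") csi[host] = $4; else ssi[host] = $4
        next
    }
    END {
        if (!tcp) print "MISSING ACS_TCP_RPCSERVICE"
        for (h in seen) {
            if (!(h in csi) || !(h in ssi))
                printf "%s INCOMPLETE (needs both ACS_CSI_HOSTPORT and ACS_SSI_INET_PORT)\n", h
            else if (csi[h] + 0 == 0 && ssi[h] + 0 == 0)
                printf "%s PORTMAPPER (old style RPC, no fixed port to open)\n", h
            else if (csi[h] + 0 == ssi[h] + 0)
                printf "%s FIREWALL open tcp/%s in both directions\n", h, csi[h]
            else
                printf "%s DIFFERENT csi=%s ssi=%s (not the single-port setup)\n", h, csi[h], ssi[h]
        }
    }' "$@" | sort
}

# Constructed sample: emulator and moldau as in the guide, plus two
# hypothetical hosts showing a mistyped port and a missing entry.
sample_vm_conf() {
cat <<'EOF'
ACS_TCP_RPCSERVICE
ACS_CSI_HOSTPORT = emulator 0
ACS_SSI_INET_PORT = emulator 0
ACS_CSI_HOSTPORT = moldau 30031
ACS_SSI_INET_PORT = moldau 30031
ACS_CSI_HOSTPORT = acsls3 30031
ACS_SSI_INET_PORT = acsls3 3003
ACS_CSI_HOSTPORT = acsls4 30031
EOF
}

sample_vm_conf | acs_port_report
```

Any host reported as DIFFERENT or PORTMAPPER will not work through a firewall that only allows the single port described above.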

Last Updated on Friday, 04 February 2011 15:37