
Copyright (c) 2021, Oracle. All rights reserved. Oracle Confidential.

OSB: Configuring Backup / Restore Through Firewalls (Doc ID 727528.1)

In this Document

Goal
Solution

APPLIES TO:

Oracle Secure Backup - Version 10.1.0.1 to 12.1.0.1.0 [Release 10.1 to 12.1]


Information in this document applies to any platform.
Checked for relevance on 29-Jun-2011.

GOAL

Oracle Secure Backup (OSB) uses TCP port 400 for UNIX, Linux and Windows hosts and, by default, TCP port 10,000 for NAS
hosts within an OSB domain. The default TCP port for NAS devices may be changed to an alternate TCP port if a conflict
exists.

During backup and restore operations, OSB will dynamically select a TCP port from all available TCP ports. Some IT
organizations enforce restrictions on the TCP ports that are available for use by an application, particularly in cases
where backups are being performed across a firewall.

SOLUTION

In OSB domains, you may configure a range of TCP ports available for use during backup / restore operations. TCP ports
400 and 10,000 (or another user-configured port) must be available to OSB along with a range of additional TCP ports (e.g.
20,000 – 20,024). As general guidance, the number of additional TCP ports that should be available can be estimated in
one of two ways:

1. Multiply the estimated number of concurrent OSB activities by 5.

2. Multiply the number of tape drives (inside the firewall) by the number of clients (outside the firewall).

When deploying OSB in an environment that includes a firewall, some considerations and requirements must
be addressed for successful interoperability:

---Network Address Translation (NAT) cannot be used by the firewall.


---The firewall must permit unrestricted outbound (secure -> unsecure) connections.
---Once a (secure -> unsecure) connection is made, the firewall must permit unconstrained data transfer. 
---Consideration must be given to any firewall data transfer constraints (e.g. time or volume), ensuring OSB would not
be hampered during backup / restore operations.
---Firewall timeout limits during periods of inactivity could be problematic for OSB since there are periods of inactivity
during a backup / restore operation.
---If a client host is configured to expect keep-alives or other messages, the firewall must pass them through and not
suppress the internal TCP messages.

When configuring a range of TCP ports to be used by OSB, follow these guidelines:

1. On the firewall, open port 400 and a range of other ports for OSB to use (e.g. 20,000 - 20,024). Note: the port numbers
should be above 20,000 but below 32,000.

2. Define the range of TCP ports available to OSB by editing the /etc/services file on any UNIX or Linux OSB
Administrative Server and clients in your domain:

ob-daemon-low <port low #>/tcp


ob-daemon-high <port high #>/tcp
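
A check for the entries from step 2, as an added example that is not part of the Oracle document: the shell functions below read ob-daemon-low and ob-daemon-high from a services file, confirm the range sits within the guideline from step 1, and compare its size with the two sizing estimates given earlier. The function names, the exit codes and the choice to treat the smaller of the two estimates as the minimum are assumptions of this example.

```shell
# Exit status: 0 ok, 1 entry missing/malformed/inverted, 2 outside 20000..31999,
#              3 fewer ports than the smaller of the two sizing estimates.
osb_port() {  # usage: osb_port <services_file> <service_name>
    awk -v name="$2" '
        { sub(/#.*/, "") }                          # strip comments
        $1 == name && $2 ~ /^[1-9][0-9]*\/tcp$/ {   # well-formed tcp entry only
            split($2, f, "/"); print f[1]; exit
        }' "$1"
}

osb_check_range() {  # usage: <services_file> <jobs> <drives_inside> <clients_outside>
    low=$(osb_port "$1" ob-daemon-low)
    high=$(osb_port "$1" ob-daemon-high)
    if [ -z "$low" ] || [ -z "$high" ] || [ "$low" -gt "$high" ]; then
        echo "ob-daemon-low/ob-daemon-high missing, not tcp, or inverted" >&2
        return 1
    fi
    # Page guideline: above 20,000 and below 32,000. The page's own example
    # range starts at 20,000, so 20000 itself is accepted here (assumption).
    if [ "$low" -lt 20000 ] || [ "$high" -ge 32000 ]; then
        echo "range $low-$high is outside 20000..31999" >&2
        return 2
    fi
    size=$((high - low + 1))
    by_jobs=$(($2 * 5))       # estimate 1: concurrent OSB activities x 5
    by_drives=$(($3 * $4))    # estimate 2: drives inside x clients outside
    need=$by_jobs
    [ "$by_drives" -lt "$need" ] && need=$by_drives   # assumption: smaller estimate is the floor
    echo "range=$low-$high size=$size by_jobs=$by_jobs by_drives=$by_drives"
    if [ "$size" -lt "$need" ]; then
        echo "range has fewer ports than either estimate" >&2
        return 3
    fi
    return 0
}

# Constructed sample input (not a real host's file): the page's example range,
# checked for 5 concurrent activities, 2 tape drives inside, 10 clients outside.
sample=$(mktemp)
printf 'ob-daemon-low 20000/tcp\nob-daemon-high 20024/tcp # OSB\n' > "$sample"
osb_check_range "$sample" 5 2 10
rm -f "$sample"
```

Run it against /etc/services on the Administrative Server and on each client, since the range has to match what the firewall rule opens.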

Configuration tip:
If a NAS device outside the firewall has a tape drive attached to it that will be utilized for its backups (no backup of the NAS
device will be performed to devices inside the firewall) and the OSB Administrative Server is inside the firewall:
---TCP port 400 is still required to work in both the inbound and outbound directions.
---TCP port 10,000 is only required to be configured in the outbound (secure -> unsecure) direction. This is because the
NAS is on the “unsecure” side and won’t require bi-directional communication if the tape drive is also on the unsecure side
of the firewall.
