Networker

Re: [Networker] configuring a NW server with two NICs (DMZ bkups)

2005-10-20 13:40:38
Subject: Re: [Networker] configuring a NW server with two NICs (DMZ bkups)
From: Tim Mooney <mooney AT DOGBERT.CC.NDSU.NODAK DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 20 Oct 2005 12:37:40 -0500
In regard to: [Networker] configuring a NW server with two NICs (DMZ...:

> I spoke with our LAN people, who are vehemently opposed to punching holes
> in the firewall but instead suggested that I enable another NIC on the bkup
> server and hook it into the DMZ network.

I don't understand that; doesn't that punch a pretty huge hole in your
firewall too?  Your backup server now sits astride both networks.  Anyone
that can get onto it can get onto your internal network, and your Legato
backup server certainly presents a much broader target than a firewall with
a dozen ports punched open in it.

> We've done this, so now the
> config looks like this:
>
> clientIP:  x.x.x.19 (DMZ space)
> serverIP:  x.x.9.26 (LAN IP)
>      and      x.x.x.23 (DMZ space, same subnet as clientIP)

It shouldn't be too bad then.  For best results, your client needs to be
able to resolve your server's DMZ address.  It doesn't need to know
anything about the server's internal address or hostname.  Resolution
of the server's DMZ name might come from your DNS or it might come from
/etc/hosts on your client -- it depends on your situation.

Once your client knows that x.x.x.23 points to the server's DMZ name, and
your server's DMZ name points to x.x.x.23, you should modify /nsr/res/servers
on the client, and change the name there to be the appropriate name -- the DMZ
name for your server.  Then restart nsrexecd.

Based on what you describe, your server should already be able to resolve
the client's DMZ address and hostname.  If that's the case, the only thing
you have to do on the server is make sure that you have the server's
operating system's routing set up correctly.  There shouldn't be anything
that needs to change within NetWorker.  The change would be at the OS
level, to make sure that pinging and doing something like

        rpcinfo -p clients.dmz.hostname

go over the server's DMZ interface.  That may just involve a netmask
setting, it may involve a static route, or it may involve something else.
BTW, I would be very careful about using dynamic routing via something
like gated on your server.  That might make the fact that your server sits
astride both networks an even bigger problem.

Tim
--
Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
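
Added example, not part of the original message or of NetWorker itself: a shell check that every server name listed for the client resolves to an address on the client's own subnet (so the client never depends on the server's LAN-side name), plus a helper that reads the egress interface from Linux `ip route get` output. Assumptions: /nsr/res/servers holds one server name per line, names resolve through a hosts-format file, the DMZ is a /24, and all hostnames and addresses below are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: /nsr/res/servers lists one server name per line,
# names resolve through a hosts-format file, and the DMZ is a /24.

# lookup_ip HOSTS_FILE NAME: print the address a hosts-format file maps NAME to
lookup_ip() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $1; exit } }
    ' "$1"
}

# same_subnet24 IP1 IP2: true when both addresses share their first three octets
same_subnet24() { [ "${1%.*}" = "${2%.*}" ]; }

# check_servers_file SERVERS_FILE HOSTS_FILE CLIENT_IP
# Non-zero exit if a listed server is unresolvable or resolves to an address
# outside the client's subnet (i.e. the client was given the LAN-side name).
check_servers_file() {
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        ip=$(lookup_ip "$2" "$name")
        if [ -z "$ip" ]; then
            echo "FAIL $name: client cannot resolve it"; rc=1
        elif same_subnet24 "$ip" "$3"; then
            echo "OK   $name -> $ip (DMZ side)"
        else
            echo "FAIL $name -> $ip (not on the client's subnet)"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# route_dev: read `ip route get <client>` output on stdin, print the egress NIC
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Constructed sample data (192.0.2.0/24 stands in for the DMZ)
tmp=$(mktemp -d)
printf '192.0.2.23 bkup-dmz.example.org bkup-dmz\n' > "$tmp/hosts"
printf 'bkup-dmz.example.org\n' > "$tmp/servers"
check_servers_file "$tmp/servers" "$tmp/hosts" 192.0.2.19
echo "192.0.2.19 dev eth1 src 192.0.2.23" | route_dev   # constructed route output
rm -rf "$tmp"
```

On a live server, `ip route get <client address> | route_dev` should name the DMZ-facing interface; if it names the LAN interface, the OS-level routing still needs the netmask or static-route fix described above.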
