Network security, Tcp/ip ports, Network firewalls – Storix Software SBAdmin TSM Edition Users Guide User Manual

Page 109: Remote command execution

23. Network Security

SBAdmin was created with safeguards in place to prevent breaches in security without disrupting the security
and integrity of the remaining network. This section outlines the flow of network traffic, the security measures
that have been implemented, and what steps need to be taken by security personnel to ensure that your
software will function properly between network firewalls.

TCP/IP Ports

SBAdmin configured with a TSM Edition license communicates via the Transmission Control
Protocol/Internet Protocol (TCP/IP). This communication is handled through two different ports, the Dataport
and the Statusport. By default, SBAdmin uses port numbers 5026 and 5027, which are registered with the
Internet Assigned Numbers Authority (previously used 8191 and 8192). These port numbers are determined
during the installation of the software and can be changed by the user at that time. If you need to change the
port numbers used, simply reinstall the software and update the port numbers at that time. If you change your
port numbers, previously made boot images on CDs will attempt to communicate through the old port numbers if
installing from a remote server. It is advised to create your boot media/images after changing your port
numbers.

It is very important that the Administrator and Clients using SBAdmin are
configured to use the same port numbers. You can verify this by checking the
/.stdefaults file for the following entries:

DATAPORT=5026
STATPORT=5027
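
The check described above, as an added example that is not part of the Storix manual: POSIX shell functions that compare the DATAPORT and STATPORT entries of two copies of /.stdefaults, such as the Administrator's and one collected from a Client. It assumes the file holds plain KEY=value lines as shown above; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SBAdmin code): compare port entries in two copies
# of /.stdefaults. Assumes plain KEY=value lines, as the manual shows.

# get_port FILE KEY: print the last value set for KEY; fail if it is
# missing, non-numeric, or outside the valid TCP port range.
get_port() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    case "$val" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$val" -ge 1 ] && [ "$val" -le 65535 ] || return 1
    printf '%s\n' "$val"
}

# compare_ports ADMIN_FILE CLIENT_FILE
# returns 0 if both entries match, 1 on a mismatch,
# 2 if an entry is missing or invalid in either file.
compare_ports() {
    st=0
    for key in DATAPORT STATPORT; do
        a=$(get_port "$1" "$key") || { echo "$key missing or invalid in $1" >&2; return 2; }
        c=$(get_port "$2" "$key") || { echo "$key missing or invalid in $2" >&2; return 2; }
        if [ "$a" != "$c" ]; then
            echo "MISMATCH $key: admin=$a client=$c" >&2
            st=1
        fi
    done
    return $st
}

# Constructed sample copies; a real check would read each host's /.stdefaults.
tmp=$(mktemp -d)
printf 'DATAPORT=5026\nSTATPORT=5027\n' > "$tmp/admin"
# Client still configured with the previously used Dataport number.
printf 'DATAPORT=8191\nSTATPORT=5027\n' > "$tmp/client"
compare_ports "$tmp/admin" "$tmp/client" || echo "compare_ports exit status: $?"
rm -rf "$tmp"
```

A non-zero status for any Client identifies a system that will not be able to reach the Administrator on the expected ports.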

These two ports are listening ports and must be open to incoming TCP/IP traffic from other systems within your
SBAdmin network. SBAdmin uses the ports specified above to transfer backup data, status messages, and to
run remote commands. Only the SBAdmin network daemon process “strexecd” can properly answer requests
on these ports. Any other process attempting to open these ports will receive a connection error.

Network Firewalls

When a backup or restore is performed remotely, commands are initiated between the Admin and Client. The
network communications on these ports are set up automatically when SBAdmin is installed on any system. If
you have a network firewall between any of your systems utilizing SBAdmin, you will need to open the
communication on these ports, or select other port numbers to use that are allowed by the firewall.

Some firewalls will close inactive ports after a certain period of time. It is advisable to turn off this timeout, if
possible. Should a firewall timeout occur, SBAdmin will continue a backup, but no further messages will appear
and SBAdmin will not receive the exit status of the command. Although the backup usually completes
successfully, SBAdmin will appear to have hung.

Remote Command Execution

SBAdmin is the only application that can communicate over the SBAdmin ports. In addition, only specific
commands can be run remotely.

All remote commands are executed using the “strexec” executable, which may be executed only by the root
user on the system.

All attempts to run remote commands are checked for authenticity as follows:

Storix System Backup Administrator

Version 8.2 TSM Edition User Guide