About the communication between a NetBackup client located in a demilitarized zone and a primary server through an HTTP tunnel
In a NetBackup deployment setup, the client computers can be in a demilitarized zone (DMZ) where the communication takes place only through specific web ports.
All NetBackup clients must be able to communicate with the web management service on the primary server to deploy security certificates and authorize peers for secure connections. For example, the NetBackup client sends requests to the primary server for deploying certificates, which is essential for secure NetBackup communication. In a DMZ setup, the client might not be able to send web service requests directly to the primary server. In this scenario, a NetBackup client sends a connection request and a web service request to the HTTP tunnel on the media server by the HTTP CONNECT proxy method. The HTTP tunnel accepts the connection request and forwards the web service request to the primary server.
The HTTP tunneling feature allows the NetBackup clients in a DMZ to send web service requests to the primary server. The NetBackup media server forms an HTTP tunnel that forwards the web service request from the NetBackup client to the primary server. The further web service communication uses Secure Socket Layer (SSL).
Note:
The port number 1556 on the media server must be accessible by the NetBackup client for sending web service requests.
In a single domain or multi-domain environment, when the NetBackup client in a DMZ tries to send a web service connection request to the primary server, it follows a particular sequence:
Table: Sequence to send a connection request

| Sequence | Description |
|---|---|
| 1. The NetBackup client tries to send the connection request directly to the primary server. | In a DMZ, the web service connection request might not succeed. |
| 2. If the direct connection fails, then the client checks if a media server is specified to use HTTP tunneling to send the web service connection request to the primary server. | |
| 3. If a media server is not specified, then the client refers to a list of media servers that is available in the NetBackup configuration and uses them for sending web service connection requests. | NetBackup client maintains an internal cache file ( |
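The following is an added example, not NetBackup or Veritas code, that models the two pieces described above: the three-step route selection the client performs (direct, then the configured tunnel media server, then the media servers in its configuration) and the HTTP CONNECT exchange used to ask the media server's tunnel to relay to the primary server on port 1556, after which TLS is started end to end. Hostnames, the `can_reach` probe and the sample replies are constructed for the example; `open_tunnel` uses the standard `ssl` module with an optional CA file argument as an assumption, since the page does not describe how the client validates the primary server's certificate.

```python
"""Added example (not NetBackup code): client-side route selection and the
HTTP CONNECT handshake used to reach the primary server's web service through
a media-server tunnel.  Hostnames and sample data are constructed."""
import socket
import ssl
from typing import Callable, Iterable, Optional, Tuple

WEB_SERVICE_PORT = 1556  # port the page says must be reachable on the media server


def build_connect_request(primary_host: str, port: int = WEB_SERVICE_PORT) -> bytes:
    """Build the HTTP CONNECT request a client sends to an HTTP tunnel/proxy."""
    return (
        f"CONNECT {primary_host}:{port} HTTP/1.1\r\n"
        f"Host: {primary_host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> int:
    """Return the HTTP status code from the tunnel's reply to CONNECT.
    Raises ValueError when the reply does not start with an HTTP status line."""
    head = raw.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def select_route(primary: str, tunnel_server: Optional[str], media_servers: Iterable[str],
                 can_reach: Callable[[Optional[str], str], bool]) -> Optional[Tuple[str, str]]:
    """Apply the sequence from the table: 1) direct to the primary server;
    2) the media server configured for HTTP tunneling, if any; 3) each media
    server listed in the client configuration.  can_reach(via, primary) is
    injected so the logic can be exercised offline (via=None means direct).
    Returns ("direct", primary), ("tunnel", media_server) or None."""
    if can_reach(None, primary):
        return ("direct", primary)
    if tunnel_server and can_reach(tunnel_server, primary):
        return ("tunnel", tunnel_server)
    for media_server in media_servers:
        if can_reach(media_server, primary):
            return ("tunnel", media_server)
    return None


def open_tunnel(media_server: str, primary_host: str, cafile: Optional[str] = None,
                timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect to the media server on 1556, ask it to CONNECT to the primary
    server, then start TLS through the tunnel so the media server only relays
    ciphertext.  cafile is an assumed parameter for the CA that signed the
    primary server's web service certificate; None uses the system trust store."""
    sock = socket.create_connection((media_server, WEB_SERVICE_PORT), timeout=timeout)
    try:
        sock.sendall(build_connect_request(primary_host))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("tunnel closed before replying to CONNECT")
            reply += chunk
        status = parse_connect_response(reply)
        if status != 200:
            raise ConnectionError(f"tunnel refused CONNECT with status {status}")
        ctx = ssl.create_default_context(cafile=cafile)
        return ctx.wrap_socket(sock, server_hostname=primary_host)
    except Exception:
        sock.close()
        raise


def demo() -> dict:
    """Offline walk-through with constructed hosts: the primary server is not
    reachable directly from the DMZ, the configured tunnel server is down, and
    one media server from the configuration list accepts the connection."""
    reachable = {("media1.example", "primary.example")}  # constructed reachability

    def can_reach(via: Optional[str], primary: str) -> bool:
        return (via, primary) in reachable

    return {
        "route": select_route("primary.example", "media0.example",
                              ["media0.example", "media1.example"], can_reach),
        "connect": build_connect_request("primary.example"),
        "status": parse_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\n"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints the selected route, the CONNECT request bytes and the parsed status; `open_tunnel` is the only function that touches the network and is left for use against a real media server.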
The following additional options are available for configuring the HTTP Tunnel feature:
WEB_SERVER_TUNNEL_USE - You can use this option on the NetBackup clients to configure the default communication behavior using the HTTP Tunnel.
WEB_SERVER_TUNNEL_ENABLE - By default, HTTP Tunnel is enabled on the media server. You can use this option on the media servers to disable the HTTP Tunnel feature.
For more information, refer to the NetBackup Administrator's Guide Volume I.
If your NetBackup client configuration does not contain information about the media servers in the domain, run the nbsetconfig command on the primary server. The registry on a Windows client or the bp.conf file on a UNIX client includes the primary and the media servers that the client selects to send connection and web service requests.

If you use the nbcertcmd -getCertificate command on the NetBackup client in a DMZ, and you see one of the following errors:
EXIT STATUS 5955: The host name is not known to the primary server.
EXIT STATUS 5954: The host name could not be resolved to the requesting host's IP address.
Use a token to deploy the security certificate because the primary server cannot match the IP address of the HTTP tunnel to the identity of the host that requests the certificate.
The NetBackup audit report lists the media server as the user if an HTTP tunnel is used to send a certificate request to the primary server.