About NAT support in NetBackup
NetBackup supports NetBackup clients and servers in a private network that are connected to NetBackup servers in a public network via a device that performs Network Address Translation (NAT). This document refers to such NetBackup clients and servers as NAT clients and NAT servers respectively.
NAT clients and NAT servers together are referred to as NAT hosts.
NetBackup supports NAT clients and NAT servers (or a NAT host) in a network topology where the following conditions are met:
A NAT host should be able to resolve the host names of the NetBackup servers that are deployed in a public network and initiate connections with them. It is not required that the NetBackup servers be able to initiate connections to the NAT host.
A host name assigned to a NAT host should be resolvable in the private network. It is not required that the host name of the NAT host be resolvable from the NetBackup servers in the public network.
Bi-directional connectivity should exist between the primary server and all media servers.
Bi-directional connectivity is required between media servers and clients that are behind NAT.
The NetBackup software on the NetBackup servers and NAT hosts must be configured for NAT support as described in this document.
When working with NAT hosts, NetBackup software ensures that all network connections are initiated from the NAT client to the NetBackup servers in the public network. In other words, no connections are directly initiated from the NetBackup servers to the NAT hosts. The NAT host support relies on a new NetBackup Messaging Broker (nbmqbroker) service on the primary server and a subscriber service on each NAT host that maintains a persistent connection to the messaging broker service on the primary server. This enables the NetBackup servers to send commands to the NAT hosts via the messaging service. When a NetBackup server needs to connect to a NAT client (for example to perform a backup) it sends a 'reverse connection request' message to the NAT host via the primary server. On receiving this message, the NAT client initiates a connection to the requesting NetBackup server.
Here is how a connection between a media server and a NAT client takes place:
The NetBackup Messaging Broker (nbmqbroker) service starts on the primary server if NAT support is enabled.
The subscriber service starts on the NAT host along with other client services and subscribes to the nbmqbroker service on the primary server if NAT support is enabled on the host.
When a media server wants to connect to a NAT client or a primary server wants to connect to a NAT server, it publishes the NAT host's reverse connection request message to the message broker that exists on the primary server.
The message broker delivers the message to the subscriber service on the NAT host.
The subscriber service initiates a connection from the NAT host to the requesting NetBackup server.
The media server uses this connection to communicate with the NAT client or the primary server uses this connection to communicate with the NAT server.
See Workflow to enable NAT hosts in NetBackup domain.
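The connection sequence described above, modeled on loopback sockets as an added example (not NetBackup code and not the nbmqbroker wire protocol). The message names SUBSCRIBE, REVERSE_CONNECT and HELLO, the host name, and the single-process broker and media server are assumptions made for illustration; the point it shows is that the NAT host never listens and is the initiator of every TCP connection.

```python
import socket, threading

def listen():
    """Loopback listener on an ephemeral port; stands in for a public-network server."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

def recv_line(conn):
    """Read one newline-terminated message."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()

def nat_host(broker_port, name, log):
    """Subscriber on the NAT host: it only dials out and never listens."""
    log.append(("nat-host", "connect", "broker"))
    sub = socket.create_connection(("127.0.0.1", broker_port))  # persistent link
    sub.sendall(f"SUBSCRIBE {name}\n".encode())        # constructed message name
    _, host, port = recv_line(sub).split()             # REVERSE_CONNECT <host> <port>
    log.append(("nat-host", "connect", "media"))
    data = socket.create_connection((host, int(port)))  # the reverse connection
    data.sendall(f"HELLO from {name}\n".encode())
    data.close()
    sub.close()

def run_flow(name="client1.private.example"):
    """Play broker and media server in this thread, the NAT host in another."""
    socket.setdefaulttimeout(5)     # fail instead of hanging if a step breaks
    log = []
    broker, broker_port = listen()  # primary server: messaging broker
    media, media_port = listen()    # media server: awaits the reverse connection
    t = threading.Thread(target=nat_host, args=(broker_port, name, log))
    t.start()
    sub, _ = broker.accept()        # subscriber has connected outbound
    subscribed = recv_line(sub)
    log.append(("broker", "deliver", "nat-host"))  # request rides the existing link
    sub.sendall(f"REVERSE_CONNECT 127.0.0.1 {media_port}\n".encode())
    conn, _ = media.accept()        # NAT host dialed the media server
    greeting = recv_line(conn)      # media server talks over that connection
    t.join()
    for s in (conn, sub, media, broker):
        s.close()
    return subscribed, greeting, log
```

Calling run_flow() returns the subscription message, the greeting received by the media server, and an ordered log in which every "connect" entry originates from the NAT host. A firewall in front of the NAT host therefore needs to permit only outbound connections for this pattern to work.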
NetBackup NAT support can also be used in the following non-NAT environments where it is desirable or mandatory for the NetBackup clients to initiate all connections to the NetBackup servers:
Clients or servers are behind a firewall that is configured to disallow incoming connections
Host names of clients or servers cannot be resolved to an IP address from the NetBackup servers, for example, DHCP clients without Dynamic DNS
Clients or servers to which media servers or primary servers cannot directly connect for any reason