Hello,

 

Our firewall administrator asked me about the ports that need to be open for Retrospect; the client is in another subnet behind a very restricted firewall. The documentation says that port 497 needs to be open for UDP and TCP. Apparently these ports are open and there is still no connection between the server and client (error -1028, client is not visible). Is that all? Is it true that broadcast and multicast need to be allowed as well? What would the rules for those be? Why do we need to use UDP? Is anybody kind enough to provide a list of firewall rules that need to be open for Retrospect?

 

thank you very much,

 

-Popak


Quote:

Apparently these ports are open and still no connection between the server and client (error -1028 client is not visible)

- When do you see the -1028 error? Are you using Configure->Clients->Network->Test ?

 

UDP is used for client discovery. This allows clients to be found even if their IP address changes. If you're using static addresses, you might be able to get away with only TCP 497 open.

 

Some additional information about how you are configuring the program would go a long way towards others recognizing where your problem might lie.

 

Dave


Yes, I do use static IP. I also went to Configure->Clients->Network->Test and also configured the subnet broadcasting for that IP as well. The server is at my end and at this moment I have turned off the firewall (system firewall) but the client is unreachable (restricted subnet). When I took a look at the other servers, which are in the same subnet as the server, they have another rule like this: from 224.0.0.1 to any port 497 UDP and TCP. Do you know if I need to add this broadcast rule to the restricted client behind the firewall?

 

-Popak


Quote:

The server is at my end and at this moment I have turned off the firewall (system firewall) but the client is unreachable (restricted subnet).

Sorry, but this is just not clear. Are you saying that the Firewall Administrator has allowed you to completely disable his "very restricted" configuration?

 

If you decide to configure Retrospect to access clients directly by TCP/IP address, you won't need to configure the program's Subnet Broadcast capabilities. And I _think_ that it would be ok if UDP 497 was not open.

 

But without knowing more accurately the network topology you're working in (such as, for example, the operating system of the firewall being used), it would be irresponsible for people to suggest rule text.

 

More information, please.

 

Dave


Adding a client by IP address will allow you to avoid all UDP and broadcast traffic but port 497 must be open.

 

Normally Retrospect would use UDP and TCP along with Subnet Broadcast and Multicast. The UDP is used to locate the client and TCP is used for the data transfer.

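A way to check the TCP half of the replies above, as an added example that is not part of the thread or of Retrospect: run it on the backup server in subnet A against the client's static IP to see whether a handshake on TCP 497 completes, is refused, or gets no answer. The script name, `probe_tcp` and the `MEANING` table are this example's own; UDP discovery is not tested.

```python
import errno
import socket
import sys

RETROSPECT_PORT = 497  # port named in the thread; TCP carries the backup data

# What each result suggests (this example's interpretation, not Retrospect's).
# Some firewalls reject with a reset, so "refused" can also come from a filter.
MEANING = {
    "open": "listener answered; TCP path through the firewall works",
    "refused": "reset received; path answers but nothing accepts on the port",
    "filtered": "no reply before timeout; a firewall is likely dropping it",
    "unreachable": "no route to the host or network",
}


def probe_tcp(host, port=RETROSPECT_PORT, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe497.py <client-ip>")
    result = probe_tcp(sys.argv[1])
    print(f"{sys.argv[1]}:{RETROSPECT_PORT}/tcp -> {result}: {MEANING[result]}")
```

A "filtered" result with the client software running points at the firewall between the subnets rather than at the Retrospect configuration.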

So here is the topology of the network:

The server (Mac OS X Server 10.3.9, Retro 6.1.126) is running in subnet A (this subnet is not behind any firewall).

The client (OS X Server 10.4.7, Retro 6.1.107) is running in subnet B (this subnet is behind a very restricted firewall; this is a hardware firewall).

When I configure the server to see the client, I also set the subnet broadcasting as well. My problem is that I keep getting error -1028, and the firewall administrator is telling me that he has opened 497 UDP and TCP both ways, incoming and outgoing, to the remote machine. My question is whether I need to add any rules for broadcasting or multicasting.

 

thank you guys

 

-Popak


Quote:

When I took a look at the other servers, which are in the same subnet as the server, they have another rule like this: from 224.0.0.1 to any port 497 UDP and TCP. Do you know if I need to add this broadcast rule to the restricted client behind the firewall?

My question is if I need to add any rules for broadcasting or multicasting?

Are you saying that the OS X Server in Subnet B is running firewall services of its own?

 

In that case you certainly would have to use Server Admin to configure the services you want. Happily, Apple has included a "Dantz Retrospect" preset for you (wonder if they'll correct the company name for Leopard Server...). Just check the box and you should be good.

 

Dave


Thanks, Dave, for the response, but that rule (from 224.0.0.1 to any port 497 for TCP and UDP) has been used in the loose subnet (subnet A) for another client in the same subnet (subnet A). I was wondering if I should use the above rule for the machine that is sitting in subnet B (behind the hardware firewall), or does it not matter?

 

-Popak


Quote:

that rule (from 224.0.0.1 to any port 497 for TCP and UDP) has been used in the loose subnet (subnet A) for another client in the same subnet (subnet A).

Again, it's just not clear what you're trying to tell us.

 

- Where was this "rule" used? On a specific machine's ipfw configuration?

 

Can you answer the question posed above:

 

- Are you saying that the OS X Server in Subnet B is running firewall services of its own?


Quote:

Where was this "rule" used?

In the client at subnet A in the ipfwconfig (using the operating system firewall).

Quote:

Are you saying that the OS X Server in Subnet B is running firewall services of its own?

It is behind the HARDWARE firewall, and the operating system firewall is not turned ON.

 

thanks

 

-Popak


Archived

This topic is now archived and is closed to further replies.
