HP Data Protector: Backup of DMZ servers

Sometimes it’s necessary to back up systems that are behind a firewall. Servers in a DMZ are a good example. With HP Data Protector, there are some things to know and consider before you can back up systems behind a firewall. Let’s start with some basics.

The components

Cell Manager: The Cell Manager (CM) is the backup server itself. It controls the whole environment and stores the licenses, clients, media, devices, backup specifications etc.

Backup specification: A backup specification describes WHAT has to be backed up and WHERE it should be written.

Backup Session Manager: The Backup Session Manager (BSM) starts MA and DA, controls the session and stores metadata in the DB.

Disk Agent: The Disk Agent (DA) is the backup client itself. It’s used to read or write data from or to the server, and send the data to the Media Agent (MA).

Media Agent: The Media Agent (MA) reads or writes data from or to a backup device. The data is sent or received by a DA. The MA can be installed on every server that has a backup device (tape or disk) attached.

HP Data Protector Session Flow

The different components of HP Data Protector interact with each other. The BSM is started on the HP Data Protector Cell Manager and reads the backup specification. Then the BSM starts the DA and MA. The control data is exchanged between DA, MA and BSM. The actual backup data travels from the DA to the MA, and in case of a restore from the MA to the DA.

Patrick Terlisten/ vcloudnine.de/ Creative Commons CC0

Typically the MA runs on the same host as the BSM (which is started on the Cell Manager). But you can also use different servers for the CM/BSM and the MA. Think about a virtualized HP Data Protector Cell Manager and a physical host that has a tape library connected. If your BSM and MA are behind a firewall (from the DA perspective), you have to get the control data and the data flow through the firewall. For this, ports must be opened on the firewall.

The requirements

One of the most important things in a HP Data Protector environment is DNS! Most errors I see are DNS related. This leads to the requirement that there has to be functional name resolution between Cell Manager, MA and DA. Before you proceed further, please check the name resolution. Please note that ping isn’t a qualified tool to test the name resolution! You should use nslookup or dig for this.

The next step is to define port ranges that are used for the communication between BSM, MA and DA. Because HP Data Protector is a top notch backup product, you have to change the omnirc file with your favorite editor. Yes, even if you have a Windows based Cell Manager. The omnirc file is located in:

Operating System   Path
Windows < 2008     C:\Program Files\Omniback\omnirc
Windows > 2008     C:\ProgramData\Omniback\omnirc
Linux/ UNIX        /opt/omni/.omnirc

You have to add the OB2PORTRANGESPEC parameter, which limits the number of ports that are used for communication between the different components. Then you have to open these port ranges in your firewall. The ports will be picked randomly from the range. The complete parameter looks like this:

OB2PORTRANGESPEC=xSM:20000-20250;CRS:18000-18005;xMA-NET:19000-19010

xSM is used to define the ports that are used by Backup Session Manager (BSM), Restore Session Manager (RSM) and Database Session Manager (DBSM). For each session manager one port is used. You can define specific ranges for each session manager by replacing the x with B, R or DB. For example:

OB2PORTRANGESPEC=BSM:20000-20005;RSM:20006-20010;DBSM:20011-20020;CRS:18000-18050;xMA-NET:19000-19010

If the option “Reconnect broken connections” is enabled, each DA needs a connection to an xSM: DA to BSM when taking a backup, DA to RSM when doing a restore and DA to DBSM for an IDB backup. So the xSM range limits the number of concurrent sessions of your Cell Manager. Choose this wisely…

Because the data flows directly from the DA to the MA, each DA needs a connection to an MA. With the port range specified above, you could have 11 concurrent connections from a DA to an MA.

If the server you want to back up runs an application like Oracle, Exchange or MS SQL, you need additional connections to the Cell Manager, to be precise to the Cell Request Server (CRS). The port range for these connections is defined with the CRS part of the OB2PORTRANGESPEC parameter.

If the MA runs on a different host than the Cell Manager, you have to add the xMA part of the OB2PORTRANGESPEC parameter to the omnirc file on the server with the MA. After you have changed the omnirc file, you have to restart the HP Data Protector services.

The port ranges in use, as a table:

Source        Target  Location  TCP Source Port Range  TCP Destination Port Range
Cell Manager  DA      DMZ       1024 - 65536           5555
DA            MA      LAN       1024 - 65536           19000-19010
DA            xSM     LAN       1024 - 65536           20000-20250
DA            CRS     LAN       1024 - 65536           18000-18005
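
Before requesting the firewall change, the OB2PORTRANGESPEC line can be checked and turned into the list of destination ranges to open. The following is an added example, not part of the original article or of HP Data Protector; it assumes the `name:low-high;...` syntax exactly as shown above, and the function names are hypothetical.

```python
import re

# Constructed sample input: the two OB2PORTRANGESPEC values shown in this article.
SPEC = "OB2PORTRANGESPEC=xSM:20000-20250;CRS:18000-18005;xMA-NET:19000-19010"
SPLIT_SPEC = ("OB2PORTRANGESPEC=BSM:20000-20005;RSM:20006-20010;"
              "DBSM:20011-20020;CRS:18000-18050;xMA-NET:19000-19010")

# One entry: component name, colon, low port, dash, high port.
ENTRY = re.compile(r"^([A-Za-z-]+):(\d+)-(\d+)$")


def parse_portrangespec(line):
    """Return {component: (low, high)}; raise ValueError on malformed input."""
    key, sep, value = line.strip().partition("=")
    if key != "OB2PORTRANGESPEC" or not sep:
        raise ValueError("not an OB2PORTRANGESPEC line")
    ranges = {}
    for entry in filter(None, value.split(";")):
        m = ENTRY.match(entry.strip())
        if not m:  # e.g. an entry written with '=' instead of ':'
            raise ValueError(f"malformed entry: {entry!r}")
        name, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        if name in ranges:
            raise ValueError(f"duplicate component: {name}")
        ranges[name] = (low, high)
    return ranges


def find_overlaps(ranges):
    """Neighbouring components (sorted by port) whose ranges share a port."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:])
            if blo <= ahi]


def firewall_rules(ranges):
    """(component, destination port range, number of ports) per entry."""
    return [(name, f"{low}-{high}", high - low + 1)
            for name, (low, high) in sorted(ranges.items())]


if __name__ == "__main__":
    for rule in firewall_rules(parse_portrangespec(SPEC)):
        print("DA (DMZ) -> %s (LAN): TCP %s, %d ports" % rule)
```

The port count per entry is the upper bound on concurrent connections for that component, which is where the figure of 11 DA-to-MA connections comes from.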

I hope this article has helped to understand the functioning of HP Data Protector.