Will an NDMP three-way backup work with a firewall?
NOTE: Before reading this article, Mirapoint highly recommends reading the latest version of the Mirapoint Backup and Restore Guide.
Most firewalls and smart routers can be configured to allow NDMP backups across them, but you may need to take special precautions.
In a three-way configuration, the NDMP client (DMA) connects to an NDMP Mover service (the tape host) and requests an IP address and port number that can be used by an NDMP Data service (the mailstore) to transfer data. (The DMA and the Mover service often reside on the same system, but not always.)
The DMA connects to a Data service, passes the IP address and port number obtained from the Mover service, then lets the Data service handle the rest.
While the NDMP control connection is made on port 10000 by default, the actual data connection is made on a random high port, within a range configured in the DMA, and needs to be passed by the firewall.
This is a particular problem with routers that use Network Address Translation (NAT), as the IP address encapsulated within the NDMP protocol may not be understood and translated by a NAT router.
Problems may also occur when firewall rules only allow connections to be initiated from one side and do not account for the connection made from the mailstore (the Data service) to the tape host at the request of the DMA.
Check your DMA product documentation to see what range of high ports is used and, if desired, whether there is a way to restrict or modify that range, then configure your firewall to pass connections on the range the Mover will use.
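As an added illustration (not Mirapoint's code or any DMA's own tooling), the following script models the three connections described above and reports which ones a given set of one-direction firewall rules would block. Host addresses, the 10001-10100 port range, and the rule format are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NDMP_CONTROL_PORT = 10000  # default NDMP control port

@dataclass(frozen=True)
class Rule:
    """Firewall rule: connections *initiated* from src net to dst net on an inclusive port range."""
    src: str
    dst: str
    ports: tuple  # (low, high)

def three_way_connections(dma, mover, data, mover_port_range):
    """Connections an NDMP three-way backup needs, as (name, src, dst, low, high).

    Control sessions go from the DMA to the Mover and to the Data service on 10000.
    The data session is initiated by the Data service (mailstore) towards the
    address/port the Mover handed out, somewhere in the DMA-configured range.
    """
    low, high = mover_port_range
    return [
        ("control-to-mover", dma, mover, NDMP_CONTROL_PORT, NDMP_CONTROL_PORT),
        ("control-to-data", dma, data, NDMP_CONTROL_PORT, NDMP_CONTROL_PORT),
        ("data", data, mover, low, high),
    ]

def allowed(rules, src, dst, low, high):
    """True if the whole port range is permitted for connections initiated src -> dst.

    A connection that stays on one host (DMA and Mover on the same system) never
    crosses the firewall and is treated as allowed.
    """
    s, d = ip_address(src), ip_address(dst)
    if s == d:
        return True
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.ports[0] <= low and high <= r.ports[1]):
            return True
    return False

def check_backup_path(rules, dma, mover, data, mover_port_range):
    """Return the connections that the rules would block (empty list means the backup can run)."""
    return [c for c in three_way_connections(dma, mover, data, mover_port_range)
            if not allowed(rules, *c[1:])]

if __name__ == "__main__":
    # Constructed example: DMA and Mover share the tape host 192.0.2.10; the
    # mailstore 198.51.100.20 sits behind a firewall that only passes DMA -> mailstore.
    one_way = [Rule("192.0.2.0/24", "198.51.100.0/24", (10000, 10000))]
    print(check_backup_path(one_way, "192.0.2.10", "192.0.2.10", "198.51.100.20", (10001, 10100)))
```

The blocked entry it prints is exactly the mailstore-initiated data connection; adding a return-direction rule for the Mover's port range clears it, as the page advises.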