NV8.x: Firewall port range not used when connecting to non netvault machines such as Filers (4046479)

Date - 01/2009
Affected Product & Version - NetVault: Backup v8.x
Affected Module & Version - ALL
OS Version - ALL
Application Information - N/A


Symptoms:
- The NetVault SERVER and a FILER attached library are on one side of a firewall
- A NetVault CLIENT to backup is "Outside firewall" in DMZ with a firewall port range configured on it
- The NetVault SERVER can contact, add, browse and backup the remote client to it's own NetVault server VTL
- However, if we specify the backup target to be the filer attached device, the remote client backup will fail.

Reason:
Trace shows that the NetVault CLIENT plugin tries to establish a data channel directly to the filer device.
First, a port is opened on the client and another one needs to be determined on the FILER, however, the port opened on the FILER is outside of the range defined on the client and firewall for communication with this DMZ CLIENT.
Since there is a firewall rule allowing traffic only on a specific tcp/udp port range, any attempts from the client plugin to contact a random port on the filer will consequently fail.

One would think that by configuring a port range on the client, any communication and transfer to and from this client would be done on ports within this range.
However, in the case of a FILER attached device, we depend on the FILER to broadcast which port it decides to use in this connection attempt.
The filer doesn't have any "NetVault intelligence" or nvconfigurator where you would set a port range, instead it chooses any port randomly and communicates this to the client.
A fault has been opened about this problem as it appears not to be a problem under NV7.4.5: NVG-4732

There are currently no easy ways of telling a FILER to always choose a set of ports for a specific communication.
To work around this:
- Perform Phase1 jobs to the NetVault Server's VTL then schedule Phase 2 Duplications from the NetVautl Server's disk to the Filer device.
- a less desirable alternative would be to open all traffic coming from the DMZ client's MAC Address to the FILER.