|
|
| |
| 1. Using Online Backup Service with an Internet Firewall |
| |
Connections are initiated from the backup clients inside the firewall. Connections are NEVER initiated from the
outside.
The program can work with all types of firewalls, including packet-filtering, circuit-filtering,
SOCKS-compliant Proxy or Mapped Proxy firewalls. For most firewalls, some configuration of the firewall by the firewall
administrator is needed. If your network requires explicit connection to the firewall to initiate outgoing connections, the backup
software must be configured for your firewall.
The requirements for running Online Backup service are consistent
with security best-practices. They do not create an opening for incoming connections, and outgoing connections can be limited to
specific ports at specific known IP addresses. As an added security measure, all data is DES-encrypted before leaving the user's PC.
It remains encrypted through transmission, and is stored encrypted at secure data center.
The following additional information
is useful to a firewall administrator for configuring a firewall to permit outgoing connections to the backup servers. |
| |
| 2. Protocols |
| |
| TCP/IP is used. There is no use of UDP or ICMP. |
| |
| 3. Server Subnets |
| |
| Each user's agent connects to a primary and an alternate server in order to provide high availability. Currently, all
servers reside in the subnet 204.164.111.0-63 (also expressed as 204.164.111.0/26) and in the subnet 140.239.229.0-63 (also expressed as
140.239.229.0/26). The client must have access to both of these subnets. Should these addresses change in the future, notice will be given
to allow firewall changes and the client software can be automatically updated with the new addresses. |
| |
| 4. Port Numbers |
| |
| All servers listen for client requests on a well known port number: 16384.
An agent always establishes a TCP/IP session with port 16384 on the server. |
| |
| 5. DNS |
| |
| The client connects to a server using the server's IP address, not its name.
Therefore, name resolution and access to a name server are not required. |
| |
| 6. Registrations vs. subsequent connections |
| |
| The agent is configured to connect to one of a pair of registration server addresses (primary and alternate) when it is
used for the first time. The registration process assigns a server address pair (primary and alternate) for all subsequent uses. |
| |
| 7. SOCKS - Compliant Proxy Servers |
| |
The agent software can be configured to connect out through a SOCKS proxy server. The IP address (or the DNS) of the proxy
server and the port number on which it listens for connections must be known in order to configure the backup software. SOCKS is designed
to allow outgoing connections and responses back to those connections, but to prevent other incoming packets. If your SOCKS proxy server has
been set up with additional restrictions on outgoing connections, it is necessary to include subnets in the permitted destinations.
When prompted by the setup program to select a Firewall option, select the "Use SOCKS proxy firewall" radio button and enter your
proxy server information. (Note: The default setting for SOCKS TCP Port is 1080). |
| |
| 8. Other Proxy Firewalls |
| |
In order for the agent software to be used with an application-based proxy firewall server, the firewall must be set to permit
outbound TCP connections for a generic application. Mapped firewalls require a separate port on the firewall for each different destination address.
The IP addresses that must be mapped will appear when you attempt to run the client software, or can be seen by selecting Options/Connection.../Firewall
in the client software. The destination port number is always 16384. The firewall administrator may choose any available port numbers on the firewall.
Finally, the agent must be configured with the IP address or the DNS of the firewall and the firewall port numbers that were chosen.
When prompted by the agent to select a Firewall option, select the "Use proxy firewall server(s)" radio button. Then enter the firewall
mapping that was configured on your firewall:
| 1. |
Enter the IP Address or DNS of your firewall into the "Firewall IP address" field for both Secure Data Centers. |
| 2. |
Enter the port numbers chosen by the firewall administrator. |
|
| |
| 9. Packet filtering firewalls |
| |
The following is a summary of "rules" that must be applied to the firewall software or hardware in order
to enable the client-server protocol. (All the rules are described from the "firewall's point of view").
| 1. |
Permit TCP/IP outbound to port 16384 to subnets 204.164.111.0-63
(204.164.111.0/26) and 140.239.229.0-63 (140.239.229.0/26). |
| 2. |
If your firewall requires you to explicitly permit the response packets to come back, do so by permitting
TCP/IP inbound to ports 1024-5000 from the subnets listed above, for an already-established connection. It is NOT necessary
to permit a connection originating from outside the firewall. |
| 3. |
We do not utilize UDP or ICMP. |
|
| |
| 10. Configuring Online Backup agent software |
| |
| When the client software is installed, it permits the user to specify the firewall address and ports to be used.
A corporate IT department can use our corporate deployment kit to pre-configure the software, so the user does not need to do this.
See the instructions above for the type of firewall you are using. The firewall settings in the software can be changed at any time
by selecting the Options/Connection... menu choice. |
| |
| Get Started | Support |
FAQs | Email Support |
