nsr_tunnel(5)
NAME
nsr_tunnel - NetWorker resource type 'NSR tunnel'
SYNOPSIS
type: NSR tunnel
DESCRIPTION
The NSR tunnel resource enables NetWorker clients and storage nodes to
communicate with a NetWorker server over a firewall. Traffic from the
client network is routed through a single TCP connection to the
NetWorker server residing in a "secure network".
To configure a tunnel, create an NSR tunnel resource in the NSRLA RAP
database on the NetWorker server or storage node and on a NetWorker
client that is designated as a proxy to the NetWorker server for hosts
in the client network.
To edit the NSR tunnel resource type:
nsradmin -p nsrexec -c "type:NSR tunnel"
For each enabled NSR tunnel resource, the nsrexecd process spawns an
nsrtund process which establishes and manages the tunnel between the
server and proxy hosts.
ATTRIBUTES
The following attributes are defined for resource type NSR tunnel. The
information in parentheses describes how the attribute values are
accessed. Create-only indicates that the value cannot be changed by an
administrator once the resource is created. Read/write means the value
can be set as well as read at any time. Choice indicates that the
value can only be selected from a given list. Yes/no means only a yes
or no choice is possible. Static attributes change values rarely, if
ever. Dynamic attributes have values which change rapidly. Hidden
means it is an attribute of interest only to programs or experts, and
these attributes can only be seen when the hidden option is turned on
in nsradmin(8). For example, an attribute marked (create-only, static)
has a value which is set when the attribute is created and never
changes. Several additional attributes (for example, administrator)
are common to all resources, and are described in nsr_resource(5).
name (create-only)
Name of the NSR tunnel instance.
autostart (read/write, choice)
Specifies whether the tunnel is automatically started with the
nsrexecd process. A value of Restart now instructs the nsrexecd
process to restart the nsrtund process that manages the tunnel.
Restarting the tunnel is required to activate any change in the
resource configuration.
designated proxy (read/write, yes/no)
Specifies that the host acts as the proxy host. The proxy host
resides in the insecure network and routes traffic from its
network to a single NetWorker server or storage node residing in
the secured network.
tunnel direction (read/write, choice)
Direction of the tunnel. Specifies which host initiates the
direct connection between proxy and server. server-to-proxy
instructs the server to initiate a connection to the proxy
whereas proxy-to-server instructs the proxy to initiate a
connection to the NetWorker server or storage node.
server tunnel address (read/write)
Address of the NetWorker server's end of the tunnel interface.
NetWorker clients in the proxy network will use this address to
communicate through the tunnel with the server in the secure
network. The value of this attribute must be a valid, unassigned
IPv4 address from the insecure network.
proxy tunnel address (read/write)
Address of the proxy's end of the tunnel. The value of this
attribute must be a valid, unassigned IPv4 address from the
insecure network.
server address (read/write)
Address of the NetWorker server or storage node in the secure
network.
proxy address (read/write)
Address of the proxy host in the client network.
connection port (read/write)
The port number used to establish the direct connection between
the proxy and server. The value of this attribute must be the
same in both the proxy and the server's tunnel resource. Each
tunnel must have a unique port number.
gateway to proxy (read/write)
Routing gateway to use to access the proxy's client network
address. The value of this attribute must be entered when the
proxy network attribute is set. Specifying a gateway prevents
the routing of traffic through the tunnel.
proxy network (read/write)
Proxy host's network. When specified, a network route entry for
the given network address is added to the server host when the
tunnel connection is established. The traffic to the network is
routed through the tunnel network interface. The value of this
attribute must have the following format: <network
address>/<network prefix>. For example, 192.168.5.0/24 specifies
the network address 192.168.5.0 with netmask 255.255.255.0. This
is an optional server-side attribute.
proxy network interface (read/write)
Name of the network interface connected to the client network.
For example, bge0 (Solaris) or eth0 (Linux). This is an optional
proxy-side attribute. This attribute is required to route
traffic from the client network through the tunnel. Leaving this
attribute unset limits the NetWorker server access to the proxy.
IP forwarding on the proxy host is implicitly enabled when this
attribute is specified.
filter ICMP messages (read/write, choice, yes/no)
Specifies whether ICMP messages are filtered. A value of Yes causes ICMP
message traffic through the tunnel to be discarded. Network
diagnostic tools such as ping(8) will no longer work with this
value set to Yes. This is a server-side attribute.
port exceptions (read/write)
List of port numbers that are allowed access through the NSR
tunnel. This is a server-side attribute.
send buffer size (read/write)
Send buffer size in bytes for the socket used to connect the
proxy and server. A value of zero causes the operating system
default value to be used. Larger buffer sizes can increase
tunnel throughput in busy environments.
receive buffer size (read/write)
Receive buffer size in bytes for the socket used to connect the
proxy and server. A value of zero causes the operating system
default value to be used. Larger buffer sizes can increase
tunnel throughput in busy environments.
keepalive interval (read/write)
Duration in seconds between keepalive transmissions. Keepalive
messages are sent periodically from the proxy to the server to
preserve the integrity of the connection between the hosts. A
value of zero disables the keepalive feature.
logging level (read/write, choice)
Severity level of messages written to the tunnel.raw log file.
The higher the severity, the more output is logged.
tunnel interface MTU (read/write, hidden)
Tunnel device Maximum Transmission Unit.
EXAMPLES
A NetWorker server nwserv.emc.com (128.222.111.77) serves the client
network 192.168.1.0/24. A host on the client network, nwproxy.emc.com
(192.168.1.99), has been selected as the designated proxy. IP addresses
192.168.1.2 and 192.168.1.3 have been selected as the tunnel end
points.
The server-side NSR tunnel resource is configured with the following
attribute values:
type: NSR tunnel;
name: TUN0;
autostart: Enabled;
designated proxy: No;
tunnel direction: server-to-proxy;
server tunnel address: 192.168.1.2;
proxy tunnel address: 192.168.1.3;
server address: 128.222.111.77;
connection port: 7232;
proxy address: 192.168.1.99;
gateway to proxy: 128.222.111.1;
proxy network: 192.168.1.0/24;
proxy network interface: ;
filter ICMP messages: No;
port exceptions: 111;
send buffer size: 0;
receive buffer size: 0;
keepalive interval: 60;
logging level: Warning;
The proxy-side NSR tunnel resource is configured with the following
attribute values:
type: NSR tunnel;
name: TUN0;
autostart: Enabled;
designated proxy: Yes;
tunnel direction: server-to-proxy;
server tunnel address: 192.168.1.2;
proxy tunnel address: 192.168.1.3;
server address: 128.222.111.77;
connection port: 7232;
proxy address: 192.168.1.99;
gateway to proxy: ;
proxy network: ;
proxy network interface: eth0;
filter ICMP messages: No;
port exceptions: 111;
send buffer size: 0;
receive buffer size: 0;
keepalive interval: 60;
logging level: Warning;
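The constraints stated under ATTRIBUTES can be checked on a server/proxy resource pair before the tunnel is restarted. The following Python check is an added example, not part of NetWorker or of this manual page; parse_resource and check_pair are hypothetical names, and the input is assumed to be "attribute: value;" lines as shown above. It approximates "unassigned" as "not equal to server address or proxy address" and expects the tunnel addresses to lie inside proxy network, as they do in the example above.

```python
import ipaddress

def parse_resource(text):
    """Parse 'attribute: value;' lines, as shown in EXAMPLES, into a dict."""
    pairs = (l.strip().rstrip(";").partition(":") for l in text.strip().splitlines())
    return {key.strip(): value.strip() for key, _, value in pairs}

def check_pair(server, proxy):
    """Return findings for one server-side/proxy-side NSR tunnel resource pair."""
    findings = []
    if server.get("connection port") != proxy.get("connection port"):
        findings.append("connection port differs between server and proxy")
    net = None
    if server.get("proxy network"):
        try:
            net = ipaddress.ip_network(server["proxy network"])
        except ValueError:
            findings.append("proxy network is not <network address>/<network prefix>")
        if not server.get("gateway to proxy"):
            findings.append("gateway to proxy is required when proxy network is set")
    # Assumption: 'unassigned' is approximated as 'not one of the host addresses'.
    assigned = {server.get("server address"), server.get("proxy address")}
    for side, res in (("server", server), ("proxy", proxy)):
        for attr in ("server tunnel address", "proxy tunnel address"):
            value = res.get(attr, "")
            try:
                addr = ipaddress.IPv4Address(value)  # IPv6 is rejected here
            except ValueError:
                findings.append(f"{side}: {attr} '{value}' is not an IPv4 address")
                continue
            if str(addr) in assigned:
                findings.append(f"{side}: {attr} {value} is already assigned to a host")
            if net is not None and addr not in net:
                findings.append(f"{side}: {attr} {value} is outside proxy network {net}")
    return findings

# Constructed input: a subset of the attributes from the EXAMPLES resources.
SERVER = parse_resource("""
server tunnel address: 192.168.1.2;
proxy tunnel address: 192.168.1.3;
server address: 128.222.111.77;
connection port: 7232;
proxy address: 192.168.1.99;
gateway to proxy: 128.222.111.1;
proxy network: 192.168.1.0/24;
""")
PROXY = {**SERVER, "gateway to proxy": "", "proxy network": ""}

if __name__ == "__main__":
    print(check_pair(SERVER, PROXY) or "no findings")
```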
NOTES
NetWorker clients from the client network accessing the NetWorker
server through the proxy must use the tunnel's server tunnel address to
contact the server. These clients must also have their NSR client
resource's server network interface attribute set to the NSR tunnel's
server tunnel address.
Storage nodes in the client network must have their NSR storage node
resource's hidden attribute server network interface set to the
tunnel's server tunnel address.
LIMITATIONS
NSR tunnel resources are only supported on Linux and Solaris operating
systems.
Tunnel addresses cannot be configured using IPv6 addresses.
FILES
/nsr/res/nsrladb NetWorker client's resource database.
/nsr/logs/<name>.raw Log file for NSR tunnel instance <name>.
SEE ALSO
nsradmin(8), nsr(8), nsr_resource(5), nsr_la(5), nsrtund(8), nsrwatch(8).
NetWorker 8.0.1 Dec 02, 12 nsr_tunnel(5)