To provide full functionality, NetBackup must be able to reliably connect to the same remote host using the same configured hostname at all times, and also be able to reliably distinguish the host from which an inbound connection originated based on the source IP address.
Accordingly, Veritas does not support any NetBackup configuration which involves a NetBackup server or client host separated from other NetBackup hosts by a network device performing Network Address Translation (NAT) or Port Address Translation (PAT).
Veritas does not support and recommends against the use of Network Address Translation (NAT) or Port Address Translation (PAT) with NetBackup as follows.
The use of dynamic NAT or Port Address Translation (PAT) introduces data security risks and other failures due to the inability to uniquely and consistently identify a remote host by IP address.
The use of static NAT, where there is a predetermined one-to-one mapping of IP addresses, may allow scheduled backups that only use legacy connections to function normally, but is not supported because other operations will fail. Further, attempts to resolve outside hostnames to inside global IPs may expose those sensitive IP addresses and hostnames to unintended observers.
If it is necessary to restore data to a target client on the other side of a NAT gateway, restore the files to a staging client where NAT is not involved and then transfer the files to the target host using FTP or other means.
Some NetBackup operations may appear to function correctly when using NAT or PAT. But functionality is limited, the authenticity of a remote host and therefore data security is not guaranteed, and attempts to work-around NAT may expose critical host information. Therefore, support is not extended to these environments.
Applies To NetBackup 3.2, 3.4, 4.5, 5.0, 5.1, 6.0, 6.5, 7.0, 7.5, 7.6