arcserve-KB : Replicating arcserve RHA DR Scenario over a firewall and NAT connection

Last Update: 2015-09-09 15:35:19 UTC
XOSOFT Replication: 15.0, 16.0
Last Modified Date:    10/11/2011
Document ID:    TEC556115

Although all components of CA ARCserve RHA communicate over port 25000 by default, special considerations are needed in order to properly configure your firewall rules to allow the engines to replicate properly. When NAT is also being used between two or more engines additional considerations are needed.

This document is designed for DR (Disaster Recovery) scenarios only. In general, HA scenarios are not supported over NAT with the exception of customized scripting.


We recommend implementing VPN tunnel if possible between the CA ARCserve RHA components if you wish to replicate data between engines that are separated by firewalls and NAT. VPN tunnel in general is more secure and is less complex to setup, comparable to creating a scenario over a LAN/WAN since you do not need to account for all ports and public IP addresses. If VPN tunnel is not possible then we recommend following the procedures in this solution to configure replication.

The solution for NAT is intended for DR scenarios only. You may use the firewall guidelines for HA scenarios to address CA ARCserve RHA communication, but it is outside the scope of this document to cover all ports needed for application scenarios. Check with the product vendor for a list of their product's ports.

In general the rules for CA ARCserve RHA are similar to FTP, where the incoming port connection is always known (25000 by default) and the return port uses a dynamic port in the upper range (>1024) so if outbound traffic is blocked you need to allow established connections to connect back over these ports.

PART 1: Configure Static Firewall Rules

To configure a Scenario to replicate over a Firewall, identify correct server type (Stand-Alone/Clustered) for each component (Master (RHA Engine), Replica (RHA Engine), RHA Manager (RHA Control Service)) and then create the firewall rules for each component based on the appropriate section.

All rules are guidelines only and certain rules may not be necessary if some components are in the same site (i.e. Control Service is in replica site) or outbound traffic is not being blocked. Please review and create each rule only if it applies to your environment and configuration. The following assumes the default port of 25000.

For CA ARCserve RHA Components running on a Stand Alone / Non-Clustered Server:

  1. For the Control Service:

    1. Port 8088 (http) or 443 (https) inbound permitted to Control Service IP

    2. Dynamic ports (1024-65535) outbound permitted from Control Service IP

  2. For the Master Server:

    1. Port 25000 inbound permitted to Master IP

    2. Dynamic Ports (1024-65535) out bound permitted from Master IP

    3. Port 25000 outbound permitted from Master IP to Control Service IP and Replica IP

  3. For the Replica Server:

    1. Port 25000 inbound permitted to Replica IP

    2. Dynamic Ports (1024-65535) outbound permitted from Replica IP

    3. Port 25000 outbound permitted from Replica IP to Control Service IP and Master IP

For CA ARCserve RHA Components running on a Cluster Node:

Special consideration is needed for clusters. Although you still need to allow static inbound rules for the Virtual IP of the cluster your outbound rules must be set using the Physical IP of each node since all outbound cluster communication is sent using the default IP of the public NIC interface. This is by design for all MSCS clusters. The control service is not a cluster-aware application by design so it is not recommended to run this service on a cluster. Only master/replica rules are specified.

  1. For the Master:

    1. Port 25000 inbound permitted to Master Virtual IP

    2. Dynamic Ports (1024-65535) outbound permitted for each Master Node Physical IP

    3. Port 25000 outbound permitted for each Master Node Physical IP to Control IP and Replica IP

  2. For the Replica:

    1. Port 25000 inbound permitted to Replica Virtual IP

    2. Dynamic Ports (1024-65535) outbound permitted for each Replica Node Physical IP

    3. Port 25000 outbound permitted for each Replica Node Physical IP

PART 2: Create a DR Scenario to Replicate over NAT

With all firewall rules in place proceed with configuring CA ARCserve RHA over NAT. Since all the components of a CA ARCserve RHA (Control Service, Engines) share the same scenario configuration file that means that you must also use a consistent IP scheme in order for all components to be able to communicate with each other. In NAT the only IP scheme consistent across all components are the PUBLIC IP's.

  1. Ensure that local route tables exists on the control service site so it can route to the master or replica using public IP if either Master or Replica is on the same LAN

  2. Logon to the CA ARCserve RHA Manager

  3. Create a new DR Scenario

    1. Choose your scenario type (File, Exchange, SQL and so on), select 'Replication and Disaster Recovery Scenario (DR)' under product type.

    2. Type in a name for your Scenario and for Master & Replica Hostname/IP; enter the PUBLIC IP of the master/replica respectively. Click Next

    3. Proceed to create the scenario as you would do with any normal scenario.

  4. If you need to consider replicating in the reverse direction, create a reverse DR Scenario in the same way as the forward scenario using the Public IP's for Master and Replica.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request