This procedure assumes you have a machine with a tape drive (known as "tapehost") on a trusted network trying to back up a host on a remote network (known as "dumphost") across a firewall. It also assumes you cannot log in to the tapehost from a dumphost. This procedure also assumes you are using OpenSSH on *both* hosts.

First you need to exchange public keys between both hosts. Refer to this FAQ on how to do that:

    http://www.cs.umd.edu/~arun/misc/ssh.html

Also look at my pushkeys script:

    http://www.kevininscoe.com/pub/scripts/pushkeys.txt

The next step after copying the keys is to log in as root to the dumphost by issuing the command:

    # ssh -R 6000:127.0.0.1:22 dumphost

Once logged into dumphost issue:

    # ssh -p 6000 127.0.0.1

You should see the message:

    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 3d:1a:46:2f:12:4b:c9:ca:37:d8:f1:82:d8:cc:6e:73.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.

If you do not perform this step first, the inbound ssh over the tunnel will fail when you are prompted for this.

Now that we have the public key for each host in the other's .ssh/authorized_keys2 file we are ready to begin.

To perform a ufsdump from the dumphost to the tapehost across the firewall:

    # ssh -R 6000:127.0.0.1:22 dumphost "ufsdump ul0f - / | ssh -T -l root -c blowfish -p 6000 127.0.0.1 dd obs=64b of=/dev/rmt/1mn"

To restore from tapehost:

    # ufsrestore ivfs - 1 /dev/rmt/1mn | ssh dumphost "dd obs=64b of=/dev/dsk/c0t0d0s0"

If you are performing multiple dumps to the same tape, be sure to use the commands:

    # mt -f /dev/rmt/0mn eom

and

    # mt -f /dev/rmt/1mn fsf 1

on the local system the tape drive is attached to after each dump.

Notes:

In the sshd_config, you must have:

    PermitRootLogin yes

and AllowedAuthentication must be pubkey OR passwd. There must be no RequiredAuthentication option.
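
The host key step in the procedure above (accepting the key for 127.0.0.1 over the tunnel) can be checked before an unattended dump is started, so the inner ssh does not stall at the yes/no prompt. This is an added example, not part of the original procedure: the function names and the sample file are hypothetical, and it assumes that newer OpenSSH releases record a non-default port as [127.0.0.1]:6000 rather than the bare 127.0.0.1 shown in the transcript. Wildcard host patterns are not handled.

```shell
#!/bin/sh
# Added example: preflight check to run on dumphost before an unattended dump.
# tunnel_hostkey_known FILE [PORT]
#   0  FILE has a plain entry for 127.0.0.1 or [127.0.0.1]:PORT
#   1  no entry: the inner ssh would stop at the yes/no host key prompt
#   2  only hashed (|1|...) entries present; a text match cannot decide
tunnel_hostkey_known() {
    file=$1
    port=${2:-6000}                 # 6000 is the forwarded port used on this page
    [ -r "$file" ] || return 1
    awk -v plain="127.0.0.1" -v bracket="[127.0.0.1]:$port" '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        $1 ~ /^@/ { next }                   # @cert-authority / @revoked are not plain host keys
        index($1, "|1|") == 1 { hashed = 1; next }
        {
            n = split($1, names, ",")        # one line may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == plain || names[i] == bracket) found = 1
        }
        END {
            if (found) exit 0
            if (hashed) exit 2
            exit 1
        }
    ' "$file"
}

# Constructed sample file; the key text is a placeholder, not a real key.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed known_hosts for root on dumphost' \
        'dumphost,192.0.2.10 ssh-rsa AAAAPLACEHOLDER' \
        '[127.0.0.1]:6000 ssh-rsa AAAAPLACEHOLDER' > "$tmp"
    rc=0
    tunnel_hostkey_known "$tmp" 6000 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo && echo "host key for the tunnel endpoint is recorded"
```

A return of 2 means the file uses hashed host names; `ssh-keygen -F '[127.0.0.1]:6000'` performs the lookup against hashed entries.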