Firewall Configuration - UNIX

Set Up Connectivity from the Client and the MediaAgent to the CommServe

Before configuring firewall options, make sure the connection to the CommServe is set up as described in the Client Connects to the CommServe (One-Way Firewall) procedure.

Select the type of installation you are performing to configure the firewall scenario when the Client/MediaAgent can reach the CommServe.

Remote Install Using the CommCell Console

  • Click There is Firewall between this machine and CommServe.

    The option Client machines can open connection to CommServe on tunnel port is selected by default.

  • Enter the incoming port number through which the CommServe receives tunnel connections in the CommServe HTTP/HTTPS tunnel port number box.
  • Click Next to continue with the client installation.

Interactive Install

  1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter.

    Selecting Firewall Type
    Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.
    1) This machine can open connection to CommServe on a tunnel port
    2) CommServe can open connections toward us
    3) CommServe is reachable only through a proxy
    Your Choice [1]

  2. Type the name of the computer where the CommServe resides and press Enter.

    The name of the CommServe client is case sensitive. Be sure to enter the client name of the CommServe in the same case as it appears in the CommCell Console.

    Setting CommServe Client Name
    Please specify client name of the CommServe below.
    CommServe Client Name:

  3. Type the fully qualified domain name of the CommServe host and press Enter.
    • Do not use spaces or any of the following characters in the CommServe host name:

      \|`~!@#$%^&*()+=<>/?,[]{}:;'"

    Setting CommServe Host Name
    Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine.
    CommServe Host Name: mycommserve.company.com

  4. Type the incoming port number through which the CommServe computer receives tunnel connection and press Enter.

    Setting Port to Open Tunnel to CommServe
    Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.
    CommServe HTTP/HTTPS tunnel port number: 8403

  5. If this computer is separated from the CommServe by an HTTP proxy, type yes and then provide the following information:
    • For HTTP Proxy hostname or IP address, type the hostname or IP address of the HTTP proxy through which the CommServe can be reached and press Enter.
    • For HTTP Proxy port number, type the port number of the HTTP proxy through which the CommServe can be reached and press Enter.

    If this computer is not separated from the CommServe by an HTTP proxy, press Enter to accept the default (no) and continue.

    Deciding If to Configure HTTP Proxy
    Please specify if there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache).
    Is there an HTTP proxy between this client and the CommServe? [no]

  6. If Lockdown CommCell is enabled in the firewall properties of the CommServe or proxy, the CommCell authenticates tunnel connections with its own HTTPS certificate. In that case type yes and then type the path to the folder that contains the CommCell HTTPS certificate exported from the CommServe you named in step 2.

    See Enforcing CommCell Specific Certificates for Authentication for more information on this firewall feature and for the steps to export the CommCell certificate.

    If Lockdown CommCell is not enabled, press Enter to accept the default (no) and continue with the client installation.

    Deciding If to Use CommCell Certificate
    If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate.
    This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.
    Have you enabled "Lockdown CommCell"? [no]

Set Up Connectivity from the CommServe to the Client and the MediaAgent

Before configuring firewall options, make sure the connection to the CommServe is set up as described in the CommServe Connects to the Client (One-Way Firewall) procedure.

Select the type of installation you are performing to configure the firewall scenario when the CommServe can reach the Client/MediaAgent.

Remote Install Using CommCell Console

  • Click There is Firewall between this machine and CommServe.
  • Select the CommServe can open connection towards client machines option.
  • Enter the local port number on which the client will receive communication from the CommServe in the Local HTTP/HTTPS tunnel port number box.
  • Click Next to continue with the client installation.

Interactive Install

  1. Type 2 to select CommServe can open connections toward us and press Enter.

    Selecting Firewall Type
    Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.
    1) This machine can open connection to CommServe on a tunnel port
    2) CommServe can open connections toward us
    3) CommServe is reachable only through a proxy
    Your Choice [1]

  2. Type the name of the computer where the CommServe resides and press Enter.

    The name of the CommServe client is case sensitive. Be sure to enter the client name of the CommServe in the same case as it appears in the CommCell Console.

    Setting CommServe Client Name
    Please specify client name of the CommServe below.
    CommServe Client Name:

  3. Type a local port number on which this client will listen for the tunnel from the CommServe and press Enter. The port must not already be in use on this machine.

    Setting Port for CommServe to Open Tunnel to Us
    Since we cannot contact CommServe directly, we will need to configure a reverse tunnel connection from the CommServe to us.
    Please enter a local port number to listen on below, then go to CommServe and create a persistent tunnel toward this client in the [outgoing] section of FwConfigLocal.txt. When finished, return to this configuration screen, and hit ENTER to continue.
    Local HTTP/HTTPS tunnel port number: 8409

  4. If Lockdown CommCell is enabled in the firewall properties of the CommServe or proxy, the CommCell authenticates tunnel connections with its own HTTPS certificate. In that case type yes and then type the path to the folder that contains the CommCell HTTPS certificate exported from the CommServe you named in step 2.

    See Enforcing CommCell Specific Certificates for Authentication for more information on this firewall feature and for the steps to export the CommCell certificate.

    If Lockdown CommCell is not enabled, press Enter to accept the default (no) and continue with the client installation.

    Deciding If to Use CommCell Certificate
    If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate.
    This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.
    Have you enabled "Lockdown CommCell"? [no]

Set Up Two-Way Connectivity between the CommServe and the Client or the MediaAgent

Before configuring firewall options, make sure the connection to the CommServe is set up as described in the Client and CommServe Connect to each other (Two-Way Firewall) procedure.

Select the type of installation you are performing to configure the firewall scenario when the Client/MediaAgent and CommServe can reach each other.

Remote Install Using the CommCell Console

  • Click There is Firewall between this machine and CommServe.

    The option Client machines can open connection to CommServe on tunnel port is selected by default.

  • Enter the incoming port number through which the CommServe receives tunnel connections in the CommServe HTTP/HTTPS tunnel port number box.
  • Click Next to continue with the client installation.

Interactive Install

  1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter.

    Selecting Firewall Type
    Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.
    1) This machine can open connection to CommServe on a tunnel port
    2) CommServe can open connections toward us
    3) CommServe is reachable only through a proxy
    Your Choice [1]

  2. Type the name of the computer where the CommServe resides and press Enter.

    The name of the CommServe client is case sensitive. Be sure to enter the client name of the CommServe in the same case as it appears in the CommCell Console.

    Setting CommServe Client Name
    Please specify client name of the CommServe below.
    CommServe Client Name:

  3. Type the fully qualified domain name of the CommServe host and press Enter.
    • Do not use spaces or any of the following characters in the CommServe host name:

      \|`~!@#$%^&*()+=<>/?,[]{}:;'"

    Setting CommServe Host Name
    Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine.
    CommServe Host Name: mycommserve.company.com

  4. Type the incoming port number through which the CommServe computer receives tunnel connection and press Enter.

    Setting Port to Open Tunnel to CommServe
    Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.
    CommServe HTTP/HTTPS tunnel port number: 8403

  5. If this computer is separated from the CommServe by an HTTP proxy, type yes and then provide the following information:
    • For HTTP Proxy hostname or IP address, type the hostname or IP address of the HTTP proxy through which the CommServe can be reached and press Enter.
    • For HTTP Proxy port number, type the port number of the HTTP proxy through which the CommServe can be reached and press Enter.

    If this computer is not separated from the CommServe by an HTTP proxy, press Enter to accept the default (no) and continue.

    Deciding If to Configure HTTP Proxy
    Please specify if there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache).
    Is there an HTTP proxy between this client and the CommServe? [no]

  6. If Lockdown CommCell is enabled in the firewall properties of the CommServe or proxy, the CommCell authenticates tunnel connections with its own HTTPS certificate. In that case type yes and then type the path to the folder that contains the CommCell HTTPS certificate exported from the CommServe you named in step 2.

    See Enforcing CommCell Specific Certificates for Authentication for more information on this firewall feature and for the steps to export the CommCell certificate.

    If Lockdown CommCell is not enabled, press Enter to accept the default (no) and continue with the client installation.

    Deciding If to Use CommCell Certificate
    If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate.
    This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.
    Have you enabled "Lockdown CommCell"? [no]

Set Up Connectivity to the CommServe Using a Port Forwarding Gateway

Before configuring firewall options, make sure the port-forwarding gateway is configured and the connection to the CommServe is set up as described in the Port-Forwarding Gateway procedure.

Select the type of installation you are performing to configure the firewall scenario when the Client/MediaAgent connects to the CommServe through a port forwarding gateway.

Remote Install Using the CommCell Console

  • Click There is Firewall between this machine and CommServe.

    The option Client machines can open connection to CommServe on tunnel port is selected by default.

  • Enter the incoming port number through which the CommServe receives tunnel connections in the CommServe HTTP/HTTPS tunnel port number box.
  • Click Next to continue with the client installation.

Interactive Install

  1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter.

    Selecting Firewall Type
    Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.
    1) This machine can open connection to CommServe on a tunnel port
    2) CommServe can open connections toward us
    3) CommServe is reachable only through a proxy
    Your Choice [1]

  2. Type the name of the computer where the CommServe resides and press Enter.

    The name of the CommServe client is case sensitive. Be sure to enter the client name of the CommServe in the same case as it appears in the CommCell Console.

    Setting CommServe Client Name
    Please specify client name of the CommServe below.
    CommServe Client Name:

  3. Type the hostname of the port-forwarding gateway (e.g., gateway.gatewayservices.com) and press Enter. The prompt still asks for the CommServe host name, but in this scenario the client connects to the gateway, which forwards the tunnel to the CommServe. The same character restrictions apply as for a CommServe host name.

    Setting CommServe Host Name
    Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine.
    CommServe Host Name: gateway.gatewayservices.com

  4. Type the port number on the gateway that is forwarded to the CommServe tunnel port and press Enter. If the gateway maps ports, enter the gateway-side port, not the Tunnel HTTP/HTTPS port configured on the CommServe itself.

    Setting Port to Open Tunnel to CommServe
    Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.
    CommServe HTTP/HTTPS tunnel port number: 8403

  5. If this computer is separated from the CommServe by an HTTP proxy, type yes and then provide the following information:
    • For HTTP Proxy hostname or IP address, type the hostname or IP address of the HTTP proxy through which the CommServe can be reached and press Enter.
    • For HTTP Proxy port number, type the port number of the HTTP proxy through which the CommServe can be reached and press Enter.

    If this computer is not separated from the CommServe by an HTTP proxy, press Enter to accept the default (no) and continue.

    Deciding If to Configure HTTP Proxy
    Please specify if there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache).
    Is there an HTTP proxy between this client and the CommServe? [no]

  6. If Lockdown CommCell is enabled in the firewall properties of the CommServe or proxy, the CommCell authenticates tunnel connections with its own HTTPS certificate. In that case type yes and then type the path to the folder that contains the CommCell HTTPS certificate exported from the CommServe you named in step 2.

    See Enforcing CommCell Specific Certificates for Authentication for more information on this firewall feature and for the steps to export the CommCell certificate.

    If Lockdown CommCell is not enabled, press Enter to accept the default (no) and continue with the client installation.

    Deciding If to Use CommCell Certificate
    If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate.
    This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.
    Have you enabled "Lockdown CommCell"? [no]

Set Up Connectivity to the CommServe Using a Proxy

Before configuring firewall options, set up the SnapProtect proxy as described in the Perimeter Network Using Proxy procedure.

Select the type of installation you are performing to configure the firewall scenario when the client/MediaAgent connects to the CommServe through a proxy.

Remote Install Using the CommCell Console

  • Click There is Firewall between this machine and CommServe.
  • Select the CommServe is reachable only through proxy option.
  • Select the client name of the SnapProtect proxy from the Proxy client name list.
  • Click Next to continue with the client installation.

Interactive Install

  1. Type 3 to select CommServe is reachable only through a proxy and press Enter.

    Selecting Firewall Type
    Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.
    1) This machine can open connection to CommServe on a tunnel port
    2) CommServe can open connections toward us
    3) CommServe is reachable only through a proxy
    Your Choice [1]

  2. Type the name of the computer where the CommServe resides and press Enter.

    The name of the CommServe client is case sensitive. Be sure to enter the client name of the CommServe in the same case as it appears in the CommCell Console.

    Setting CommServe Client Name
    Please specify client name of the CommServe below.
    CommServe Client Name:

  3. Provide the following details of the proxy computer:
    • For Proxy hostname or IP address, type the hostname or IP address of the SnapProtect proxy through which the CommServe can be reached and press Enter. If the proxy is behind a port-forwarding gateway, type the hostname or IP address of the port-forwarding gateway instead.
    • For Proxy short name, type the client name of the SnapProtect proxy and press Enter.
    • For Proxy HTTP/HTTPS tunnel port number, type the tunnel port on which the proxy is expecting connections to the CommServe and press Enter. If the proxy is behind a port-forwarding gateway, then type the port number of the port-forwarding gateway to reach the CommServe.

    The name of the proxy client is case sensitive. Ensure to specify the name with the correct letter case.

    Setting Proxy Connection to CommServe
    Please specify the name or IP address of the proxy that should be used to reach the CommServe along with the port number, on which the proxy is expecting connections.
    Proxy hostname or IP address: myproxy.company.com
    Proxy short name: myproxy
    Proxy HTTP/HTTPS tunnel port number: [8403]

  4. If this computer is separated from the CommServe by an HTTP proxy, type yes and then provide the following information:
    • For HTTP Proxy hostname or IP address, type the hostname or IP address of the HTTP proxy through which the CommServe can be reached and press Enter.
    • For HTTP Proxy port number, type the port number of the HTTP proxy through which the CommServe can be reached and press Enter.

    If this computer is not separated from the CommServe by an HTTP proxy, press Enter to accept the default (no) and continue.

    Deciding If to Configure HTTP Proxy
    Please specify if there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache).
    Is there an HTTP proxy between this client and the CommServe? [no]

  5. If Lockdown CommCell is enabled in the firewall properties of the CommServe or proxy, the CommCell authenticates tunnel connections with its own HTTPS certificate. In that case type yes and then type the path to the folder that contains the CommCell HTTPS certificate exported from the CommServe you named in step 2.

    See Enforcing CommCell Specific Certificates for Authentication for more information on this firewall feature and for the steps to export the CommCell certificate.

    If Lockdown CommCell is not enabled, press Enter to accept the default (no) and continue with the client installation.

    Deciding If to Use CommCell Certificate
    If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate.
    This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.
    Have you enabled "Lockdown CommCell"? [no]
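Each of the five interactive procedures above (one-way client to CommServe, one-way CommServe to client, two-way, port-forwarding gateway, SnapProtect proxy) ends up asking the same thing: does the name you typed resolve on this machine, does it contain none of the forbidden characters, can this machine open a TCP connection to the tunnel port (choice 1 or 3, directly or through an HTTP proxy), or is the local tunnel port free for the CommServe to connect back to (choice 2)? The following pre-flight script is an added example and is not part of the SnapProtect installer or its documentation. It assumes a POSIX shell with nc (netcat) for TCP probes, getent or host for name resolution, and ss or netstat for the listening-port check; the function names, the script name and the HTTP proxy port used in the usage note are assumptions, not values from the page. The hostnames and ports in the usage note are the ones shown in the prompts above.

```shell
#!/bin/sh
# Pre-flight checks for the "Selecting Firewall Type" answers: 1 (client opens
# the tunnel), 2 (CommServe opens the tunnel) and 3 (SnapProtect proxy).
# Added example, not part of the SnapProtect installer. Assumed tools (not from
# the documentation): nc with -z, getent or host, ss or netstat.

# The installer forbids a space and \|`~!@#$%^&*()+=<>/?,[]{}:;'" in the
# CommServe host name. A whitelist of letters, digits, '.', '-' and '_' rejects
# exactly those printable characters and also any control or non-ASCII byte.
valid_commserve_hostname() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# A tunnel port must be a decimal number between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# "resolvable by the name services configured on this machine"
resolves() {
    getent hosts "$1" >/dev/null 2>&1 || host "$1" >/dev/null 2>&1
}

# Choice 1/3 without an HTTP proxy: plain TCP connect to the tunnel port.
tunnel_port_reachable() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Status line an HTTP proxy returns for CONNECT; only 200 means the tunnel
# was established. Kept separate so the parser can be exercised offline.
connect_reply_ok() {
    case "$1" in
        HTTP/1.[01]" 200"*) return 0 ;;
    esac
    return 1
}

# Choice 1/3 with an HTTP proxy (e.g. Squid): send a CONNECT for the tunnel
# port and read the proxy's first response line.
http_connect_ok() {   # commserve tunnel-port proxy proxy-port
    reply=$(printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2" \
        | nc -w 5 "$3" "$4" 2>/dev/null | head -n 1 | tr -d '\r')
    connect_reply_ok "$reply"
}

# Choice 2: the local tunnel port must not already have a listener.
local_port_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    else
        ! netstat -an 2>/dev/null | grep LISTEN | grep -q "[.:]$1 "
    fi
}

run_check() {   # run_check "description" command args...
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failures=$((failures + 1)); fi
}

preflight() {
    failures=0
    mode=$1; shift
    case "$mode" in
        1|3)
            host=$1; port=$2; phost=${3:-}; pport=${4:-}
            run_check "'$host' has no forbidden characters" valid_commserve_hostname "$host"
            run_check "tunnel port '$port' is in 1..65535" valid_port "$port"
            run_check "'$host' resolves on this machine" resolves "$host"
            if [ -n "$phost" ]; then
                run_check "HTTP proxy $phost:$pport accepts CONNECT to $host:$port" \
                    http_connect_ok "$host" "$port" "$phost" "$pport"
            else
                run_check "TCP connect to $host:$port" tunnel_port_reachable "$host" "$port"
            fi ;;
        2)
            port=$1
            run_check "local tunnel port '$port' is in 1..65535" valid_port "$port"
            run_check "no listener already on local port $port" local_port_free "$port" ;;
    esac
    [ "$failures" -eq 0 ]
}

case "${1:-}" in
    1|2|3) preflight "$@" ;;
    *)
        echo "usage: $0 1 <commserve-or-gateway-fqdn> <tunnel-port> [http-proxy http-proxy-port]" >&2
        echo "       $0 2 <local-tunnel-port>" >&2
        echo "       $0 3 <proxy-or-gateway-host> <proxy-tunnel-port> [http-proxy http-proxy-port]" >&2 ;;
esac
```

Run it on the client before starting the installer: `sh preflight.sh 1 mycommserve.company.com 8403` for a direct tunnel, `sh preflight.sh 1 mycommserve.company.com 8403 squid.company.com 3128` when an HTTP proxy sits in between (3128 is Squid's default port, assumed here), `sh preflight.sh 1 gateway.gatewayservices.com 8403` for a port-forwarding gateway, `sh preflight.sh 2 8409` before answering choice 2, and `sh preflight.sh 3 myproxy.company.com 8403` for a SnapProtect proxy. These are the same conditions the installer relies on (a resolvable name and an open tunnel port), so fix the DNS entry or firewall rule first rather than retrying the installation. The script cannot verify the letter case of the CommServe or proxy client name; check that against the CommCell Console by hand.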