Firewall: Best Practices

Inheriting Firewall Settings from Client Computer Groups

If you have clients that will require the same firewall configuration settings, it is recommended that you create and configure a Client Group with the firewall settings instead of defining the configuration for each client computer. All existing and future clients that you include to the client group will inherit its firewall settings.

For example, if you have a new client which you want to configure with direct connections from the client to the CommServe, then add this client to a client group which you have previously configured with the mentioned firewall setup.

A client computer cannot be associated to more than one client group configured with firewall settings.

For information on creating and configuring client computer groups, see Configuring Multiple Clients Simultaneously.

Using Newer Firewall Configurations After Upgrade

SnapProtect version 9 and 10 have many upgrades to the code that establishes connections across firewalls. The following are the new key features :

  • Authentication and HTTPS encryption in the tunnels for better security
  • Support for various network topologies such as Gateway or Proxy
  • Flexibility of configuring through the CommCell Console and pushed to all the clients
  • New protocol wrappings to allow communication through HTTP and HTTP proxy
  • Network connection throttling

If you have upgraded your setup from version 8 but are still using the previously configured firewall settings, you may experience a slower throughput rate.

Mixed mode setups described below can cause slower throughput:

  • If MediaAgent is upgraded but still uses version 8 firewall configuration files and Optimize for Concurrent LAN backups option is turned off, then backup connections experience slowdown.

    See Increasing Streams for Concurrent Backups to turn on the Optimize for Concurrent LAN backups option.

  • If client is upgraded but still uses version 8 firewall configuration files, all pipeline connections will experience a slowdown.

It is therefore advised to start using the new firewall configurations within your setup as soon as possible.

After upgrading the CommServe, MediaAgent and client computers, perform the following:

  1. Configure firewall settings for the CommServe, MediaAgent and client computers by following the procedures explained in the Firewall - Getting Started pages.

    Push Firewall configuration for the CommServe, MediaAgent and all clients.

    If you need to configure multiple client computers, see Configuring Multiple Clients Simultaneously.

  2. After configuring the new firewall settings described above, follow the steps outlined in Optimizing Backup and Restore using Additional Ports for enhancing data throughput.