Firewall: Best Practices
If several clients require the same firewall configuration settings, it is recommended that you create and configure a Client Group with the firewall settings instead of defining the configuration for each client computer. All existing and future clients that you add to the client group will inherit its firewall settings.
For example, if you have a new client that you want to configure with direct connections from the client to the CommServe, add this client to a client group that you have previously configured with that firewall setup.
A client computer cannot be associated with more than one client group configured with firewall settings.
For information on creating and configuring client computer groups, see Configuring Multiple Clients Simultaneously.
Using Newer Firewall Configurations After Upgrade
SnapProtect versions 9 and 10 include many upgrades to the code that establishes connections across firewalls. The key new features are:
- Authentication and HTTPS encryption in the tunnels for better security
- Support for various network topologies such as Gateway or Proxy
- Flexibility to configure settings through the CommCell Console and push them to all the clients
- New protocol wrappings to allow communication through HTTP and HTTP proxy
- Network connection throttling
If you have upgraded your setup from version 8 but are still using the previously configured firewall settings, you may experience a slower throughput rate.
Mixed mode setups described below can cause slower throughput:
- If the MediaAgent is upgraded but still uses version 8 firewall configuration files and the Optimize for Concurrent LAN backups option is turned off, backup connections experience a slowdown.
  See Increasing Streams for Concurrent Backups to turn on the Optimize for Concurrent LAN backups option.
- If the client is upgraded but still uses version 8 firewall configuration files, all pipeline connections will experience a slowdown.
It is therefore advised to start using the new firewall configurations within your setup as soon as possible.
After upgrading the CommServe, MediaAgent and client computers, perform the following:
- Configure firewall settings for the CommServe, MediaAgent and client computers by following the procedures explained in the Firewall - Getting Started pages.
- Push the firewall configuration for the CommServe, MediaAgent and all clients.
  If you need to configure multiple client computers, see Configuring Multiple Clients Simultaneously.
- After configuring the new firewall settings described above, follow the steps outlined in Optimizing Backup and Restore using Additional Ports for enhancing data throughput.
After upgrading the CommServe, MediaAgent and client computers, it is recommended that you either delete the references to these clients from the old firewall files or remove the old firewall files.
Delete references to the clients from old firewall files:
Run the FirewallConfigDeprecated.exe tool located in the <software installation path>/Base/ folder on the CommServe, MediaAgent and Client computers.
Remove the client computer's name from the old firewall configuration files.
Run the config_fw_deprecated command in the opt/<software installation path>/Base/ directory.
Delete the following files (only after all client computers have been upgraded with the new firewall configurations):