Firewall: Direct Connections

Direct connection with port restrictions is a setup where at least one computer in a pair of communicating computers can establish a one-to-one connection towards the other, on specific ports. Note that a direct connection route is one that does not include a proxy or an intermediate port-forwarding gateway.

Select the type of direct connection you want to configure between the client and CommServe:

Client Initiates Connection to the CommServe (One-Way Firewall)

The diagram above illustrates a direct connection setup, in which the client opens a tunnel connection toward the CommServe and MediaAgent.

Before You Begin

Make a note of the port configurations on your firewall, so you can supply this information in the steps that follow.

Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 as a firewall configuration on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

Quick Reference

The table below is a quick reference to the upcoming configurations within this section:

Basic Firewall
  CommServe/MediaAgent and Client: Enable the Configure Firewall Settings check box. Enable firewall for these computers as follows:
    1. From the CommCell Browser, right-click the CommServe/MediaAgent computer and then click Properties.
    2. Click the Firewall Configuration tab. Then, click the Configure Firewall Settings check box and click OK.
  (See Basic Configuration.)

Advanced Firewall
  CommServe or MediaAgent: Incoming Connections from these computers are Restricted (see Configuring Tunnel Connection Protocols).
  Client: Incoming Connections from this computer are Blocked.
  Additional open ports can also be configured.

Configuring a Client-Initiated Connection

Choose the best method for configuring the components when the client initiates the direct connection:

Method 1: Basic Configuration

Use this procedure when establishing connectivity to the CommServe host and MediaAgent requires only basic configuration. Recommended for new firewall users.

Method 2: Advanced Configuration

Use this procedure when you need to manually set up details of the connection (such as incoming connection restrictions and ports, and keep-alive intervals) between the computers participating in this type of direct connection. This procedure includes additional configuration steps, and is recommended for more experienced firewall users.

Basic Configuration

The steps in this section enable client computers to initiate direct connections through the firewall. Basic options are provided that specify how often the client is on the network where the CommServe and MediaAgent are located.

Set up Incoming Ports on the CommServe and MediaAgent

Before installing the client, follow these steps to set up an incoming port number on which the CommServe and MediaAgent computers will receive tunnel connections from the client:

  1. From the CommCell Browser, right-click the CommServe computer and click Properties.
  2. Click the Firewall Configuration tab, then select Configure Firewall Settings.
  3. Click the Incoming Ports tab.
  4. In the Listen for tunnel connections on port box, enter the port number for incoming tunnel connections (port 8403 is the default), then click OK.
  5. In the CommCell Browser, right-click the CommServe computer, then click All Tasks > Push Firewall Configuration.
  6. Read the warning and click Continue, then click OK.
  7. Verify that your firewall configuration was pushed successfully by checking the Event Viewer window.
  8. From the CommCell Browser, right-click the MediaAgent computer and click Properties.
  9. Repeat steps 2 through 7 of this procedure for the MediaAgent.

Install the Client

In this configuration, the client initiates a connection to the CommServe using one or more ports. To install the client across a firewall in this setup, you must specify the path to reach the CommServe computer.

Important: If you will be performing a Remote Install Using the CommCell Console, first perform the Remote Installation Configuration steps, then continue with Configure the Basic Firewall on a Client or Client Group. When you have finished those two steps, then you can perform the remote install.

When installing the client, use one of these firewall configuration sequences:

Configure the Basic Firewall on a Client or Client Group

  1. From the CommCell Browser, right-click the client or client group, then click Properties > Advanced
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select an option for establishing connectivity from the client computer to the CommServe computer:
    • If the client resides permanently on a different network from the CommServe, select Always outside of CommServe network.
    • If the client does not always reside on the network where the CommServe resides, select May travel outside of CommServe network. We recommend this option for laptops and other mobile devices that routinely move into and out of that network.

    Note that selecting either of these options automatically selects Open tunnel directly to CommServe.

  4. Click the MediaAgent Connectivity tab.

    Select an option for establishing connectivity with the MediaAgent using a direct port tunnel:

    • If the client resides permanently on a different network from the MediaAgent, select Always outside of MediaAgent network.
    • If the client does not always reside on the MediaAgent network, select May travel outside of MediaAgent network. This option is recommended for laptop and other mobile devices that routinely move into and out of the network.

    Note that selecting either of these options also selects Open tunnel directly to MediaAgent.

  5. Click the Summary tab. The [outgoing] section shows the connection route details between the CommServe, MediaAgent and client.
  6. Click OK. This automatically pushes the firewall configuration to the client, CommServe and MediaAgent computers.

Note: Outgoing routes are automatically created for direct connections. However, you might want to set up outgoing routes to enable HTTPS encryption for data traffic, or to encrypt data connections by forcing connections into the tunnel. To set up outgoing routes from any host, see Configuring Outgoing Tunnel Connections.

Stop here. Successful completion of this procedure will have established connectivity between your CommServe, MediaAgent and client.

Advanced Configuration

The steps in this section enable client computers to initiate direct connections through the firewall. Use this procedure when the options provided in the Basic procedure do not provide a sufficient level of control, as described in the decision table that brought you to this Advanced Configuration procedure.

Set up Incoming Ports on the CommServe and MediaAgent

Before installing the client, follow these steps to set up an incoming port number on which the CommServe and MediaAgent computers will receive tunnel connections from the client:

  1. From the CommCell Browser, right-click the CommServe computer and click Properties.
  2. Click the Firewall Configuration tab, then select Configure Firewall Settings.
  3. Click the Incoming Ports tab.
  4. In the Listen for tunnel connections on port box, enter the port number for incoming tunnel connections (port 8403 is the default), then click OK.
  5. In the CommCell Browser, right-click the CommServe computer, then click All Tasks > Push Firewall Configuration.
  6. Read the warning and click Continue, then click OK.
  7. Verify that your firewall configuration was pushed successfully by checking the Event Viewer window.
  8. From the CommCell Browser, right-click the MediaAgent computer and click Properties.
  9. Repeat steps 2 through 7 of this procedure for the MediaAgent.

Install the Client

In this configuration, the client initiates a connection to the CommServe using one or more ports. To install the client across a firewall in this setup, you must specify the path to reach the CommServe computer.

Important: If you will be installing the software onto a remote client by pushing it from the CommServe host, first perform the Remote Installation Configuration steps, then continue with Configure the CommServe, MediaAgent and Client. When you have finished those two steps, then you can install the client software.

When installing the client, use one of these firewall configuration sequences:

Configure the CommServe, MediaAgent and Client

Use these steps to establish incoming connectivity details between the CommServe, MediaAgent, and client computer.

  1. Configure the CommServe using these steps:
    1. Right-click the CommServe_name in the CommCell Browser, then click Properties.
    2. Click the Firewall Configuration tab, then the Incoming Connections tab.
    3. Click Add. The Connection to dialog box opens.
    4. In the From list, select the name of the client you just installed.
    5. Select the State of the connection from the client. In the case you are configuring, the client initiates the connection to the CommServe. If the firewall restricts incoming connections to only specific ports, select RESTRICTED. Configuring Third-Party Connections using the Firewall Configuration File describes port restriction.
    6. Click OK, then click OK again to close the CommCell Properties dialog box.
    7. From the CommCell Browser, right-click the CommServe computer and click All Tasks > Push Firewall Configuration.
    8. Read the warning, then click Continue.
    9. Click OK.

    You have now configured the CommServe system to receive communication from the client. You can verify that your firewall configuration was pushed successfully by checking the Event Viewer window.

  2. Configure the MediaAgent using these steps:
    1. Right-click the MediaAgent_name from the CommCell Browser and click Properties.
    2. Click Advanced.
    3. Click the Firewall Configuration tab, then select Configure Firewall Settings and click Add.
    4. In the From list, select the name of the client you just installed.
    5. Select the State of the connection from the client. In the case you are configuring, the client initiates the connection to the MediaAgent. If the firewall restricts connections to only specific ports, select RESTRICTED. Configuring Third-Party Connections using the Firewall Configuration File describes port restriction.
    6. Click OK.
    7. Click the Incoming Ports tab, then set the port number on which the incoming tunnel connection is received in the Listen for tunnel connections on port box.

      Additional Open Ports: You can speed up data transfer for components that handle it (such as MediaAgent or File System iDataAgent), by opening additional ports on the firewall, and configuring them as open in this dialog. Specify the range of ports in the Additional open ports area, in the From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications.

      For more information on additional open ports, see Optimizing Backup and Restore using Additional Ports.

      Click OK.

    8. From the CommCell Browser, right-click the MediaAgent computer and click All Tasks > Push Firewall Configuration.
    9. Read the warning, then click Continue.
    10. Click OK.

    You have now configured the MediaAgent to receive communication from the client. You can verify that your firewall configuration was pushed successfully by checking the Event Viewer window.

  3. Configure the client using these steps:
    1. Right-click the client from the CommCell Browser and then click Properties.
    2. In the Client Computer Properties dialog box, click Advanced.
    3. On the Firewall Configuration tab, select Configure Firewall Settings, then the Advanced option. Read the warning, then click OK to acknowledge it and continue.
    4. Click Add.
    5. From the From list, select the name of the CommServe computer.

      From the State list, select BLOCKED since the CommServe computer cannot open connections to the Client.

      Click OK.

    6. Click Add to specify the MediaAgent connection details.

      From the From list, select the name of the MediaAgent computer.

      From the State list, select BLOCKED since the MediaAgent cannot open connections to the Client.

      Click OK.

    7. On the Outgoing Routes tab, click Add. The Route Settings dialog box appears.

      Select the CommServe name from the Remote Group/Client list.

      Under the Tunnel Connection Protocol area, select Encrypted to enable authentication and encryption for tunnel connections.

      Note: You do not need to select the Force all data (along with control) traffic into the tunnel check box because this route is not towards the MediaAgent.

      Click OK.

    8. From the CommCell Browser, right-click the client and click All Tasks > Push Firewall Configuration.
    9. Click Continue.
    10. Click OK. The client is configured to communicate with the CommServe and MediaAgent.
    11. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

      If the client computer is not ready, verify your settings against the above recommendations and revise them as required.

Note: Outgoing routes are automatically created for direct connections. However, you might want to set up outgoing routes to enable HTTPS encryption for data traffic, or to encrypt data connections by forcing connections into the tunnel. To set up outgoing routes from any host, see Configuring Outgoing Tunnel Connections.

CommServe Initiates Connection to the Client (One-Way Firewall)

The diagram above illustrates a direct connection setup where the CommServe opens a tunnel connection toward the client.

Before You Begin

Make a note of the port configurations on your firewall, so you can supply this information in the steps that follow.

Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 as a firewall configuration on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

Quick Reference

The table below is a quick reference to the upcoming configurations within this section:

Firewall Configurations
  CommServe/MediaAgent: Incoming connections from these computers are Blocked.
  Client: Incoming connections from this computer are Restricted (see Configuring Tunnel Connection Protocols).
  Additional open ports can also be configured.

The following sections explain the configuration required on the CommServe, MediaAgent, and the client, to operate in this scenario. These are the high-level steps:

  1. Set up Connection to the CommServe
  2. Install the Client
  3. Configure the CommServe, MediaAgent and Client

Set up Connection to the CommServe

In this configuration, the CommServe establishes a tunnel connection with the client. Since the client is not yet available in the CommCell, follow the steps below to create a placeholder client and configure the firewall settings before installing the client.

  1. In the CommCell Browser, right-click the Client Computers node, then click New Client > File System > [Windows or Unix].

  2. Provide the Client Name and Host Name of the client computer to be installed.

    The Client Name must be the same client name that you will provide during installation, which is the name the client will be identified by in the CommCell Browser after installation. The Host Name must be either the fully qualified domain name of the client, or the IP address that the CommServe should use to open tunnel connections to the client.

    Examples:

    • Client Name: my Proxy
    • Host Name:   myProxy.domain.mycompany.com

  3. Click Finish.
  4. From the CommCell Browser, right-click the client you just created, and click Properties | Advanced.
  5. On the Firewall Configuration tab, select Configure Firewall Settings. Click Advanced, then OK to acknowledge the warning.
  6. Click the Incoming Ports tab.

    In the Listen for tunnel connections on port box, set the incoming port number on which the firewall will allow connections from the CommServe.

    Write down the port number. It will be needed during the client installation.

    Click OK.

  7. From the CommCell Browser, right-click the CommServe computer and click Properties.
  8. On the Firewall Configuration tab, select the Configure Firewall Settings option. Click the Incoming Connections tab, then click Add.
  9. From the From list, select the name of the placeholder client you just added.

    From the State list, select BLOCKED since the client does not open a tunnel connection to the CommServe.

    Click OK.

  10. Select the name of the placeholder client from the Remote Group/Client list.

    The Direct route type and Regular tunnel connection protocol are selected by default.

    Leave the Force all data (along with control) traffic into the tunnel option unselected. It is not required, since this route is not toward the MediaAgent computer.

    Click OK.

  11. From the CommCell Browser, right-click the CommServe computer name, then click All Tasks | Push Firewall Configuration.
  12. Click Continue to dismiss the warning.
  13. Click OK to dismiss the confirmation.

    Your CommServe instance is now configured to open tunnel connections with the client.

    Verify that your firewall configuration was pushed successfully by checking the Event Viewer window.

Install the Client

See Installation for step-by-step installation procedures to install the client.

During installation of the client, use one of the following firewall configuration sequences:

Configure the CommServe, MediaAgent and Client

Use the following steps to establish incoming connectivity details between the CommServe, MediaAgent, and the client computer.

The configuration required for the CommServe to connect to the client was done prior to installing the client. No additional configuration is required.

  1. To configure the MediaAgent, in the CommCell Browser, open Storage Resources | MediaAgents, right-click the MediaAgent computer, then click Properties.
  2. Click the Firewall Configuration tab, then select Configure Firewall Settings and click Add.
  3. From the From list, select the name of the client you just installed.

    From the State list, select BLOCKED, since the client does not open a tunnel connection to the MediaAgent.

    Note that if the firewall does not restrict connections from the client to the MediaAgent, this entry is not required.

    Click OK repeatedly until you have closed the MediaAgent Properties dialog box.

  4. To configure the client, open Client Computers, right-click the client computer name in the CommCell Browser, then click Properties.

    In the client properties dialog box, click Advanced.

  5. Click the Firewall Configuration tab, then click Add.
  6. In the From list, select the name of the CommServe computer.

    In the State list, select RESTRICTED, since the CommServe will connect to the Client through a port. (Configuring Tunnel Connection Protocols explains the RESTRICTED setting.)

    Click OK.

  7. Click Add again to specify the MediaAgent connection details.

    In the From list, select the name of the MediaAgent computer.

    In the State list, select RESTRICTED, since the MediaAgent will connect to the Client through a port.

    Click OK.

  8. Click the Incoming Ports tab.

    In the Listen for tunnel connections on port box, set the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent.

    Click OK.

  9. In the CommCell Browser, under Client Computers, right-click the client name, then click All Tasks | Push Firewall Configuration.
  10. Click Continue to dismiss the warning.
  11. Click OK to close the confirmation. The client is now configured to communicate with the CommServe and MediaAgent.
  12. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer is not ready, verify your settings against the above recommendations and revise them as required.

Note: Outgoing routes are automatically created for direct connections. However, you might want to set up outgoing routes to enable HTTPS encryption for data traffic, or to encrypt data connections by forcing connections into the tunnel. To set up outgoing routes from any host, see Configuring Outgoing Tunnel Connections.

Both Client and CommServe Can Initiate a Connection (Two-Way Firewall)

The diagram above illustrates a direct connection setup where the client, CommServe and MediaAgent open tunnel connections between them.

Before You Begin

Make a note of the port configurations on your firewall, so you can supply this information in the steps that follow.

Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 as a firewall configuration on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

Quick Reference

The table below is a quick reference to the upcoming configurations within this section:

Firewall Configurations
  CommServe/MediaAgent: Incoming Connections from these computers are Restricted.
  Client: Incoming Connections from this computer are Restricted (see Configuring Tunnel Connection Protocols).
  Additional open ports can also be configured.
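The three Quick Reference tables on this page (client initiates, CommServe initiates, two-way) are one rule applied three times: whichever side can open the tunnel is listed as RESTRICTED on the receiving side's Incoming Connections tab, and the side that cannot open a tunnel is listed as BLOCKED. The following added example, which is not SnapProtect code, encodes that rule and checks a planned configuration against it before anything is pushed: it flags State entries that do not match the chosen scenario, RESTRICTED entries on a host with no tunnel listen port, pairs that are BLOCKED in both directions (no tunnel can ever open), and a tunnel port of 443 on a host that runs IIS. The host names, roles and port values are constructed sample data; the Host class and the function names are this example's own.

```python
"""Consistency check for a planned SnapProtect direct-connection firewall setup.

Added example, not SnapProtect's own code. It models the Incoming Connections
State entries (RESTRICTED / BLOCKED) and tunnel listen ports described in the
quick-reference tables on this page. All host data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

RESTRICTED = "RESTRICTED"
BLOCKED = "BLOCKED"
DEFAULT_TUNNEL_PORT = 8403  # SnapProtect default; 443 is unavailable when IIS runs on the host


@dataclass
class Host:
    name: str
    role: str                          # "CommServe", "MediaAgent" or "Client"
    runs_iis: bool = False
    tunnel_port: Optional[int] = None  # "Listen for tunnel connections on port"
    # Incoming Connections tab: peer name -> State given to connections from that peer
    incoming: dict = field(default_factory=dict)


def expected_states(client_initiates: bool, commserve_initiates: bool) -> dict:
    """State matrix from the three scenarios: (host role, peer role) -> State.

    The receiving side lists the connecting side as RESTRICTED; a side that
    never opens the tunnel is listed as BLOCKED.
    """
    if not (client_initiates or commserve_initiates):
        raise ValueError("at least one side must be able to open the tunnel")
    from_client = RESTRICTED if client_initiates else BLOCKED
    from_server = RESTRICTED if commserve_initiates else BLOCKED
    return {
        ("CommServe", "Client"): from_client,
        ("MediaAgent", "Client"): from_client,
        ("Client", "CommServe"): from_server,
        ("Client", "MediaAgent"): from_server,
    }


def check_plan(hosts: list, client_initiates: bool, commserve_initiates: bool) -> list:
    """Return a list of findings; an empty list means the plan matches the scenario."""
    findings = []
    expected = expected_states(client_initiates, commserve_initiates)
    by_name = {h.name: h for h in hosts}
    dead_pairs = set()  # pairs already reported as BLOCKED in both directions

    for host in hosts:
        if host.runs_iis and host.tunnel_port == 443:
            findings.append(f"{host.name}: port 443 is used by IIS on this host; "
                            f"choose another tunnel port (default {DEFAULT_TUNNEL_PORT})")
        for peer_name, state in host.incoming.items():
            peer = by_name.get(peer_name)
            if peer is None:
                findings.append(f"{host.name}: incoming entry for unknown host {peer_name}")
                continue
            want = expected.get((host.role, peer.role))
            if want is not None and state != want:
                findings.append(f"{host.name}: entry for {peer_name} is {state}, "
                                f"scenario expects {want}")
            # RESTRICTED means the peer connects to this host on a port, so a listener is needed.
            if state == RESTRICTED and host.tunnel_port is None:
                findings.append(f"{host.name}: RESTRICTED entry for {peer_name} "
                                f"but no tunnel listen port set")
            # BLOCKED on both sides of a pair leaves no direction in which a tunnel can open.
            pair = tuple(sorted((host.name, peer_name)))
            if state == BLOCKED and peer.incoming.get(host.name) == BLOCKED and pair not in dead_pairs:
                dead_pairs.add(pair)
                findings.append(f"{pair[0]} <-> {pair[1]}: BLOCKED both ways, no tunnel can open")
    return findings


def sample_one_way_plan() -> list:
    """Constructed 'client initiates' scenario: servers RESTRICTED, client BLOCKED."""
    return [
        Host("cs01", "CommServe", tunnel_port=DEFAULT_TUNNEL_PORT, incoming={"lap01": RESTRICTED}),
        Host("ma01", "MediaAgent", tunnel_port=DEFAULT_TUNNEL_PORT, incoming={"lap01": RESTRICTED}),
        Host("lap01", "Client", incoming={"cs01": BLOCKED, "ma01": BLOCKED}),
    ]


if __name__ == "__main__":
    for finding in check_plan(sample_one_way_plan(), client_initiates=True, commserve_initiates=False):
        print(finding)
```

Run the same plan with the wrong scenario flags, or with one entry changed, and the checker reports the mismatch; the BLOCKED-both-ways finding is the one that most often explains a failed Check Readiness after a configuration push.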

The following sections explain the configuration required on the CommServe, MediaAgent, and the client to operate in this scenario:

  1. Set up Connection to the CommServe
  2. Install the Client
  3. Configure the CommServe, MediaAgent and Client

Set Up Connection to the CommServe

Before installing the client, you will have to provide an incoming port number on which the CommServe will receive tunnel connections from the client. The following steps explain the configurations required for this purpose.

  1. In the CommCell Browser, right-click the CommServe computer name and click Properties.
  2. Click the Firewall Configuration tab.

    Select the Configure Firewall Settings option.

  3. Click the Incoming Ports tab.

    Set the port number that incoming tunnel connections are received on in the Listen for tunnel connections on port box. The default is port 8403.

    Click OK.

  4. From the CommCell Browser, right-click the CommServe computer name and click All Tasks | Push Firewall Configuration.
  5. Click Continue to dismiss the warning.
  6. Click OK to close the confirmation.

    Verify that your firewall configuration was pushed successfully by checking the Event Viewer window.

Install the Client

In this configuration the client and the CommServe establish connection between themselves using one or more ports. To install the client across a firewall in this setup, you have to specify the path to the CommServe computer. During installation of the client, use one of these firewall configuration sequences:

Configure the CommServe, MediaAgent and Client

Use these steps to establish incoming connectivity details between the CommServe, MediaAgent, and client computers.

  1. Configure the CommServe computer:
    1. At the top of the CommCell Browser tree, right-click the CommServe computer name, then click Properties. The CommCell Properties dialog box opens.
    2. Click the Firewall Configuration tab, then on the Incoming Connections tab, click Add.
    3. In the From list, select the name of the client you just installed.
    4. In the State list, select RESTRICTED since the client can reach the CommServe. (Configuring Tunnel Connection Protocols describes this setting.)
    5. Click OK to close the Connections to dialog box, then click OK again to close the CommCell Properties dialog box.
    6. In the CommCell Browser, right-click the CommServe computer, then click All Tasks | Push Firewall Configuration.
    7. Click Continue to acknowledge the warning, then click OK to close the confirmation.

    Your CommServe is now configured to receive communication from the client. You can verify that your firewall configuration was pushed successfully by clicking Event Viewer on the toolbar and looking for the entry for the push event.

  2. Configure the MediaAgent computer:
    1. In the CommCell Browser, expand Client Computers, then right-click the media_agent and click Properties.
    2. In the Client Computer Properties dialog box, click Advanced.
    3. Click the Firewall Configuration tab, then select Configure Firewall Settings and click Add.
    4. In the From list, select the name of the client you just installed.
    5. In the State list, select RESTRICTED since the client can reach the MediaAgent. (Configuring Tunnel Connection Protocols explains the RESTRICTED setting.)
    6. Click OK.
    7. Click the Incoming Ports tab, then in Listen for tunnel connections on port, set the port number on which the incoming tunnel connection is received.
    8. (optional) Set additional incoming ports:
      1. In the From box, enter a starting number in a port range.
      2. In the To box, enter an ending number in a port range.
      3. Click Add.
    9. See Optimizing Backup and Restore using Additional Ports for a description of this option.

    10. Right-click the MediaAgent computer, then point to All Tasks and click Push Firewall Configuration.
    11. Click Continue to acknowledge the warning, then click OK to close the confirmation.
    12. Your MediaAgent is now configured to receive communication from the client. You can verify that your firewall configuration was pushed successfully by clicking Event Viewer on the toolbar and looking for the entry for the push event.

  3. Configure the Client:
    1. Right-click the client_name in the CommCell Browser, then click Properties.
    2. In the Client Properties dialog box, click Advanced.
    3. On the Firewall Configuration tab, select Configure Firewall Settings, then the Advanced option. Read the warning, then click OK to acknowledge it and continue.
    4. Click Add to enter the CommServe connection details. The Connections to dialog box appears.
      1. In the From list, select the name of the CommServe computer.
      2. In the State list, select RESTRICTED since the Client can connect to the CommServe. (Configuring Tunnel Connection Protocols explains the RESTRICTED setting.)
      3. Click OK to close the Connections to dialog.
    5. Click Add to enter the MediaAgent connection details.
      1. In the From list, select the name of the MediaAgent computer.
      2. In the State list, select RESTRICTED since the Client can connect to the MediaAgent.
      3. Click OK to close the Connections dialog.
    6. Click the Incoming Ports tab. In the Listen for tunnel connections on port box, set the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent.
    7. (optional) Set additional incoming ports:
      1. In the From box, enter a starting number in a port range.
      2. In the To box, enter an ending number in a port range.
      3. Click Add.
    8. See Optimizing Backup and Restore using Additional Ports for a description of this option.

      Consider that:

      • For backups to MediaAgents with Optimize for concurrent LAN backups option unchecked, opening additional incoming ports improves the backup performance. The number of open ports should correspond to the number of simultaneously running backup streams.
      • For ContinuousDataReplicator computers, opening additional incoming ports improves the replication performance.
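The Additional Open Ports guidance given for the MediaAgent earlier on this page and repeated here for the client reduces to three checks: the range must lie within 1024 - 65000, none of the ports may already be used by another application, and for backups the number of ports should match the number of simultaneously running streams. The following added example, which is not SnapProtect code, performs those checks against the listening sockets of the host by parsing `ss -ltn` output; the output shown is a constructed sample, and the function names are this example's own.

```python
"""Validate a planned 'Additional open ports' range before entering it in the dialog.

Added example, not SnapProtect code. Rules taken from this page: range within
1024-65000, ports not used by other applications, port count matching the
number of concurrent backup streams. The ss(8) output below is constructed.
"""
import re

PORT_MIN, PORT_MAX = 1024, 65000
DEFAULT_TUNNEL_PORT = 8403

# Constructed sample of `ss -ltn` on a MediaAgent: sshd, the tunnel listener,
# one extra application listener and a database.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8403         0.0.0.0:*
LISTEN  0       511     *:8405               *:*
LISTEN  0       128     [::]:5432            [::]:*
"""


def listening_ports(ss_output: str) -> set:
    """Parse the Local Address:Port column of `ss -ltn` output into a set of TCP ports."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        match = re.search(r":(\d+)$", fields[3])  # handles 0.0.0.0:, *: and [::]: forms
        if match:
            ports.add(int(match.group(1)))
    return ports


def check_port_range(first: int, last: int, in_use: set,
                     streams: int = None, tunnel_port: int = DEFAULT_TUNNEL_PORT) -> list:
    """Return findings for the From/To range; an empty list means it can be entered as-is."""
    findings = []
    if first > last:
        findings.append("range start is greater than range end")
    if first < PORT_MIN or last > PORT_MAX:
        findings.append(f"additional open ports must lie within {PORT_MIN}-{PORT_MAX}")
    planned = range(first, last + 1)
    clashes = sorted(p for p in planned if p in in_use)
    if clashes:
        findings.append(f"ports already in use by other listeners: {clashes}")
    if tunnel_port in planned:
        findings.append(f"range overlaps the tunnel listen port {tunnel_port}")
    if streams is not None and len(planned) != streams:
        findings.append(f"{len(planned)} ports opened for {streams} concurrent backup streams")
    return findings


if __name__ == "__main__":
    used = listening_ports(SAMPLE_SS_OUTPUT)
    for finding in check_port_range(8400, 8407, used, streams=8):
        print(finding)
```

On a live host, replace SAMPLE_SS_OUTPUT with the captured output of `ss -ltn` (or `netstat -an` parsed the same way on Windows) and run the check once per MediaAgent or client whose range you intend to open; repeat it after the push, since the tunnel listener itself appears in the table only once the configuration is active.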

Note: Outgoing routes are automatically created for direct connections. However, you might want to set up outgoing routes to enable HTTPS encryption for data traffic, or to encrypt data connections by forcing connections into the tunnel. To set up outgoing routes from any host, see Configuring Outgoing Tunnel Connections.

More Information

Firewall - Advanced provides firewall options for fine-tuning communication between CommCell components in support of CommCell operations.

Firewall - Troubleshooting provides troubleshooting information for problems encountered during configuration.

Configuring Third-Party Connections explains port restriction as related to the Status: RESTRICTED option.