Firewall: Perimeter Network Using SnapProtect Proxy

Overview

SnapProtect proxy is a special proxy configuration where a dedicated iDataAgent is placed in a perimeter network, and the firewalls are configured to allow connections (from inside and outside networks) into the perimeter network. The proxy, which is the agent running in the perimeter network, authenticates, encrypts, and proxies accepted tunnel connections to connect the clients operating outside to clients operating inside.

The SnapProtect proxy acts like a Private Branch Exchange (PBX) that sets up secure conferences between dial-in client calls. With this setup, firewalls can be configured to disallow straight connections between inside and outside networks.

The diagram on the right illustrates a perimeter network setup where a client from outside communicates to the CommServe and MediaAgent operating in an internal network through the SnapProtect proxy.

  • The instructions given below use the component names and port numbers presented in the illustration. Make a note of the details in your setup and substitute them as required.
  • For roaming clients, the firewall configuration can be set up to use direct connections when clients are inside the network, and use the proxy when they are outside the network. See Basic Configuration, and use the May travel outside of CommServe network option.
  • Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 for firewall communication on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

Important: The SnapProtect proxy only allows connections that a client (which in this context includes a CommServe host or MediaAgent) opens toward the proxy. Proxies cannot originate connections to clients, nor are two-way connections supported.

Quick Reference

The table below is a quick reference to the upcoming configurations within this section:

Firewall Configurations

Proxy

  Incoming:

    CommServe Host:

    Client:

    Enable Proxy Capability: configure a computer as a proxy by enabling This Computer is in DMZ and will work as a Proxy. The RESTRICTED option is described in Restricting or Blocking Connections.

Client or Client Group

  Incoming from Proxy

  Outgoing to Proxy: set two outgoing routes from client computers as follows:

    Route 1:
      • Remote Group/Client: the CommServe instance or MediaAgent
      • Route type: Via Proxy

    Route 2:
      • Remote Group/Client: the proxy
      • Route type: Direct

CommServe and MediaAgent

  Incoming from Proxy

  Outgoing to Proxy: set two outgoing routes from the CommServe instance and MediaAgents as follows:

    Route 1:
      • Remote Group/Client: Client or Client Group
      • Route type: Via Proxy

    Route 2:
      • Remote Group/Client: the proxy
      • Route type: Direct
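The two-route pattern in this quick reference (a Direct route to the proxy plus a Via Proxy route to the remote computer, restated later under Configure the CommServe, MediaAgent and Client) can be checked mechanically before the configuration is pushed. The script below is an added example, not SnapProtect code: it models the incoming states and outgoing routes as plain data and audits them against the rules this page states (proxy flagged as a DMZ proxy with no outgoing routes of its own, RESTRICTED incoming on the proxy from the inside hosts, BLOCKED incoming from the proxy on every other host, the two routes on each side, and no Direct route crossing the perimeter). The host names, zone labels and the misconfigured variant are constructed for illustration and are not values from the page.

```python
"""Audit a SnapProtect-proxy style firewall configuration (added example).

This is not SnapProtect code. It models the settings the page asks you to
set (Incoming Connections states and Outgoing Routes) as plain Python data
and checks the invariants the page states. Host names, zone labels and the
sample topologies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

DIRECT, VIA_PROXY, VIA_GATEWAY = "Direct", "Via Proxy", "Via Gateway"
BLOCKED, RESTRICTED = "BLOCKED", "RESTRICTED"


@dataclass
class Route:
    remote: str                         # Remote Group/Client
    route_type: str                     # Direct, Via Gateway or Via Proxy
    remote_proxy: Optional[str] = None  # Remote Proxy, only for Via Proxy


@dataclass
class Host:
    name: str
    zone: str                   # "inside", "dmz" or "outside" (constructed labels)
    dmz_proxy: bool = False     # "This computer is in DMZ and will work as a proxy"
    incoming: dict = field(default_factory=dict)  # From -> State
    routes: list = field(default_factory=list)    # Outgoing Routes tab


def route_to(host: Host, remote: str) -> Optional[Route]:
    return next((r for r in host.routes if r.remote == remote), None)


def audit(hosts: dict, proxy_name: str, pairs) -> list:
    """Return every deviation from the page's rules; empty list means clean.

    pairs: (inside_host, outside_host) name pairs that must talk via the proxy.
    """
    proxy = hosts[proxy_name]
    problems = []
    if not proxy.dmz_proxy:
        problems.append(f"{proxy.name}: DMZ proxy option not enabled")
    if proxy.routes:  # a proxy only accepts tunnels, it never originates them
        problems.append(f"{proxy.name}: proxy must not have outgoing routes")
    for inside, outside in pairs:
        for h in (hosts[inside], hosts[outside]):
            to_proxy = route_to(h, proxy_name)
            if to_proxy is None or to_proxy.route_type not in (DIRECT, VIA_GATEWAY):
                problems.append(f"{h.name}: needs a Direct or Via Gateway route to {proxy_name}")
            if h.incoming.get(proxy_name) != BLOCKED:
                problems.append(f"{h.name}: incoming from {proxy_name} should be BLOCKED")
        if proxy.incoming.get(inside) != RESTRICTED:
            problems.append(f"{proxy_name}: incoming from {inside} should be RESTRICTED")
        for src, dst in ((inside, outside), (outside, inside)):
            r = route_to(hosts[src], dst)
            if r is None or r.route_type != VIA_PROXY or r.remote_proxy != proxy_name:
                problems.append(f"{src}: route to {dst} must be Via Proxy through {proxy_name}")
    # Any non-proxied route between inside and outside defeats the perimeter.
    for h in hosts.values():
        for r in h.routes:
            other = hosts.get(r.remote)
            if other and r.route_type != VIA_PROXY and {h.zone, other.zone} == {"inside", "outside"}:
                problems.append(f"{h.name}: direct route to {r.remote} crosses the perimeter")
    return problems


PAIRS = [("commserve", "client"), ("mediaagent", "client")]


def page_topology() -> dict:
    """The illustrated setup: proxy in the DMZ, CommServe/MediaAgent inside, client outside."""
    def edge(name, zone, peers):
        return Host(name, zone, incoming={"proxy": BLOCKED},
                    routes=[Route("proxy", DIRECT)] + [Route(p, VIA_PROXY, "proxy") for p in peers])
    return {
        "proxy": Host("proxy", "dmz", dmz_proxy=True,
                      incoming={"commserve": RESTRICTED, "mediaagent": RESTRICTED}),
        "commserve": edge("commserve", "inside", ["client"]),
        "mediaagent": edge("mediaagent", "inside", ["client"]),
        "client": edge("client", "outside", ["commserve", "mediaagent"]),
    }


def misconfigured_topology() -> dict:
    """Same setup, but the client was given a Direct route to the CommServe (constructed)."""
    hosts = page_topology()
    hosts["client"].routes = [r for r in hosts["client"].routes if r.remote != "commserve"]
    hosts["client"].routes.append(Route("commserve", DIRECT))
    return hosts


if __name__ == "__main__":
    for label, topo in (("page topology", page_topology()), ("misconfigured", misconfigured_topology())):
        print(label, "->", audit(topo, "proxy", PAIRS) or "OK")
```

On the page's topology the audit returns no findings; on the misconfigured variant it reports both that the client's route to the CommServe is not Via Proxy and that the Direct route crosses the perimeter, which is the condition the firewalls in this design are meant to make impossible.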

Setting Up the SnapProtect Proxy

The following sections provide the steps for creating the SnapProtect proxy.

Preconfigure the SnapProtect Proxy

Follow the steps below to create and configure a placeholder for the SnapProtect proxy on your CommServe computer before installing it.

  1. In the CommCell Browser, right-click the Client Computers node, then click New Client > File System > [Windows or Unix].

  2. In the New Windows Client window, enter a Client Name and Host Name for the proxy computer. These details will also be used during your SnapProtect proxy installation. Click Next.
  3. Confirm the information shown under Summary, then click Finish.
  4. From the CommCell Browser, right-click the client you just created, and click Properties | Advanced.
  5. On the Firewall Configuration tab, select Configure Firewall Settings. Click Advanced, then OK to acknowledge the warning.
  6. Click Add. In the From list, select the CommServe name.
  7. In the State list, select RESTRICTED. (The RESTRICTED setting is described in Configuring Third-Party Connections Using the Firewall Configuration File.)
  8. Click OK. If you have a MediaAgent, repeat the above two steps, selecting the MediaAgent computer name this time.
  9. Click the Incoming Ports tab. In the Listen for tunnel connections on port box, specify the port number where the SnapProtect proxy will listen for a connection request from the CommServe. Write down the port number you used (you will need it during the SnapProtect proxy installation).
  10. On the Options tab, select This computer is in DMZ and will work as a proxy, then click OK twice.
  11. From the CommCell Browser, right-click the CommServe computer and click Properties.
  12. On the Firewall Configuration tab, select the Configure Firewall Settings option. Click the Incoming Connections tab, then click Add.
  13. From the From list, select the SnapProtect proxy computer. From the State list, select BLOCKED. Click OK.
  14. Click the Outgoing Routes tab, then click Add.
  15. Select the SnapProtect proxy from the Remote Group/Client list.
  16. For Route Type, select Direct, and for Tunnel Connection Protocol, select Regular.
  17. Click OK repeatedly until all dialog boxes are closed.
  18. From the CommCell Browser, right-click the CommServe computer, then click All Tasks > Push Firewall Configuration.
  19. Click Continue to acknowledge the warning and proceed.
  20. Click OK to close the firewall push notification.
  21. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.

You are now ready to use the next procedure to install the SnapProtect proxy.

Install the SnapProtect Proxy

Install a CommCell client (such as the File System iDataAgent) in the perimeter network. This will operate as the SnapProtect proxy. Since the perimeter network always receives connections from outside, the SnapProtect proxy in the perimeter network must communicate to the CommServe through tunnel connections initiated by the CommServe.

If a firewall is enabled on the computer where the SnapProtect proxy will be installed, ensure there are open connections for the CommServe and client computers.

During the installation, use one of these firewall configuration sequences:

After the installation is completed, open the CommCell Console, right-click the SnapProtect proxy computer and click All Tasks | Push Firewall Configuration.

Install the Client

To install the client across the SnapProtect proxy, you will have to specify the path to reach the CommServe computer. The install program communicates to the CommServe using this information.

See Installation for step-by-step installation procedures to install the client. During installation, use one of the following firewall configuration sequences:

Configure a Client-Initiated Connection

Choose the best method for configuring the components when the client initiates the direct connection:

Basic Configuration

This procedure quickly sets up the client to connect to the CommServe and MediaAgent through the SnapProtect proxy. It uses fewer steps, and is recommended for new firewall users.

Advanced Configuration

Use this procedure when you need to manually set up details of the connection (such as incoming connection restrictions and ports, outgoing routes, and keep-alive intervals) to the CommServe and MediaAgent. This procedure includes additional configuration steps.

Basic Configuration

  1. From the CommCell Browser, right-click the client or client group, then click Properties > Advanced.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Choose an option for establishing connectivity with the CommServe through the SnapProtect proxy:
    • If the client and CommServe reside on different networks, select Always outside of CommServe network.
    • If the client does not always reside on the CommServe network, select May travel outside of CommServe network. We recommend this option for laptop computers and other mobile devices.
  4. Select the Use Galaxy proxy option, then select the SnapProtect proxy that you configured above.
  5. Click the MediaAgent Connectivity tab.

    Choose an option for establishing connectivity with the MediaAgent through the SnapProtect proxy:

    • If the client and MediaAgent reside on different networks, select Always outside of MediaAgent network.
    • If the client does not always reside on the MediaAgent network, select May travel outside of MediaAgent network. We recommend this option for laptop computers and other mobile devices.
  6. Select the Use Galaxy proxy option, then select the SnapProtect proxy that you configured above.
  7. Click the Summary tab. Confirm that you see the connection route details for the outgoing routes between the CommServe, MediaAgent and client, then click OK.

    The firewall configuration is automatically pushed to the client, CommServe and MediaAgent computers.

Stop here. Successful completion of this procedure will have established connectivity between your CommServe, MediaAgent and client.

Advanced Configuration

  1. From the CommCell Browser, right-click the client or client group, then click Properties > Advanced.
  2. On the Firewall Configuration tab, select Configure Firewall Settings, then the Advanced option. Read the warning, then click OK to acknowledge it and continue.
  3. On the Incoming Connections tab, click Add to open the Connections dialog box.
  4. Select the SnapProtect proxy computer in the From list.
  5. Select BLOCKED in the State list, since there are no incoming connections from the proxy to the client. Click OK.
  6. Click the Outgoing Routes tab, then click Add to create a route for the outgoing connection from the client to the SnapProtect proxy.
  7. Select the SnapProtect proxy from the Remote Group/Client list. For Route Type, select Direct, and for Tunnel Connection Protocol, select Authenticated. (The Authenticated option requires credentials to establish the connection, but does not encrypt the data during transfer.)
  8. If a port-forwarding gateway separates the client from the proxy, select Route Type of Via Gateway. Note that you will have to configure the Gateway Settings section after the next step.
  9. Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the tunnel.

  10. Click OK.
  11. Click Add to create a route for the outgoing connection from the client to the CommServe host, through the SnapProtect proxy.
  12. Select the name of the CommServe from the Remote Group/Client list, then for Route Type select Via Proxy.
  13. Select the SnapProtect proxy from the Remote Proxy list and click OK.
  14. Click Add to create a route for the outgoing connection from the client to the MediaAgent, through the SnapProtect proxy.
  15. Select the name of the MediaAgent from the Remote Group/Client list, then for Route Type, select Via Proxy.
  16. Select the SnapProtect proxy from the Remote Proxy list and click OK. Click OK again to close the Route Settings dialog box.
  17. Confirm that the Outgoing Routes tab shows three routes, for:

    • The client to the proxy
    • The client to the MediaAgent host
    • The client to the CommServe host

    If you used a port-forwarding gateway, the Route settings column indicates Via Gateway.

  18. From the CommCell Browser, right-click the <Client> and click All Tasks | Push Firewall Configuration.
  19. Read the warning, then click Continue to acknowledge it and proceed.
  20. Click OK to close the firewall push notification.
  21. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer is not ready, verify your settings against the above recommendations and revise them as required.

Configure the CommServe, MediaAgent and Client

The following steps explain the actions required to configure routes between CommServe, the MediaAgent and the new client through the SnapProtect proxy.

  1. To configure the CommServe computer, right-click its name, then click Properties.
  2. On the Firewall Configuration tab, click the Outgoing Routes tab. Click Add to create an outgoing connection route from the CommServe to the Client through the SnapProtect proxy.
  3. Select the client from the Remote Group/Client list, then select the Via Proxy option under Route Type.
  4. Select the SnapProtect proxy from the Remote Proxy list, then click OK to close the Route Settings dialog box.
  5. Confirm that the Outgoing Routes tab shows two routes:
    • The route from CommServe to the proxy
    • The route from CommServe to the client through the proxy

    When two computers are communicating with each other through a proxy, two routes need to be configured in each computer’s Firewall preferences:

    • A route to describe the connectivity from the computer being configured to the proxy.
    • A route to describe the connectivity from the computer being configured to the remote computer via the proxy.

  6. Click OK to close the CommCell Properties dialog box.
  7. From the CommCell Browser, right-click the CommServe computer, then point to All Tasks, then click Push Firewall Configuration.
  8. Read the warning, then click Continue to acknowledge it and proceed.
  9. Click OK to close the firewall push notification. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.

    Your CommServe is now configured to receive communication from the client through the SnapProtect proxy.

  10. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer is not ready, verify your settings against the above recommendations and revise them as required.

  11. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Browser and click Properties.
  12. Click the Firewall Configuration tab, then select Configure Firewall Settings and click Add.
  13. In the From list, select the SnapProtect proxy computer. From the State list, select BLOCKED, then click OK.
  14. Click the Outgoing Routes tab, then click Add to create the outgoing connection route from the MediaAgent to the client through the SnapProtect proxy.
  15. Select the client from the Remote Group/Client list, then select a Route Type of Via Proxy. Select the SnapProtect proxy in Remote Proxy, then click OK.
  16. Click Add again to create another route, this time the one from the MediaAgent to the SnapProtect proxy.
  17. Select the SnapProtect proxy from the Remote Group/Client list. The Direct route type and Regular tunnel connection protocol are selected by default.
  18. Select the Force all data (along with the control) traffic into the tunnel option, then click OK to add the route and close the Route settings dialog box.
  19. Confirm that the Outgoing Routes tab shows two routes:
    • The route from MediaAgent to the proxy
    • The route from MediaAgent to the client through the proxy
  20. Click OK.
  21. Your MediaAgent is now configured to receive communication from the client through the SnapProtect proxy.
  22. In the CommCell Browser, right-click the MediaAgent computer and click All Tasks | Push Firewall Configuration.
  23. Read the warning, then click Continue to acknowledge it and proceed.
  24. Click OK to close the firewall push notification. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.
  25. In the CommCell Console, right-click the MediaAgent computer name, then click All Tasks | Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the MediaAgent computer is not ready, verify your settings against the above recommendations, then revise the settings as required.

More Information

Firewall - Advanced provides firewall options for fine-tuning communication between CommCell components in support of CommCell operations.

Firewall - Troubleshooting provides troubleshooting information for problems encountered during configuration.

Configuring Third-Party Connections explains port restriction as related to the Status: RESTRICTED option.