Firewall: Advanced

Configuring Multiple Clients Simultaneously

If you have multiple clients with the same firewall configuration settings, instead of defining the configuration for each client, you can create a Client Group with clients that have the same firewall configuration and define the configuration at the Client Group level.

Use the following steps to configure firewall settings for multiple clients simultaneously:

  1. From the CommCell Browser, create a Client Computer Group with clients that have the same firewall configuration.

    See Getting Started - Client Computer Groups for step-by-step procedure.

  2. Right-click the newly-created client group and click Properties.
  3. Click the Firewall Configuration tab and then select the Configure Firewall Settings check box to enable firewall configuration for the group.
  4. Depending on the firewall setup that you want to configure, select the required options described in the Firewall - Getting Started procedures. Note that the client (or MediaAgent) configuration steps specified in the Getting Started procedures will be applicable for the client group.
  5. Right-click the client group and then click All Tasks | Push Firewall Configuration. The configuration is now applicable for all the clients. You can verify the new firewall configuration on each client computer.

Inherit the Firewall Configuration from the Client Group

Use the following steps to configure a client to inherit the firewall settings from the client computer group.

  1. From the CommCell Console, right-click the <Client> and click Properties.
  2. Click Advanced.
  3. In the Advanced Client Properties dialog box, click the Firewall Configuration tab.
  4. Ensure the Configure Firewall Settings option is not selected.
  5. Click OK.

    Future firewall changes will be applicable at the client group level.

When Configure Firewall Settings is selected on the client, the firewall configuration of the client computer and that of its client group are merged on the client computer. Also note that a client computer cannot be associated with more than one client group that has firewall settings configured.

Hardware Recommendations for Proxy

This hardware is recommended for a SnapProtect proxy computer:

Number of Clients   Regular, Authenticated or Raw               Encrypted
<1000 clients       Single-core 1-GHz processor with 4 GB RAM   Dual-core 1-GHz processor with 8 GB RAM
>5000 clients       Dual-core 1-GHz processor with 8 GB RAM     2 x dual-core 1-GHz processors with 8 GB RAM

Configuring Multiple Connection Routes

You can configure multiple connections for a client computer or client computer group as described and depicted below.
  • Multiple Proxy Connections
  • Proxy/Multiple Proxy and Direct Connections

Multiple Proxy Connections

Use multiple proxy connections for faster data throughput, high availability and load balancing.

  1. Install an additional proxy. See Set up the SnapProtect Proxy.
  2. Configure the client computer or client computer group to use the additional proxy. See Quick Reference on the Perimeter Network Using Proxy page.

You can repeat steps 1 and 2 for each additional proxy.

Proxy/Multiple Proxy and Direct Connections

See Direct Connections - Client Connects to the CommServe (One-Way Firewall)

We recommend configuring proxy/multiple proxy and direct routes for a client computer or client computer group, so that:

  • The CommServe host can use the proxy connection to access the client if the client is outside the network.
  • The client can use the direct connection to access the CommServe host, when the client is inside the network.

Configuring a Clustered Environment

When configuring the firewall in a clustered environment, the cluster group client and the physical nodes must be configured to reach the CommServe host and MediaAgents across the firewall.

The cluster group client represents the virtual client in the CommCell into which the cluster's physical nodes are collected. The cluster group client may have all the physical nodes of the cluster, or only some of them. You can see which physical nodes are in a cluster group client by checking the cluster group client's Advanced Client Properties > Cluster Group Configuration > Nodes dialog box. See Cluster Configuration - Overview for more information about clustering.

Use these steps to configure the firewall settings for the cluster:

  1. From the CommCell Browser, expand Client Computers, then right-click the cluster_group_client > Properties.
  2. Click Advanced.
  3. On the Firewall Configuration tab, select Configure Firewall Settings.
  4. Configure the firewall settings required by selecting options as described in Firewall - Getting Started.
  5. Repeat the above steps on each physical node in the cluster group client.
  6. If all the nodes (physical and cluster group client) within the cluster have the same firewall configuration, you can create a client group and add the nodes to it, then configure the firewall settings on the group, rather than on each physical node.

  7. Under Client Computers, right-click each physical node in the cluster, then click All Tasks | Push Firewall Configuration.

Configuring Windows Firewall to Allow CommCell Communication

Windows Firewall, the host firewall built into Windows operating systems, can be configured to allow CommCell communication by adding the CommCell programs and services to the Windows Firewall exception list. Once the CommCell programs are on the exception list, Windows Firewall allows external network connections to them, including connections to the CommCell Console.

During installation of Windows components, the installer provides an option to add CommCell programs and services to Windows Firewall List. You can use this option to configure Windows Firewall during installation.

After installation, you can configure Windows Firewall by running the AddFWExclusions.bat program. Run it from a command prompt whose current directory is the Base folder, so that the batch file resolves the CommCell executables relative to that folder. If it is launched in a way that picks up the default system environment variables instead, it may add system32 executables to the firewall exception list rather than the CommCell programs.

To add CommCell programs and services to Windows Firewall Exception List:

  1. Open the command prompt.
  2. Navigate to the <Software_Installation_Path>/Base folder.
  3. Run the AddFWExclusions.bat file to execute the commands.
  4. All applicable CommCell communication programs and services are added to Windows Firewall Exception List. Note that this must be done on all CommCell Computers.

If the firewall configuration is reset on a computer for any reason (this can happen, for example, when the computer is moved from a workgroup to a domain), then the firewall exclusions must be added again.

Restricting or Blocking Connections

The SnapProtect firewall controls connections coming in to a client (host) from clients or client groups by restricting connections to configured ports, or blocking them entirely. To configure this, you enter the names of the clients or client groups in the Properties > Firewall Configuration > Incoming Connections dialog box, then assign to each one a state of RESTRICTED or BLOCKED.

  • RESTRICTED means that a connection can be set up, but only on restricted ports (that is, those configured on the Incoming Ports tab).
  • BLOCKED means that a connection cannot be set up.

These sets of rules are used to define the type of firewall configuration in use between the two hosts. For example, RESTRICTED-RESTRICTED yields a two-way firewall configuration, but RESTRICTED-BLOCKED yields a one-way firewall configuration.

Third-Party Port Mappings (TPPM or Network Proxy)

All configurations of TPPM require that SnapProtect Firewall be installed. See Firewall - Getting Started - Overview for more information.

In addition to the firewall routes configured in your CommCell setup, you can also establish connectivity between CommCell computers on third-party ports using existing firewall tunnels. These ports are used by third-party applications. They are not configured using SnapProtect Firewall.

The Third-Party Port Mapping (TPPM) configuration allows you to open a port on the destination computer and map it to a local port on the source computer, which listens for incoming connections and forwards them through the existing tunnel. This configuration is also referred to as port forwarding.

You can perform this configuration from the CommCell Console or manually in the FWConfigLocal.txt file. The following sections describe the available configurations that you can perform:

Configuring Access to the CommCell Console

Configuring this access requires the SnapProtect proxy to be already configured. See Set up the SnapProtect Proxy to create and configure the client computer that is hosting the proxy functionality.

After setting up the proxy, configure third-party ports to connect to the CommServe computer through the proxy:

  1. In the CommCell Browser, right-click the CommServe computer and click Properties.
  2. Click the Firewall Configuration tab, and then click the Options tab.
  3. Select the Access GUI Server (EvMgrS) via following proxy option. This option automatically enables port 8401 for third-party connections.
  4. Select the client computer that is hosting the proxy function from the Remote Proxy list.
  5. In the Port Number box, specify a port to be used by the proxy to access the CommServe. This is a local port on the proxy computer that is mapped to port 8401 on the CommServe.
  6. Click OK.
  7. In the CommCell Browser, right-click the name of each computer that uses Third-Party Port Mapping (TPPM), then click All Tasks | Push Firewall Configuration.

    Verify that your firewall configuration was pushed successfully by looking for a firewall push event in the Event Viewer.

Install the CommCell Console Software

Once you have configured access to the CommCell Console, if you have not already done so, install the CommCell Console software onto the computer that is hosting IIS.

Connect to the CommCell Console through a Firewall

  1. Click the Start button on the Windows task bar, click All Programs, select SnapProtect from the Programs menu, select SnapProtect again, and then click SnapProtect Administrative Console.
  2. Enter the User Name and Password to connect to the CommCell. 
  3. Select Connect through firewall and click Configure.
  4. Enter:
  5. Click OK.

    The CommCell Console will be displayed.

Prepopulate the Proxy Host and Port

These optional steps configure the CommCell Console log-in screen to pre-populate the proxy name and port number so you don't have to enter them every time you run the CommCell Console.

  1. Log on to the proxy computer's console, and change to the <software installation directory>/GUI folder.
  2. Edit the oem.properties file, adding these two lines at the end:

    consoleProxyHostName=<host name or IP address of the proxy computer>
    consoleProxyPort=<port number used by the proxy to communicate with the CommServe>

  3. Save the file.

Using an Alternate Port on the Proxy

If you want the proxy to listen to a port other than 8401, edit the Galaxy.jnlp file, changing

<argument>8401</argument>

to

<argument>port_number</argument>

where port_number is the port the proxy will listen to, and redirect to port 8401 on the CommServe computer.

This port number must match the port number set in Connect to the CommCell Console through a Firewall.

Configuring Access to the Web Server

If a firewall is placed between the Web Server and Web Console computer, you must configure third-party ports to open connections to the Web Server through the Web Console computer. This is useful when you have installed the Web Console in a perimeter network to provide global access for external users.

Before You Begin

  • Make sure the computer that will be providing Web Server services has the Web Console software installed on it.
  • Make sure the firewall is already in place and configured for this access. This scenario (the Web Server opens the connection to the Web Console) requires that the SnapProtect Firewall be configured. CommServe Initiates Connection to the Client (One-Way Firewall) gives the procedure for this.

Procedure

Perform these steps on the computer the Web Server is installed on (either CommServe computer or client).

  1. In the CommCell Browser, right-click the Web Server computer and click Properties.
  2. If the Web Server is installed on a client computer rather than on the CommServe, right-click the client name, then click Properties > Advanced.
  3. Click the Firewall Configuration tab, then the Options tab.
  4. Select Access Web Server via following proxy. This option automatically enables the IIS port (dynamic) on the computer hosting the web server for third-party connections.
  5. Select the Web Console computer from the Remote Proxy list.
  6. In the Port Number box, specify a port to be used by the Web Console computer to access the Web Server. This is a local port in the Web Console computer that will be mapped to access the Web Server.
  7. Click OK.
  8. In the CommCell Browser, right-click the name of each computer that uses Third-Party Port Mapping (TPPM), then click All Tasks | Push Firewall Configuration.

    Verify that your firewall configuration was pushed successfully by looking for a firewall push event in the Event Viewer.

  9. Restart SnapProtect Tomcat services on the Web Console computer.

Configuring Access to Reports

This configuration requires the SnapProtect proxy to be configured. See Set up the SnapProtect Proxy to create and configure the client computer that is hosting the proxy functionality.

After setting up the proxy, use the following steps to configure third-party ports to connect to Reports through the proxy.

  1. In the CommCell Browser, right-click the CommServe computer and click Properties.
  2. Click the Firewall Configuration tab, then the Options tab.
  3. Select Access Reports via following proxy. This option automatically enables the IIS port (dynamic) for third-party connections.
  4. Select the client computer that is hosting the proxy function from the Remote Proxy list.
  5. In the Port Number box, specify a port to be used by the proxy to access Reports. This is a local port in the proxy computer which will be mapped to access the reports.
  6. Click OK.
  7. In the CommCell Browser, right-click the name of each computer that uses Third-Party Port Mapping (TPPM), then click All Tasks | Push Firewall Configuration.

    Verify that your firewall configuration was pushed successfully by looking for a firewall push event in the Event Viewer.

Changing the Web Server Configurations

  1. On the CommCell Console's Home bar, click Control Panel.
  2. In the Monitoring section, click E-Mail & Web Server Configuration.
  3. On the Web Server tab, select the Use Alternate Web Server option.
  4. Enter the fully qualified domain name of the web console computer (the proxy) into Web Server Name.
  5. Confirm that the HTTP option is selected, and enter the port number set in the Access Reports via following proxy section in the Configuring Access to Reports.
  6. In Report folder published on the Web Server, enter the path to the reports folder as it exists on the Web Server (also the CommServe) computer.

    Example: \\commserve\C$\Program Files\NetApp\SnapProtect\Reports\

  7. Click Change from Impersonate User and confirm that the Use This Account option is selected.
  8. Enter the User Name and Password used for viewing reports on the Web Server (also the CommServe) computer, then click OK.

Configuring Access to the Custom Reports Engine

If a firewall is placed between the Web Console computer and the Custom Reports Engine, you must configure third-party ports to open connections to the Custom Reports Engine. This is useful, for example, when you have installed the Web Console in a perimeter network, so that it can provide global access for external users.

Before You Begin

Confirm that the Web Console has already been installed and configured.

Procedure

Perform these steps:

  1. In the CommCell Browser, right-click the computer name where the Custom Reports Engine is installed (commonly this is the Web Server computer), then click Properties.
  2. If you are performing this operation on a client computer, click Advanced.

  3. Click the Firewall Configuration tab, then the Options tab.
  4. Select Access Custom Reports Engine via following proxy. This option automatically enables the IIS port (dynamic) for third-party connections.
  5. Select the Web Console computer from the Remote Proxy list.
  6. In Port Number, set the port through which the Web Console will access the Custom Reports Engine. This is the local port in the Web Console computer that will be mapped to access the reports.
  7. Click OK.
  8. In the CommCell Browser, right-click the name of each computer that uses Third-Party Port Mapping (TPPM), then click All Tasks | Push Firewall Configuration.

    Verify that your firewall configuration was pushed successfully by looking for a firewall push event in the Event Viewer.

Configuring Access to the Active Directory Server

An Active Directory server can provide authentication services through either a CommServe host or a Web Server. If the Active Directory server is situated behind a firewall and accessed through a TPPM proxy, you can configure the CommServe host (and Web Server if needed) to reach it through the Active Directory's proxy server according to the procedures below.

Access is through a CommServe Host

These steps configure the CommServe host to access the Active Directory server using a client computer as the proxy. To perform this configuration, that client computer should be configured to reach:

  • The CommServe using the SnapProtect firewall configuration. See Firewall - Direct Connections for the configuration steps.
  • The Active Directory server using a direct connection.

Use these steps to configure access to the Active directory server:

  1. In the CommCell Browser, expand Security > Name Servers.
  2. Right-click the domain_controller > Properties.
  3. Select Access AD server via following client.
  4. Select the client computer from the Client Name list.
  5. Click OK.
  6. In the CommCell Browser, right-click the name of each computer that uses Third-Party Port Mapping (TPPM), then click All Tasks | Push Firewall Configuration.

    Verify that your firewall configuration was pushed successfully by looking for a firewall push event in the Event Viewer.

Access is through a Web Server

In this access model, the host requests authentication services through a web server. For example, an instance of a Web Console or Compliance Search may need to authenticate a user through its configured web server. That web server then contacts the configured CommServe host.

The client being used as a proxy must be configured to reach:

  • The web server using the SnapProtect firewall configuration. See Firewall - Direct Connections for the configuration steps.
  • The Active Directory server using a direct connection.

These steps configure the Web Server host to access the Active Directory server through its proxy:

  1. If you have not already done so, configure the CommServe host as described in Access is through a CommServe Host.
  2. In the CommCell Browser, expand Client Computers, then right-click the client > Properties.
  3. Click Advanced.
  4. Click the Additional Settings tab, then click Add.
  5. In Name, type sEnableADRoutingViaTppm, then press TAB.
  6. Confirm that the Category (DM2WebSearchServer) and Type (String) fields have automatically populated. If not, enter those values.
  7. In Value, enter True.
  8. Verify that Enable is selected, then click OK repeatedly until all dialogs are closed.
  9. Log on to the Web Server host as an administrator, open the command prompt, and enter iisreset. Note that executing this command restarts the web server software (IIS).

Configuring Third-Party Connections Using the Firewall Configuration File

You can restrict third-party traffic to ports you list in the FWConfigLocal.txt file of the source and destination computers. Third-party connections can be configured on top of any existing connection routes, such as direct tunnel port or proxy connections.

For example, if you want the CommServe computer to open third-party ports for client connectivity, follow these steps:

Step 1: Set up Ports for Incoming Third-Party Connections on the CommServe Computer

The CommServe computer will not accept third-party requests until the FWConfigLocal.txt file is modified to explicitly allow incoming third-party traffic on ports you enter.

Use the steps below to specify the ports in your CommServe computer that will accept third-party connection requests:

  1. Navigate to the software_installation_directory/Base folder and open the FWConfigLocal.txt file.
  2. Under the incoming section head, type allowed_tppms= and specify the third-party ports, as shown in the example below.

    [incoming]
    allowed_tppms=8401,80,81

    Port 8401 allows access to CommServe functions, while ports 80 and 81 allow access to the Web Server and Reports, respectively.

Step 2: Map Local Ports with TPPM Ports on the Client

You can set up a local port on a client computer in your CommCell group and map that port to the third-party port you specified above for CommServe access. This is known as "port forwarding" or "port mapping".

Use the steps below to specify a local port in your client computer:

  1. Navigate to the <Software_Installation_Directory>/Base folder and open the FWConfigLocal.txt file.
  2. Under the outgoing section, add tppm=[Local port]:[TPPM port] next to the client-CommServe firewall route as shown in the example below.

    [outgoing]
    src_client dest_client remote_guid=06EC65F8-BC13-4D91-B43B-AC80A5AB1941 type=passive tppm=9000:8401

    where src_client is the client computer and dest_client is the CommServe computer.

    With this mapping, a third-party application on the client connects to 127.0.0.1:9000 (the loopback address, so only processes on the client itself can reach it) and the tunnel forwards the connection to port 8401 on the CommServe.

Step 3: Additional Configurations

To map third-party ports to listen to all interfaces on the source client computer, modify the tppm property as follows:

tppm=any:9000:8401

Important: While this option is available, it is not recommended because it removes a measure of control over where connections can come from. When it is used, other computers can connect to the TPPM port.
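The following is an added example, not code from the page or from the SnapProtect product: a small Python checker that cross-checks the tppm= mappings in a source computer's FWConfigLocal.txt against the allowed_tppms list in the destination's file, covering Steps 1 to 3 above. It relies only on the syntax this page shows ([incoming] allowed_tppms=..., and [outgoing] route lines carrying tppm=[any:]local:remote); the two sample files are constructed, the "one mapping per route line, several lines per pair" layout is an assumption made for illustration, and the remote_guid is the placeholder from the page's own example. Each mapping to a port the destination does not allow is reported as an error, and each mapping bound with "any:" is flagged as a warning because other hosts can then reach the TPPM port.

```python
"""Cross-check TPPM entries between a source and a destination FWConfigLocal.txt.

Only the syntax shown on this page is relied on:
  destination: [incoming] allowed_tppms=<port>,<port>,...
  source:      [outgoing] <src> <dst> ... tppm=[any:]<local>:<remote>
Other lines in a real file are passed over untouched.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample contents, not copied from a real installation.
COMMSERVE_CFG = """\
[incoming]
allowed_tppms=8401,80,81
"""

# Assumption for illustration: one tppm mapping per route line, several route
# lines for the same source/destination pair. The GUID is the page's placeholder.
CLIENT_CFG = """\
[outgoing]
client1 commserve remote_guid=06EC65F8-BC13-4D91-B43B-AC80A5AB1941 type=passive tppm=9000:8401
client1 commserve remote_guid=06EC65F8-BC13-4D91-B43B-AC80A5AB1941 type=passive tppm=any:9001:80
client1 commserve remote_guid=06EC65F8-BC13-4D91-B43B-AC80A5AB1941 type=passive tppm=9002:443
"""

TPPM_RE = re.compile(r"\btppm=(?:(?P<bind>any):)?(?P<local>\d{1,5}):(?P<remote>\d{1,5})\b")


class TppmRoute(NamedTuple):
    src: str
    dst: str
    bind: str     # "127.0.0.1" (loopback only) or "any" (all interfaces)
    local: int    # port the source listens on
    remote: int   # third-party port reached on the destination


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an INI-style file into {section_name: [non-empty, non-comment lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def allowed_tppm_ports(cfg: str) -> Set[int]:
    """Ports the destination accepts third-party traffic on ([incoming] allowed_tppms)."""
    ports: Set[int] = set()
    for line in parse_sections(cfg).get("incoming", []):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowed_tppms":
            ports.update(int(p) for p in value.split(",") if p.strip().isdigit())
    return ports


def outgoing_tppm_routes(cfg: str) -> List[TppmRoute]:
    """Every [outgoing] route line that carries a tppm= property."""
    routes: List[TppmRoute] = []
    for line in parse_sections(cfg).get("outgoing", []):
        match = TPPM_RE.search(line)
        fields = line.split()
        if not match or len(fields) < 2:
            continue
        # Without the "any:" prefix the local port is bound to loopback only.
        bind = "any" if match.group("bind") else "127.0.0.1"
        routes.append(TppmRoute(fields[0], fields[1], bind,
                                int(match.group("local")), int(match.group("remote"))))
    return routes


def check_tppm(source_cfg: str, dest_cfg: str, dest_name: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the source's mappings toward dest_name."""
    allowed = allowed_tppm_ports(dest_cfg)
    findings: List[Tuple[str, str]] = []
    if not allowed:
        findings.append(("ERROR", f"{dest_name}: no allowed_tppms under [incoming]; "
                                  "it will refuse every third-party connection"))
    used_local: Dict[int, int] = {}
    for r in outgoing_tppm_routes(source_cfg):
        if r.dst != dest_name:
            continue
        label = f"{r.src} {r.bind}:{r.local} -> {dest_name}:{r.remote}"
        if r.remote not in allowed:
            findings.append(("ERROR", f"{label}: port {r.remote} is not in allowed_tppms on {dest_name}"))
        if r.bind == "any":
            findings.append(("WARNING", f"{label}: listens on all interfaces; any host that can "
                                        "reach the source can use this tunnel"))
        if r.local in used_local and used_local[r.local] != r.remote:
            findings.append(("ERROR", f"{label}: local port {r.local} is already mapped to {used_local[r.local]}"))
        used_local.setdefault(r.local, r.remote)
    return findings


if __name__ == "__main__":
    for severity, message in check_tppm(CLIENT_CFG, COMMSERVE_CFG, "commserve"):
        print(f"{severity}: {message}")
```

Run it against the two files copied from the computers at each end of a route; on the sample input it reports the any:9001:80 mapping as a warning and the 9002:443 mapping as an error, because 443 is not listed in allowed_tppms on the CommServe.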

Removing TPPM Configured through the CommCell Console

To remove Third-Party Port Mapping from a CommCell Console:

  1. In the CommCell Browser, expand Client Computers and locate the CommServe name under it.
  2. Right-click the CommServe name, then click Properties > Advanced.
  3. Click the Firewall Configuration tab.
  4. Note the proxy name being used by this client.
  5. Clear the Configure Firewall Settings option, then click OK twice.
  6. Under Client Computers, locate and right-click the proxy name, then click All Tasks > Push Firewall Configuration.
  7. Under Client Computers, locate and right-click the CommServe name, then click All Tasks > Push Firewall Configuration.

Configuring Tunnel Connection Protocols

A CommCell environment that includes a firewall supports the tunnel connection protocol options listed below.

Protocol Option   Description

Regular
  • The standard application protocol, optimized for data transfer performance.
  • Data and control traffic are transferred using HTTP.

Authenticated
  • The default connection protocol used by CommCell components.
  • HTTPS is used to encrypt the initial communication between CommCell components. Once the communication is authenticated, the tunnel connection switches to HTTP to optimize data transfer performance.
  • Data is transferred over HTTP, but the control traffic is tunneled using HTTPS.

Encrypted
  • Encrypts and authenticates the connections between CommCell components through Secure Sockets Layer (SSL), similar to what happens when a web browser opens a secure connection with an https:// prefix.
  • Data and control traffic are transferred using HTTPS.

Raw
  • Prevents network traffic between CommCell components from being encoded into any form of HTTP. Use Raw when you have determined that one or more network devices in the tunnel path, such as gateways or firewalls, are modifying the HTTP stream and thus preventing CommCell components from communicating with each other.

Note that only the Encrypted option protects the data stream itself: with Regular, Authenticated and Raw, the backup data crosses the tunnel in clear text, so choose Encrypted where the tunnel passes over a network you do not trust.

You can configure the protocol to be used for outgoing connections, and/or force incoming connections to use HTTPS. Before proceeding with this configuration, your setup should be configured as appropriate:

  • If a firewall separates your CommCell components, review the supported firewall types described in Firewall - Getting Started, then configure the CommCell components as appropriate for your installation.
  • If the firewall does not separate your CommCell components, configure the firewall just to initiate a tunnel connection to enforce HTTPS transport. Configure the CommCell components according to the direction in which the connection is initiated:

When the above is completed, use the steps described in the next sections to configure the outgoing and/or force incoming tunnel connections to a protocol you set.

Configuring Outgoing Tunnel Connections

By default, CommCell components are configured with the Authenticated option for outgoing communication. This option specifies sending authentication credentials securely using HTTPS protocol (which encrypts the traffic), then switching to HTTP when transferring data.

You can configure outgoing routes to use any of the protocols described above.

Configure an Outgoing Route

Use this procedure to set the protocol for one outgoing route, regardless of what protocol has been assigned at the client or client group level.

The following steps are to configure a client computer. If you are configuring a client group, skip Step 2.

  1. In the CommCell Browser, expand Client Computers, then right-click the client_name and click Properties.
  2. Click Advanced. The Advanced Client Properties dialog box opens.
  3. Click the Firewall Configuration tab, then select Configure Firewall Settings.
  4. Select the Advanced option, then read the warning and click OK to acknowledge it.
  5. Click the Outgoing Routes tab.
  6. Click Add, or select the route to configure and click Edit. The Route Settings dialog box opens. By default, new routes are Direct, with a tunnel connection protocol of Authenticated.
  7. Under Tunnel Connection Protocol, select a connection protocol.
  8. Click OK to save the route settings change.
  9. Click OK twice to exit the client properties.

Configuring Incoming Tunnel Connections

By default, CommCell components accept both secure (HTTPS) and unsecured (HTTP) tunnel connection requests.

You can configure client computers and client computer groups to receive only secure connections. This forces all incoming tunnel connections to use HTTPS by authenticating and setting up HTTPS encryption.

To force connections coming to a client computer to use HTTPS, follow these steps:

  1. In the CommCell Browser, expand Client Computers.
  2. Right-click the client_name, then click Properties.
  3. Click Advanced. The Advanced Client Properties dialog box opens.
  4. Click the Firewall Configuration tab, then click the Options tab.
  5. Select Force SSL authentication in incoming tunnel connections.
  6. Click OK to close the Advanced Properties dialog.
  7. Click OK to close the Client Properties dialog.

Enforcing Authentication of Client Certificates in a Proxy Firewall Setup

In a firewall setup where client computers connect to the CommServe system through a proxy, you can protect your CommCell environment by "locking down" the client that is hosting the proxy function. This forces the authentication of client certificates when installing new clients on your CommServe.

By default, the client software installer uses a certificate that is built into the installer software to authenticate its connections with the CommServe. When the proxy is locked down, the CommServe only accepts and initiates HTTPS connections from clients with valid per-client certificates. This means a computer outside the CommCell group cannot establish an authenticated connection through the proxy, because it holds no certificate that the CommServe trusts.

If you want to enforce certificate authentication at the CommServe level (and for more information on client certificates), see Network Authentication - Client Certificates.

To "lock down" the proxy-hosting client, perform these steps:

Enforce Client Certificate Authentication on the Proxy

  1. In the CommCell Browser, expand Client Computers, then right-click the proxy_client_name and click Properties.
  2. Click Advanced. The Advanced Client Properties dialog box opens.
  3. Click the Firewall Configuration tab, then the Options tab.
  4. Select the Force per-client certificate based authentication option.
  5. Confirm that you want to lock down the proxy by clicking OK.
  6. Click OK to close the Advanced Client Properties dialog box.
  7. Click OK again to close the Client Properties dialog box.
  8. Right-click the proxy_client_name, then click All Tasks > Push Firewall Configuration.
  9. Click Continue to push the firewall configuration for the client, then click OK.

Create a Temporary Certificate for Client Installation

When you install a new client, you need to manually generate a temporary certificate to authenticate the installation. Once the temporary certificate is validated during installation, the client certificate is automatically created.

For a CommServe computer to be able to generate a temporary certificate for a client, it must first have a placeholder for that client. Use these steps to create a placeholder for a new Windows client, and then to generate the certificate to be used during installation.

  1. From the CommCell Browser, right click the Client Computers node and click New Client | File System | Windows.
  2. Provide the Client Name and Host Name of the new client computer and click Next.
  3. Review the client details and click Finish.

    The new client computer appears in the CommCell Browser, with a gray icon to indicate its placeholder status.

    If the client or the CommServe is behind a firewall, be sure to configure the firewall properties of these components and push the firewall configuration to the CommServe. See Firewall - Getting Started for the steps to configure the appropriate firewall connection.

  4. On the Home tab of the CommCell Console toolbar, click Control Panel.
  5. Click Certificate Administration.
  6. In the Certificate Administrator dialog box, click Temp Certificate.
  7. Select the name of the new client you created above from the Client Name list and click Create. The client certificate appears in the text box.
  8. Click Copy to Clipboard to copy the contents of the generated certificate into the Windows clipboard. Paste the contents into a new file, such as client1_cert.txt.

    • Store the temporary certificate file where the client can access it during software installation, such as a network share or portable drive.
    • Important: Once you close the Temporary Certificate dialog box, the certificate cannot be retrieved. Be sure to save the file containing the certificate that you copied.

  9. Click Close.
  10. In the Certificate Administration dialog box, the certificate for the new client is displayed with the "active" status in the list of client certificates. Click OK.
  11. Start the software installation process on the client computer.
    • When the installer requests the certificate to authenticate the new client identity, click Browse and locate the file containing the temporary certificate that you created.
    • Select the client name and host name that you provided during the configuration of the placeholder in Step 2.

Setting up an Application-Based Firewall

You can create a firewall within the SnapProtect application for blocking rogue sessions from other CommCell components. You can also block undesired connections from other local and remote computers.

Block Unauthorized CommCell Session Connections

When a remote client is force-deleted from the CommServe, the services for that client remain active. Such clients can still initiate session connections to other CommCell components. Communications from such unauthorized clients can adversely affect the performance of the software, especially if they grow in number. CommCell clients can be configured to blacklist and block any such connections using session blacklisting.

With session blacklisting, a CommCell validates every incoming connection, and if an unauthorized connection is identified, the IP address of the client initiating the session is added to a session blacklist. Any subsequent connection from the blacklisted client is immediately denied without verification. This list is dynamically created on each client. Optionally, you can also record the blacklisted clients in a log file so that you can later review which clients were denied connections through blacklisting. The log file is stored in software_installation_path/Log Files/blacklist.log.

Two Additional Settings control the blocking of unauthorized CommCell session connections: nEnableSessionBlacklist (enables session blacklisting) and nEnableSessionBlacklistLogging (enables blacklist logging).

To enable blacklisting and blacklist logging, add the corresponding settings to the CommServe using the steps given below.

nEnableSessionBlacklist

  1. Log on to your CommCell Console using administrative credentials.
  2. In the CommCell Browser, right-click the CommServe_name and click Properties.
  3. In the CommCell Properties dialog box, click the Additional Settings tab.
  4. Click Add. The Add Additional Settings dialog box appears.
  5. In the Name box, type nEnableSessionBlacklist. The Category and Type details automatically populate.

    If you prefer, you can click Lookup and search for the additional setting using the Find box.

  6. In the Value box, enter 1.
  7. Verify that the Enable option is selected.
  8. Click OK to save the new setting.
  9. Click OK to close the CommCell Properties dialog box, or click Add again to add the nEnableSessionBlacklistLogging Additional Setting with the values described in the next section (starting at step 5).

nEnableSessionBlacklistLogging

  1. Log on to your CommCell Console using administrative credentials.
  2. In the CommCell Browser, right-click the CommServe_name and click Properties.
  3. In the CommCell Properties dialog box, click the Additional Settings tab.
  4. Click Add. The Add Additional Settings dialog box appears.
  5. In the Name box, type nEnableSessionBlacklistLogging. The Category and Type details automatically populate.

    If you prefer, you can click Lookup and search for the additional setting using the Find box.

  6. In the Value box, enter 1.
  7. Verify that the Enable option is selected.
  8. Click OK to save the new setting.
  9. Click OK to close the CommCell Properties dialog box.

You can disable either session blacklisting or blacklist logging by setting their corresponding Additional Setting to 0 (zero).

Block External Interface Connections

You can protect your computer from undesired remote connections. For each client, create the file InterfaceBlacklist.txt under the <Software_Installation_Path>/Base folder and specify the IP addresses of external interface connections that must be blacklisted. When a new connection is initiated, the software consults the Interface Blacklist and drops the connection if it is initiated from a blacklisted external address.

This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.

To block external interface connections:

  1. Stop all services on the computer.
  2. In the <Software_Installation_Path>/Base folder, create a text file InterfaceBlacklist.txt.
  3. Add the IP addresses of the external computers from which you wish to block connections, one IP address per line. Note that wildcard characters are not supported. For example, an entry like 172.19.*.* cannot be resolved.

    To allow connections from a computer, remove the corresponding IP address from InterfaceBlacklist.txt.

  4. Connections from IP addresses listed in the InterfaceBlacklist.txt file are blocked.

Block Local Interface Connections

You can also protect your computer from undesired connections to local interfaces. For each client, create the file LocalInterfaceBlacklist.txt under the <Software_Installation_Path>/Base folder and specify the list of IP addresses or host names of local interfaces to which connections must be blocked. When there is a new incoming connection, the local interface on which the connection arrived is checked against this list and, if found, the connection is dropped immediately without any further processing.

This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.

To block a local interface connection:

  1. Stop all services on the computer.
  2. In the <Software_Installation_Path>/Base folder, create a text file LocalInterfaceBlacklist.txt.
  3. Add the IP addresses (or host names) of the local interfaces to which connections must be blocked, one IP address (or host name) per line. Note that wildcard characters are not supported. For example, an entry like 172.19.*.* cannot be resolved.

    To allow connections to a local interface again, remove the corresponding IP address (or host name) from LocalInterfaceBlacklist.txt.

  4. Connections to the local interfaces listed in the LocalInterfaceBlacklist.txt file are blocked.
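As an added example that is not part of the SnapProtect product or its documentation, the following Python models the rule that both blacklist files drive and validates their entries before you recycle services: wildcard entries such as 172.19.*.* (which the software cannot resolve) are reported, and a connection is dropped when its source address appears in InterfaceBlacklist.txt or when the local interface that received it, by IP address or host name, appears in LocalInterfaceBlacklist.txt. The file contents are constructed sample data; skipping blank lines is a convenience of this example, not a documented behaviour.

```python
import ipaddress

# Constructed sample file contents, one entry per line as the docs require.
INTERFACE_BLACKLIST = """\
10.20.30.40
172.19.*.*
"""
LOCAL_INTERFACE_BLACKLIST = """\
192.168.1.5
mgmt-nic.example.internal
"""


def parse_blacklist(text, allow_hostnames=False):
    """Return (entries, problems).

    entries  - normalised IP addresses (and lower-cased host names when
               allow_hostnames is set, as for LocalInterfaceBlacklist.txt)
    problems - (line number, raw entry, reason) for entries the product
               cannot use, e.g. wildcards, which it cannot resolve
    Blank lines are skipped (an example convenience, not a product feature).
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "*" in line:
            problems.append((lineno, line, "wildcards are not supported"))
            continue
        try:
            entries.append(str(ipaddress.ip_address(line)))
        except ValueError:
            if allow_hostnames:
                entries.append(line.lower())
            else:
                problems.append((lineno, line, "not a valid IP address"))
    return entries, problems


def should_drop(src_ip, local_iface_ip, local_host, external, local):
    """Apply the documented rule: drop if the peer address is blacklisted
    externally, or if the local interface (by IP or host name) that
    received the connection is in the local interface blacklist."""
    if src_ip in external:
        return True
    return local_iface_ip in local or local_host.lower() in local
```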

Override Hostname While Configuring Firewall

This procedure can be used when a client needs to reach the CommServe with a different hostname. Use the steps below to override the CommServe host name:

  1. From the CommCell Browser, right-click the firewall client computer group and then click Properties.
  2. In the properties dialog box, click Advanced.
  3. Click the Firewall Configuration tab and select Configure Firewall Settings.
  4. Select Advanced and click the Outgoing Routes tab, then click Add.
  5. In the Route Settings dialog box:
    1. Select the CommServe name from the Remote Group/Client list.
    2. Select Via Gateway as the Route Type.
    3. Enter the IP address of the NIC that is reachable from the client into Gateway Hostname.
    4. Enter the tunnel port on the CommServe into Gateway Tunnel Port.
    5. Click OK.
  6. Click OK.

Binding Services to Open Ports

When TCP/IP filtering is enabled on Windows computers, even same-machine connections can be restricted unless they are made on specifically open ports (see Configuring Third-Party Connections Using the Firewall Configuration File). In situations like this, you can force SnapProtect to bind all of its services to ports from the list of incoming ports configurable for the client.

To bind all services of a client to open ports:

  1. From the CommCell Browser, right-click the client/MediaAgent and then click Properties.
  2. In the properties dialog box, click Advanced.
  3. Click the Firewall Configuration tab.
  4. In the Options tab, click Bind all Services to open ports only.
  5. Click OK to save the changes.

Optimizing Backup and Restore Using Additional Ports

You can increase data transfer speed during backup and restore operations by opening additional firewall ports, which sends data through multiple parallel direct pipeline connections.

Considerations

  • Connections made through additional ports, because they are not patched through the firewall tunnel, are not tunnel-encrypted. See Data Encryption - Overview for details on encrypting pipeline connections to maintain security.
  • When opening additional ports in a firewall setup, it is necessary to also specify those additional ports on both the computer receiving the incoming connection, and the third-party firewall device.
  • When proxies are used, the computers do not communicate directly with each other, so additional ports provide no benefit (and are not needed).

Recommendations

These are the recommendations for both MediaAgent and client computers.

MediaAgent

Backup and Restore Operations

For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the NetApp Communications (CVD) service improves backup performance.

  • The default port for CVD is port 8400.
  • Opening a port to CVD sets up a direct pipeline for moving backup data, bypassing the firewall tunnel.
  • This optimization technique should not be used if the Bind all Services to open ports only option is selected.

For multi-stream restores, when the Optimize for concurrent LAN backups option is disabled, opening additional ports increases the restore performance on the MediaAgent.

  • On Windows MediaAgents, only the first additional port is used to establish multiple connections.
  • On UNIX MediaAgents, the number of open ports should correspond to the number of simultaneously running restore streams.

SnapProtect Operations

For MediaAgents performing SnapProtect operations with the Data Replicator storage array, opening additional ports increases the backup performance.

Client

Backup Operations

For clients that back up data to MediaAgents with the Optimize for concurrent LAN backups option disabled, opening additional incoming ports improves the backup performance.

  • On Windows clients, only the first additional port is used to establish multiple connections.
  • On UNIX clients, the number of open ports should correspond to the number of simultaneously running restore streams.

Replication Performance

It is recommended to open additional incoming ports on ContinuousDataReplicator and Workstation Backup computers to improve the replication performance.

Adding Additional Ports

Set these ports on the client and MediaAgent computers as follows:

  • For one-way firewall connections from the client to the MediaAgent, set the additional ports on the MediaAgent.
  • For one-way firewall connections from the MediaAgent to the client, set the additional ports on the client.
  • For two-way firewall connections, set the additional ports on both the client and MediaAgent computers.

Follow these steps:

  1. In the CommCell Browser, right-click the client or MediaAgent, then click Properties.
  2. In the properties dialog box, click Advanced.
  3. Click the Firewall Configuration tab, then click its Incoming Ports tab.
  4. In the Additional open ports area, specify the range of ports using the From and To fields. The ports may be within the range of 1024 - 65000. Ensure that the ports you specify here are not used by other applications.
  5. Click Add, then click OK.

Removing Firewall Configuration

Use the following steps to remove the firewall settings of a client computer:

  1. From the CommCell Browser, right-click the <Client> and then click Properties.
  2. In the Client Computer Properties dialog box, click Advanced.
  3. Click the Firewall Configuration tab.
  4. Clear the Configure Firewall Settings option and click OK.
  5. Again, access the Firewall Configuration tab of the client, and then click the Summary tab.

    Verify whether the client computer has any connections from other clients. If it does, write down the names of those clients.

    Also, check whether the firewall properties are inherited from any client group by looking at the Configure Firewall Settings check box. If the firewall configuration is inherited, a note indicating this appears next to the check box.

  6. If connections were found in Step 5, locate each client and do this:
    1. Right-click the <Client> and click Properties.
    2. In the properties dialog box, click Advanced.
    3. Click the Firewall Configuration tab.
    4. Select the client whose firewall settings were removed and click Delete. Click Yes from the Delete dialog box.
    5. Click OK.

    If the client whose firewall settings you removed was inheriting the firewall from a client group, remove the client from that client group this way:

    1. Right-click the <Client Group> and click Properties.
    2. Click the Firewall Configuration tab.
    3. Select the client whose firewall settings were removed and click Delete. Click Yes from the Delete dialog box.
    4. Click OK.
  7. Right-click the <Client> and then click All Tasks | Push Firewall Configuration.
  8. From the <Software Install Directory>/Base folder, remove the fwconfiginstall.txt file, if it exists.
  9. From the same folder, remove all configurations defined in the fwconfiglocal.txt file, if any.

Pushing Firewall Configuration from the Command Line

Push the firewall configuration to a computer using these steps:

  1. Download this file: firewall_config_push.xml and save it to the <Software_Installation_Directory>/Base folder on the computer where you will be running the command.
  2. Open a command window on that computer and change to the <Software_Installation_Directory>/Base folder.
  3. Run this command, replacing <clientname> with the name of the client computer to which you are pushing the firewall configuration:

    qoperation execute -af firewall_config_push.xml -clientName <clientname>