Firewall: Online Help

The following sections provide context-sensitive help information related to this feature.

Firewall Configuration

Use this dialog box to configure firewall settings for the CommCell component (the "entity") you selected, which can be a CommServe, MediaAgent, client computer or client group.

Configure Firewall Settings

Select this option to enable the firewall settings for the CommCell component. If a client computer belongs to a client group with this option enabled, the firewall configuration of the client is affected by the group's firewall settings.

At the client or client group level, use the options described below to establish connectivity to and from CommCell components (entities) separated by a firewall.

These first two options are not available at the CommCell level. The tabs specified under the Advanced option are displayed by default.

Basic

Select this option to quickly configure a direct tunnel connection or a proxy connection between the selected CommCell component and the CommServe or MediaAgent.

Use the following tabs to specify the type of firewall configuration:

Advanced

Select this option to configure any type of connection route between the CommCell components (entities) to establish connectivity across the firewall.

Use the following tabs to provide the firewall configuration details:

CommServe Connectivity

Use this tab to select the type of firewall configuration between the selected CommCell component and the CommServe.

This Computer is

Specifies whether this computer is in the same network as the CommServe.

  • Always in the same network as CommServe

    Click to specify that this computer connects directly to the CommServe (no firewall between them). CommCell services of this computer and the CommServe can directly communicate.

  • Always outside of CommServe network

    Click to specify that this computer will always connect to the CommServe from a remote site. This option allows you to configure direct tunnel connections and proxy connections.

  • May travel outside of CommServe network

    Click to specify that this computer will occasionally connect to the CommServe from a remote site. This option is recommended for laptops and other mobile devices that routinely move in and out of the network.

    When connecting to the CommServe, this option will first attempt to establish a direct connection (same CommServe network scenario). If it fails, the direct tunnel connection or proxy will be used.

When connecting from outside

Indicates the type of firewall configuration that this computer will use to connect to the CommServe.

  • Open tunnel directly to CommServe

    Click to enable this computer to connect to the CommServe through a direct tunnel connection. By default, the CommServe will use port 8403 to receive connections from the computer.

  • Use Galaxy proxy

    Click to enable this computer to connect to the CommServe using a proxy.

MediaAgent Connectivity

Use this tab to select the type of firewall configuration between the selected CommCell component and the MediaAgent.

This Computer is

Indicates whether this computer is in the same network as the MediaAgent.

  • Always in the same network as MediaAgent

    Click to specify that this computer connects directly to the MediaAgent (no firewall between them). CommCell services of this computer and the MediaAgent can directly communicate.

  • Always outside of MediaAgent network

    Click to specify that this computer will always connect to the MediaAgent from a remote site. This option allows you to configure direct tunnel connections and proxy connections.

  • May travel outside of MediaAgent network

    Click to specify that this computer can connect to the MediaAgent from a remote site. This option is recommended for laptops and other mobile devices that routinely move in and out of the network.

    When connecting to the MediaAgent, this option will first attempt to establish a direct connection (same CommServe network scenario). If it fails, the direct tunnel connection or proxy will be used.

When connecting from outside

Indicates the type of firewall configuration that this computer will use to connect to the MediaAgent.

  • Open tunnel directly to MediaAgent

    Click to enable this computer to connect to the MediaAgent through a direct tunnel connection.

  • Use Galaxy proxy

    Click to enable this computer to connect to the MediaAgent using a proxy.

Summary (Basic)

This tab displays a summary of the firewall configuration provided in the previous tabs. This tab is not available at the client group level.

Incoming Connections

Use this tab to add or modify the connection status of remote clients or client groups that cannot open direct connections to this CommCell component.

Entity

Displays the list of clients or client groups (entities) that cannot open direct connections or can open connections only on restricted ports to this CommCell component (see Configuring Third-Party Connections).

State

Indicates the type of connection from the client or client group.

Actions

  • Add

    Click Add to add a client or client group. This opens the Connections to dialog box.

  • Edit

    Select a client or client group, then click Edit to change the details.

  • Delete

    Select a client or client group, then click Delete to remove it from the list.

Incoming Ports

Use this tab to specify the port numbers for incoming communication.

Tunnel HTTP/HTTPS Port

  • Listen for tunnel connections on port

    The port on which the incoming tunnel connections are received.

Additional Open Ports

Specify additional ports or a range of ports that are open for incoming connections to facilitate faster data transport.

From

The starting number in a range of ports that are open.

To

The ending number in a range of ports that are open.

  • Add

    Click Add to include the additional ports.

  • Delete

    Select a port or range of ports, then click Delete to remove it from the list.

Outgoing Routes

Use this tab to define the connectivity type and port numbers that are open for outgoing communication from this CommCell component.

Remote Entity

Displays the list of remote clients or client groups that are only reachable through a firewall.

Route Settings

Displays the outgoing route to reach the remote client or client group.

  • Add

    Click Add to add an outgoing route to reach a remote client or client group. Provide the details in the Route Settings dialog box.

  • Delete

    Select a remote client or client group and click Delete to remove it from the list.

  • Edit

    Select a remote client or client group and click Edit to change the route settings.

Options

Use this tab to configure additional firewall configuration options.

Keep-alive Interval, seconds

Specifies the interval at which keep-alive packets are sent to keep the network connection alive when the network becomes idle.

Tunnel Init Interval, seconds

Specifies the interval at which tunnel initialization is attempted.

Force SSL authentication in incoming tunnel connections

Select this option to force all incoming tunnel connections to use the HTTPS protocol. Communication between other CommCell components will be authenticated through Secure Sockets Layer (SSL).

Bind all services to open ports only

Select this option to bind all services to the list of incoming ports configured for the client using TCP/IP filtering.

Roaming client

Select this option to designate a laptop as a roaming client. The laptop is considered to be within the same network when connectivity is established.

This computer is in DMZ and will work as a proxy

Select this option to designate this computer as a proxy computer for CommCell communications through the firewall.

Network Proxy Settings

These options allow you to configure third-party port mappings. All of these settings are available only at the CommServe host level.

  • Access GUI Server (EvMgrS) via following proxy

    Select this option to enable port 8401 on the CommServe computer.

    • Remote Proxy lists the proxy computers that you can use to access the CommServe.
    • Port Number specifies a local port used by the proxy computer which will be mapped to port 8401.
  • Access Web Server via following proxy

    Select this option to enable port 81 on the computer where the Web Server is installed.

    • Remote Proxy lists the proxy computers that you can use to access the Web Server.
    • Port Number specifies a local port used by the proxy computer which will be mapped to a dynamic IIS port.
  • Access Report via following proxy

    Select this option to enable port 80 on the CommServe computer.

    • Remote Proxy lists the proxy computers that you can use to access the Report database.
    • Port Number specifies a local port used by the proxy computer, which will be mapped to a dynamic IIS port.
  • Access Custom Reports Engine via following proxy

    Select this option to specify the proxy through which this Web Console instance communicates with the Custom Reports Engine.

    • Remote Proxy lists the proxy computers that provide access to the Custom Reports Engine service.
    • Port Number specifies the port the Web Console will use to access the Custom Reports Engine (commonly running on the Web Server). This is a local port on the computer hosting the Web Console that is mapped to the Web Server.

Summary (Advanced)

This tab displays a summary of the firewall configuration set in the previous tabs. This tab is not available at the client group level.

Connections to client or client_group

Use this dialog box to add, modify, or delete incoming connections from remote clients or client groups to this CommCell component.

From

Select a client or client group that has firewall restrictions on communicating with this CommCell component.

State

Select one of the following connection states:

  • Select BLOCKED if this CommCell component should not have open connections with the client or client group you selected in the From list.
  • Select RESTRICTED if this CommCell component can have connections with the client or client group you selected in the From list, but only on restricted ports (see Configuring Third-Party Connections).

Route Settings

Use this dialog to specify the outgoing route to reach the remote client/client group from this CommCell entity.

Remote Group/Client

Select the remote client/client group for which you wish to specify the outgoing route.

Route Type

  • Direct

    Select this option if a direct connection can be made to the remote client/client group.

  • Via Gateway

    Select this option and specify the Gateway Settings if the connection is routed through a Gateway.

  • Via Proxy

    Select this option and specify the Proxy Settings if the connection is routed through a proxy.

Tunnel Connection Protocol

  • Regular

    Select this option to use the HTTP protocol for outgoing communication.

  • Authenticated

    Select this option to encrypt the initial authentication and communication between clients using the HTTPS protocol. Once authenticated, the tunnel connection optimizes data transfer by switching to HTTP protocol.

  • Encrypted

    Select this option to use the HTTPS protocol for outgoing communication.

  • Raw

    This option forces outgoing communication to not use any form of HTTP. Use it when network equipment modifies the packet stream, thereby preventing communication. See Configuring Tunnel Connection Protocols for details.

Force all data (along with control) traffic into the tunnel

Select this option to force backup and restore data traffic through the tunnel connection. Optional for Direct and Via Gateway routes; required (and automatically selected) for Via Proxy routes.

Selecting this option encrypts data traffic, which may slow operations.

Gateway Settings

The following options define the firewall gateway settings.

  • Gateway Hostname

    Specifies the hostname of the port-forwarding gateway computer.

  • Gateway Tunnel Port

    Specifies the port on which the tunnel connections are received on the gateway computer.

Additional destination port mapping

  • GW Port

    Specify the additional gateway port that can receive incoming connections. Click Add to add the port to the list of gateway ports.

  • Destination Port

    Specify the destination port on the remote client/client group that is mapped to the GW Port.

Add

Click to add the port shown in the GW Port and Destination Port boxes.

Delete

Select a port from the GW Port or Destination Port lists and click Delete to remove the port. Hold down the Control key to select more than one.

Proxy Settings

  • Remote Proxy

    Select the proxy computer through which communication to the remote client/client group must be routed.
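
The Route Settings, Gateway Settings and Proxy Settings rules described above can be checked before a route is entered in the dialog. The following is an added example, not part of the original help text or the product's own code; the dictionary field names, host names and sample records are hypothetical and constructed for illustration.

```python
# Added example: field names are hypothetical, not a Commvault file or API format.
VALID_TYPES = {"Direct", "Via Gateway", "Via Proxy"}
VALID_PROTOCOLS = {"Regular", "Authenticated", "Encrypted", "Raw"}

def valid_port(value):
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535

def review_route(route):
    """Return a list of findings for one Route Settings record (a dict)."""
    findings = []
    rtype = route.get("route_type")
    proto = route.get("protocol")
    if rtype not in VALID_TYPES:
        findings.append(f"unknown route type: {rtype!r}")
    if proto not in VALID_PROTOCOLS:
        findings.append(f"unknown tunnel protocol: {proto!r}")
    elif proto == "Regular":
        findings.append("Regular: outgoing communication uses HTTP")
    elif proto == "Authenticated":
        findings.append("Authenticated: tunnel switches to HTTP after HTTPS authentication")
    elif proto == "Raw":
        findings.append("Raw: no form of HTTP is used; confirm it is needed")
    # Per the help text, forcing data into the tunnel is required for Via Proxy routes.
    if rtype == "Via Proxy":
        if not route.get("force_data_into_tunnel"):
            findings.append("Via Proxy requires forcing all data into the tunnel")
        if not route.get("remote_proxy"):
            findings.append("Via Proxy needs a Remote Proxy")
    if rtype == "Via Gateway":
        if not route.get("gateway_hostname"):
            findings.append("Via Gateway needs a Gateway Hostname")
        if not valid_port(route.get("gateway_tunnel_port")):
            findings.append("Gateway Tunnel Port must be 1-65535")
        for gw_port, dest_port in route.get("port_mappings", []):
            if not (valid_port(gw_port) and valid_port(dest_port)):
                findings.append(f"bad port mapping {gw_port}->{dest_port}")
    return findings

# Constructed sample records, for illustration only.
SAMPLE_ROUTES = [
    {"remote": "laptop-group", "route_type": "Via Proxy", "protocol": "Encrypted",
     "remote_proxy": "dmz-proxy", "force_data_into_tunnel": True},
    {"remote": "branch-client", "route_type": "Via Gateway", "protocol": "Regular",
     "gateway_hostname": "gw.example.test", "gateway_tunnel_port": 8403,
     "port_mappings": [(9000, 70000)]},
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r["remote"], review_route(r) or "no findings")
```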

Add Proxy

Use this dialog to create a placeholder for the proxy on your CommServe computer before installing it.

Client Name

The client name of the proxy computer.

Host Name

The host name of the proxy computer. The host name of the proxy computer must be resolvable from outside of the perimeter network and inside the local network.