Firewall: Operating Through a Port-Forwarding Gateway

There are cases where direct connectivity setups do not work. Consider the case of the CommServe and MediaAgent being located inside a company’s internal network, with the entire network being exposed to the outside world through a single IP address. Typically, this IP address belongs to a firewall or gateway that works as a NAT device for connections from the internal network to the outside.

In scenarios like this, you can establish port forwarding at the gateway to forward connections coming in to specific ports to machines on the internal network that are mapped to those ports. You can then configure the client to open a direct connection to the port-forwarder’s IP address on a specific port in order to reach a particular internal server. This creates a custom route from the client towards the internal servers.

The diagram above illustrates a client connecting to the CommServe and MediaAgent computer through a port-forwarding gateway setup.

Review the following considerations before you begin.

  • Make a note of the port configurations in your setup and substitute them in the following instructions.
  • Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 as a firewall configuration on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

  • Any additional destination port specified in the outgoing connection routes of the client must also be defined in the incoming port list of the remote client (CommServe or MediaAgent).

Quick Reference

The table below is a quick reference to the upcoming configurations within this section:

Firewall Configurations
  CommServe/MediaAgent: Incoming Connections from these computers are Restricted (see Configuring Third-Party Connections).
  Client: Incoming Connections from this computer are Blocked.

Outgoing Routes
  Client: via Gateway

The following sections describe the configuration required to operate the software in this firewall scenario. These are the high-level steps:

  1. Configure the Port-Forwarding Gateway
  2. Set up Connection to the CommServe
  3. Install the Client
  4. Configure the CommServe, MediaAgent and Client

Configure the Port-Forwarding Gateway

A port-forwarding gateway sends incoming connections to specific machines on the internal network based on the incoming connection’s destination port number. As explained in the above diagram, the following port-forwarding must be configured on the gateway.

  • Connections to gateway.company.com on port 443 must be forwarded to the internally running commserve.company.com on port 440.
  • Connections to gateway.company.com on port 444 must be forwarded to the internally running mediaagent.company.com on port 440.

Note that there is no restriction on the internal port numbers. They need not be the same as shown in the illustration. Also, for machines in the internal network, neither the IP addresses nor the names have to be reachable or resolvable from outside.

Set up Connection to the CommServe

This procedure assumes that the CommServe is installed and available behind the gateway. The following steps explain the configurations required to connect to the CommServe before installing the client.

  1. In the CommCell Browser, right-click the CommServe computer, then click Properties.
  2. Click the Firewall Configuration tab, then select Configure Firewall Settings.
  3. Click the Incoming Ports tab. In Listen for tunnel connections on port, enter 440 (the CommServe port number). The gateway will forward connections to commserve.company.com:440 when the gateway receives them from outside on port 443.

    Click OK.

  4. In the CommCell Browser, right-click the CommServe computer, then point to All Tasks and click Push Firewall Configuration.
  5. Read the warning, then click Continue to acknowledge it and continue.
  6. Read the confirmation and click OK to dismiss it.
  7. Verify that your firewall configuration pushed successfully by checking the Event Viewer window.

Install the Client

See Installation for step-by-step installation procedures to install the client.

During installation, provide the gateway information through which the CommServe computer can be reached. The install program communicates to the CommServe using this information. Use one of the following firewall configuration sequences.

Configure the CommServe, MediaAgent and Client

The previous configurations provided a path to reach the CommServe host for installation purposes. To enable backup and restore operations between the computers, you establish the communication path between them using these steps.

CommServe Host

  1. Right-click the CommServe computer from the CommCell Browser, then click Properties.
  2. Click the Firewall Configuration tab, then the Incoming Connections tab. Click Add.
  3. In From, select the client you just installed outside the gateway.
  4. In State, select RESTRICTED, since the connection is restricted to coming through a gateway (see Configuring Third-Party Connections).
  5. Click OK, then click OK again.
  6. From the CommCell Browser, right-click the CommServe computer and click All Tasks > Push Firewall Configuration.
  7. Read the warning, then click Continue to acknowledge it and continue.
  8. Read the confirmation and click OK to dismiss it.
  9. Verify that your firewall configuration pushed successfully by checking the Event Viewer window.

MediaAgent

  1. Right-click the MediaAgent computer in the CommCell Browser, then click Properties.
  2. Click the Firewall Configuration tab, then select Configure Firewall Settings and click Add.
  3. In From, select the client you just installed outside the gateway.
  4. In State, select Restricted, since the connection is restricted to coming through a gateway (see Configuring Third-Party Connections). Click OK.
  5. Click the Incoming Ports tab.
  6. In the Listen for tunnel connections on port box, enter port number 440. The gateway will forward connections to mediaagent.company.com:440 when the gateway receives them from outside on port 444.
  7. Additional Open Ports: You can speed up data transfer for components that handle it (such as the MediaAgent or the File System iDataAgent) by opening additional ports on the firewall and configuring them as open in this dialog. Specify the range of ports in the Additional open ports area, in the From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications.

    For more information on additional open ports, see Optimizing Backup and Restore using Additional Ports.

  8. Click OK.
  9. From the CommCell Browser, right-click the MediaAgent computer, then click All Tasks > Push Firewall Configuration.
  10. Read the warning, then click Continue to acknowledge it and continue.
  11. Read the confirmation and click OK to dismiss it.
  12. Verify that your firewall configuration pushed successfully by checking the Event Viewer window.

Client

  1. In the CommCell Browser, right-click the client name, then click Properties. In the client properties dialog box, click Advanced.
  2. On the Firewall Configuration tab, select Configure Firewall Settings, then the Advanced option. Read the warning, then click OK to acknowledge it and continue.
  3. Click Add to enter the CommServe computer connection details.
    1. In From, select the name of the CommServe computer that is behind the gateway.
    2. In State, select BLOCKED, since the CommServe does not open connections toward the client. Click OK.
  4. Click Add again to specify the MediaAgent connection details.
    1. In From, select the name of the MediaAgent computer behind the gateway.
    2. In State, select BLOCKED, since the MediaAgent does not open connections towards the client. Click OK.
  5. Click the Outgoing Routes tab, then click Add to specify the outgoing connection route from this client towards the CommServe computer.
  6. Select the CommServe computer from the Remote Group/Client list, then select Via Gateway under Route Type.
  7. In the Gateway Hostname and Gateway Tunnel Port boxes, specify the gateway hostname and port through which you can reach the CommServe. For example, in the diagram displayed above, hostname gateway.company.com and port number 443 are used.
  8. If you want to configure additional destination ports, make sure that these ports are also defined on the CommServe. Then you can establish mappings between those ports on the CommServe and the ports on the gateway that the client will connect to. Under Additional destination port mapping, enter the incoming gateway port in the GW Port box and the mapping destination port in the Destination Port box. Click Add to add the port mapping. See Optimizing Backup and Restore using Additional Ports for details.

    The ports must be within the range of 1024 - 65000. Make sure the ports you specify are not used by other applications.

  9. Click OK.
  10. Click Add again to specify the outgoing connection route from this client towards the MediaAgent.
    1. Select the MediaAgent computer from the Remote Group/Client list.
    2. Select Via Gateway under Route Type.
    3. Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the tunnel.
  11. Provide these gateway settings:
    1. In the Gateway Hostname box, enter the gateway hostname through which you can reach the CommServe. In the example shown above, it is gateway.company.com.
    2. In the Gateway Tunnel Port box, specify the port through which the MediaAgent can be reached. In the example shown above, the port number is 444.
    3. If you want to configure additional destination ports, make sure that these ports are also defined on the MediaAgent, then you can establish mappings between those ports on the MediaAgent and the ports on the gateway which the client will connect to. Under Additional destination port mapping, specify the incoming gateway port in the GW Port box and the mapping destination port in the Destination Port box. Click Add to add the port mapping.

      The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications.

    4. Click OK.
  12. In the CommCell Browser, right-click the client name and click All Tasks > Push Firewall Configuration.
  13. Read the warning, then click Continue to acknowledge it and continue.
  14. Read the confirmation and click OK to dismiss it.
  15. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer is not ready, verify your settings against the above recommendations and revise them as required.
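The following script is an added example (not part of the SnapProtect software or the original page) that models the three pieces of configuration produced above, the gateway forwarding table, the incoming ports of the CommServe and MediaAgent, and the client's outgoing routes, and checks the consideration that every additional destination port in a client route must also appear in the remote computer's incoming port list and be forwarded by the gateway. Host names and tunnel ports are the ones from this page; the additional ports 8500 and 8600 and the data structures are this example's own assumptions.

```python
# Consistency check for the port-forwarding gateway scenario (added example,
# not product code). Models the gateway forwarding table, the incoming ports
# on the CommServe/MediaAgent and the client's outgoing routes, and verifies
# that every port the client dials on the gateway lands on a port the remote
# computer actually listens on. Additional ports 8500/8600 are constructed.

PORT_MIN, PORT_MAX = 1024, 65000  # allowed range for additional ports

# Gateway: external port -> (internal host, internal port)
GATEWAY = {443: ("commserve.company.com", 440),
           444: ("mediaagent.company.com", 440),
           8600: ("mediaagent.company.com", 8500)}

# Incoming ports on each internal computer (tunnel port + additional open ports)
INCOMING = {"commserve.company.com": {"tunnel": 440, "additional": set()},
            "mediaagent.company.com": {"tunnel": 440, "additional": {8500}}}

# Client outgoing routes via the gateway: remote -> gateway tunnel port plus
# additional destination port mapping {gateway port: destination port}
ROUTES = {"commserve.company.com": {"gw_tunnel_port": 443, "extra": {}},
          "mediaagent.company.com": {"gw_tunnel_port": 444, "extra": {8600: 8500}}}


def check_routes(gateway, incoming, routes):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    for remote, route in routes.items():
        listen = incoming[remote]
        # 1. The gateway tunnel port must be forwarded to the remote's tunnel port.
        target = gateway.get(route["gw_tunnel_port"])
        if target != (remote, listen["tunnel"]):
            problems.append(f"{remote}: gateway port {route['gw_tunnel_port']} forwards "
                            f"to {target}, expected ({remote!r}, {listen['tunnel']})")
        # 2. Each additional destination port must be in range, listed in the
        #    remote's incoming ports, and forwarded by the gateway to that port.
        for gw_port, dest in route["extra"].items():
            if not (PORT_MIN <= dest <= PORT_MAX and PORT_MIN <= gw_port <= PORT_MAX):
                problems.append(f"{remote}: mapping {gw_port}->{dest} outside {PORT_MIN}-{PORT_MAX}")
            if dest not in listen["additional"]:
                problems.append(f"{remote}: destination port {dest} not in its incoming port list")
            if gateway.get(gw_port) != (remote, dest):
                problems.append(f"{remote}: gateway does not forward {gw_port} to {remote}:{dest}")
    return problems


if __name__ == "__main__":
    for line in check_routes(GATEWAY, INCOMING, ROUTES) or ["configuration is consistent"]:
        print(line)
```

Run it after editing the dictionaries to match your own setup; a non-empty result points at the exact route that Check Readiness will fail on.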

Security Considerations

Since both the MediaAgent and CommServe computers are in a way exposed to the outside world through port-forwarded connections, you might want to enable encryption and authentication for the tunnel connections. This can be done in either of these ways:

  • From the Firewall Configuration tab of the client properties, select Encrypted for Tunnel Connection Protocol in the Outgoing Routes tab on all outgoing routes.
  • From the Firewall Configuration tab of the CommServe and MediaAgent properties, select Allow only HTTPS from the Incoming Tunnel Protocol drop-down list in the Options tab.

    Once HTTPS has been enabled, the client and CommServe/MediaAgent will authenticate each other and set up tunnel encryption in accordance with the HTTPS standard.

More Information

Firewall - Advanced provides firewall options for fine-tuning communication between CommCell components in support of CommCell operations.

Firewall - Troubleshooting provides troubleshooting information for problems encountered during configuration.

Configuring Third-Party Connections explains port restriction as related to the Status: RESTRICTED option.