Entering Required Firewall Settings

In an environment with firewalls, the vCenter, ESX servers, Virtual Server Agent, and MediaAgent must be able to communicate with each other. To allow all components to communicate through the firewall, open the ports for web services (default: 443) and TCP/IP (default: 902) on each of these machines.

When a firewall is used, you must open ports on the firewall for all components that are used for features such as Live Browse, Live File Recovery, and Live Mount. These settings are required in addition to normal SnapProtect firewall configuration. The following components require open ports:

  • vCenter
  • ESX server used to mount the snapshot
  • MediaAgent that performs a backup (where the 3dnfs service is running)
  • Virtual Server Agent proxies
  • File Recovery Enabler for Linux

Port Requirements

The following ports must be opened:

| Port | Protocol | Description | From | To |
|---|---|---|---|---|
| 2049 (TCP) | NFS | The 3DFS server listens on this port for NFS remote procedure calls (RPCs). The ESX server connects to the 3DFS server on this port. | ESX server; MediaAgent performing backup and File Recovery Enabler | MediaAgent performing backup and File Recovery Enabler; ESX server |
| 111 (TCP+UDP) | SUN RPC PortMapper | This port is used by the ESX server to find the mount and NFS ports used by the MediaAgent performing the backup and the File Recovery Enabler. | ESX server; MediaAgent performing backup and File Recovery Enabler | MediaAgent performing backup and File Recovery Enabler; ESX server |
| User specified port (TCP) | Mount | The mount server runs on this port, and the ESX server mounts an NFS share using this port. In a firewalled environment, you must open a fixed port in the firewall. If no port is configured, a random port is used, and a different port might be used each time the service is restarted. | ESX server; MediaAgent performing backup and File Recovery Enabler | MediaAgent performing backup and File Recovery Enabler; ESX server |
| 902 | VMware NFC | The MediaAgent performing the backup and the File Recovery Enabler communicate with the ESX server through this port. | MediaAgent performing backup and File Recovery Enabler | ESX server |
| 443 | SSL | The MediaAgent performing the backup and the File Recovery Enabler communicate with the ESX server and vCenter through this port. | MediaAgent performing backup and File Recovery Enabler | ESX server and vCenter |

Procedure

Open all of the following ports:

  1. Open port 2049 for the TCP protocol.
  2. Open a user-defined mount3 port for the TCP protocol by setting the following registry key:
    • On Windows:
      1. Define the following registry key:

        HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Instance001\3Dfs

      2. Right-click 3Dfs, point at New and click DWORD Value.

        Enter nMount3Port as the name and specify any free port number as the value.

    • On Linux:
      1. Define the following registry key:

        /etc/CommVaultRegistry/Galaxy/Instance001/3Dfs/.properties

      2. Add the following entry:

        "nMount3Port port_number"

        Where port_number is the number of any free port.

  3. To support the File Recovery Enabler for Linux, add the following registry key to force all components to use IPv4 to communicate with the File Recovery Enabler:

    /etc/CommVaultRegistry/Galaxy/Instance001/Session/.properties using the value “nPreferredIPFamily 1”

    The File Recovery Enabler only supports IPv4.

  4. Open port 111 for both the TCP and UDP protocols.
  5. For the MediaAgent and File Recovery Enabler, open the same ports that are used in the firewall configuration for the VMware Virtual Server Agent.
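
The Linux side of this procedure as a script, added here as an example and not taken from the vendor's documentation or tooling: it pins the mount port, sets the IPv4 preference, and prints host firewall commands that admit only the ESX server to ports 2049, 111 and the mount port. It assumes that entries in the .properties files are plain `name value` lines and that the host firewall is firewalld; the function names, the address 192.0.2.10 and port 4048 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumptions: .properties entries are plain
# "name value" lines, and the host firewall is firewalld.

# valid_port PORT: true for 1-65535, excluding ports the table already assigns.
valid_port() {
  case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ] || return 1
  case $1 in 111|443|902|2049) return 1 ;; esac
}

# set_prop FILE KEY VALUE: idempotently set "KEY VALUE", keeping other entries.
set_prop() {
  file=$1; key=$2; value=$3
  mkdir -p "$(dirname "$file")" && touch "$file"
  tmp=$(mktemp)
  grep -v "^${key}[[:space:]]" "$file" > "$tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"   # rewrite in place, keep file mode
}

# inbound_rules ESX_IP MOUNT_PORT: print firewalld commands that admit only the
# ESX server to NFS (2049), the portmapper (111 TCP+UDP) and the mount port.
inbound_rules() {
  esx=$1; mount_port=$2
  for spec in 2049/tcp 111/tcp 111/udp "$mount_port/tcp"; do
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
      "$esx" "${spec%/*}" "${spec#*/}"
  done
}

# configure REGISTRY_ROOT ESX_IP MOUNT_PORT: write both entries, print rules.
configure() {
  root=$1; esx=$2; port=$3
  valid_port "$port" || { echo "invalid mount port: $port" >&2; return 1; }
  set_prop "$root/3Dfs/.properties" nMount3Port "$port"
  set_prop "$root/Session/.properties" nPreferredIPFamily 1   # FRE is IPv4 only
  inbound_rules "$esx" "$port"
}

# Demo against a throwaway directory with constructed values. On a real host
# the root is /etc/CommVaultRegistry/Galaxy/Instance001 and root is required.
demo_root=$(mktemp -d)
configure "$demo_root" 192.0.2.10 4048
```

Review the printed commands, run them as root, and follow with `firewall-cmd --reload`. The script covers only inbound traffic on a Linux MediaAgent or File Recovery Enabler; ports 902 and 443 toward the ESX server and vCenter are outbound from this host and are not covered.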