Firewall: Best Practices

Inheriting Firewall Settings from Client Computer Groups

If several clients require the same firewall configuration settings, it is recommended that you create and configure a client group with the firewall settings instead of defining the configuration for each client computer. All existing and future clients that you add to the client group inherit its firewall settings.

For example, to configure a new client with direct connections from the client to the CommServe, add the client to a client group that you have previously configured with that firewall setup.

A client computer can be associated with more than one client group configured with firewall settings. However, the firewall routes configured on the client groups cannot conflict with each other.

For information on creating and configuring client computer groups, see Configuring Firewall on Multiple Clients Simultaneously.

Using Newer Firewall Configurations After Upgrade

SnapProtect versions 9 and 10 include many upgrades to the code that establishes connections across firewalls. The key new features are:

  • Authentication and HTTPS encryption in the tunnels for better security
  • Support for various network topologies such as Gateway or Proxy
  • Flexibility to configure settings through the CommCell Console and push them to all the clients
  • New protocol wrappings to allow communication through HTTP and HTTP proxy
  • Network connection throttling

If a client is upgraded but still uses version 8 firewall configuration files, operations on the client will stop working. Therefore, you must switch the client to the new firewall configuration as soon as possible.

After upgrading the CommServe, MediaAgent and client computers, perform these steps:

  1. Configure firewall settings for the CommServe, MediaAgent and client computers by following the procedures explained in the Firewall - Getting Started pages.

    Push the firewall configuration for the CommServe, MediaAgent and all clients.

    If you need to configure multiple client computers, see Configuring Firewall on Multiple Clients Simultaneously.

  2. After configuring the new firewall settings described above, follow the steps outlined in Optimizing Backup and Restore using Additional Ports for enhancing data throughput.
  3. If the clients had V8 firewall configurations, you must delete the V8 firewall files from the clients by using one of the following methods:
    • Preferred Method: Download and run the Delete V8 Firewall Files from Clients workflow.

      For instructions, see Delete V8 Firewall Files from Clients.

    • Alternative Method: Delete the firewall files by running specific commands.

      Follow the instructions for the operating system of your clients:

      On Windows computers, run the FirewallConfigDeprecated.exe tool located in the software_installation_path/Base folder on the CommServe, MediaAgent and client computers.
      Remove the client computer name from the old firewall configuration files.

      On UNIX and Linux computers, run the config_fw_deprecated command in the opt/software_installation_path/Base/ folder.

      If you have problems running the command, delete the following files manually:

      • FwHosts.txt
      • FwPorts.txt
      • FwPeers.txt
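
For the manual cleanup in step 3, the following script is an added example, not part of the SnapProtect software. It checks a Base folder passed on the command line for the three V8 file names listed above and, with the hypothetical --delete option, removes only those files and confirms that none remain. The option name and the way the folder is passed are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): check a client's Base folder for leftover
# V8 firewall files and optionally delete them.
# Usage (assumed): sh script.sh <Base folder> [--delete]

# The three file names come from the page; everything else is an assumption.
V8_FW_FILES="FwHosts.txt FwPorts.txt FwPeers.txt"

# Print the path of every V8 firewall file still present in directory $1.
list_v8_fw_files() {
    if [ ! -d "$1" ]; then
        echo "error: not a directory: $1" >&2
        return 2
    fi
    for name in $V8_FW_FILES; do
        if [ -f "$1/$name" ] || [ -L "$1/$name" ]; then
            printf '%s\n' "$1/$name"
        fi
    done
}

# Delete only the three named files in $1, then confirm none remain.
# Returns 0 when the folder is clean, 1 when a file could not be removed.
remove_v8_fw_files() {
    list_v8_fw_files "$1" >/dev/null || return 2
    for name in $V8_FW_FILES; do
        rm -f -- "$1/$name" || echo "warning: could not delete $1/$name" >&2
    done
    [ -z "$(list_v8_fw_files "$1")" ]
}

# Run only when a folder is given on the command line.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--delete" ]; then
        remove_v8_fw_files "$1" || exit $?
    fi
    left=$(list_v8_fw_files "$1") || exit 2
    if [ -n "$left" ]; then
        echo "V8 firewall files still present:"; echo "$left"; exit 1
    fi
    echo "No V8 firewall files found in $1"
fi
```

Without --delete the script only reports, so it can be run after the workflow or the command-line tool to confirm that the cleanup succeeded.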