Firewall: Perimeter Network Using SnapProtect Proxy

Overview

The SnapProtect proxy is a special proxy configuration where a dedicated iDataAgent is placed in a perimeter network, and the firewalls are configured to allow connections (from inside and outside networks) into the perimeter network. The proxy (the agent running in the perimeter network) authenticates, encrypts, and proxies the tunnel connections it accepts to connect the clients operating outside the private network to clients operating inside it. The SnapProtect proxy supports NAT operations.

The SnapProtect proxy acts like a Private Branch Exchange (PBX) that sets up secure conferences between dial-in client calls. With this setup, firewalls can be configured to disallow straight connections between inside and outside networks.

The diagram illustrates a perimeter network setup where a client from outside communicates to the CommServe and MediaAgent operating in an internal network through the SnapProtect proxy.

  • The instructions given below use the component names and port numbers presented in the illustration. Make a note of the details in your setup and substitute them when configuring your proxy.
  • For roaming clients, the firewall configuration can be set up to use direct connections when clients are inside the network, and use the proxy when they are outside the network. Use the Basic Configuration, and select the May travel outside of CommServe network option.
  • Microsoft Internet Information Services (IIS) uses port number 443 by default. If you are running IIS on a computer, you will not be able to use port 443 as a firewall configuration on that computer. By default, the SnapProtect software uses port 8403 for firewall communication.

Important: The SnapProtect proxy only allows connections that a client (which in this context includes a CommServe host or MediaAgent) opens toward the proxy. Proxies cannot originate connections to clients, nor are two-way connections supported.

Hardware Recommendations for a SnapProtect Proxy

This table gives the minimum hardware recommended for a SnapProtect proxy computer.

Number of Clients | Regular                                   | Authenticated or Raw Encrypted
<1000 clients     | Single-core 1-GHz processor with 4 GB RAM | Dual-core 1-GHz processor with 8 GB RAM
>5000 clients     | Dual-core 1-GHz processor with 8 GB RAM   | 2 x dual-core 1-GHz processors with 8 GB RAM

Determine the Firewall Configuration Method to Use

Determine which of the following configuration methods you want to use:

  • Preferred Method: Using a predefined firewall topology

    If you want to reduce the number of firewall configuration steps, you can use the predefined firewall topology for proxy connections. This is useful if the connection is client group-to-client group.

    The firewall topology must be set before you preconfigure the SnapProtect proxy. To get started, see Setting Up Proxy Connections Using the Predefined Firewall Topology for Proxies.

  • Alternative Method: Using the basic or advanced configuration

    If the predefined firewall topology for proxies does not meet your needs, you can use the basic or advanced configuration to set up proxy connections.

    Before you perform the configurations, you must set up the SnapProtect proxy and install the client. To get started, see Setting up the SnapProtect Proxy.

Setting Up Proxy Connections Using a Predefined Firewall Topology

The SnapProtect software simplifies the firewall configuration by providing predefined firewall topology types that you can use when setting up connectivity between client groups that are separated by a firewall. The client groups use a firewall topology instance to establish connections between themselves.

If you are setting up group-to-group firewall connectivity through a proxy, consider using the firewall topology for proxy connections. During the configuration of the firewall topology instance, you will need to designate three client groups to be used for internal clients, external clients, and proxy clients.

Note: The topology for proxy connections lets you configure multiple client computers to provide a single logical proxy function. When internal and external clients have established a connection to the logical proxy, the communication becomes bi-directional.

Before You Begin

  • Make sure that the client groups that you want to use in the firewall topology instance are already defined in the CommCell Console.
  • You must have Administrative Management permissions on the client groups that you plan to use in the firewall topology instance.
  • If you have clients in your proxy client group that belong to other client groups that are not designated for proxy connections, then the proxy settings on the clients might be lost. To prevent this issue, perform the following steps:
    1. Access the network properties of the client, and on the Firewall Configuration tab, select the Configure Firewall Settings check box, click Advanced, and then click OK to the warning message.
    2. On the Options tab, select the This computer is in DMZ and will work as a proxy check box.

Procedure

  1. From the CommCell Browser, right-click Firewall Topologies > New Topology.

    The Firewall Topology dialog box is displayed.

  2. In the Topology Name box, enter a name for this instance of a proxy firewall arrangement.
  3. Optional: In the Description box, enter a description for this topology.
  4. For Topology Type, click Via Proxy.
  5. From the Trusted Client Group 1 list, select a client group that will initiate connections to the proxy group.
  6. From the Trusted Client Group 2 list, select another client group that will initiate connections to the proxy group.
  7. From the Proxy/DMZ Group list, select the client group that you want to designate as the proxy group.
  8. By default, all traffic originating from clients in the Trusted Client Group 1 is forced to use firewall routes when communicating to any other host. To allow external clients to communicate directly with other hosts, clear the Make clients from Trusted Client Group 1 use proxies for all traffic check box, or define firewall routes to the other hosts.

    If you decide to have the Make clients from Trusted Client Group 1 use proxies for all traffic check box selected, review the following considerations:

    • The CommServe host and all MediaAgent hosts (which will communicate with members of the Trusted Client Group 1) must be in the selected Trusted Client Group 2. Otherwise, you must define firewall routes to the other hosts.
    • If you make changes to the Trusted Client Group 1, you do not need to push the firewall configuration.
    • If a client communicates with MediaAgents (or CommServe) that are not part of the Trusted Client Group 2 or that have not been configured with other firewall routes, communications with the MediaAgent (or CommServe) will fail.
  9. Click OK.

You are finished setting up the proxy connectivity. Continue with Setting up the SnapProtect Proxy.

Setting Up the SnapProtect Proxy

As part of the firewall configuration for proxy connections, you must configure the computer that you want to use as the SnapProtect proxy. The proxy must be a computer in the perimeter network.

Step 1: Preconfiguring the SnapProtect Proxy

Before you install the SnapProtect software on the proxy computer, you must create and configure a placeholder client for the proxy.

To create the placeholder client, complete the following steps:

Tip: If you need to create multiple placeholders, we recommend that you run the Client Certificate Administration Workflow.

  1. From the CommCell Browser, right-click the Client Computers node, then click New Client > File System > [Windows or Unix].

  2. In the New Windows Client window, enter a Client Name and Host Name for the proxy computer. These details will also be used during your SnapProtect proxy installation.
  3. Click Next.
  4. Confirm the information shown under Summary, then click Finish.

If you chose to use predefined firewall topologies, add the placeholder client to the proxy client group that you specified in the firewall topology:

  1. From the CommCell Browser, expand Client Computer Groups, right-click the proxy_client_group, and then click Properties.
  2. In the properties dialog box, select the placeholder client (or clients) from the All clients list, click Include >, and then click OK.

    Adding the placeholder clients to the proxy group automatically configures them as proxy computers.

  3. Push the firewall configuration on the MediaAgent (if any) and then on the CommServe computer. For example:
    1. From the CommCell Browser, right-click the CommServe, and then click All Tasks > Push Firewall Configuration.
    2. When the Warning dialog box appears, click Continue.

      A notification appears indicating that the push firewall operation was successful. Click OK to close the notification.

    You are now ready to install the SnapProtect proxy. Continue with Installing the SnapProtect Proxy.

If you chose not to use predefined firewall topologies, you must configure the firewall settings on the placeholder client as follows:

  1. From the CommCell Browser, expand Client Computers, then right-click the new client_name > Properties > Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings. Click Advanced, then OK to acknowledge the warning.
  3. Configure the proxy to allow the CommServe to initiate a connection to it:
    1. Click Add.
    2. In the From list, select the CommServe name.
    3. In the State list, select RESTRICTED. (The RESTRICTED setting is described in Restricting or Blocking Connections).
    4. Click OK.
  4. If a MediaAgent is behind the firewall, configure it:
    1. Click Add.
    2. In the From list, select the MediaAgent name.
    3. In the State list, select RESTRICTED. (The RESTRICTED setting is described in Restricting or Blocking Connections).
  5. Click the Incoming Ports tab. In the Listen for tunnel connections on port box, specify the port number where the SnapProtect proxy will listen for a connection request from the CommServe host. Write down the port number you used (you will need it during the SnapProtect proxy installation).
  6. In the Options tab, select the This computer is in DMZ and will work as a proxy check box, and then click OK twice.

    The placeholder client is now configured. The rest of the steps will configure the CommServe computer.

  7. From the CommCell Browser, right-click the CommServe node and click Properties.
  8. On the Firewall Configuration tab, select the Configure Firewall Settings option. Click the Incoming Connections tab, then click Add.
  9. From the From list, select the SnapProtect proxy computer. From the State list, select BLOCKED. Click OK.
  10. Click the Outgoing Routes tab, then click Add.
  11. Select the SnapProtect proxy from the Remote Group/Client list.
  12. For Route Type, select Direct, and for Tunnel Connection Protocol, select Regular.
  13. Click OK repeatedly until all dialog boxes are closed.
  14. From the CommCell Browser, right-click the CommServe node and click All Tasks > Push Firewall Configuration.
  15. Click Continue to acknowledge the warning and proceed.
  16. Click OK to close the firewall push notification.
  17. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.

    You are now ready to install the SnapProtect proxy.

Step 2: Installing the SnapProtect Proxy

Install the SnapProtect software (such as the File System Agent) on the proxy computer. If a firewall is enabled on the proxy, ensure there are open connections to the CommServe and client computers.

Since the perimeter network always receives connections from outside, the SnapProtect proxy must communicate with the CommServe computer through tunnel connections initiated by the CommServe.

During the installation, you need to specify a local HTTP or HTTPS port number that can be used by the CommServe computer to open tunnel connections towards the proxy. For firewall instructions during the installation, see Setting Up Direct Connections from the CommServe Computer to the Client.

Installing the Client

During the client installation, configure the client to connect to the CommServe computer through a proxy. The installation wizard needs the following information:

  • The client name of the SnapProtect proxy.
  • The HTTP or HTTPS tunnel port number on which the proxy allows connections.

    Note: If the CommServe computer is behind a port-forwarding gateway, you will need the port number of the gateway instead.

  • The host name or IP address of the proxy.

    Note: If the CommServe computer is behind a port-forwarding gateway, you will need the host name or IP address of the gateway instead.

For firewall instructions during the installation, see Setting Up Connectivity to the CommServe Computer Using a Proxy. If you are using the predefined firewall topology for proxies, then during the installation, make sure to assign the client to the untrusted client group that you defined in the topology.

Setting Up Proxy Connections Using Basic or Advanced Configurations

If the predefined firewall topology for proxies does not meet your needs, choose one of the following methods:

Basic Configuration

This procedure quickly sets up the client to connect to the CommServe and MediaAgent through the SnapProtect proxy. It uses fewer steps, and is recommended for new firewall users.

Note: The basic configuration applies to clients and client groups. This configuration is not available for MediaAgents.

Advanced Configuration

Use this procedure when you need to manually set up details of the connection (such as incoming connection restrictions and ports, outgoing routes, and keep-alive intervals) to the CommServe and MediaAgent. This procedure includes additional configuration steps.

Basic Configuration

  1. From the CommCell Browser, right-click the client or client group, then click Properties > Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings, and confirm that the Basic option is selected.
  3. Choose an option for establishing connectivity with the CommServe through the SnapProtect proxy:
    • If the client and CommServe reside on different networks, select Always outside of CommServe network.
    • If the client does not always reside on the CommServe network, select May travel outside of CommServe network. We recommend this option for laptop computers and other mobile devices.
  4. Select the Use Galaxy proxy option, then select the SnapProtect proxy that you configured above.
  5. Click the MediaAgent Connectivity tab.

    Choose an option for establishing connectivity with the MediaAgent through the SnapProtect proxy:

    • If the client and MediaAgent reside on different networks, select Always outside of MediaAgent network.
    • If the client does not always reside on the MediaAgent network, select May travel outside of MediaAgent network. We recommend this option for laptop computers and other mobile devices.
  6. Select the Use Galaxy proxy option, then select the SnapProtect proxy that you configured above.
  7. Click the Summary tab. Confirm that you see the connection route details for the outgoing routes between the CommServe, MediaAgent and client, then click OK.

    The firewall configuration is automatically pushed to the client, CommServe and MediaAgent computers.

Stop here. Successful completion of this procedure will have established connectivity between your CommServe, MediaAgent and client.

Advanced Configuration

Quick Reference for Advanced Configuration

The table below is a quick reference to the upcoming configurations within this section, listed per component:

Firewall Configurations

Proxy (see Setting Up the SnapProtect Proxy)

  Incoming:
    • CommServe Host: RESTRICTED
    • Client: RESTRICTED
    • Enable Proxy Capability: Configure a computer as a proxy by enabling This Computer is in DMZ and will work as a Proxy. The RESTRICTED option is described in Restricting or Blocking Connections.

Client or Client Group

  Incoming from Proxy: BLOCKED

  Outgoing to Proxy: Set two outgoing routes from client computers as follows:

    Route 1:
      • Remote Group/Client: the CommServe instance or MediaAgent
      • Route type: Via Proxy

    Route 2:
      • Remote Group/Client: the proxy
      • Route type: Direct

CommServe and MediaAgent

  Incoming from Proxy: BLOCKED

  Outgoing to Proxy: Set two outgoing routes from the CommServe instance and MediaAgents as follows:

    Route 1:
      • Remote Group/Client: Client or Client Group
      • Route type: Via Proxy

    Route 2:
      • Remote Group/Client: the proxy
      • Route type: Direct

Configuring the Client or Client Group

  1. From the CommCell Browser, right-click the client or client group, then click Properties > Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings, then the Advanced option. Click OK to acknowledge the warning and continue.
  3. On the Incoming Connections tab, click Add to open the Connections dialog box.
  4. Select the SnapProtect proxy computer in the From list.
  5. Select BLOCKED in the State list, since there are no incoming connections from the proxy to the client. Click OK.
  6. Click the Outgoing Routes tab, then click Add to create a route for the outgoing connection from the client to the SnapProtect proxy.
  7. Select the SnapProtect proxy from the Remote Group/Client list. For Route Type, select Direct, and for Tunnel Connection Protocol, select Authenticated. (The Authenticated option requires credentials to establish the connection, but does not encrypt the data during transfer.)
  8. If a port-forwarding gateway separates the client from the proxy, select Route Type of Via Gateway. Note that you will have to configure the Gateway Settings section after the next step.
  9. Select Force all data (along with control) traffic into the tunnel to force the data traffic into the tunnel.
  10. Click OK.
  11. Click Add to create a route for the outgoing connection from the client to the CommServe host, through the SnapProtect proxy.
  12. Select the name of the CommServe from the Remote Group/Client list, then for Route Type select Via Proxy.
  13. Select the SnapProtect proxy from the Remote Proxy list and click OK.
  14. Click Add to create a route for the outgoing connection from the client to the MediaAgent, through the SnapProtect proxy.
  15. Select the name of the MediaAgent from the Remote Group/Client list, then for Route Type, select Via Proxy.
  16. Select the SnapProtect proxy from the Remote Proxy list and click OK. Click OK again to close the Route Settings dialog box.
  17. Confirm that the Outgoing Routes tab shows three routes, for:

    • The client to the proxy
    • The client to the MediaAgent host
    • The client to the CommServe host

    If you used a port-forwarding gateway, the Route settings column indicates Via Gateway.

  18. From the CommCell Browser, right-click the client and click All Tasks > Push Firewall Configuration.
  19. Read the warning, then click Continue to acknowledge it and proceed.
  20. Click OK to close the firewall push notification.
  21. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer does not pass the readiness check, verify your settings against the above recommendations and revise them as required. If you have verified the settings, and the client is still not ready, check items on the Troubleshooting page related to connectivity.

Configuring the CommServe

The steps from here to the end of the procedure configure routes between CommServe, the MediaAgent and the new client through the SnapProtect proxy.

  1. From the CommCell Browser, expand Client Computers.
  2. Right-click the CommServe computer, then click Properties and Network.
  3. Click the Firewall Configuration tab, then the Outgoing Routes tab.
  4. Click Add to create an outgoing connection route from the CommServe to the client through the SnapProtect proxy.
  5. Select the client from the Remote Group/Client list, then select the Via Proxy option under Route Type.
  6. Select the SnapProtect proxy from the Remote Proxy list, then click OK to close the Route Settings dialog box.
  7. Confirm that the Outgoing Routes tab shows two routes:
    • The route from CommServe to the proxy
    • The route from CommServe to the client through the proxy

    When two computers are communicating with each other through a proxy, two routes need to be configured in each computer’s Firewall preferences:

    • A route to describe the connectivity from the computer being configured to the proxy.
    • A route to describe the connectivity from the computer being configured to the remote computer via the proxy.

  8. Click OK to close the CommCell Properties dialog box.
  9. From the CommCell Browser, right-click the CommServe computer, then point to All Tasks, then click Push Firewall Configuration.
  10. Read the warning, then click Continue to acknowledge it and proceed.
  11. Click OK to close the firewall push notification. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.

    Your CommServe is now configured to receive communication from the client through the SnapProtect proxy.

  12. In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the client computer does not pass the readiness check, verify your settings against the above recommendations and revise them as required. If you have verified the settings, and the client is still not ready, check items on the Troubleshooting page related to connectivity.
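To make the two-routes-per-computer rule above concrete, here is an added example that is not part of the SnapProtect documentation or product: a Python model of the incoming states and outgoing routes set in the Configuring the Client or Client Group and Configuring the CommServe steps above (and the MediaAgent steps that follow), with a validator that flags a missing Direct route to the proxy, a proxy that blocks the host that must connect to it, a host that does not block connections from the proxy, and a remote side that lacks the matching Via Proxy route back. The host names (dmzproxy, cs01, ma01, laptop01) and the RESTRICTED state for the client on the proxy are constructed assumptions, and the model covers only the single-proxy layout of this section.

```python
# Added example (not part of the SnapProtect documentation): a small model
# of the per-host firewall settings from the Advanced Configuration steps,
# plus a validator for the invariants the page states. All host names are
# constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCKED, RESTRICTED = "BLOCKED", "RESTRICTED"
DIRECT, VIA_GATEWAY, VIA_PROXY = "Direct", "Via Gateway", "Via Proxy"


@dataclass
class Route:
    remote: str                  # Remote Group/Client
    route_type: str              # Direct, Via Gateway or Via Proxy
    proxy: Optional[str] = None  # Remote Proxy (Via Proxy routes only)
    protocol: str = "Regular"    # Tunnel Connection Protocol
    force_tunnel: bool = False   # Force all data (along with control) traffic into the tunnel


@dataclass
class HostConfig:
    name: str
    is_proxy: bool = False       # "This computer is in DMZ and will work as a proxy"
    incoming: Dict[str, str] = field(default_factory=dict)   # From -> State
    outgoing: List[Route] = field(default_factory=list)


def validate(hosts: Dict[str, HostConfig]) -> List[str]:
    """Return the deviations from the page's proxy routing rules (empty = OK)."""
    findings: List[str] = []

    def add(msg: str) -> None:
        if msg not in findings:
            findings.append(msg)

    for h in hosts.values():
        for r in h.outgoing:
            if r.route_type != VIA_PROXY:
                continue
            p = hosts.get(r.proxy or "")
            if p is None or not p.is_proxy:
                add(f"{h.name}: route to {r.remote} names {r.proxy}, which is not a configured proxy")
                continue
            # Route 2 of the quick reference: the host also needs its own
            # Direct (or Via Gateway) route to the proxy it relays through.
            if not any(x.remote == p.name and x.route_type in (DIRECT, VIA_GATEWAY)
                       for x in h.outgoing):
                add(f"{h.name}: no Direct route to proxy {p.name}")
            # The proxy only accepts connections the host opens toward it,
            # so the proxy's incoming state for that host must not be BLOCKED.
            if p.incoming.get(h.name) == BLOCKED:
                add(f"{p.name}: incoming from {h.name} is BLOCKED; needs RESTRICTED")
            # Proxies never originate connections, so the host blocks
            # incoming connections from the proxy.
            if h.incoming.get(p.name) != BLOCKED:
                add(f"{h.name}: incoming from proxy {p.name} should be BLOCKED")
            # Both ends need a Via Proxy route to each other through the same proxy.
            remote = hosts.get(r.remote)
            if remote is None or not any(
                    x.remote == h.name and x.route_type == VIA_PROXY and x.proxy == p.name
                    for x in remote.outgoing):
                add(f"{r.remote}: missing Via Proxy route back to {h.name} through {p.name}")
    return findings


def example_hosts() -> Dict[str, HostConfig]:
    """Constructed CommCell: one proxy, a CommServe, a MediaAgent and a client."""
    return {
        "dmzproxy": HostConfig("dmzproxy", is_proxy=True,
                               incoming={"cs01": RESTRICTED, "ma01": RESTRICTED,
                                         "laptop01": RESTRICTED}),
        "cs01": HostConfig("cs01", incoming={"dmzproxy": BLOCKED}, outgoing=[
            Route("dmzproxy", DIRECT),
            Route("laptop01", VIA_PROXY, proxy="dmzproxy")]),
        "ma01": HostConfig("ma01", incoming={"dmzproxy": BLOCKED}, outgoing=[
            Route("laptop01", VIA_PROXY, proxy="dmzproxy"),
            Route("dmzproxy", DIRECT, force_tunnel=True)]),
        "laptop01": HostConfig("laptop01", incoming={"dmzproxy": BLOCKED}, outgoing=[
            Route("dmzproxy", DIRECT, protocol="Authenticated", force_tunnel=True),
            Route("cs01", VIA_PROXY, proxy="dmzproxy"),
            Route("ma01", VIA_PROXY, proxy="dmzproxy")]),
    }


if __name__ == "__main__":
    for msg in validate(example_hosts()) or ["configuration complete"]:
        print(msg)
```

Run as written, the complete configuration produces no findings; dropping the client's Direct route to the proxy, or setting the proxy's incoming state for the client to BLOCKED, yields a finding that names the affected host, which is the same kind of gap the Check Readiness step would expose.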

Configuring the MediaAgent

  1. From the CommCell Browser, right-click the MediaAgent computer, then Properties > Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings, then on the Incoming Connections tab, click Add.
  3. In the From list, select the SnapProtect proxy computer. From the State list, select BLOCKED, then click OK.
  4. Click the Outgoing Routes tab, then click Add to create the outgoing connection route from the MediaAgent to the client through the SnapProtect proxy.
  5. Select the client from the Remote Group/Client list, then select a Route Type of Via Proxy. Select the SnapProtect proxy in Remote Proxy, then click OK.
  6. Click Add again to create another route, this time the one from the MediaAgent to the SnapProtect proxy.
  7. Select the SnapProtect proxy from the Remote Group/Client list. The Direct route type and Regular tunnel connection protocol are selected by default.
  8. Select the Force all data (along with control) traffic into the tunnel option, then click OK to add the route and close the Route settings dialog box.
  9. Confirm that the Outgoing Routes tab shows two routes:
    • The route from MediaAgent to the proxy
    • The route from MediaAgent to the client through the proxy
  10. Click OK.
  11. In the CommCell Browser, right-click the MediaAgent computer and click All Tasks > Push Firewall Configuration.
  12. Read the warning, then click Continue to acknowledge it and proceed.
  13. Click OK to close the firewall push notification. Check the Event Viewer window to confirm that your firewall configuration was pushed successfully.

    Your MediaAgent is now configured to receive communication from the client through the SnapProtect proxy.

  14. In the CommCell Console, right-click the MediaAgent computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.

    If the MediaAgent computer is not ready, verify your settings against the above recommendations, then revise the settings as required.

Dual-Proxy Topology

Your SnapProtect software supports a network layout where two proxies come between components in a CommCell environment. The connectivity is depicted here:

Note that although the diagram depicts a CommServe host and a client, and the steps provided here assume those two entities, the two host machines can be any combination of CommServe host, MediaAgent and client.

Configuring the Connections

This layout requires configuring incoming and outgoing connections on the four Commvault entities shown in the diagram (CommServe host, Proxy 1 and 2, and Client). This section provides the steps for doing this.

Before You Begin

The SnapProtect proxy computers must be installed before starting to configure the connections between the CommCell components.

Configuring the CommServe Host

The steps in this section configure the firewall rules for the CommServe host to block incoming connections from Proxy 1, then force outgoing connections through the VPN tunnel to Proxy 2 via Proxy 1, and to the client via Proxy 1.

  1. Log on to the CommServe host, using an account with administrator rights.
  2. Expand Client Computers, then right-click the CommServe client > Properties, then click Network.
  3. On the Firewall Configuration tab, select Configure Firewall Settings.
  4. Block incoming connections from Proxy 1:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name of your Proxy 1 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Force outgoing connections to Proxy 2 that come through Proxy 1 into the tunnel:
    1. Click the Outgoing Routes tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name of your Proxy 2 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. In the Proxy Settings area, click the Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK.
  6. Force outgoing connections to the client that come through Proxy 1 into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 1

These steps configure the firewall rules for Proxy 1 to restrict incoming connections from both the CommServe host and Proxy 2, then force the outgoing connection to the client via Proxy 2, through the VPN tunnel.

  1. Under Client Computers, right-click the Proxy 1 client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Restrict incoming connections from the CommServe host:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name of your CommServe host.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  5. Restrict incoming connections from Proxy 2:
    1. Click Add.
    2. Click the From list, then select the client name of your Proxy 2 server.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the client through Proxy 2, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name of your Proxy 2 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 2

These steps configure the firewall rules for Proxy 2 to restrict incoming connections from Proxy 1 and the client, then force the outgoing connection to the CommServe host via Proxy 1, through the VPN tunnel.

  1. Under Client Computers, right-click Proxy 2 > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Restrict incoming connections from Proxy 1:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name of your Proxy 1 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Restrict incoming connections from the client:
    1. Click Add.
    2. Click the From list, then select the name of your client.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the CommServe host through Proxy 1, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your CommServe client.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Under Proxy Settings, click the Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring the Client

These steps configure the client’s firewall rules to block incoming connections from Proxy 2, then force outgoing connections through the VPN tunnel to Proxy 1 via Proxy 2, and to the CommServe host via Proxy 2.

  1. Under Client Computers, right-click the client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Block incoming connections from Proxy 2:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name of your Proxy 2 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  4. Force outgoing connections to Proxy 1 through Proxy 2, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name of your Proxy 1 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Under Proxy Settings, click the Remote Proxy list, then select the client name for your Proxy 2 server.
    5. Click OK.
  5. Force outgoing connections to the CommServe host through Proxy 2, into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the client name of your CommServe host.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Under Proxy Settings, click the Remote Proxy list, then select the client name for your Proxy 2 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Pushing the Firewall Configurations

Finally, push the firewall configuration to each of the entities you have configured, in this order:

  1. Push to the client.
  2. Push to Proxy 2.
  3. Push to Proxy 1.
  4. Push to the CommServe host.

Cascading Dual Proxies Topology

In this configuration, you define multiple dual-proxy paths between two CommCell entities. These paths can be set up as alternate routes by which two CommCell entities can connect to each other (see Configuring Multiple Connection Routes). Here is an example of this topology:

Note that although the diagram depicts a CommServe host and a client, and the steps provided here assume those two entities, the two host machines can be any combination of CommServe host, MediaAgent and client.

Configuring the Connections

This layout requires configuring incoming and outgoing connections on the six Commvault entities shown in the diagram (CommServe host, Proxy 1, 2, 3 and 4, and Client). This section provides the steps for doing this.

Before You Begin

The SnapProtect proxy computers must be installed before starting to configure the connections between the CommCell components.

Configuring the CommServe Host

The steps in this section configure the firewall rules on the CommServe host as follows:

  • Block incoming connections from Proxy 1, then force outgoing connections to Proxy 2 and to the client to go through Proxy 1, inside the VPN tunnel.
  • Block incoming connections from Proxy 3, then force outgoing connections to Proxy 4 and to the client to go through Proxy 3, inside the VPN tunnel.

Steps

  1. Log on to the CommServe host, using an account with administrator rights.
  2. Expand Client Computers, then right-click the CommServe client > Properties, then click Network.
  3. On the Firewall Configuration tab, select Configure Firewall Settings.
  4. Block incoming connections from Proxy 1:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 1 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Force outgoing connections to Proxy 2 that come through Proxy 1 into the tunnel:
    1. Click the Outgoing Routes tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name for your Proxy 2 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. In the Proxy Settings area, click the Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK.
  6. Force outgoing connections to the client that come through Proxy 1 into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK repeatedly until you have closed all dialog boxes.
  7. Block incoming connections from Proxy 3:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 3 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  8. Force outgoing connections to Proxy 4 that come through Proxy 3 into the tunnel:
    1. Click the Outgoing Routes tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name for your Proxy 4 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. In the Proxy Settings area, click the Remote Proxy list, then select the client name for your Proxy 3 server.
    5. Click OK.
  9. Force outgoing connections to the client that come through Proxy 3 into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 3 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 1

These steps configure the firewall rules for Proxy 1 to restrict incoming connections from both the CommServe host and from Proxy 2, then force the outgoing connection to the client via Proxy 2, through the VPN tunnel.

  1. Under Client Computers, right-click the Proxy 1 client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Restrict incoming connections from the CommServe host:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your CommServe host.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  5. Restrict incoming connections from Proxy 2:
    1. Click Add.
    2. Click the From list, then select the client name for your Proxy 2 server.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the client through Proxy 2, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 2 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 2

These steps configure the firewall rules for Proxy 2 to block incoming connections from Proxy 1, restrict connections from the client, then force the outgoing connection to the CommServe host via Proxy 1, through the VPN tunnel.

  1. Under Client Computers, right-click the Proxy 2 client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Block incoming connections from Proxy 1:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 1 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Restrict incoming connections from the client:
    1. Click Add.
    2. Click the From list, then select the name of your client.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the CommServe host through Proxy 1, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your CommServe client.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Under Proxy Settings, click the Remote Proxy list, then select the client name for your Proxy 1 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 3

These steps configure the firewall rules for Proxy 3 to restrict incoming connections from both the CommServe host and from Proxy 4, then force the outgoing connection to the client via Proxy 4, through the VPN tunnel.

  1. Under Client Computers, right-click the Proxy 3 client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Restrict incoming connections from the CommServe host:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your CommServe host.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  5. Restrict incoming connections from Proxy 4:
    1. Click Add.
    2. Click the From list, then select the client name for your Proxy 4 server.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the client through Proxy 4, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 4 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring Proxy 4

These steps configure the firewall rules for Proxy 4 to block incoming connections from Proxy 3, restrict connections from the client, then force the outgoing connection to the CommServe host via Proxy 3, through the VPN tunnel.

  1. Under Client Computers, right-click the Proxy 4 client > Properties, then click Network.
  2. On the Firewall Configuration tab, select Configure Firewall Settings.
  3. Select Advanced, then click OK.
  4. Block incoming connections from Proxy 3:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 3 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Restrict incoming connections from the client:
    1. Click Add.
    2. Click the From list, then select the name of your client.
    3. Click the State list, then select RESTRICTED.
    4. Click OK.
  6. Force outgoing connections to the CommServe host through Proxy 3, into the tunnel:
    1. Click the Outgoing Connections tab, then click Add.
    2. Click the Remote Group/Client list, then select your CommServe client.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Under Proxy Settings, click the Remote Proxy list, then select the client name for your Proxy 3 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Configuring the Client

The steps in this section configure the firewall rules on the client as follows:

  • Block incoming connections from Proxy 2, then force outgoing connections to Proxy 1 and to the CommServe host to go through Proxy 2, inside the VPN tunnel.
  • Block incoming connections from Proxy 4, then force outgoing connections to Proxy 3 and to the CommServe host to go through Proxy 4, inside the VPN tunnel.

Steps

  1. Log on to the CommServe host, using an account with administrator rights.
  2. Expand Client Computers, then right-click the client > Properties, then click Network.
  3. On the Firewall Configuration tab, select Configure Firewall Settings.
  4. Block incoming connections from Proxy 2:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 2 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  5. Force outgoing connections to Proxy 1 that come through Proxy 2 into the tunnel:
    1. Click the Outgoing Routes tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name for your Proxy 1 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. In the Proxy Settings area, click the Remote Proxy list, then select the client name for your Proxy 2 server.
    5. Click OK.
  6. Force outgoing connections to the CommServe client that come through Proxy 2 into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 2 server.
    5. Click OK repeatedly until you have closed all dialog boxes.
  7. Block incoming connections from Proxy 4:
    1. On the Incoming Connections tab, click Add.
    2. Click the From list, then select the client name for your Proxy 4 server.
    3. Click the State list, then select BLOCKED.
    4. Click OK.
  8. Force outgoing connections to Proxy 3 that come through Proxy 4 into the tunnel:
    1. Click the Outgoing Routes tab, then click Add.
    2. Click the Remote Group/Client list, then select the client name for your Proxy 3 server.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. In the Proxy Settings area, click the Remote Proxy list, then select the client name for your Proxy 4 server.
    5. Click OK.
  9. Force outgoing connections to the CommServe client that come through Proxy 4 into the tunnel:
    1. Click Add.
    2. Click the Remote Group/Client list, then select the CommServe client name.
    3. Under Route Type, select Via Proxy. Note that Force all data (along with control) traffic into the tunnel is automatically selected also.
    4. Click the Proxy Settings > Remote Proxy list, then select the client name for your Proxy 4 server.
    5. Click OK repeatedly until you have closed all dialog boxes.

Pushing the Firewall Configurations

Finally, push the firewall configuration to each of the entities you have configured, in this order:

  1. Push to the client.
  2. Push to Proxy 4.
  3. Push to Proxy 3.
  4. Push to Proxy 2.
  5. Push to Proxy 1.
  6. Push to the CommServe host.

Configuring the Cascading Proxies

Once you have put the firewall rules in place using the above steps, you can configure the topology by setting up multiple connection routes through the parallel proxies as described in Configuring Multiple Connection Routes.
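The incoming and outgoing rules entered in the steps above, modelled in Python as an added example (not SnapProtect's own code or tooling): it follows each alternate Via Proxy route between the client and the CommServe host and checks that every link can be carried by a tunnel that one side opens toward a peer that RESTRICTs it, which is what the Overview's rule that proxies never originate connections requires. The entity names and both rule tables are assumptions constructed from the steps, not values exported from a CommCell.

```python
# Added example (not SnapProtect's own code): the firewall rules from the
# cascading-dual-proxies steps above, as Incoming (entity -> {From: State})
# and Outgoing (entity -> {Remote Group/Client: [Remote Proxy, ...]}) tables,
# plus a check that every alternate route between client and CommServe host is
# built from tunnels a side opens TOWARD a peer that RESTRICTs it (a proxy
# never originates). Names and both tables are constructed for this example.
BLOCKED, RESTRICTED = "BLOCKED", "RESTRICTED"
INCOMING = {
    "CommServe": {"Proxy1": BLOCKED, "Proxy3": BLOCKED},
    "Proxy1": {"CommServe": RESTRICTED, "Proxy2": RESTRICTED},
    "Proxy2": {"Proxy1": BLOCKED, "Client": RESTRICTED},
    "Proxy3": {"CommServe": RESTRICTED, "Proxy4": RESTRICTED},
    "Proxy4": {"Proxy3": BLOCKED, "Client": RESTRICTED},
    "Client": {"Proxy2": BLOCKED, "Proxy4": BLOCKED},
}
OUTGOING = {
    "CommServe": {"Proxy2": ["Proxy1"], "Proxy4": ["Proxy3"], "Client": ["Proxy1", "Proxy3"]},
    "Proxy1": {"Client": ["Proxy2"]},
    "Proxy2": {"CommServe": ["Proxy1"]},
    "Proxy3": {"Client": ["Proxy4"]},
    "Proxy4": {"CommServe": ["Proxy3"]},
    "Client": {"Proxy1": ["Proxy2"], "Proxy3": ["Proxy4"], "CommServe": ["Proxy2", "Proxy4"]},
}

def route_links(src, dst, outgoing=OUTGOING):
    """One list of adjacent (a, b) links per alternate Via Proxy route from src to dst."""
    routes = []
    for first_proxy in outgoing.get(src, {}).get(dst, []):
        chain = [src, first_proxy]
        while dst in outgoing.get(chain[-1], {}) and len(chain) < 8:  # proxy forwards on
            chain.append(outgoing[chain[-1]][dst][0])  # proxies here have one route each
        routes.append(list(zip(chain, chain[1:] + [dst])))
    return routes

def link_opener(a, b, incoming=INCOMING):
    """(opener, acceptor) on link a-b; raises if neither side RESTRICTs the other."""
    if incoming.get(b, {}).get(a) == RESTRICTED:
        return (a, b)
    if incoming.get(a, {}).get(b) == RESTRICTED:
        return (b, a)
    raise ValueError(f"no tunnel possible on {a}-{b}: BLOCKED or unlisted both ways")

def validate_route(src, dst, incoming=INCOMING, outgoing=OUTGOING):
    """Per alternate route, the (opener, acceptor) tunnels that carry it."""
    return [[link_opener(a, b, incoming) for a, b in links]
            for links in route_links(src, dst, outgoing)]

if __name__ == "__main__":
    for route in validate_route("Client", "CommServe"):
        print(" -> ".join(f"{o} opens to {a}" for o, a in route))
```

Running it shows that both alternate routes resolve to three tunnels each (client into Proxy 2 or 4, that proxy into Proxy 1 or 3, and the CommServe host into Proxy 1 or 3), and that the same tunnels carry the route whichever side's outgoing rule you start from; flipping a RESTRICTED entry to BLOCKED raises an error for the link that can no longer be opened.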

More Information

Additional Firewall Configurations provides firewall options for fine-tuning communication between CommCell components in support of CommCell operations.

Firewall - Troubleshooting provides troubleshooting information for problems encountered during configuration.

Restricting or Blocking Connections explains port restriction as related to the Status: RESTRICTED option.