Firewall: Options

The following sections provide context-sensitive help information related to this feature.

Firewall Configuration

Use this dialog box to configure firewall settings for the selected CommCell entity, which can be a CommServe, MediaAgent, client computer or client group.

Configure Firewall Settings

Select this option to configure firewall settings on the client or client group that you selected.

If you configure firewall on a client group, all the clients that are associated with the client group will inherit the firewall configurations that you set on the group. The clients that are part of the client group will display a note indicating that firewall is inherited from the client group.

Remember: If a client is inheriting the firewall settings from a client group, you do not need to select the Configure Firewall Settings check box. However, you can select the option if you want to configure additional (or different) firewall settings on the client.

Use the following options to establish connectivity to and from CommCell entities separated by a firewall.

By default, the firewall properties at the CommCell level only display the Advanced options.

Basic

Select this option to quickly configure direct tunnel connection or proxy connection between the selected CommCell component and the CommServe or MediaAgent.

Use the following tabs to specify the type of firewall configuration:

Advanced

Select this option to configure any type of connection route between the CommCell components (entities) to establish connectivity across the firewall.

Use the following tabs to provide the firewall configuration details:

CommServe Connectivity

Visible when Firewall Configuration is set to Basic. Use this tab to select the type of firewall configuration between the selected CommCell component and the CommServe.

This Computer is

Specifies whether this computer is in the same network as the CommServe.

  • Always in the same network as CommServe

    Click to specify that this computer connects directly to the CommServe (no firewall between them). CommCell services of this computer and the CommServe can directly communicate.

  • Always outside of CommServe network

    Click to specify that this computer will always connect to the CommServe from a remote site. This option allows you to configure direct tunnel connections and proxy connections.

  • May travel outside of CommServe network

    Click to specify that this computer will occasionally connect to the CommServe from a remote site. This option is recommended for laptops and other mobile devices that routinely move in and out of the network.

    When connecting to the CommServe, this option will first attempt to establish a direct connection (same CommServe network scenario). If it fails, the direct tunnel connection or proxy will be used.

When connecting from outside

Available when This Computer is is set to Always outside of CommServe network or May travel outside of CommServe network. Sets the type of firewall configuration that this computer will use to connect to the CommServe.

  • Open tunnel directly to CommServe

    Click to enable this computer to connect to the CommServe through a direct tunnel connection. By default, the CommServe will use port 8403 to receive connections from the computer.

  • Use remote proxy

    Click to enable this computer to connect to the CommServe using a proxy.

MediaAgent Connectivity

Visible when Firewall Configuration is set to Basic. Use this tab to select the type of firewall configuration between the selected CommCell component and its associated MediaAgent.

This Computer is

Indicates whether this computer is in the same network as the MediaAgent.

  • Always in the same network as MediaAgent

    Click to specify that this computer connects directly to the MediaAgent (no firewall between them). CommCell services of this computer and the MediaAgent can directly communicate.

  • Always outside of MediaAgent network

    Click to specify that this computer will always connect to the MediaAgent from a remote site. This option allows you to configure direct tunnel connections and proxy connections.

  • May travel outside of MediaAgent network

    Click to specify that this computer can connect to the MediaAgent from a remote site. This option is recommended for laptops and other mobile devices that routinely move in and out of the network.

    When connecting to the MediaAgent, this option will first attempt to establish a direct connection (same CommServe network scenario). If it fails, the direct tunnel connection or proxy will be used.

When connecting from outside

Available when This Computer is is set to Always outside of MediaAgent network or May travel outside of MediaAgent network. Indicates the type of firewall configuration that this computer will use to connect to the MediaAgent.

  • Open tunnel directly to MediaAgent

    Click to enable this computer to connect to the MediaAgent through a direct tunnel connection.

  • Use remote proxy

    Click to enable this computer to connect to the MediaAgent using a proxy.

Incoming Connections

Visible when Firewall Configuration is set to Advanced. Use this tab to add or modify the connection status of remote clients or client groups that cannot open direct connections to this CommCell component.

Entity

Displays the list of clients or client groups (entities) that cannot open direct connections or can open connections only on restricted ports to this CommCell component (see Restricting or Blocking Connections).

State

Indicates the type of connection from the client or client group.

Actions

  • Add

    Click Add to add a client or client group. This opens the Connections to dialog box.

  • Edit

    Select a client or client group, then click Edit to change the details.

  • Delete

    Select a client or client group, then click Delete to remove it from the list.

Incoming Ports

Visible when Firewall Configuration is set to Advanced. Use this tab to specify the port numbers for incoming communication. Network TCP Port Requirements provides a list of incoming ports.

Tunnel HTTP/HTTPS Port

  • Listen for tunnel connections on port

    Specifies the port on which the incoming tunnel connections are received.

Additional Open Ports

Specify additional ports or range of ports that are open for incoming connections to facilitate faster data transport.

From

The starting number in the range of ports that are open.

To

The ending number in the range of ports that are open.

  • Add

    Click Add to include the additional ports.

  • Delete

    Select a port or range of ports, then click this button to remove them from the list.

Outgoing Routes

Visible when Firewall Configuration is set to Advanced. Use this tab to define the connectivity type and port numbers that are open for outgoing communication from this CommCell component.

Remote Entity

Displays the list of remote clients or client groups that are only reachable through a firewall.

Route Settings

Displays the outgoing route to reach the remote client or client group.

  • Add

    Click Add to add an outgoing route to reach a remote client or client group. Provide the details in the Route Settings dialog box.

  • Edit

    Select a remote client or client group and click Edit to change the route settings.

  • Delete

    Select a remote client or client group and click Delete to remove it from the list.

Options

Visible when Firewall Configuration is set to Advanced. Use this tab to configure additional firewall configuration options.

Keep-alive Interval, seconds

The interval for sending keep-alive packets, to maintain the session if backup traffic has an extended pause.

Tunnel Init Interval, seconds

The interval at which tunnel initialization must be attempted.

Default Outgoing Tunnel Protocol

This option sets the outgoing tunnel protocol for any route that uses a proxy to communicate with a locked-down CommServe host, when software components are installed onto a client for which no entry on the Outgoing Routes tab specifies a protocol.

Force SSL authentication in incoming tunnel connections

Select this option to force all incoming tunnel connections to use the HTTPS protocol. Communication between other CommCell components will be authenticated through Secure Sockets Layer (SSL).

Bind all services to open ports only

Select this option to bind all services to the list of incoming ports configured for the client using TCP/IP filtering.

This computer is in DMZ and will work as a proxy

Select this option to designate this computer as a proxy computer for CommCell communications through firewall.

Force per-client certificate based authentication

Visible only when This computer is in DMZ and will work as a proxy is selected. Selecting this option prevents clients that do not have certificates from communicating with a locked-down CommServe host through this computer when it is acting as a proxy. If this option is selected, you will have to generate a temporary authentication certificate to install new clients through the proxy. For more information, see Enforcing Authentication of Client Certificates during Installations, and Renew a Revoked Certificate in a Locked Down CommCell.

Roaming client

Select this option to designate a client computer as a roaming client. The roaming feature intelligently determines the best route for the client to communicate with the CommServe computer. This is useful for clients that constantly change their geographical location, such as laptop clients.

When the option is selected, the client will try to reach the CommServe computer directly, without the use of firewall routes (outgoing routes are bypassed). If the CommServe computer cannot be reached, the client will continue to use the configured firewall routes.

Network Proxy Settings

These settings are visible when configuring a CommCell. They allow you to configure third-party port mappings.

  • Access GUI Server (EvMgrS) via following proxy

    Select this option to enable port 8401 on the CommServe computer.

    • Remote Proxy lists the proxy computers that you can use to access the CommServe.
    • Port Number specifies a local port used by the proxy computer which will be mapped to port 8401.

  • Access Web Server via following proxy

    Select this option to enable port 81 on the computer where the Web Server is installed.

    • Remote Proxy lists the proxy computers that you can use to access the Web Server.
    • Port Number specifies a local port used by the proxy computer which will be mapped to a dynamic IIS port.

  • Access Reports via following proxy

    Select this option to enable port 80 on the CommServe computer.

    • Remote Proxy lists the proxy computers that you can use to access the Report database.
    • Port Number specifies a local port used by the proxy computer, which will be mapped to a dynamic IIS port.

  • Access Custom Reports Engine via following proxy

    Select this option to specify the proxy through which this Web Console instance communicates with the Custom Reports Engine.

    • Remote Proxy lists the proxy computers that provide access to the Custom Reports Engine service.
    • Port Number specifies the port the Web Console will use to access the Custom Reports Engine (commonly running on the Web Server). This is a local port on the computer hosting the Web Console that is mapped to the Web Server.

Summary

This tab displays a summary of the firewall configuration created using the other tabs. This tab is not available at the client group level.

Firewall Topology

Use this dialog to create or change an instance of a predefined firewall topology that connects client groups, either directly or through a proxy.

Topology Name

The name for this instance of the topology. Must be a unique name within your CommCell environment.

Description

(Optional) A free-form textual description of the topology.

Topology Type

The type of topology for this instance.

  • Via Proxy

    Select this option to configure connections between clients from inside and outside the firewall through the proxy client group.

  • One-Way

    Select this option to configure clients from outside the firewall to initiate connections with clients (inside the firewall) on restricted ports.

  • Two-way

    Select this option to allow clients from inside and outside the firewall to initiate connections between each other on restricted ports.

Trusted Client Group 1

In a proxy topology, clients in this group are outside the firewall and are designated to initiate direct connections with clients in the Trusted Client Group 2.

Trusted Client Group 2

In a proxy topology, clients in this group are inside the firewall and are designated to receive connection requests from clients in the Trusted Client Group 1. The clients in this group cannot initiate connections with clients in the Trusted Client Group 1.

Proxy/DMZ Group

The client group that is designated as the proxy group for connections using the Via Proxy topology type.

Infrastructure Client Group

In a one-way topology, clients in this group are outside the firewall and are designated to initiate direct connections with clients in the DMZ Client Group.

DMZ Client Group

In a one-way topology, clients in this group are inside the firewall and are designated to receive connection requests from clients in the Infrastructure Client Group.

Client Group 1

In a two-way topology, clients in this group can initiate direct connections to clients that are members of Client Group 2.

Client Group 2

In a two-way topology, clients in this group can initiate direct connections to clients that are members of Client Group 1.

Make clients from Trusted Client Group 1 use proxies for all traffic

This option forces clients in the Trusted Client Group 1 to use the chosen Proxy/DMZ Group to communicate with all hosts, including CommServe and MediaAgent hosts. This option is selected by default.
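The three topology types above, modelled as an added example that is not part of this help page or of Commvault's software; the Topology class, the route() and receivers() helpers and the client names in the sample are assumptions made for illustration:

```python
"""Model of the predefined topology types described above (Via Proxy, One-Way,
Two-way). Added example, not Commvault's own code: the Topology fields, the
route() and receivers() helpers and the sample client names are constructed
for illustration."""
from dataclasses import dataclass, field


@dataclass
class Topology:
    kind: str                   # "via_proxy", "one_way" or "two_way"
    group1: set                 # Trusted Client Group 1 / Infrastructure Client Group / Client Group 1
    group2: set                 # Trusted Client Group 2 / DMZ Client Group / Client Group 2
    proxy_group: set = field(default_factory=set)   # Proxy/DMZ Group (Via Proxy only)
    proxies_for_all_traffic: bool = True            # "use proxies for all traffic", on by default


def route(t: Topology, src: str, dst: str):
    """Return the hop list src -> ... -> dst if the topology lets src initiate
    the connection, or None if this topology gives src no way to reach dst."""
    if t.kind == "one_way":
        # Only the Infrastructure group (outside) initiates, towards the DMZ group.
        return [src, dst] if src in t.group1 and dst in t.group2 else None
    if t.kind == "two_way":
        # Either group may initiate towards the other on the restricted ports.
        if (src in t.group1 and dst in t.group2) or (src in t.group2 and dst in t.group1):
            return [src, dst]
        return None
    if t.kind == "via_proxy":
        if not t.proxy_group:
            raise ValueError("Via Proxy topology needs a Proxy/DMZ Group")
        proxy = sorted(t.proxy_group)[0]   # any member of the proxy group, chosen deterministically
        # Group 1 (outside) reaches group 2 (inside) only through the proxy; with the
        # "use proxies for all traffic" option it reaches every other host that way too.
        if src in t.group1 and (dst in t.group2 or t.proxies_for_all_traffic):
            return [src, proxy, dst]
        return None        # group 2 never initiates towards group 1
    raise ValueError(f"unknown topology type {t.kind!r}")


def receivers(t: Topology) -> set:
    """Hosts that must accept inbound connections under this topology, the set a
    defender wants to keep small. Assumption for Via Proxy: only the proxy group
    is reachable from outside, since all traffic passes through it."""
    if t.kind == "one_way":
        return set(t.group2)
    if t.kind == "two_way":
        return set(t.group1) | set(t.group2)
    return set(t.proxy_group)


if __name__ == "__main__":
    # Constructed sample: two laptops outside, one MediaAgent inside, one DMZ proxy.
    t = Topology("via_proxy", {"laptop1", "laptop2"}, {"ma1"}, {"dmz-proxy"})
    print(route(t, "laptop1", "ma1"))     # ['laptop1', 'dmz-proxy', 'ma1']
    print(route(t, "ma1", "laptop1"))     # None
    print(sorted(receivers(t)))           # ['dmz-proxy']
```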

Connections to client or client_group

Use this dialog box for adding or modifying incoming connections from remote clients or client groups to this CommCell component.

From

Select a client or client group that has firewall restrictions to communicate to this CommCell component.

State

Select one of the following connection states:

  • Select BLOCKED if this CommCell component should not have open connections with the client or client group you selected in the From list.
  • Select RESTRICTED if this CommCell component can have connections with the client or client group you selected in the From list, but only on restricted ports (see Configuring Third-Party Connections).

Route Settings

Use this dialog to specify the outgoing route to reach the remote client/client group from this CommCell entity.

Remote Group/Client

Select the remote client/client group for which you wish to specify the outgoing route.

Route Type

  • Direct

    Select this option if a direct connection can be made to the remote client/client group.

  • Via Gateway

    Select this option and specify the Gateway Settings if the connection is routed through a Gateway.

  • Via Proxy

    Select this option and specify the Proxy Settings if the connection is routed through a proxy.

Tunnel Connection Protocol

  • Regular

    Select this option to use HTTP protocol for outgoing communication.

  • Authenticated

    Select this option to encrypt the initial authentication and communication between clients using the HTTPS protocol. Once authenticated, the tunnel connection optimizes data transfer by switching to HTTP protocol.

  • Encrypted

    Select this option to use HTTPS protocol for outgoing communication.

  • Raw

    This option forces outgoing communication to not use any form of HTTP. Use it when network equipment modifies the packet stream, thereby preventing communication. See Configuring Tunnel Connection Protocols for details.

Force all data (along with control) traffic into the tunnel

Select this option to force backup and restore data traffic through the tunnel connection. Optional for Direct and Via Gateway routes; required (and automatically selected) for Via Proxy routes.

Selecting this option encrypts data traffic, which may slow operations.

Gateway Settings

The following options define the firewall gateway settings.

  • Gateway Hostname

    Specifies the hostname of the port-forwarding gateway computer.

  • Gateway Tunnel Port

    Specifies the port on which the tunnel connections are received on the gateway computer.

Additional destination port mapping

These options are available when configuring clients (but not client groups), when the Route Type is set to Via Gateway.

  • GW Port

    Specify the additional gateway port that can receive incoming connections. Click Add to add the port to the list of gateway ports.

  • Destination Port

    Specify the destination port on the remote client/client group that is mapped to the GW Port.

Add

Click to add the port combination shown in GW Port and Destination Port.

Delete

Select a port from the GW Port list and click Delete to remove the port combination. Hold down CTRL to select more than one.

Proxy Settings

  • Remote Proxy

    Select the proxy computer through which communication to the remote client/client group must be routed.
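A configuration lint for the Route Settings dialog described above, as an added example that is not Commvault's own code; the dictionary field names, the severity labels and the sample routes are assumptions constructed for illustration:

```python
"""Lint for outgoing route definitions modelled on the Route Settings dialog.
Added example, not Commvault's own code: the dict field names, the severity
labels and the sample routes are constructed for illustration."""

ROUTE_TYPES = {"direct", "gateway", "proxy"}
PROTOCOLS = {"regular", "authenticated", "encrypted", "raw"}

def _port_ok(p) -> bool:
    return isinstance(p, int) and 1 <= p <= 65535

def lint_route(r: dict) -> list:
    """Return (severity, message) findings for one route definition."""
    out = []
    rtype, proto = r.get("type"), r.get("protocol", "regular")
    if rtype not in ROUTE_TYPES:
        return [("error", f"unknown Route Type {rtype!r}")]
    if proto not in PROTOCOLS:
        out.append(("error", f"unknown Tunnel Connection Protocol {proto!r}"))
    if rtype == "proxy":
        if not r.get("remote_proxy"):
            out.append(("error", "Via Proxy route needs a Remote Proxy"))
        # The dialog selects this automatically for Via Proxy; turning it off is a defect.
        if not r.get("force_data_in_tunnel", True):
            out.append(("error", "Via Proxy route must force data traffic into the tunnel"))
    if rtype == "gateway":
        if not r.get("gateway_hostname"):
            out.append(("error", "Via Gateway route needs a Gateway Hostname"))
        if not _port_ok(r.get("gateway_tunnel_port")):
            out.append(("error", "Gateway Tunnel Port must be in 1-65535"))
        seen = set()
        for gw_port, dest_port in r.get("port_mappings", []):
            if not (_port_ok(gw_port) and _port_ok(dest_port)):
                out.append(("error", f"invalid port mapping {gw_port}->{dest_port}"))
            elif gw_port in seen:
                out.append(("error", f"GW Port {gw_port} is mapped more than once"))
            seen.add(gw_port)
    # Regular keeps the tunnel on HTTP; Authenticated drops back to HTTP after the HTTPS authentication.
    if proto == "regular":
        out.append(("warn", "Regular: tunnel runs over HTTP and is not encrypted"))
    elif proto == "authenticated":
        out.append(("info", "Authenticated: HTTPS for authentication only, then HTTP"))
    return out

def lint_routes(routes: list) -> dict:
    return {r["remote"]: lint_route(r) for r in routes}   # remote entity -> findings

# Constructed sample: one sound Via Gateway route, one Via Proxy route with two defects.
SAMPLE_ROUTES = [
    {"remote": "ma-dc1", "type": "gateway", "protocol": "encrypted",
     "gateway_hostname": "gw.example.test", "gateway_tunnel_port": 8403,
     "port_mappings": [(8410, 8400), (8411, 8402)]},
    {"remote": "laptops", "type": "proxy", "protocol": "regular",
     "remote_proxy": "dmz-proxy", "force_data_in_tunnel": False},
]
```

Running `lint_routes(SAMPLE_ROUTES)` returns no findings for the gateway route and an error plus a cleartext warning for the proxy route.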

Add Proxy

Use this dialog to create a placeholder for the proxy on your CommServe computer before installing it.

Client Name

The client name of the proxy computer.

Host Name

The host name of the proxy computer. The host name of the proxy computer must be resolvable from outside of the perimeter network and inside the local network.