Firewall Configuration - Unix

Table of Contents

Select one of the following options for firewall configuration:

Client/MediaAgent can reach the CommServe

CommServe can reach the Client/MediaAgent

Client/MediaAgent and CommServe can reach each other

CommServe can be Reached through a Port Forwarding Gateway

CommServe can be Reached through a Proxy

Client/MediaAgent can reach the CommServe

Before configuring firewall options, ensure that the connection to the CommServe is set up as described in the Client Connects to the CommServe (One-Way Firewall) procedure.

Use the following procedure when the Client/MediaAgent can reach the CommServe.

1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter to continue.

Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.

1) This machine can open connection to CommServe on a tunnel port

2) CommServe can open connections toward us

3) CommServe is reachable only through a proxy

Your choice: [1]

2. Enter the name of the CommServe computer.

Press Enter to continue.
  The name of the CommServe client is case sensitive. Ensure that you specify the name with the correct letter case.

Please specify client name of the CommServe below.

CommServe Client Name:

3. Enter the fully qualified name or the IP address of the CommServe in the CommServe Host Name. This must be the TCP/IP network name, for example computer.company.com.

Press Enter to continue.

  • Ensure that the CommServe is accessible before typing the name; otherwise the installation will fail.
  • If you enter a short name which resolves to the same IP address as the fully qualified CommServe name, you will be asked if you would prefer to use the fully qualified name.


Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine. If there is a port-forwarding Gateway in front of the CommServe, enter hostname or IP address of the Gateway here.

CommServe Host Name:

4. Type the incoming port number through which the CommServe computer receives tunnel connection.

Press Enter to continue.

Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.

CommServe HTTP/HTTPS tunnel port number: 8500

5.
  • If this computer is separated from the CommServe by a HTTP Proxy, type Yes and enter the following information:

    HTTP Proxy hostname or IP address: Type the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Type the port number of the HTTP Proxy through which the CommServe can be reached.

    Press Enter to continue.

  • If this computer is not separated from the CommServe by a HTTP Proxy, type No and press Enter to continue.


If there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache), please provide HTTP Proxy configuration below.

Is there an HTTP proxy between this client and the CommServe? [no]

6. If the CommCell is in the Lockdown mode, enter Yes and provide the path to the folder in which the CommCell HTTPS certificates are available.
  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and the steps to export the CommCell certificate.

Press Enter to continue installation.

If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate below.

This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.

Have you enabled "Lockdown CommCell"? [no]
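Before answering these prompts it is worth checking the values you are about to type, because a wrong host name or a blocked tunnel port makes the installation fail (step 3 above). The following POSIX shell script is an added example, not part of the Commvault installer or its documentation. It checks that the CommServe host name is fully qualified, whether the short name resolves to the same addresses as the fully qualified name (the case in step 3 where the installer offers the FQDN instead), that the tunnel port is a valid port number and accepts a TCP connection, and that the Lockdown certificate directory from step 6 exists and is not empty. It also covers the reverse-tunnel procedure that follows by checking that the local tunnel port is not already in use. The host names, ports and paths in the usage line are constructed sample values; the script assumes getent, timeout and bash are available on the client.

```shell
#!/bin/sh
# Pre-flight checks for the firewall answers the Unix installer asks for.
# Added example; not Commvault's own tooling. Assumes getent, timeout and
# bash are installed. Host names, ports and paths used below are constructed.

# A fully qualified host name: two or more labels of letters, digits and
# hyphens separated by dots. A dotted IPv4 address also passes, which is
# fine because the installer accepts an IP address in the same prompt.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Resolve a name through the system resolver to a sorted, space-separated
# address list (empty string when the name does not resolve).
resolve_host() {
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# The installer offers the FQDN when a short name resolves to the same
# address; compare two non-empty address lists produced by resolve_host.
same_addresses() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# A tunnel port must be an integer in the TCP port range (installer default 8500).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# TCP connect test using bash's /dev/tcp pseudo-device; succeeds only when
# something listens on host:port and the path through the firewall is open.
tunnel_port_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Reverse-tunnel procedure: the local tunnel port (installer default 8550)
# must be free before the installer is told to listen on it.
local_port_free() {
    ! tunnel_port_reachable 127.0.0.1 "$1"
}

# Lockdown mode: the certificate directory must exist and contain a file.
lockdown_cert_dir_ok() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Run every check for the client-opens-tunnel configuration.
# Prints one line per check; returns 0 when all pass, 1 otherwise.
preflight() {
    cs_host=$1 cs_port=$2 cert_dir=$3
    rc=0
    if is_fqdn "$cs_host"; then
        echo "ok   host name is fully qualified: $cs_host"
    else
        echo "FAIL host name is not fully qualified: $cs_host"; rc=1
    fi
    short=${cs_host%%.*}
    if same_addresses "$(resolve_host "$short")" "$(resolve_host "$cs_host")"; then
        echo "info short name $short resolves like the FQDN; the installer will offer the FQDN"
    fi
    if valid_port "$cs_port"; then
        echo "ok   tunnel port is in range: $cs_port"
    else
        echo "FAIL tunnel port is not a valid TCP port: $cs_port"; rc=1
    fi
    if tunnel_port_reachable "$cs_host" "$cs_port"; then
        echo "ok   TCP connect to $cs_host:$cs_port succeeded"
    else
        echo "FAIL cannot connect to $cs_host:$cs_port (firewall, gateway or wrong port)"; rc=1
    fi
    if [ -n "$cert_dir" ]; then
        if lockdown_cert_dir_ok "$cert_dir"; then
            echo "ok   Lockdown certificate directory present: $cert_dir"
        else
            echo "FAIL Lockdown certificate directory missing or empty: $cert_dir"; rc=1
        fi
    fi
    return $rc
}

# Usage with constructed sample values (uncomment to run):
#   preflight commserve01.example.com 8500 /opt/commcell-certs
#   local_port_free 8550 && echo "local tunnel port 8550 is free"
```

Run `preflight` with the answers you plan to give the installer; any FAIL line should be resolved on the firewall, gateway or DNS side before starting the installation rather than after it aborts.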

CommServe can reach the Client/MediaAgent

Before configuring firewall options, ensure that the connection to the CommServe is set up as described in the CommServe Connects to the Client (One-Way Firewall) procedure.

Use the following procedure when the CommServe can reach the Client/MediaAgent.

1. Type 2 to select CommServe can open connections toward us and press Enter to continue.

Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.

1) This machine can open connection to CommServe on a tunnel port

2) CommServe can open connections toward us

3) CommServe is reachable only through a proxy

Your choice: [1]

2. Enter the name of the CommServe computer.

Press Enter to continue.
  The name of the CommServe client is case sensitive. Ensure that you specify the name with the correct letter case.

Please specify client name of the CommServe below.

CommServe Client Name:

3. Specify a local port number through which the Client/MediaAgent will receive communication from the CommServe.

Press Enter to continue.

Since we cannot contact CommServe directly, we will need to configure a reverse tunnel connection from the CommServe to us. Please enter a local port number to listen on below, then go to CommServe and create a persistent tunnel toward this client in the [outgoing] section of  FwConfigLocal.txt. When finished, return to this configuration screen, and hit Enter to continue.

Local HTTP/HTTPS tunnel port number: 8550

4. If the CommCell is in the Lockdown mode, enter Yes and provide the path to the folder in which the CommCell HTTPS certificates are available.
  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and the steps to export the CommCell certificate.

Press Enter to continue installation.

If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate below.

This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.

Have you enabled "Lockdown CommCell"? [no]

Client/MediaAgent and CommServe can reach each other

Before configuring firewall options, ensure that the connection to the CommServe is set up as described in the Client and CommServe Connect to each other (Two-Way Firewall) procedure.

Use the following procedure when the Client/MediaAgent and CommServe can reach each other.

1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter to continue.

Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.

1) This machine can open connection to CommServe on a tunnel port

2) CommServe can open connections toward us

3) CommServe is reachable only through a proxy

Your choice: [1]

2. Enter the name of the CommServe computer.

Press Enter to continue.
  The name of the CommServe client is case sensitive. Ensure that you specify the name with the correct letter case.

Please specify client name of the CommServe below.

CommServe Client Name:

3. Enter the fully qualified name or the IP address of the CommServe in the CommServe Host Name. This must be the TCP/IP network name, for example computer.company.com.

Press Enter to continue.

  • Ensure that the CommServe is accessible before typing the name; otherwise the installation will fail.
  • If you enter a short name which resolves to the same IP address as the fully qualified CommServe name, you will be asked if you would prefer to use the fully qualified name.


Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine. If there is a port-forwarding Gateway in front of the CommServe, enter hostname or IP address of the Gateway here.

CommServe Host Name:

4. Type the incoming port number through which the CommServe computer receives tunnel connection.

Press Enter to continue.

Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.

CommServe HTTP/HTTPS tunnel port number: 8500

5.
  • If this computer is separated from the CommServe by a HTTP Proxy, type Yes and enter the following information:

    HTTP Proxy hostname or IP address: Type the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Type the port number of the HTTP Proxy through which the CommServe can be reached.

    Press Enter to continue.

  • If this computer is not separated from the CommServe by a HTTP Proxy, type No and press Enter to continue.


If there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache), please provide HTTP Proxy configuration below.

Is there an HTTP proxy between this client and the CommServe? [no]

6. If the CommCell is in the Lockdown mode, enter Yes and provide the path to the folder in which the CommCell HTTPS certificates are available.
  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and the steps to export the CommCell certificate.

Press Enter to continue installation.

If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate below.

This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.

Have you enabled "Lockdown CommCell"? [no]

CommServe can be Reached through a Port Forwarding Gateway

Before configuring firewall options, ensure that the port-forwarding gateway is configured and that the connection to the CommServe is set up as described in the Operating Through a Port-Forwarding Gateway procedure.

Use the following procedure when the Client/MediaAgent connects to the CommServe through a port forwarding gateway.

1. Type 1 to select This machine can open connection to CommServe on tunnel port and press Enter to continue.

Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.

1) This machine can open connection to CommServe on a tunnel port

2) CommServe can open connections toward us

3) CommServe is reachable only through a proxy

Your choice: [1]

2. Enter the name of the CommServe computer.

Press Enter to continue.
  The name of the CommServe client is case sensitive. Ensure that you specify the name with the correct letter case.

Please specify client name of the CommServe below.

CommServe Client Name:

3. If the CommServe is located behind a port-forwarding gateway, provide the hostname of the port-forwarding gateway, for example gateway.gatewayservices.com.

Press Enter to continue.

  • Ensure that the CommServe is accessible before typing the name; otherwise the installation will fail.
  • If you enter a short name which resolves to the same IP address as the fully qualified CommServe name, you will be asked if you would prefer to use the fully qualified name.

Please specify hostname of the CommServe below. Make sure the hostname is fully qualified, resolvable by the name services configured on this machine. If there is a port-forwarding Gateway in front of the CommServe, enter hostname or IP address of the Gateway here.

4. Type the incoming port number on the port-forwarding gateway through which the CommServe computer can be reached.

Press Enter to continue.

Please specify the port number, on which we should open tunnel connections toward the CommServe. This is same as "Tunnel HTTP/HTTPS port" configurable in the "Incoming Ports" tab of the CommServe Firewall Properties adjusted for a possible port-mapping Gateway in front of it.

CommServe HTTP/HTTPS tunnel port number: 8500

5.
  • If this computer is separated from the CommServe by a HTTP Proxy, type Yes and enter the following information:

    HTTP Proxy hostname or IP address: Type the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Type the port number of the HTTP Proxy through which the CommServe can be reached.

    Press Enter to continue.

  • If this computer is not separated from the CommServe by a HTTP Proxy, type No and press Enter to continue.


If there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache), please provide HTTP Proxy configuration below.

Is there an HTTP proxy between this client and the CommServe? [no]

6. If the CommCell is in the Lockdown mode, enter Yes and provide the path to the folder in which the CommCell HTTPS certificates are available.

Press Enter to continue installation.

If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate below.

This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.

Have you enabled "Lockdown CommCell"? [no]

CommServe can be Reached through a Proxy

Before configuring firewall options, ensure that the Calypso proxy is set up as described in the Operating Through a DMZ Using Calypso Proxy procedure.

Use the following procedure when the client/MediaAgent connects to the CommServe through a proxy.

1. Type 3 to select CommServe is reachable only through a proxy and press Enter to continue.

Please specify now how your firewall is limiting network traffic. Whether it's possible to open connection from here to a CommServe's tunnel port, whether all connections toward CommServe are blocked, and we should instead expect CommServe to connect back to us, or whether there is a proxy in between.

1) This machine can open connection to CommServe on a tunnel port

2) CommServe can open connections toward us

3) CommServe is reachable only through a proxy

Your choice: [1]

2. Enter the name of the CommServe computer.

Press Enter to continue.
  The name of the CommServe client is case sensitive. Ensure that you specify the name with the correct letter case.

Please specify client name of the CommServe below.

CommServe Client Name:

3. Provide the following information:
  • In the Proxy HTTP/HTTPS tunnel port number field, enter the tunnel port on which the proxy is expecting connections to the CommServe. If the proxy is behind a port-forwarding gateway, provide the port number of the port-forwarding gateway used to reach the CommServe.
  • In the Proxy hostname or IP address field, specify the hostname of the proxy through which the CommServe can be reached. If the proxy is behind a port-forwarding gateway, provide the host name or the IP address of the port-forwarding gateway.
  • In the Proxy short name field, specify the short name of the Calypso proxy.
      The name of the proxy client is case sensitive. Ensure that you specify the name with the correct letter case.

Press Enter to continue.

Please specify the name of IP address of the proxy that should be used to reach the CommServe along with the port number, on which the proxy is expecting connections.

Proxy hostname or IP address:

Proxy host name:

Proxy HTTP/HTTPS tunnel port number:

4.
  • If this computer is separated from the CommServe by a HTTP Proxy, type Yes and enter the following information:

    HTTP Proxy hostname or IP address: Type the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Type the port number of the HTTP Proxy through which the CommServe can be reached.

    Press Enter to continue installation.

  • If this computer is not separated from the CommServe by a HTTP Proxy, type No and press Enter to continue.

Press Enter to continue.

If there is an HTTP proxy between this client and the CommServe (e.g. Squid or Apache), please provide HTTP proxy configuration below.

Is there an HTTP proxy between this client and the CommServe? [no]

5. If the CommCell is in the Lockdown mode, enter Yes and provide the path to the folder in which the CommCell HTTPS certificates are available.
  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and the steps to export the CommCell certificate.

Press Enter to continue installation.

If you have checked "Lockdown CommCell" in firewall properties of the CommServe or Proxy, you need to provide path to the directory with CommCell HTTPS certificate below.

This certificate can be obtained by right-clicking CommServe name in the Java GUI, and selecting All Tasks -> Export Firewall Certificate popup menu item.

Have you enabled "Lockdown CommCell"? [no]