Firewall

When CommCell components are separated by a firewall, the components must be configured with the connection route to reach each other across the firewall. Once configured, the components seamlessly communicate across the firewall for all data management operations such as backup, browse, restore, etc.

CommCell components can be configured to operate across the following:

Port-forwarding gateways
HTTP proxies
DMZ
NAT configurations
Combinations of the above firewall scenarios.

In addition, you can also create your own Calypso proxy by designating a CommCell component as the proxy and defining the connections rules on the component. Components can communicate using HTTP or HTTPS protocol.

The following sections explain in detail the configuration required to install and operate CommCell components across different types of firewalls.

Key Features

The software offers the following key features in communication across firewall:

Centralized configuration from the CommCell Console. Firewall settings can be configured at the individual client or client group levels.
Lesser port requirements. Having port number 8400 is no longer a requirement to operate across firewalls. Backup and restore operations can be performed through a single open port. However, it is recommended that you open additional ports to enable faster data traffic.
Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address with necessary port forwarding configured on the gateway. Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports on the port-forwarding gateway.
Support for Calypso proxy configurations. For maximum security, the software now supports a special proxy configuration where you can place a Calypso agent in a DMZ, and configure the firewall to allow connections from inside and outside networks into the DMZ only.
HTTPS encryption in the tunnels. The software now uses HTTPS encapsulation in all tunnel connections. This provides SSL/TLS encryption protecting all data in transit and allows for better compatibility with traffic filtering firewalls.
Tunnel authentication using CommCell-specific certificate. Due to the use of HTTPS, all tunnel connections are not only encrypted, but also authenticated. For high levels of security, CommCells can be locked down to use CommCell-specific certificates for SSL/TSL authentication which is unique for every CommCell deployment.

Operating Using Direct Connections

Direct connection with port restrictions is a setup where at least one of any two communicating computers can establish a one-to-one connection towards the other on specific ports. The connection could also be routed if the routing does not include a proxy or an intermediate port-forwarding gateway. This configuration was supported as One-Way Firewall and Two-Way Firewall in previous releases.

Client Connects to the CommServe (One-Way Firewall)

Consider the diagram that illustrates a direct connection setup where the client opens tunnel connection towards the CommServe and the MediaAgent.

The following sections explain the configuration required on the CommServe, MediaAgent, and the client to operate in this scenario.

Review the following considerations before you begin.

Make a note of the port configurations on your firewall and substitute them appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a computer, then you will not be able to use port 443 for firewall configuration on that computer.

SETUP CONNECTION TO THE COMMSERVE

Before installing the client, you will have to provide an incoming port number on which the CommServe will receive tunnel connections from the client. The following steps explain the configurations required for this purpose.

1.	From the CommCell Console, right-click the CommServe computer and click Properties.
2.	Click the Firewall Configuration tab.
3.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and specify the port number on which the incoming tunnel connection is received. Click OK.
4.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
5.	Click Continue. The specified configuration is saved. Verify if your firewall configuration was pushed successfully in the Event Viewer window.

Install the Client

In this configuration the client establishes connection with the CommServe using one or more ports. To install the client across a firewall in this setup, you will have to specify the path to reach the CommServe computer. During installation of the client, use one of the following firewall configuration sequence.

Client/MediaAgent can reach the CommServe (Windows clients)
Client/MediaAgent can reach the CommServe (Unix clients)

Configure the CommServe, MediaAgent and Client

Use the following steps to establish incoming and outgoing connectivity details between the CommServe, MediaAgent, and the client computer.

1.	To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2.	Click the Firewall Configuration tab.
3.	From the Incoming Connections tab, click Add.
4.	In the From field, select the name of the client you just installed. In the State field, specify the status of the connection from the client. Since in this case the client can reach the CommServe, assuming that the firewall is restricting connections to a specific port, select Restricted. Note that if the firewall allowed any connection from the client to the CommServe, then this entry is not required. Click OK.
5.	Click the Incoming Ports tab. You will see the tunnel port already specified on the CommServe. Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams. For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance. For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK.
6.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration. This updates the firewall configuration on the CommServe and client computer.
7.	Click Continue. The CommServe is configured to receive communication from the client. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
8.	To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
9.	Click the Firewall Configuration tab.
10.	From the Incoming Connections tab, click Add.
11.	In the From field, select the name of the client you just installed. In the State field, specify the status of the connection from the client. Since in this case the client can reach the MediaAgent, assuming that the firewall is restricting connections to a specific port, select Restricted. Note that if the firewall allowed any connection from the client to the MediaAgent, then this entry is not required. Click OK.
12.	Click the Incoming Ports tab. Select the Listen for tunnel connections on port option and specify the tunnel port through which connections from the client are received on the MediaAgent computer. Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams. For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance. For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK. The MediaAgent is now configured to receive communication from the client.
13.	To configure the Client, right-click the client computer from the CommCell Console and click Properties.
14.	Click the Firewall Configuration tab.
15.	From the Incoming Connections tab, click Add.
16.	In the From field, specify the name of the CommServe computer. In the State field, select Blocked, since the CommServe cannot open connections to the Client. Click OK.
17.	Click Add again to specify the MediaAgent connection details. In the From field, specify the name of the MediaAgent computer. In the State field, select Blocked, since the MediaAgent cannot open connections to the Client. Click OK.
18.	Click the Outgoing Routes tab. Click Add. Outgoing routes are automatically created in the direct connectivity setup � manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following. Enable HTTPS encryption for the tunnel or data traffic. Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option. Direct connections always work faster. Forcing data connections into the tunnel might degrade performance of data protection operations. If you wish to encrypt your backup data, you must rather configure encryption at the client level which offers more control and stores the data in encrypted form on the backup media as well.
19.	Select the CommServe name in Remote Group/Client. Select Direct. Select HTTPS protocol. This will enable authentication and encryption for tunnel connections. Force all data (along with control) traffic into the tunnel option is not required as this route is not toward MediaAgent. Click OK.
20.	From the CommCell Console, right-click the client computer and click All Tasks \| Push Firewall Configuration. This updates the firewall configuration files on the client computer.
21.	Click Continue. The client is configured to communicate with the CommServe and MediaAgent. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
22.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between CommServe, MediaAgent, and the client is now established.

CommServe Connects to the Client (One-Way Firewall)

Consider the diagram that illustrates a direct connection setup where the CommServe opens tunnel connection towards the client.

The following sections explain the configuration required on the CommServe, MediaAgent, and the client to operate in this scenario.

Review the following considerations before you begin.

Make a note of the port configurations on your firewall and substitute them appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a computer, then you will not be able to use port 443 for firewall configuration on that computer.

SETUP CONNECTION TO THE COMMSERVE

In this configuration, CommServe establishes tunnel connection with the client. Since the client is not yet available in the CommCell, follow the steps below to create a placeholder client and configure the firewall settings before installing the client.

1.	From the CommCell Console, right-click on the client computer node, and click New Client.
2.	Select Windows or Unix as applicable.
3.	Provide the Client Name and the Host Name of the client computer to be installed. The Client Name must be the same client name that you will provide during the client installation � the name by which the client will be identified in the CommCell Browser after installation. Ensure to provide the correct client name as the firewall program uses it to establish communication. The Host Name must be either the fully qualified domain name of the client or the IP address that the CommServe should use to open tunnel connection to the client. If there is a NAT router between the client and the CommServe, provide the NAT IP address. Click OK. A placeholder client is created for firewall configuration use.
4.	From the CommCell Console, right-click the CommServe computer and click Properties.
5.	Click the Firewall Configuration tab.
6.	Click the Incoming Connections tab. Click Add.
7.	In the From field, select the name of the placeholder client you just added. In the State field, select Blocked, since the CommServe does not open tunnel connection to the client. Click OK.
8.	Click the Incoming Ports tab. As the CommServe does not receive connections from the client, not need to select Listen for tunnel connections on port.
9.	Click the Outgoing Routes tab. Click Add to specify the outgoing route toward the proxy. Outgoing routes are automatically created in the direct connectivity setup � manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following. Enable HTTPS encryption for the tunnel or data traffic. Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option. Direct connections always work faster. Forcing data connections into the tunnel might degrade performance of data protection operations. If you wish to encrypt your backup data, you must rather configure encryption at the client level which offers more control and stores the data in encrypted form on the backup media as well.
10.	Select the name of the placeholder client in Remote Group/Client. Select Direct. Select HTTP. Force all data (along with control) traffic into the tunnel option is not required as this route is not toward MediaAgent. Click OK.
11.	From the CommCell Console right-click the CommServe computer, click All Tasks, and click Push Firewall Configuration.
12.	Click Continue. The CommServe is configured to open tunnel connections with the client. Verify if your firewall configuration was pushed successfully in the Event Viewer window.

Install the Client

See Installation for step-by-step installation procedures to install the client.

During installation of the client, use one of the following firewall configuration sequence.

CommServe can reach the Client/MediaAgent (Windows clients)
CommServe can reach the Client/MediaAgent (Unix clients)

Configure the CommServe, MediaAgent and Client

Use the following steps to establish incoming and outgoing connectivity details between the CommServe, MediaAgent, and the client computer.

The configuration required for the CommServe to connect to the client was done prior to installing the client. No additional configuration is required.

1.	To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
2.	Click the Firewall Configuration tab.
3.	From the Incoming Connections tab, click Add.
4.	In the From field, select the name of the client you just installed. In the State field, select Blocked, since the MediaAgent does not open tunnel connection to the client. Note that if the firewall allowed any connection from the client to the MediaAgent, then this entry is not required. Click OK to continue.
5.	Click the Incoming Ports tab. Assuming that the MediaAgent opens tunnel connection to the client, there is no need to select Listen for tunnel connections on port. Click OK.
6.	Click the Outgoing Routes tab. Click Add to specify the outgoing route toward the proxy. Outgoing routes are automatically created in the direct connectivity setup � manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following. Enable HTTPS encryption for the tunnel or data traffic. Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option. Direct connections always work faster. Forcing data connections into the tunnel might degrade performance of data protection operations. If you wish to encrypt your backup data, you must rather configure encryption at the client level which offers more control and stores the data in encrypted form on the backup media as well.
7.	Select the client name in the Remote Group/Client field. Select Direct. Select HTTP. Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection. Click OK.
8.	From the Outgoing Routes tab, click OK. The MediaAgent is now configured to communicate with the client.
9.	To configure the Client, right-click the client computer from the CommCell Console and click Properties.
10.	Click the Firewall Configuration tab.
11.	From the Incoming Connections tab, click Add.
12.	In the From field, select the name of the CommServe computer. In the State field, select Restricted, since the CommServe will connect to the Client through a port. Click OK.
13.	Click Add again to specify the MediaAgent connection details. In the From field, select the name of the MediaAgent computer. In the State field, select Restricted, since the MediaAgent will connect to the Client through a port. Click OK.
14.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and specify the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent. Additional Open Ports: You can speed up the data transfer by opening additional ports towards the client on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For backups to MediaAgents with Optimize for concurrent LAN backups option unchecked, opening additional incoming ports improves the backup performance. The number of open ports should correspond to the number of simultaneously running backup streams. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK.
15.	From the CommCell Console, right-click the client computer and click All Tasks \| Push Firewall Configuration. This updates the firewall configuration files on the client computer.
16.	Click Continue. The client is configured to communicate with the CommServe and MediaAgent. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
17.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between CommServe, MediaAgent, and the client is now established.

Client and CommServe Connect to each other (Two-Way Firewall)

Consider the diagram that illustrates a direct connection setup where the client, CommServe and MediaAgent open tunnel connection between them.

The following sections explain the configuration required on the CommServe, MediaAgent, and the client to operate in this scenario.

Review the following considerations before you begin.

Make a note of the port configurations on your firewall and substitute them appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a computer, then you will not be able to use port 443 for firewall configuration on that computer.

SETUP CONNECTION TO THE COMMSERVE

1.	From the CommCell Console, right-click the CommServe computer and click Properties.
2.	Click the Firewall Configuration tab.
3.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and specify the port number on which the incoming tunnel connection is received. Click OK.
4.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
5.	Click Continue. The specified configuration is saved. Verify if your firewall configuration was pushed successfully in the Event Viewer window.

Install the Client

In this configuration the client and the CommServe establish connection between them using one or more ports. To install the client across a firewall in this setup, you will have to specify the path to reach the CommServe computer. During installation of the client, use one of the following firewall configuration sequence.

Client/MediaAgent and CommServe can reach each other (Windows clients)
Client/MediaAgent and CommServe can reach each other (Unix clients)

Configure the CommServe, MediaAgent and Client

Use the following steps to establish incoming and outgoing connectivity details between the CommServe, MediaAgent, and the client computer.

1.	To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2.	Click the Firewall Configuration tab.
3.	From the Incoming Connections tab, click Add.
4.	In the From field, select the name of the client you just installed. In the State field, select Restricted, since the client can reach the CommServe. Click OK.
5.	Click the Incoming Ports tab. You will see the tunnel port already specified on the CommServe. Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams. For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance. For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK.
6.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
7.	Click Continue. The CommServe is configured to receive communication from the client. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
8.	To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
9.	Click the Firewall Configuration tab.
10.	From the Incoming Connections tab, click Add.
11.	In the From field, specify the name of the client you just installed. In the State field, select Restricted, since the client can reach the MediaAgent. Click OK.
12.	Click the Incoming Ports tab. Select the Listen for tunnel connections on port option and specify the tunnel port through which connections from the client are received on the MediaAgent computer. Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams. For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance. For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK. The MediaAgent is now configured to receive communication from the client.
13.	To configure the Client, right-click the client computer from the CommCell Console and click Properties.
14.	Click the Firewall Configuration tab.
15.	From the Incoming Connections tab, click Add.
16.	In the From field, specify the name of the CommServe computer. In the State field, select Restricted, since the Client can connect to the CommServe. Click OK.
17.	Click Add again to specify the MediaAgent connection details. In the From field, specify the name of the MediaAgent computer. In the State field, select Restricted, since the Client can connect to the MediaAgent. Click OK.
18.	Click the Incoming Ports tab. Select the Listen for tunnel connections on port option and specify the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent. The client will listen for incoming tunnel connections on this port. Additional Open Ports: You can speed up the data transfer by opening additional ports towards the client on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations. For backups to MediaAgents with Optimize for concurrent LAN backups option unchecked, opening additional incoming ports improves the backup performance. The number of open ports should correspond to the number of simultaneously running backup streams. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK.
19.	Click the Outgoing Routes tab. Click Add. Outgoing routes are automatically created in the direct connectivity setup � manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following. Enable HTTPS encryption for the tunnel or data traffic. Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option. Direct connections always work faster. Forcing data connections into the tunnel might degrade performance of data protection operations. If you wish to encrypt your backup data, you must rather configure encryption at the client level which offers more control and stores the data in encrypted form on the backup media as well.
20.	Select the CommServe name in Remote Group/Client. Select Direct. Select HTTPS protocol. This will enable authentication and encryption for tunnel connections. Force all data (along with control) traffic into the tunnel option is not required as this route is not toward MediaAgent. Click OK.
21.	From the CommCell Console, right-click the client computer and click All Tasks \| Push Firewall Configuration. This updates the firewall configuration files on the client computer.
22.	Click Continue. The client is configured to communicate with the CommServe and MediaAgent. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
23.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between CommServe, MediaAgent, and the client is now established.

Operating Through a Port-Forwarding Gateway

There are cases where direct connectivity setups do not work. Imagine a situation where the CommServe and MediaAgent are located inside a company�s internal network, and the entire network is exposed to the outside world through a single IP address. Typically this IP address belongs to a firewall/gateway that works as a NAT device for connections from the internal network to the outside.

In scenarios like this, you can establish a port-forwarding at the gateway to forward incoming connections on specific ports to certain machines on the internal network (on specific ports). You can then configure the client to open a direct connection to the port-forwarder�s IP on a specific port to reach a particular internal server. This creates a custom route from client towards the internally running server(s).

Consider the diagram on the right that illustrates the setup. The following sections explain how to configure the software to operate in this setup.

Review the following considerations before you begin.

Make a note of the port configurations in your setup and substitute them in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a computer, then you will not be able to use port 443 for firewall configuration on that computer.
Any additional destination port specified in the outgoing connection routes of the client must also be defined in the incoming port list of the remote client (CommServe or MediaAgent).

Configure the Port-Forwarding Gateway

A port-forwarding gateway sends incoming connections to specific machines on the internal network based on the incoming connection�s destination port number. With reference to our illustration above, the following port-forwarding must be configured on the gateway.

Connections to gateway.company.com on port 443 must be forwarded to the internally running commserve.company.com on port 440.
Connections to gateway.company.com on port 444 must be forwarded to the internally running mediaagent.company.com on port 440.

Note that there is no restriction on the internal port numbers. They need not be the same as shown in the illustration. Also, for machines in the internal network, neither the IP addresses nor the names have to be reachable or resolvable from outside.

SETUP CONNECTION TO THE COMMSERVE

This procedure assumes that the CommServe is installed and available behind the gateway. The following steps explain the configurations required to connect to the CommServe before installing the client.

1.	From the CommCell Console, right-click the CommServe computer and click Properties.
2.	Click the Firewall Configuration tab.
3.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to commserve.company.com:440 when the gateway receives them from outside on port 443. Click OK.
4.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
5.	Click Continue. The specified configuration is saved. Verify if your firewall configuration was pushed successfully in the Event Viewer window.

Install the Client

See Installation for step-by-step installation procedures to install the client.

During installation, provide the gateway information through which the CommServe computer can be reached. The install program communicates to the CommServe using this information. Use one of the following firewall configuration sequence.

CommServe can be Reached through a Port Forwarding Gateway (Windows clients)
CommServe can be Reached through a Port Forwarding Gateway (Unix clients)

Configure the CommServe, MediaAgent and Client

The previous configurations provided a path to reach the CommServe for installation purposes. To enable data protection operations between the two computers, you will have to establish the communication path between them. Perform the following steps to establish the communication route.

1.	To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2.	Click the Firewall Configuration tab.
3.	Click the Incoming Connections tab. Click Add.
4.	In the From field, specify the name of the client outside the gateway you just installed. In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted. Click OK.
5.	Click the Incoming Ports tab. You will see the tunnel port already specified on the CommServe with port number 440. Click OK.
6.	From the CommCell Console right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
7.	Click Continue. The CommServe is configured to receive communication from the client. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
8.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.
9.	To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
10.	Click the Firewall Configuration tab.
11.	From the Incoming Connections tab, click Add.
12.	In the From field, specify the name of the client outside the gateway you just installed. In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted. Click OK.
13.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to mediaagent.company.com:440 when the gateway receives them from outside on port 444. Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can open and port-forward additional ports on the gateway to speed up the data transport. Note that the additional ports may be be the same on the MediaAgent and on the gateway since the gateway has the ability to of translating externally visible port numbers to the actual port numbers on the MediaAgent. In this screen you need to configure the range of ports used for listening to additional incoming connections from the clients. The mapping on how these ports are exported by the gateway must be defined in the outgoing route from the client towards the MediaAgent. (See Step 21) Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Review the following recommendations: For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams. For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance. For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance. For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance. Click OK. The MediaAgent is now configured to receive communication from the client.
14.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.
15.	To configure the Client, right-click the client computer from the CommCell Console and click Properties.
16.	Click the Firewall Configuration tab.
17.	From the Incoming Connections tab, click Add.
18.	In the From field, specify the name of the CommServe computer behind the gateway. In the State field, specify the status of the connection from the CommServe. Since CommServe does not open connections towards the client, select Blocked. Click OK.
19.	Click Add again to specify the MediaAgent connection details. In the From field, specify the name of the MediaAgent computer behind the gateway. In the State field, specify the status of the connection from the CommServe. Since MediaAgent does not open connections towards the client, select Blocked. Click OK.
20.	Click the Incoming Ports tab. As the client does not receive incoming connections from the CommServe or MediaAgent, there is no need to select Listen for tunnel connections on port. Click OK.
21.	Click the Outgoing Routes tab. Click Add to specify the outgoing connection route from this client towards the CommServe.
22.	Select the CommServe name in Remote Group/Client. Select Via Gateway. Force all data (along with control) traffic into the tunnel option is not required as this route is not toward MediaAgent. Enter the Gateway Hostname through which you can reach the CommServe. Referring to our diagram, it is gateway.company.com. Enter the Gateway Tunnel Port through which the CommServe can be reached. Referring to the diagram above, this is port number 443. Additional destination port mapping: If you want to configure additional destination ports, make sure that these ports are also defined on the CommServe, then you can establish mappings between those ports on the CommServe and the ports on the gateway which the client will connect to. To add destination port mapping, specify the incoming gateway port in GW Port and the mapping destination port in Destination Port. Click Add to add the port mapping. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Click OK.
23.	Click Add again to specify the outgoing connection route from this client towards the MediaAgent. Select the MediaAgent in Remote Group/Client. Select Via Gateway. Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection. Enter the Gateway Hostname through which you can reach the CommServe. Referring to our diagram, it is gateway.company.com. Enter the Gateway Tunnel Port through which the MediaAgent can be reached. Referring to the diagram above, this is port number 444. Additional destination port mapping: If you want to configure additional destination ports, make sure that these ports are also defined on the MediaAgent (see Step 13), then you can establish mappings between those ports on the MediaAgent and the ports on the gateway which the client will connect to. To add destination port mapping, specify the incoming gateway port in GW Port and the mapping destination port in Destination Port. Click Add to add the port mapping. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications. Click OK.
24.	From the CommCell Console, right-click the client computer and click All Tasks \| Push Firewall Configuration.
25.	Click Continue. The client is configured to communicate with the CommServe and MediaAgent computers behind the gateway. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
26.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between CommServe, MediaAgent, and the client is now established.

Security Considerations

Since both MediaAgent and CommServe computers are in a way exposed to the outside world through port-forwarded connections, you might want to enable encryption and authentication for the tunnel connections. This can be done in one of the following ways.

Select HTTPS for the Tunnel Connection Protocol in the Outgoing Routes tab on all outgoing routes.
Select Allow only HTTPS for the Incoming Tunnel Protocol in the Options tab of the CommServe and MediaAgent. Once HTTPS has been enabled, the client and CommServe/MediaAgent will authenticate each other and set up tunnel encryption in accordance with the HTTPS standard.

Operating Through a DMZ Using Calypso Proxy

Calypso proxy is a special proxy configuration where a dedicated iDataAgent is placed in a Demilitarized Zone (DMZ) and the firewall(s) is configured to allow connections (from inside and outside networks) into the DMZ. The proxy, which is the agent running in the DMZ, authenticates, encrypts, and proxies accepted tunnel connections to connect the clients operating outside to clients operating inside. In effect, the Calypso proxy acts like a Private Branch Exchange (PBX) that sets up secure conferences between dial-in client calls. With this setup, firewalls can be configured to disallow straight connections between inside and outside networks.

The diagram on right illustrates this setup where a client from outside communicates to the CommServe and MediaAgent operating in an internal network through the Calypso proxy.

The following sections describe the configuration required to operate the software in this setup.

Review the following considerations before you begin.

The instructions given below are tailored to the component names and port numbers presented in the illustration. Make a note of the details in your setup and substitute them appropriately.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a computer, then you will not be able to use port 443 for firewall configuration on that computer.

Set up the Calypso Proxy

The following sections explain the steps involved in creating the Calypso proxy.

Preconfigure the Calypso Proxy

Follow the steps below to create and configure a placeholder for the Calypso proxy on your CommServe computer before installing it.

1.	From the CommCell Console, right-click on the client computer node, and click New Client.
2.	Select Windows or Unix as applicable.
3.	Provide the Client Name and the Host Name you will use during your Calypso proxy installation. Click OK.
4.	From the CommCell Console, right-click the client you just created, and click Properties.
5.	Click the Firewall Configuration tab. Click Add.
6.	In the From field, select the CommServe name. In the State field, select Restricted. Click OK. If you have a MediaAgent, repeat this step providing the MediaAgent computer name.
7.	Click the Incoming Ports tab. Select Listen for tunnel connections on port and enter port number on which the Calypso proxy will listen from the CommServe. Write down the port number used as it will be needed during the Calypso proxy installation.
8.	Click the Options tab. Select This computer is in DMZ and will work as a proxy. Click OK.
9.	From the CommCell Console, right-click the CommServe computer and click Properties.
10.	Click the Firewall Configuration tab. From the Incoming Connections tab, click Add.
11.	In the From field, select the Calypso proxy computer. In the State field, select Blocked. Click OK.
12.	Click the Outgoing Routes tab. Click Add.
13.	Select the Calypso proxy in Remote Group/Client. Select Direct. Click OK.
14.	Click OK.
15.	From the CommCell Console right-click the CommServe computer, click All Tasks, and click Push Firewall Configuration.
16.	Click Continue.
17.	Click OK. You are now ready to install the Calypso proxy. Verify if your firewall configuration was pushed successfully in the Event Viewer window.

Install the Calypso Proxy

Install a CommCell client (e.g., File System iDataAgent) in the DMZ. This will operate as the Calypso proxy. Since DMZ always receives connections from outside, the Calypso proxy in DMZ must communicate to the CommServe through tunnel connections initiated by the CommServe.

If firewall is enabled on the computer where the Calypso proxy will be installed, ensure there are open connections for the CommServe and client computers.

During the installation, use one of the following firewall configuration sequences:

CommServe can reach the Client/MediaAgent (Windows clients)
CommServe can reach the Client/MediaAgent (Unix clients)

After the installation is completed, open the CommCell Console, right-click the Calypso proxy computer and click All Tasks | Push Firewall Configuration.

Install the Client

To install the client across the Calypso proxy, you will have to specify the path to reach the CommServe computer. The install program communicates to the CommServe using this information.

See Installation for step-by-step installation procedures to install the client. During installation, use one of the following firewall configuration sequences:

CommServe can be Reached through a Proxy (Windows clients)
CommServe can be Reached through a Proxy (Unix clients)

Configure the CommServe, MediaAgent and Client

The following steps explain the actions required to configure routes between CommServe, MediaAgent and the new client through the Calypso proxy.

1.	To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2.	Click the Firewall Configuration tab. Click the Outgoing Routes tab. Click Add to specify the outgoing connection route from the CommServe to the Client through the Calypso proxy.
3.	Select the client computer in Remote Group/Client. Select Via Proxy. Select the Calypso proxy in Remote Proxy. Click OK.
4.	Click OK. The Outgoing Routes tab should display two routes � the route from CommServe to the proxy and the route from CommServe to the client through the proxy. Note that when two computers are communicating with each other through a proxy, two routes need to be configured in each computer�s Firewall preferences: one route to describe the connectivity of the computer with the proxy, and another route to describe the connectivity of the computer with the remote computer via proxy.
5.	From the CommCell Console, right-click the CommServe computer and click All Tasks \| Push Firewall Configuration.
6.	Click Continue.
7.	Click OK. The CommServe is configured to receive communication from the client through the Calypso proxy. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
8.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.
9.	To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
10.	Click the Firewall Configuration tab. From the Incoming Connections tab, click Add.
11.	In the From field, select the Calypso proxy computer. In the State field, select Blocked. Click OK.
12.	Click the Outgoing Routes tab. Click Add to specify the outgoing connection route from the MediaAgent to the Client through the Calypso proxy.
13.	Select the client computer in Remote Group/Client. Select Via Proxy. Select the Calypso proxy in Remote Proxy. Click OK.
14.	Click Add again to specify the route from MediaAgent to the Calypso proxy. Select the name of the CommServe in Remote Group/Client. Select Force all data (along with the control) traffic into the tunnel. Click OK.
15.	Click OK. The Outgoing Routes tab must display two routes: the route from MediaAgent to the proxy and the route from MediaAgent to the client through the proxy. The MediaAgent is configured to receive communication from the client through the Calypso proxy.
16.	From the CommCell Console, right-click the MediaAgent computer and click All Tasks \| Push Firewall Configuration.
17.	Click Continue.
18.	Click OK. The MediaAgent is configured to receive communication from the client through the Calypso proxy. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
19.	From the CommCell Console, right-click the MediaAgent computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the MediaAgent computer is not ready, verify your settings with the above recommendations and revise the settings if required.
20.	To configure the Client, right-click the client computer from the CommCell Console and click Properties.
21.	Click the Firewall Configuration tab. From the Incoming Connections tab, click Add.
22.	In the From field, select the Calypso proxy computer. In the State field, select Blocked. Since there are no incoming connections from the proxy to the client, the connection status is Blocked. Click OK.
23.	Click the Outgoing Routes tab. Click Add to specify the route for outgoing connection from the client to the Calypso proxy.
24.	Select the Calypso proxy in Remote Group/Client. Select Direct for Route Type. In case there is a port-forwarding gateway between the client and the Proxy, you will have to select Via Gateway and configure Gateway Settings. Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection. Click OK.
25.	Click Add again to specify the route for outgoing connection from the client to the CommServe through the Calypso proxy. Select the name of the CommServe in Remote Group/Client. Select Via Proxy. Select the Calypso proxy in Remote Proxy. Click OK.
26.	Click Add again to specify the route for outgoing connection from the client to the MediaAgent through the Calypso proxy. Select the name of the MediaAgent in Remote Group/Client. Select Via Proxy. Select the Calypso proxy in Remote Proxy. Click OK.
27.	Click OK. The Outgoing Routes tab should display three routes: the routes from the client to the proxy, client to to the MediaAgent, and client to the CommServe. Please note that the image to the right assumes the route between the client and the proxy was configured using a Direct route. If you used a port-forwarding gateway, you will see Via Gateway as the route setting.
28.	From the CommCell Console, right-click the client computer and click All Tasks \| Push Firewall Configuration.
29.	Click Continue.
30.	Click OK. The specified configurations are saved. Verify if your firewall configuration was pushed successfully in the Event Viewer window.
31.	From the CommCell Console, right-click the client computer and click All Tasks \| Check Readiness. The results are displayed in Client Connectivity dialog box. If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between the CommServe, MediaAgent, and the client through the Calypso proxy is established.

Operating using Public WiFi Connections

Consider the scenario where you are in a public location like a coffee shop, airport, hotel, or other such remote locations where internet access is using public WiFi through a HTTP proxy. If you are a roaming user who travels frequently, you might operate the software in this scenario. The following sections describe the configuration required to operate the software through HTTP proxy.

Install the Client

We assume that your computer contains client components only. In most cases, the client software is already installed and ready for backup and recovery operations. You can however, install the software from behind a HTTP proxy. The following sections present the possible firewall scenarios that might protect the CommServe and the installer sequence to reach the CommServe in each scenario. Select the scenario that matches your deployment setup and follow the steps in sequence.

Configure the Client to Operate across HTTP Proxy

To configure the client to operate across HTTP Proxy:

Locate the firewall configuration file FWConfigLocal.txt under <software_installation>/Base folder. This file contains the firewall configuration options provided during installation. Do not modify the FWConfig.txt file.

This file might not be available if the client software was installed within the internal network with no firewall separating the computer and the CommServe. In such case, contact your system administrator for details to create this file.

Locate the [http-proxy] section at the end of the file and remove the comment tag (#) from the section and its body. The section and its contents will appear as follows.
# [http-proxy]
# host= <host name of the proxy server>
# port= <HTTP proxy port number>

Provide the correct values for the host name and port number of the HTTP server. The software does not support HTTP proxies that require authentication.

If you are a roaming user frequently operating using public WiFi, you will have entries from your previous access. In such case, update the entries with the host and port information applicable to the current setup.

The following are sample entries for an outgoing route through HTTP Proxy.

Configuring Windows Firewall to Allow CommCell Communication

Windows Firewall, the built-in firewall included in Windows Operating Systems, can be configured to allow CommCell communication by adding CommCell programs and services to the Windows Firewall Exception list. Once the CommCell programs are added to the Exception list, the Windows Firewall will allow external network connections to the CommCell Console.

During installation of Windows components, the installer provides an option to add CommCell programs and services to Windows Firewall List. You can use this option to configure Windows Firewall during installation.

After installation, you can later configure Windows Firewall using AddFWExclusions.bat program. The AddFWExclusions.bat program should be run through the command prompt to prevent adding system32 executables to the firewall exception list as the default system environment variable may be triggered.

To add CommCell programs and services to Windows Firewall Exception List:

Open the command prompt.
Navigate to the <Software_Installation_Path>/Base folder.
Run the AddFWExclusions.bat file to execute the commands.
All applicable CommCell communication programs and services are added to Windows Firewall Exception List. Note that this must be done on all CommCell Computers.

If the firewall configuration is reset on a computer for any reason (this can happen, for example, when the computer is moved from a workgroup to a domain), then the firewall exclusions must be added again.