When CommCell components are separated by a firewall, the components must be
configured with the connection route to reach each other across the firewall. Once
configured, the components seamlessly communicate across the firewall for all data
management operations such as backup, browse, restore, etc.
CommCell components can be configured to operate across the following:
Port-forwarding gateways
HTTP proxies
DMZ
NAT configurations
Combinations of the above firewall scenarios.
In addition, you can create your own Calypso proxy by designating a CommCell component as the proxy and defining the connection rules on that component. Components can communicate using the HTTP or HTTPS protocol.
The following sections explain in detail the configuration required to install and operate CommCell
components across different types of firewalls.
Key Features
The software offers the following key features for communication across firewalls:
Centralized configuration from the CommCell Console. Firewall settings can be configured at the individual client or client group level.
Fewer port requirements. Port 8400 is no longer required in order to operate across firewalls. Backup and restore operations can be performed through a single open port. However, it is recommended that you open additional ports to enable faster data traffic.
Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address, with the necessary port forwarding configured on the gateway. Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports on the port-forwarding gateway.
Support for Calypso proxy configurations. For maximum security, the software now supports a special proxy configuration where you can place a Calypso agent in a DMZ and configure the firewall to allow connections from the inside and outside networks into the DMZ only.
HTTPS encryption in the tunnels. The software now uses HTTPS encapsulation in all tunnel connections. This provides SSL/TLS encryption protecting all data in transit and allows for better compatibility with traffic-filtering firewalls.
Tunnel authentication using a CommCell-specific certificate. Due to the use of HTTPS, all tunnel connections are not only encrypted but also authenticated. For high levels of security, CommCells can be locked down to use CommCell-specific certificates for SSL/TLS authentication, which are unique to every CommCell deployment.
Operating Using Direct Connections
Direct connection with port restrictions is a setup where at least one of any two communicating computers can
establish a one-to-one connection towards the other on specific ports. The connection could also be routed if the routing
does not include a proxy or an intermediate port-forwarding gateway. This
configuration was supported as One-Way Firewall and Two-Way Firewall in previous
releases.
Client Connects to the CommServe (One-Way Firewall)
Consider the diagram that illustrates a direct connection setup where the client opens a tunnel connection towards the CommServe and the MediaAgent.
The following sections explain the configuration required on the CommServe,
MediaAgent, and the client to operate in this scenario.
Review the following considerations before you begin.
Make a note of the port configurations on your firewall and substitute them
appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a
computer, then you will not be able to use port 443 for firewall configuration
on that computer.
Before installing the client, you will have to provide an incoming port
number on which the CommServe will receive tunnel connections from the client.
The following steps explain the configurations required for this purpose.
1. From the CommCell Console, right-click the CommServe computer and click Properties.
2. Click the Firewall Configuration tab.
3. Click the Incoming Ports tab.
   Select Listen for tunnel connections on port and specify the port number on which the incoming tunnel connection is received.
   Click OK.
4. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
5. Click Continue.
   The specified configuration is saved.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
In this configuration the client establishes a connection with the CommServe using one or more ports. To install the client across a firewall in this setup, you will have to specify the path to reach the CommServe computer. During installation of the client, use one of the following firewall configuration sequences.
Use the following steps to establish incoming and outgoing connectivity
details between the CommServe, MediaAgent, and the client computer.
1. To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.
3. From the Incoming Connections tab, click Add.
4. In the From field, select the name of the client you just installed.
   In the State field, specify the status of the connection from the client. Since in this case the client can reach the CommServe, assuming that the firewall is restricting connections to a specific port, select Restricted.
   Note that if the firewall allowed any connection from the client to the CommServe, then this entry is not required.
   Click OK.
5. Click the Incoming Ports tab. You will see the tunnel port already specified on the CommServe.
   Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For MediaAgents involved in multi-stream restores, opening additional ports increases restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
   For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves backup performance.
   For MediaAgents performing SnapProtect operations with the Data Replicator snap engine, opening additional ports increases backup performance.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
6. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration. This updates the firewall configuration on the CommServe and client computer.
7. Click Continue.
   The CommServe is configured to receive communication from the client.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
8. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
9. Click the Firewall Configuration tab.
10. From the Incoming Connections tab, click Add.
11. In the From field, select the name of the client you just installed.
   In the State field, specify the status of the connection from the client. Since in this case the client can reach the MediaAgent, assuming that the firewall is restricting connections to a specific port, select Restricted.
   Note that if the firewall allowed any connection from the client to the MediaAgent, then this entry is not required.
   Click OK.
12. Click the Incoming Ports tab.
   Select the Listen for tunnel connections on port option and specify the tunnel port through which connections from the client are received on the MediaAgent computer.
   Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For MediaAgents involved in multi-stream restores, opening additional ports increases restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
   For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves backup performance.
   For MediaAgents performing SnapProtect operations with the Data Replicator snap engine, opening additional ports increases backup performance.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
   The MediaAgent is now configured to receive communication from the client.
13. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
14. Click the Firewall Configuration tab.
15. From the Incoming Connections tab, click Add.
16. In the From field, specify the name of the CommServe computer.
   In the State field, select Blocked, since the CommServe cannot open connections to the Client.
   Click OK.
17. Click Add again to specify the MediaAgent connection details.
   In the From field, specify the name of the MediaAgent computer.
   In the State field, select Blocked, since the MediaAgent cannot open connections to the Client.
   Click OK.
18. Click the Outgoing Routes tab.
   Click Add.
   Outgoing routes are automatically created in the direct connectivity setup; manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following.
   Enable HTTPS encryption for the tunnel or data traffic.
   Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option.
   Direct connections always work faster. Forcing data connections into the tunnel might degrade the performance of data protection operations.
   If you wish to encrypt your backup data, you must instead configure encryption at the client level, which offers more control and also stores the data in encrypted form on the backup media.
19. Select the CommServe name in Remote Group/Client.
   Select Direct.
   Select the HTTPS protocol. This enables authentication and encryption for tunnel connections.
   The Force all data (along with control) traffic into the tunnel option is not required, as this route is not toward the MediaAgent.
   Click OK.
20. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration. This updates the firewall configuration files on the client computer.
21. Click Continue.
   The client is configured to communicate with the CommServe and MediaAgent.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
22. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
   If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
Connectivity between the CommServe, MediaAgent, and the client is now established.
CommServe Connects to the Client (One-Way Firewall)
Consider the diagram that illustrates a direct connection setup where the CommServe opens a tunnel connection towards the client.
The following sections explain the configuration required on the CommServe,
MediaAgent, and the client to operate in this scenario.
Review the following considerations before you begin.
Make a note of the port configurations on your firewall and substitute them
appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a
computer, then you will not be able to use port 443 for firewall configuration
on that computer.
In this configuration, the CommServe establishes a tunnel connection with the client. Since the client is not yet available in the CommCell, follow the steps below to create a placeholder client and configure the firewall settings before installing the client.
1. From the CommCell Console, right-click the client computer node and click New Client.
2. Select Windows or Unix as applicable.
3. Provide the Client Name and the Host Name of the client computer to be installed.
   The Client Name must be the same client name that you will provide during the client installation, that is, the name by which the client will be identified in the CommCell Browser after installation. Ensure that you provide the correct client name, as the firewall program uses it to establish communication.
   The Host Name must be either the fully qualified domain name of the client or the IP address that the CommServe should use to open the tunnel connection to the client. If there is a NAT router between the client and the CommServe, provide the NAT IP address.
   Click OK.
   A placeholder client is created for firewall configuration use.
4. From the CommCell Console, right-click the CommServe computer and click Properties.
5. Click the Firewall Configuration tab.
6. Click the Incoming Connections tab.
   Click Add.
7. In the From field, select the name of the placeholder client you just added.
   In the State field, select Blocked, since the client cannot open connections to the CommServe.
   Click OK.
8. Click the Incoming Ports tab.
   As the CommServe does not receive connections from the client, you do not need to select Listen for tunnel connections on port.
9. Click the Outgoing Routes tab.
   Click Add to specify the outgoing route.
   Outgoing routes are automatically created in the direct connectivity setup; manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following.
   Enable HTTPS encryption for the tunnel or data traffic.
   Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option.
   Direct connections always work faster. Forcing data connections into the tunnel might degrade the performance of data protection operations.
   If you wish to encrypt your backup data, you must instead configure encryption at the client level, which offers more control and also stores the data in encrypted form on the backup media.
10. Select the name of the placeholder client in Remote Group/Client.
   Select Direct.
   Select HTTP.
   The Force all data (along with control) traffic into the tunnel option is not required, as this route is not toward the MediaAgent.
   Click OK.
11. From the CommCell Console, right-click the CommServe computer, click All Tasks, and click Push Firewall Configuration.
12. Click Continue.
   The CommServe is configured to open tunnel connections to the client.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
Use the following steps to establish incoming and outgoing connectivity
details between the CommServe, MediaAgent, and the client computer.
The configuration required for the CommServe to
connect to the client was done prior to installing the client. No
additional configuration is required.
1. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.
3. From the Incoming Connections tab, click Add.
4. In the From field, select the name of the client you just installed.
   In the State field, select Blocked, since the client cannot open connections to the MediaAgent.
   Note that if the firewall allowed any connection from the client to the MediaAgent, then this entry is not required.
   Click OK to continue.
5. Click the Incoming Ports tab.
   Assuming that the MediaAgent opens the tunnel connection to the client, there is no need to select Listen for tunnel connections on port.
   Click OK.
6. Click the Outgoing Routes tab.
   Click Add to specify the outgoing route.
   Outgoing routes are automatically created in the direct connectivity setup; manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following.
   Enable HTTPS encryption for the tunnel or data traffic.
   Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option.
   Direct connections always work faster. Forcing data connections into the tunnel might degrade the performance of data protection operations.
   If you wish to encrypt your backup data, you must instead configure encryption at the client level, which offers more control and also stores the data in encrypted form on the backup media.
7. Select the client name in the Remote Group/Client field.
   Select Direct.
   Select HTTP.
   Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection.
   Click OK.
8. From the Outgoing Routes tab, click OK.
   The MediaAgent is now configured to communicate with the client.
9. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
10. Click the Firewall Configuration tab.
11. From the Incoming Connections tab, click Add.
12. In the From field, select the name of the CommServe computer.
   In the State field, select Restricted, since the CommServe will connect to the Client through a port.
   Click OK.
13. Click Add again to specify the MediaAgent connection details.
   In the From field, select the name of the MediaAgent computer.
   In the State field, select Restricted, since the MediaAgent will connect to the Client through a port.
   Click OK.
14. Click the Incoming Ports tab.
   Select Listen for tunnel connections on port and specify the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent.
   Additional Open Ports: You can speed up the data transfer by opening additional ports towards the client on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For backups to MediaAgents with the Optimize for concurrent LAN backups option unchecked, opening additional incoming ports improves backup performance. The number of open ports should correspond to the number of simultaneously running backup streams.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
15. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration. This updates the firewall configuration files on the client computer.
16. Click Continue.
   The client is configured to communicate with the CommServe and MediaAgent.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
17. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
   If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
Connectivity between the CommServe, MediaAgent, and the client is now established.
Client and CommServe Connect to each other (Two-Way Firewall)
Consider the diagram that illustrates a direct connection setup where the client, CommServe, and MediaAgent open tunnel connections between them.
The following sections explain the configuration required on the CommServe,
MediaAgent, and the client to operate in this scenario.
Review the following considerations before you begin.
Make a note of the port configurations on your firewall and substitute them
appropriately in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a
computer, then you will not be able to use port 443 for firewall configuration
on that computer.
Before installing the client, you will have to provide an incoming port
number on which the CommServe will receive tunnel connections from the client.
The following steps explain the configurations required for this purpose.
1. From the CommCell Console, right-click the CommServe computer and click Properties.
2. Click the Firewall Configuration tab.
3. Click the Incoming Ports tab.
   Select Listen for tunnel connections on port and specify the port number on which the incoming tunnel connection is received.
   Click OK.
4. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
5. Click Continue.
   The specified configuration is saved.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
In this configuration the client and the CommServe establish a connection between them using one or more ports. To install the client across a firewall in this setup, you will have to specify the path to reach the CommServe computer. During installation of the client, use one of the following firewall configuration sequences.
Use the following steps to establish incoming and outgoing connectivity
details between the CommServe, MediaAgent, and the client computer.
1. To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.
3. From the Incoming Connections tab, click Add.
4. In the From field, select the name of the client you just installed.
   In the State field, select Restricted, since the client can reach the CommServe.
   Click OK.
5. Click the Incoming Ports tab. You will see the tunnel port already specified on the CommServe.
   Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For MediaAgents involved in multi-stream restores, opening additional ports increases restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
   For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves backup performance.
   For MediaAgents performing SnapProtect operations with the Data Replicator snap engine, opening additional ports increases backup performance.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
6. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
7. Click Continue.
   The CommServe is configured to receive communication from the client.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
8. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
9. Click the Firewall Configuration tab.
10. From the Incoming Connections tab, click Add.
11. In the From field, specify the name of the client you just installed.
   In the State field, select Restricted, since the client can reach the MediaAgent.
   Click OK.
12. Click the Incoming Ports tab.
   Select the Listen for tunnel connections on port option and specify the tunnel port through which connections from the client are received on the MediaAgent computer.
   Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can speed up the data transfer by opening additional ports on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For MediaAgents involved in multi-stream restores, opening additional ports increases restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
   For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves backup performance.
   For MediaAgents performing SnapProtect operations with the Data Replicator snap engine, opening additional ports increases backup performance.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
   The MediaAgent is now configured to receive communication from the client.
13. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
14. Click the Firewall Configuration tab.
15. From the Incoming Connections tab, click Add.
16. In the From field, specify the name of the CommServe computer.
   In the State field, select Restricted, since the Client can connect to the CommServe.
   Click OK.
17. Click Add again to specify the MediaAgent connection details.
   In the From field, specify the name of the MediaAgent computer.
   In the State field, select Restricted, since the Client can connect to the MediaAgent.
   Click OK.
18. Click the Incoming Ports tab.
   Select the Listen for tunnel connections on port option and specify the incoming port number on which the firewall will allow connections from the CommServe and the MediaAgent. The client will listen for incoming tunnel connections on this port.
   Additional Open Ports: You can speed up the data transfer by opening additional ports towards the client on the firewall and recording them as open in this screen. Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports.
   To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
   Review the following recommendations.
   For backups to MediaAgents with the Optimize for concurrent LAN backups option unchecked, opening additional incoming ports improves backup performance. The number of open ports should correspond to the number of simultaneously running backup streams.
   For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
   Click OK.
19. Click the Outgoing Routes tab.
   Click Add.
   Outgoing routes are automatically created in the direct connectivity setup; manual entry is not required. However, you might want to create an entry if you wish to achieve one of the following.
   Enable HTTPS encryption for the tunnel or data traffic.
   Encrypt the data connections by forcing the connections into the tunnel. However, consider the following before using this option.
   Direct connections always work faster. Forcing data connections into the tunnel might degrade the performance of data protection operations.
   If you wish to encrypt your backup data, you must instead configure encryption at the client level, which offers more control and also stores the data in encrypted form on the backup media.
20. Select the CommServe name in Remote Group/Client.
   Select Direct.
   Select the HTTPS protocol. This enables authentication and encryption for tunnel connections.
   The Force all data (along with control) traffic into the tunnel option is not required, as this route is not toward the MediaAgent.
   Click OK.
21. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration. This updates the firewall configuration files on the client computer.
22. Click Continue.
   The client is configured to communicate with the CommServe and MediaAgent.
   Verify that your firewall configuration was pushed successfully in the Event Viewer window.
23. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
   If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
Connectivity between the CommServe, MediaAgent, and the client is now established.
There are cases where direct connectivity setups do not work. Imagine a situation
where the CommServe and MediaAgent are located inside a company’s internal
network, and the entire network is exposed to the outside world through a single IP
address. Typically this IP address belongs to a firewall/gateway that works as a
NAT device for connections from the internal network to the outside.
In scenarios like this, you can establish a port-forwarding at the gateway to forward
incoming connections on specific ports to certain machines on the internal
network (on specific ports). You can then configure the client to open a direct connection to the port-forwarder’s IP on a specific port to reach a
particular internal server. This creates a custom route from client towards the
internally running server(s).
Consider the diagram that illustrates the setup. The following sections explain how to configure the software to operate in this setup.
Review the following considerations before you begin.
Make a note of the port configurations in your setup and substitute them in the following instructions.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a
computer, then you will not be able to use port 443 for firewall configuration
on that computer.
Any additional destination port specified in the outgoing connection routes
of the client must also be defined in the incoming port list of the remote
client (CommServe or MediaAgent).
A port-forwarding gateway sends incoming connections to
specific machines on the internal network based on the incoming connection’s
destination port number. With reference to our illustration above, the following port-forwarding must be
configured on the gateway.
Connections to gateway.company.com on port 443 must be forwarded to the internally running commserve.company.com on port 440.
Connections to gateway.company.com on port 444 must be forwarded to the internally running mediaagent.company.com on port 440.
Note that there is no restriction on the internal port numbers. They need not
be the same as shown in the illustration. Also, for machines in the internal
network, neither the IP addresses nor the names have to be reachable or
resolvable from outside.
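The rules this page applies in the three direct-connection scenarios above and in the port-forwarding setup just described can be checked mechanically; the following Python model is an added example, not Commvault or Calypso tooling. It reports a Restricted peer with no tunnel port, two components that block each other, Additional Open Ports outside 1024 - 65000, and a gateway-forwarded destination port missing from the remote component's incoming port list; the hosts and ports 440, 443 and 444 come from the page, while the tunnel port 8500 and the 8600-8609 range are constructed.

```python
# Added example (not Commvault/Calypso tooling): a consistency checker for the
# Firewall Configuration tabs described on this page. Names and ports other than
# those taken from the page (440, 443, 444, gateway.company.com) are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCKED, RESTRICTED = "Blocked", "Restricted"
ADDITIONAL_PORT_RANGE = (1024, 65000)  # limit the page gives for Additional Open Ports

@dataclass
class Route:
    """One Outgoing Routes entry: Direct to `peer`, or via a port-forwarding gateway."""
    peer: str
    gateway: Optional[str] = None       # None means a Direct route
    gateway_port: Optional[int] = None

@dataclass
class Component:
    """A CommServe, MediaAgent or client with its three Firewall Configuration tabs."""
    name: str
    incoming: Dict[str, str] = field(default_factory=dict)  # peer -> Blocked/Restricted
    tunnel_port: Optional[int] = None   # "Listen for tunnel connections on port"
    additional_ports: List[Tuple[int, int]] = field(default_factory=list)  # From/To
    routes: List[Route] = field(default_factory=list)

# Gateway port-forwarding table: (gateway host, port) -> (internal host, port)
Forwarding = Dict[Tuple[str, int], Tuple[str, int]]

def port_listed(comp: Component, port: int) -> bool:
    """True if `port` is the tunnel port or inside an Additional Open Ports range."""
    return port == comp.tunnel_port or any(lo <= port <= hi for lo, hi in comp.additional_ports)

def resolve_route(route: Route, forwarding: Forwarding, hostnames: Dict[str, str]):
    """Where the route lands: (component name, port); a Direct route reports port None."""
    if route.gateway is None:
        return route.peer, None
    target = forwarding.get((route.gateway, route.gateway_port))
    if target is None:
        return None, None
    host, port = target
    return hostnames.get(host), port

def check(components: List[Component], forwarding: Optional[Forwarding] = None,
          hostnames: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of configuration problems; an empty list means consistent."""
    forwarding, hostnames = forwarding or {}, hostnames or {}
    by_name = {c.name: c for c in components}
    problems: List[str] = []
    for c in components:
        for lo, hi in c.additional_ports:
            if not (ADDITIONAL_PORT_RANGE[0] <= lo <= hi <= ADDITIONAL_PORT_RANGE[1]):
                problems.append(f"{c.name}: additional ports {lo}-{hi} outside 1024-65000")
        for peer, state in c.incoming.items():
            # Restricted means the peer opens the tunnel to us, so we must listen for it.
            if state == RESTRICTED and c.tunnel_port is None:
                problems.append(f"{c.name}: Restricted from {peer} but no tunnel port set")
        for r in c.routes:
            target, port = resolve_route(r, forwarding, hostnames)
            if target is None:
                problems.append(f"{c.name}: route to {r.peer} via {r.gateway}:"
                                f"{r.gateway_port} matches no forwarding rule")
            elif target != r.peer:
                problems.append(f"{c.name}: route to {r.peer} is forwarded to {target}")
            elif port is not None and not port_listed(by_name[target], port):
                # The page's gateway rule: the forwarded-to port must be in the remote's port list.
                problems.append(f"{c.name}: gateway lands on {target}:{port}, "
                                f"which is not in {target}'s incoming ports")
    names = list(by_name)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # A missing entry means the firewall allows any connection from that peer.
            if by_name[a].incoming.get(b) == BLOCKED and by_name[b].incoming.get(a) == BLOCKED:
                problems.append(f"{a} and {b} block each other; no tunnel can be opened")
    return problems

def client_to_commserve_scenario() -> List[Component]:
    """The one-way setup above where only the client opens tunnels (ports constructed)."""
    return [
        Component("CommServe", {"client": RESTRICTED}, tunnel_port=8500),
        Component("MediaAgent", {"client": RESTRICTED}, tunnel_port=8500,
                  additional_ports=[(8600, 8609)]),
        Component("client", {"CommServe": BLOCKED, "MediaAgent": BLOCKED},
                  routes=[Route("CommServe"), Route("MediaAgent")]),
    ]

def gateway_scenario(mediaagent_internal_port: int = 440):
    """The port-forwarding setup above: gateway:443 -> commserve:440, gateway:444 -> mediaagent."""
    forwarding: Forwarding = {
        ("gateway.company.com", 443): ("commserve.company.com", 440),
        ("gateway.company.com", 444): ("mediaagent.company.com", mediaagent_internal_port),
    }
    hostnames = {"commserve.company.com": "CommServe", "mediaagent.company.com": "MediaAgent"}
    components = [
        Component("CommServe", {"client": RESTRICTED}, tunnel_port=440),
        Component("MediaAgent", {"client": RESTRICTED}, tunnel_port=440),
        Component("client", {"CommServe": BLOCKED, "MediaAgent": BLOCKED}, routes=[
            Route("CommServe", gateway="gateway.company.com", gateway_port=443),
            Route("MediaAgent", gateway="gateway.company.com", gateway_port=444),
        ]),
    ]
    return components, forwarding, hostnames
```

`check(client_to_commserve_scenario())` and `check(*gateway_scenario())` both return an empty list; calling `gateway_scenario(mediaagent_internal_port=441)` reproduces the mistake the consideration above warns against, and `check` reports that the forwarded port is not in the MediaAgent's incoming port list.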
This procedure assumes that the CommServe is installed and available behind the gateway.
The following steps explain the configuration required to connect to the CommServe before installing the client.
1. From the CommCell Console, right-click the CommServe computer and click Properties.
2. Click the Firewall Configuration tab.
3. Click the Incoming Ports tab.
Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to commserve.company.com:440 when it receives them from outside on port 443.
Click OK.
4. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
5. Click Continue.
The specified configuration is saved.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
See Installation for step-by-step procedures to install the client. During installation, provide the gateway information through which the CommServe computer can be reached. The install program communicates with the CommServe using this information. Use one of the following firewall configuration sequences.
The previous configurations provided a path to reach the CommServe for
installation purposes. To enable data protection operations between the two
computers, you will have to establish the communication path between them. Perform the following steps to establish the communication route.
1. To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.
3. Click the Incoming Connections tab.
Click Add.
4. In the From field, specify the name of the client outside the gateway that you just installed.
In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted.
Click OK.
5. Click the Incoming Ports tab.
You will see the tunnel port already specified on the CommServe with port number 440.
Click OK.
6. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
7. Click Continue.
The CommServe is configured to receive communication from the client.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
8. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
9. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
10. Click the Firewall Configuration tab.
11. From the Incoming Connections tab, click Add.
12. In the From field, specify the name of the client outside the gateway that you just installed.
In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted.
13. Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to mediaagent.company.com:440 when it receives them from outside on port 444.
Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can open and port-forward additional ports on the gateway to speed up the data transport. Note that the additional ports need not be the same on the MediaAgent and on the gateway, since the gateway can translate externally visible port numbers to the actual port numbers on the MediaAgent.
In this screen you configure the range of ports used for listening to additional incoming connections from the clients. The mapping that describes how the gateway exports these ports must be defined in the outgoing route from the client towards the MediaAgent (see Step 21).
Specify the range of ports in the Additional open ports area, in the From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
Review the following recommendations:
For MediaAgents involved in multi-stream restores, opening additional ports increases restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
For MediaAgents with the Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves backup performance.
For MediaAgents performing SnapProtect operations with the Data Replicator snap engine, opening additional ports increases backup performance.
For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves replication performance.
Click OK.
The MediaAgent is now configured to receive communication from the client.
14. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
15. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
16. Click the Firewall Configuration tab.
17. From the Incoming Connections tab, click Add.
18. In the From field, specify the name of the CommServe computer behind the gateway.
In the State field, specify the status of the connection from the CommServe. Since the CommServe does not open connections towards the client, select Blocked.
Click OK.
19. Click Add again to specify the MediaAgent connection details.
In the From field, specify the name of the MediaAgent computer behind the gateway.
In the State field, specify the status of the connection from the MediaAgent. Since the MediaAgent does not open connections towards the client, select Blocked.
Click OK.
20. Click the Incoming Ports tab.
As the client does not receive incoming connections from the CommServe or MediaAgent, there is no need to select Listen for tunnel connections on port.
21. Click Add to specify the outgoing connection route from this client towards the CommServe.
22. Select the CommServe name in Remote Group/Client.
Select Via Gateway.
The Force all data (along with control) traffic into the tunnel option is not required, as this route is not toward a MediaAgent.
Enter the Gateway Hostname through which you can reach the CommServe. Referring to our diagram, it is gateway.company.com.
Enter the Gateway Tunnel Port through which the CommServe can be reached. Referring to the diagram above, this is port number 443.
Additional destination port mapping: If you want to configure additional destination ports, make sure that these ports are also defined on the CommServe; you can then establish mappings between those ports on the CommServe and the ports on the gateway to which the client will connect.
To add a destination port mapping, specify the incoming gateway port in GW Port and the mapped destination port in Destination Port. Click Add to add the port mapping. To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
Click OK.
23. Click Add again to specify the outgoing connection route from this client towards the MediaAgent.
Select the MediaAgent in Remote Group/Client.
Select Via Gateway.
Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection.
Enter the Gateway Hostname through which you can reach the MediaAgent. Referring to our diagram, it is gateway.company.com.
Enter the Gateway Tunnel Port through which the MediaAgent can be reached. Referring to the diagram above, this is port number 444.
Additional destination port mapping: If you want to configure additional destination ports, make sure that these ports are also defined on the MediaAgent (see Step 13); you can then establish mappings between those ports on the MediaAgent and the ports on the gateway to which the client will connect.
To add a destination port mapping, specify the incoming gateway port in GW Port and the mapped destination port in Destination Port. Click Add to add the port mapping. To remove a port from the listing, select the port and click Delete. The ports must be within the range 1024 - 65000. Ensure that the ports specified here are not used by other applications.
Click OK.
24. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration.
25. Click Continue.
The client is configured to communicate with the CommServe and MediaAgent computers behind the gateway.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
26. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
Connectivity between the CommServe, MediaAgent, and the client is now established.
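To see how the pieces configured above have to agree with each other, here is an added example (not part of the original documentation and not product code) that models the gateway's forwarding rules, the Incoming Ports settings of the CommServe and MediaAgent, and the client's Via Gateway routes, then reports the mismatches that make Check Readiness fail: a Gateway Tunnel Port that the gateway does not forward to the remote's own tunnel port, a GW Port/Destination Port mapping with no matching forwarding rule or no matching additional open port, and ports outside the 1024 - 65000 range. Host names and tunnel ports are the page's (gateway.company.com:443 to commserve.company.com:440, :444 to mediaagent.company.com:440); the additional port numbers 8403-8404 and 8453-8454 are constructed samples, and the data classes and checker are this example's own.

```python
"""Consistency check for the port-forwarding gateway setup (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field

PORT_MIN, PORT_MAX = 1024, 65000   # range the console accepts for additional ports


@dataclass
class GatewayRule:
    """One port-forwarding entry on the gateway: external port -> internal host:port."""
    external_port: int
    internal_host: str
    internal_port: int


@dataclass
class IncomingPorts:
    """Incoming Ports tab of a CommServe or MediaAgent."""
    tunnel_port: int                                          # Listen for tunnel connections on port
    additional_ports: set[int] = field(default_factory=set)   # Additional open ports


@dataclass
class OutgoingRoute:
    """One Via Gateway entry in the client's Outgoing Routes tab."""
    remote: str                        # Remote Group/Client
    gateway_host: str                  # Gateway Hostname
    gateway_tunnel_port: int           # Gateway Tunnel Port
    force_data_into_tunnel: bool = False
    port_mappings: dict[int, int] = field(default_factory=dict)   # GW Port -> Destination Port


def check_gateway_setup(rules, incoming, routes):
    """Return a list of problems; an empty list means the three views agree."""
    forward = {r.external_port: (r.internal_host, r.internal_port) for r in rules}
    problems = []
    for route in routes:
        target = incoming.get(route.remote)
        if target is None:
            problems.append(f"{route.remote}: no Incoming Ports configuration")
            continue
        # The gateway tunnel port must be forwarded to the remote's own tunnel port.
        actual = forward.get(route.gateway_tunnel_port)
        if actual != (route.remote, target.tunnel_port):
            problems.append(f"{route.remote}: gateway port {route.gateway_tunnel_port} is not "
                            f"forwarded to {route.remote}:{target.tunnel_port} (gateway has {actual})")
        # Each GW Port -> Destination Port mapping needs a matching forwarding rule and a
        # destination port that the remote actually listens on.
        for gw_port, dst_port in route.port_mappings.items():
            for p in (gw_port, dst_port):
                if not PORT_MIN <= p <= PORT_MAX:
                    problems.append(f"{route.remote}: port {p} is outside {PORT_MIN}-{PORT_MAX}")
            if forward.get(gw_port) != (route.remote, dst_port):
                problems.append(f"{route.remote}: gateway does not forward {gw_port} "
                                f"to {route.remote}:{dst_port}")
            if dst_port not in target.additional_ports:
                problems.append(f"{route.remote}: destination port {dst_port} is not in "
                                f"its additional open ports")
    return problems


# Values from the page: 443 -> commserve:440 and 444 -> mediaagent:440.
# The additional ports (MediaAgent 8403-8404, exported by the gateway as 8453-8454)
# are constructed samples.
GATEWAY_RULES = [
    GatewayRule(443, "commserve.company.com", 440),
    GatewayRule(444, "mediaagent.company.com", 440),
    GatewayRule(8453, "mediaagent.company.com", 8403),
    GatewayRule(8454, "mediaagent.company.com", 8404),
]
INCOMING = {
    "commserve.company.com": IncomingPorts(tunnel_port=440),
    "mediaagent.company.com": IncomingPorts(tunnel_port=440, additional_ports={8403, 8404}),
}
CLIENT_ROUTES = [
    OutgoingRoute("commserve.company.com", "gateway.company.com", 443),
    OutgoingRoute("mediaagent.company.com", "gateway.company.com", 444,
                  force_data_into_tunnel=True, port_mappings={8453: 8403, 8454: 8404}),
]


def demo_consistent():
    """The setup as the steps describe it: no problems."""
    return check_gateway_setup(GATEWAY_RULES, INCOMING, CLIENT_ROUTES)


def demo_mistyped_mapping():
    """The client maps GW port 8455 (never forwarded) to 8405 (never opened): two problems."""
    bad = OutgoingRoute("mediaagent.company.com", "gateway.company.com", 444,
                        force_data_into_tunnel=True, port_mappings={8455: 8405})
    return check_gateway_setup(GATEWAY_RULES, INCOMING, [CLIENT_ROUTES[0], bad])


if __name__ == "__main__":
    print("consistent setup:", demo_consistent() or "OK")
    for problem in demo_mistyped_mapping():
        print("problem:", problem)
```

The same three tables are what you would reconcile by hand when Check Readiness reports the client as not ready: the gateway's forwarding table, each remote's Incoming Ports tab, and the client's Outgoing Routes tab.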
Since both the MediaAgent and CommServe computers are, in a way, exposed to the outside world through port-forwarded connections, you might want to enable encryption and authentication for the tunnel connections. This can be done in one of the following ways.
Select HTTPS for the Tunnel Connection Protocol in the Outgoing Routes tab on all outgoing routes.
Select Allow only HTTPS for the Incoming Tunnel Protocol in the Options tab of the CommServe and MediaAgent.
Once HTTPS has been enabled, the client and CommServe/MediaAgent will authenticate each other and set up tunnel encryption in accordance with the HTTPS standard.
Operating Through a DMZ Using Calypso Proxy
Calypso proxy is a special proxy configuration where a dedicated iDataAgent is placed in a Demilitarized Zone (DMZ) and the firewall(s) are configured to allow connections (from inside and outside networks) into the DMZ. The proxy, which is the agent running in the DMZ, authenticates, encrypts, and proxies accepted tunnel connections to connect the clients operating outside to clients operating inside. In effect, the Calypso proxy acts like a Private Branch Exchange (PBX) that sets up secure conferences between dial-in client calls. With this setup, firewalls can be configured to disallow straight connections between inside and outside networks.
The diagram on the right illustrates this setup, where a client from outside communicates with the CommServe and MediaAgent operating in an internal network through the Calypso proxy.
The following sections describe the configuration required to operate the software in this setup.
Review the following considerations before you begin.
The instructions given below are tailored to the component names and port
numbers presented in the illustration. Make a note of the details in your setup
and substitute them appropriately.
Microsoft Internet Information Services (IIS) uses port number 443 by default. So if you have IIS running on a
computer, then you will not be able to use port 443 for firewall configuration
on that computer.
Set up the Calypso Proxy
The following sections explain the steps involved
in creating the Calypso proxy.
Preconfigure the Calypso Proxy
Follow the steps below to create and configure a placeholder for the Calypso
proxy on your CommServe computer before installing it.
1. From the CommCell Console, right-click the client computer node and click New Client.
2. Select Windows or Unix as applicable.
3. Provide the Client Name and the Host Name you will use during your Calypso proxy installation.
Click OK.
4. From the CommCell Console, right-click the client you just created and click Properties.
5. Click the Firewall Configuration tab.
Click Add.
6. In the From field, select the CommServe name.
In the State field, select Restricted.
Click OK.
If you have a MediaAgent, repeat this step providing the MediaAgent computer name.
7. Click the Incoming Ports tab.
Select Listen for tunnel connections on port and enter the port number on which the Calypso proxy will listen for connections from the CommServe.
Write down the port number used, as it will be needed during the Calypso proxy installation.
8. Click the Options tab.
Select This computer is in DMZ and will work as a proxy.
Click OK.
9. From the CommCell Console, right-click the CommServe computer and click Properties.
10. Click the Firewall Configuration tab.
From the Incoming Connections tab, click Add.
11. In the From field, select the Calypso proxy computer.
In the State field, select Blocked.
Click OK.
12. Click the Outgoing Routes tab.
Click Add.
13. Select the Calypso proxy in Remote Group/Client.
Select Direct.
Click OK.
14. Click OK.
15. From the CommCell Console, right-click the CommServe computer, click All Tasks, and click Push Firewall Configuration.
16. Click Continue.
17. Click OK.
You are now ready to install the Calypso proxy.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
Install the Calypso Proxy
Install a CommCell client (e.g., File System iDataAgent) in the DMZ. This will operate as the Calypso proxy. Since the DMZ always receives connections from outside, the Calypso proxy in the DMZ must communicate with the CommServe through tunnel connections initiated by the CommServe.
If a firewall is enabled on the computer where the Calypso proxy will be installed, ensure that connections from the CommServe and client computers are allowed.
During the installation, use one of the following firewall configuration sequences:
After the installation is completed, open the CommCell Console, right-click the Calypso proxy computer and click All Tasks | Push Firewall Configuration.
Install the Client
To install the client across the Calypso proxy, you will have to specify the path to reach the CommServe computer. The install program communicates with the CommServe using this information.
See Installation for step-by-step procedures to install the client. During installation, use one of the following firewall configuration sequences:
The following steps explain the actions required to configure routes between the CommServe, MediaAgent and the new client through the Calypso proxy.
1. To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.
Click the Outgoing Routes tab.
Click Add to specify the outgoing connection route from the CommServe to the client through the Calypso proxy.
3. Select the client computer in Remote Group/Client.
Select Via Proxy.
Select the Calypso proxy in Remote Proxy.
Click OK.
4. Click OK.
The Outgoing Routes tab should display two routes: the route from the CommServe to the proxy and the route from the CommServe to the client through the proxy.
Note that when two computers communicate with each other through a proxy, two routes need to be configured in each computer's Firewall preferences: one route to describe the connectivity of the computer with the proxy, and another route to describe the connectivity of the computer with the remote computer via the proxy.
5. From the CommCell Console, right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
6. Click Continue.
7. Click OK.
The CommServe is configured to receive communication from the client through the Calypso proxy.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
8. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
9. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
10. Click the Firewall Configuration tab.
From the Incoming Connections tab, click Add.
11. In the From field, select the Calypso proxy computer.
In the State field, select Blocked.
Click OK.
12. Click the Outgoing Routes tab.
Click Add to specify the outgoing connection route from the MediaAgent to the client through the Calypso proxy.
13. Select the client computer in Remote Group/Client.
Select Via Proxy.
Select the Calypso proxy in Remote Proxy.
Click OK.
14. Click Add again to specify the route from the MediaAgent to the Calypso proxy.
Select the name of the CommServe in Remote Group/Client.
Select Force all data (along with the control) traffic into the tunnel.
Click OK.
15. Click OK.
The Outgoing Routes tab must display two routes: the route from the MediaAgent to the proxy and the route from the MediaAgent to the client through the proxy.
16. From the CommCell Console, right-click the MediaAgent computer and click All Tasks | Push Firewall Configuration.
17. Click Continue.
18. Click OK.
The MediaAgent is configured to receive communication from the client through the Calypso proxy.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
19. From the CommCell Console, right-click the MediaAgent computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the MediaAgent computer is not ready, verify your settings against the above recommendations and revise the settings if required.
20. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
21. Click the Firewall Configuration tab.
From the Incoming Connections tab, click Add.
22. In the From field, select the Calypso proxy computer.
In the State field, select Blocked. Since there are no incoming connections from the proxy to the client, the connection status is Blocked.
Click OK.
23. Click the Outgoing Routes tab.
Click Add to specify the route for the outgoing connection from the client to the Calypso proxy.
24. Select the Calypso proxy in Remote Group/Client.
Select Direct for Route Type.
If there is a port-forwarding gateway between the client and the proxy, you will have to select Via Gateway and configure the Gateway Settings.
Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection.
Click OK.
25. Click Add again to specify the route for the outgoing connection from the client to the CommServe through the Calypso proxy.
Select the name of the CommServe in Remote Group/Client.
Select Via Proxy.
Select the Calypso proxy in Remote Proxy.
Click OK.
26. Click Add again to specify the route for the outgoing connection from the client to the MediaAgent through the Calypso proxy.
Select the name of the MediaAgent in Remote Group/Client.
Select Via Proxy.
Select the Calypso proxy in Remote Proxy.
Click OK.
27. Click OK.
The Outgoing Routes tab should display three routes: the routes from the client to the proxy, from the client to the MediaAgent, and from the client to the CommServe.
Please note that the image to the right assumes the route between the client and the proxy was configured using a Direct route. If you used a port-forwarding gateway, you will see Via Gateway as the route setting.
28. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration.
29. Click Continue.
30. Click OK.
The specified configurations are saved.
Verify that your firewall configuration was pushed successfully in the Event Viewer window.
31. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.
If the client computer is not ready, verify your settings against the above recommendations and revise the settings if required.
Connectivity between the CommServe, MediaAgent, and the client through the Calypso proxy is established.
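As an added example (not product code and not from the original documentation), the following models the rule stated in the steps above, that each computer needs a route to the proxy itself plus a Via Proxy route to the remote computer, and checks route tables laid out the way the procedure leaves them: two routes on the CommServe, two on the MediaAgent, three on the client. It also checks that every Via Proxy route has its counterpart on the other side, since the procedure configures both ends. Component names are the page's roles; the Route class, the check function and the two failing tables are this example's own constructions.

```python
"""Route-table check for a Calypso proxy (DMZ) setup (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry in a computer's Outgoing Routes tab."""
    remote: str              # Remote Group/Client
    route_type: str          # "Direct", "Via Gateway" or "Via Proxy"
    remote_proxy: str = ""   # Remote Proxy, only meaningful for Via Proxy


ROUTE_TYPES = {"Direct", "Via Gateway", "Via Proxy"}


def check_proxy_routes(route_tables):
    """route_tables maps a computer name to its list of Route entries.

    Returns a list of problems; it is empty when every Via Proxy route is backed
    by a route to the proxy itself and has a reverse route on the remote side.
    """
    problems = []
    for computer, routes in route_tables.items():
        # Proxies this computer can reach on its own: Direct, or Via Gateway when a
        # port-forwarding gateway sits between the two.
        reachable = {r.remote for r in routes if r.route_type in ("Direct", "Via Gateway")}
        for r in routes:
            if r.route_type not in ROUTE_TYPES:
                problems.append(f"{computer}: unknown route type {r.route_type!r} for {r.remote}")
            elif r.route_type == "Via Proxy":
                if not r.remote_proxy:
                    problems.append(f"{computer}: route to {r.remote} is Via Proxy but names no Remote Proxy")
                elif r.remote_proxy not in reachable:
                    problems.append(f"{computer}: route to {r.remote} goes via {r.remote_proxy}, "
                                    f"but there is no route from {computer} to {r.remote_proxy} itself")
    # The procedure configures both ends: if A reaches B through P, B must reach A through P.
    via = {(c, r.remote, r.remote_proxy)
           for c, routes in route_tables.items() for r in routes if r.route_type == "Via Proxy"}
    for c, remote, proxy in sorted(via):
        if (remote, c, proxy) not in via:
            problems.append(f"{remote}: missing the reverse Via Proxy route to {c} through {proxy}")
    return problems


PROXY = "calypso-proxy"   # the agent installed in the DMZ (constructed name)

# Route tables as the steps leave them: two routes on the CommServe and on the
# MediaAgent, three on the client.
TABLES_FROM_PAGE = {
    "CommServe":  [Route(PROXY, "Direct"), Route("client", "Via Proxy", PROXY)],
    "MediaAgent": [Route(PROXY, "Direct"), Route("client", "Via Proxy", PROXY)],
    "client":     [Route(PROXY, "Direct"),
                   Route("CommServe", "Via Proxy", PROXY),
                   Route("MediaAgent", "Via Proxy", PROXY)],
}


def demo_complete():
    """The configuration as described: no problems."""
    return check_proxy_routes(TABLES_FROM_PAGE)


def demo_missing_proxy_route():
    """The client entered only its Via Proxy routes and skipped the route to the proxy."""
    tables = dict(TABLES_FROM_PAGE)
    tables["client"] = [r for r in TABLES_FROM_PAGE["client"] if r.route_type == "Via Proxy"]
    return check_proxy_routes(tables)


def demo_one_sided():
    """The MediaAgent's route to the client exists, but the client never added its route back."""
    tables = dict(TABLES_FROM_PAGE)
    tables["client"] = [r for r in TABLES_FROM_PAGE["client"] if r.remote != "MediaAgent"]
    return check_proxy_routes(tables)


if __name__ == "__main__":
    for name, fn in [("complete", demo_complete),
                     ("missing proxy route", demo_missing_proxy_route),
                     ("one-sided", demo_one_sided)]:
        print(f"{name}: {fn() or 'OK'}")
```

Both failing cases are the ones Check Readiness is there to catch: a Via Proxy route on a computer that cannot reach the proxy, and a route configured on one end only.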
Consider the scenario where you are in a public location like a coffee shop, airport, hotel, or other such remote location where internet access is provided over public WiFi through an HTTP proxy. If you are a roaming user who travels frequently, you might operate the software in this scenario. The following sections describe the configuration required to operate the software through an HTTP proxy.
Install the Client
We assume that your computer contains client components only. In most cases, the client software is already installed and ready for backup and recovery operations. You can, however, install the software from behind an HTTP proxy. The following sections present the possible firewall scenarios that might protect the CommServe and the installer sequence to reach the CommServe in each scenario. Select the scenario that matches your deployment setup and follow the steps in sequence.
To configure the client to operate across an HTTP proxy:
Locate the firewall configuration file FWConfigLocal.txt under the <software_installation>/Base folder. This file contains the firewall configuration options provided during installation. Do not modify the FWConfig.txt file.
This file might not be available if the client software was installed within the internal network with no firewall separating the computer and the CommServe. In that case, contact your system administrator for the details needed to create this file.
Locate the [http-proxy] section at the end of the file and remove the comment tag (#) from the section header and its body. The section and its contents will appear as follows.
# [http-proxy]
# host= <host name of the proxy server>
# port= <HTTP proxy port number>
Provide the correct values for the host name and port number of the HTTP proxy server. The software does not support HTTP proxies that require authentication.
If you are a roaming user who frequently operates over public WiFi, you will have entries from your previous access. In that case, update the entries with the host and port information applicable to the current setup.
The following are sample entries for an outgoing route through an HTTP proxy.
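The following is an added example, not a tool shipped with the software, for making the FWConfigLocal.txt edit described above without hand-editing the file each time you change location: it removes the comment marker from the [http-proxy] header and its host/port lines, writes the current proxy (replacing values left from a previous location so that exactly one host line and one port line remain), rejects a host written with embedded credentials because authenticating proxies are not supported, and refuses to proceed when the section is absent, so FWConfig.txt or an unrelated file is never rewritten. It assumes that "key= value" with the "#" removed is the active form of the entries and that [http-proxy] is the last section in the file; the sample file contents are constructed.

```python
"""Enable or update the [http-proxy] section of FWConfigLocal.txt (added example, not product code)."""
import re

SECTION = "[http-proxy]"
# Section header, commented ("# [http-proxy]") or already active ("[http-proxy]").
_HEADER = re.compile(r"^\s*#?\s*\[http-proxy\]\s*$")
# Any other section header, used to detect where the http-proxy section ends.
_ANY_HEADER = re.compile(r"^\s*#?\s*\[[^\]]+\]\s*$")
# A host= or port= line, commented or not.
_KEY = re.compile(r"^\s*#?\s*(host|port)\s*=.*$")


def set_http_proxy(text, host, port):
    """Return the file text with an active [http-proxy] section for host:port.

    Existing host/port lines (commented placeholders or values from a previous
    location) are replaced, later duplicates are dropped, missing keys are added.
    Raises ValueError if the section is absent, the port is not a TCP port, or
    the host carries credentials (user:pass@host), which the software does not support.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid proxy port: {port}")
    if "@" in host:
        raise ValueError("authenticating HTTP proxies are not supported; give the bare host name")
    values = {"host": host, "port": str(port)}

    out, in_section, found, seen = [], False, False, set()
    for line in text.splitlines():
        if _HEADER.match(line):
            in_section, found = True, True
            out.append(SECTION)                   # header with the '#' removed
            continue
        if in_section:
            if _ANY_HEADER.match(line):           # next section: write keys not yet seen
                out.extend(f"{k}= {v}" for k, v in values.items() if k not in seen)
                in_section = False
            else:
                m = _KEY.match(line)
                if m:
                    key = m.group(1)
                    if key not in seen:           # first occurrence gets the new value
                        seen.add(key)
                        out.append(f"{key}= {values[key]}")
                    continue                      # later duplicates are dropped
        out.append(line)
    if not found:
        raise ValueError(f"{SECTION} section not found; create the file first")
    if in_section:                                # section ran to end of file
        out.extend(f"{k}= {v}" for k, v in values.items() if k not in seen)
    return "\n".join(out) + "\n"


def read_http_proxy(text):
    """Return (host, port) from an active [http-proxy] section, or None if the
    section is still commented out or absent."""
    in_section, host, port = False, None, None
    for line in text.splitlines():
        s = line.strip()
        if s == SECTION:
            in_section = True
            continue
        if in_section and s.startswith("["):
            break
        if in_section and not s.startswith("#") and "=" in s:
            key, value = (part.strip() for part in s.split("=", 1))
            if key == "host":
                host = value
            elif key == "port" and value.isdigit():
                port = int(value)
    return (host, port) if host and port else None


# Constructed sample of FWConfigLocal.txt: the installer-written settings that
# precede the block are omitted; the block itself is the one shown on the page.
SAMPLE_FWCONFIGLOCAL = """\
# constructed sample: installer-written settings omitted
# [http-proxy]
# host= <host name of the proxy server>
# port= <HTTP proxy port number>
"""

if __name__ == "__main__":
    updated = set_http_proxy(SAMPLE_FWCONFIGLOCAL, "proxy.hotel.example", 8080)
    print(updated)
    print(read_http_proxy(updated))
```

Running it against the real file means reading FWConfigLocal.txt from the Base folder, passing the text through set_http_proxy, and writing the result back to the same file only; read_http_proxy is there to confirm what the file now says before you retry the backup.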
Windows Firewall, the built-in firewall included in Windows operating systems, can be configured to allow CommCell communication by adding CommCell programs and services to the Windows Firewall Exception list. Once the CommCell programs are added to the Exception list, the Windows Firewall will allow external network connections to the CommCell Console.
During installation of Windows components, the installer provides an option to add CommCell programs and services to the Windows Firewall Exception list. You can use this option to configure Windows Firewall during installation.
After installation, you can configure Windows Firewall using the AddFWExclusions.bat program. Run AddFWExclusions.bat from the command prompt rather than by other means; otherwise the default system environment variable may be picked up and system32 executables added to the firewall exception list.
To add CommCell programs and services to the Windows Firewall Exception List:
Open the command prompt.
Navigate to the <Software_Installation_Path>/Base folder.
Run the AddFWExclusions.bat file to execute the commands.
All applicable CommCell communication programs and services are added to the Windows Firewall Exception List. Note that this must be done on all CommCell computers.
If the firewall configuration is reset on a computer for any reason (this can happen, for example, when the computer is moved from a workgroup to a domain), then the firewall exclusions must be added again.