Port-Based Firewall Considerations
Application-Based Firewall Considerations
Program-Based Firewall Considerations
Firewalls provide security to networks by acting as a barrier against unauthorized outside access. They do so by enforcing restrictions on which computers and applications may communicate across them.
Typically a firewall divides the network into two parts, broadly referred to as the secure/friendly side and the hostile side. CommCell components can be configured to function across a firewall when the computers hosting these components are located on different sides of the firewall(s).
The following are the most commonly seen configurations in which the CommCell components are located across a firewall:
Keep in mind that these configurations may in fact be located behind two firewalls, because then there are two friendly sides to deal with. The diagram on the right shows one such example.
For products like ContinuousDataReplicator and Workstation Backup, where communication is between the CommServe, the destination computer (installed with ContinuousDataReplicator) and the corresponding agents, replace the MediaAgent with the destination computer in the above configurations. The rest of the firewall considerations remain the same. This also applies to the MediaAgent Replication and Remote Backup solutions.
CommCell communication across firewall(s) can be configured using the Firewall Configuration wizard.
Firewall services can be configured during the installation of CommCell components; the installer presents the Firewall Configuration wizard for this purpose. You can also configure firewall communication, or modify an existing configuration, with the Firewall Configuration wizard at any later time. See the following procedures for more details:
The software uses a secure proprietary protocol for all inter-process communication on the enabled ports.
The system supports both one-way firewalls, where only outbound ports are opened, and two-way firewalls, where a selected set of bi-directional ports is configured. Software and hardware firewalls, including the Microsoft Windows operating system firewall and TCP/IP filtering, are supported.
The Firewall Configuration wizard creates three files, FwPeers.txt, FwHosts.txt and FwPorts.txt, and configures the firewall services in on-demand mode, where the tunnels carrying control traffic are opened only when needed. This type of configuration is suitable for two-way firewalls, where connections to the ports required by the software can be opened from both sides. Sample contents of the three files for a two-way firewall are given below:
FwPorts.txt:
    8600-8619
    8650-8659
    8800

FwHosts.txt:
    aquila.company.com
    perseus.company.com
    192.168.*
    *.remote.company.com

FwPeers.txt:
    aquila.company.com
    perseus.company.com
    192.168.*
    *.remote.company.com

Note: wildcards (as in 192.168.* above) are not supported for IPv6 addresses.
The following table lists, for two sample scenarios, which computers each component names in its FwHosts.txt and FwPeers.txt (that is, the computers on the other side of the firewall):

Scenario | Entries on the CommServe | Entries on the MediaAgent | Entries on the Agents
CommServe and MediaAgent on the friendly side; Agents on the hostile side | Agents | Agents | CommServe and MediaAgent
CommServe on the friendly side; Agents and MediaAgent on the hostile side | MediaAgent and Agents | CommServe | CommServe
The above files can be created and configured automatically during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.
All CommCell computers (CommServe, MediaAgents and clients) require the following port specifications to communicate across firewall(s).
When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the client(s), as depicted in the diagram on the right:
[port table not reproduced]
When the MediaAgent(s) and client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right:
[port table not reproduced]
The system also supports persistent one-way tunnels between CommCell components. This configuration is useful when the firewall allows programs to open connections in one direction only, for example from the CommServe to the client but not the other way around. In a one-way firewall, network connections are initiated from the secure/friendly side. Both cases, 1-Way Host Reachable and 1-Way Host Not Reachable, are supported. The software opens the necessary tunnel connections as soon as the services are started on the secure side; the clients on the hostile side accept the tunnel connection and use it to forward control and data traffic in both directions.
As explained above, the Firewall Configuration wizard creates the three files FwPeers.txt, FwHosts.txt and FwPorts.txt. Sample contents of these three files for a one-way firewall are given below:
FwPorts.txt:
    8600-8619
    8650-8659
    8800

FwHosts.txt:
    aquila.company.com
    perseus.company.com

FwPeers.txt:
    computer1.company.com @@PASSIVE@@
    computer2.company.com computer2.company.com
    189.27.271.11 189.27.271.11
Note the following on the contents of these files: wildcards are not allowed in one-way firewall configurations, so every host and peer must be listed explicitly.
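The two-way and one-way samples above follow a small, regular format, and a mistake in them (a wildcard in a one-way configuration, an IPv6 wildcard, a malformed address or port range) is easy to miss by eye. The following checker is an added example, not vendor code: it parses the three files as shown on this page and applies the page's rules. The function names are my own, blank lines are ignored (an assumption), and the reading of @@PASSIVE@@ as "this peer waits for the tunnel instead of dialing" is my interpretation; the page does not define the marker.

```python
"""Checker for FwPorts.txt, FwHosts.txt and FwPeers.txt as sampled on this
page. Added example; names such as load_firewall_config are not vendor APIs."""
import ipaddress
import re
from fnmatch import fnmatchcase

PASSIVE = "@@PASSIVE@@"   # assumed meaning: peer waits for the tunnel, does not dial


def parse_ports(text):
    """FwPorts.txt: one port or inclusive range per line, e.g. '8600-8619'.
    Returns the full set of port numbers."""
    ports = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank lines ignored (assumption)
            continue
        lo, _, hi = line.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {line!r}")
        ports.update(range(lo, hi + 1))
    return ports


def _check_entry(entry, one_way):
    """Apply the page's rules to one host/peer entry and return it."""
    if "*" in entry:
        if one_way:
            raise ValueError(f"wildcards not allowed in one-way config: {entry!r}")
        if ":" in entry:
            raise ValueError(f"wildcards not supported for IPv6: {entry!r}")
    elif re.fullmatch(r"[\d.]+", entry) or ":" in entry:
        ipaddress.ip_address(entry)       # raises ValueError on a bad literal
    return entry


def parse_hosts(text, one_way):
    """FwHosts.txt: one host name, IP address or (two-way only) pattern per line."""
    return [_check_entry(l.strip(), one_way) for l in text.splitlines() if l.strip()]


def parse_peers(text, one_way):
    """FwPeers.txt. Two-way: same format as FwHosts.txt. One-way: '<peer> <target>'
    per line, where <target> is the address this host dials or @@PASSIVE@@.
    Returns {peer: target}; a passive peer maps to None."""
    peers = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if one_way:
            if len(fields) != 2:
                raise ValueError(f"one-way peer entry needs two fields: {raw!r}")
            name, target = fields
            _check_entry(name, one_way)
            peers[name] = None if target == PASSIVE else _check_entry(target, one_way)
        else:
            if len(fields) != 1:
                raise ValueError(f"two-way peer entry needs one field: {raw!r}")
            peers[_check_entry(fields[0], one_way)] = fields[0]
    return peers


def host_matches(candidate, entries):
    """True if a name or address matches any entry; '*' is a glob wildcard and
    names compare case-insensitively (so '192.168.*' covers 192.168.5.7)."""
    c = candidate.lower()
    return any(fnmatchcase(c, e.lower()) for e in entries)


def load_firewall_config(ports_text, hosts_text, peers_text, one_way):
    return {
        "one_way": one_way,
        "ports": parse_ports(ports_text),
        "hosts": parse_hosts(hosts_text, one_way),
        "peers": parse_peers(peers_text, one_way),
    }


# Constructed sample input, taken from this page's two-way and one-way samples.
PORTS_SAMPLE = "8600-8619\n8650-8659\n8800\n"
HOSTS_TWO_WAY = "aquila.company.com\nperseus.company.com\n192.168.*\n*.remote.company.com\n"
PEERS_ONE_WAY = ("computer1.company.com @@PASSIVE@@\n"
                 "computer2.company.com computer2.company.com\n")

if __name__ == "__main__":
    cfg = load_firewall_config(PORTS_SAMPLE, HOSTS_TWO_WAY, HOSTS_TWO_WAY, one_way=False)
    print(len(cfg["ports"]), "ports;", host_matches("node7.remote.company.com", cfg["hosts"]))
    one = load_firewall_config(PORTS_SAMPLE, "aquila.company.com\n", PEERS_ONE_WAY, one_way=True)
    print(one["peers"])
```

Run it against the real files before recycling services: a wildcard that slips into a one-way configuration, or an unparseable address, is rejected here rather than discovered as a tunnel that never comes up.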
In a one-way firewall these ports must be configured as outbound ports, as follows:
When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the client(s), as depicted in the diagram on the right, with the CommServe and the MediaAgent(s) on the secure/friendly side and the clients on the hostile side, the following ports must be opened:
[port table not reproduced]
Conversely, when the CommServe and the MediaAgent(s) are on the hostile side and the clients on the secure/friendly side, the following ports must be opened:
[port table not reproduced]
When the MediaAgent(s) and client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right, with the CommServe on the secure/friendly side and the clients and the MediaAgent(s) on the hostile side, the following ports must be opened:
[port table not reproduced]
Conversely, when the CommServe is on the hostile side with the clients and MediaAgent(s) on the secure/friendly side, the following ports must be opened:
[port table not reproduced]
The above files can be created and configured automatically during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.
Firewall services for remote clients can be configured using registry keys. You can use Active Directory Group Policy Objects (GPOs) to push the registry keys to many remote client computers at once. This is particularly useful when you have to update the firewall configuration for multiple remote clients, such as Workstation Backup Agents.
The following registry keys provide firewall configuration:
Once you create the above keys on the client computer and recycle the services, the three firewall files FwHosts.txt, FwPorts.txt and FwPeers.txt are created, overwriting any existing firewall configuration; keep a copy of any hand-edited files before pushing the keys.
Port 8401 must be opened on the CommServe (both in one-way or two-way firewall configurations) when the CommCell Console is installed or accessed as follows:
If you intend to use the CommCell Console remotely through a web browser, then in addition to allowing port 8401 through the firewall, ensure that the HTTP service port, typically port 80, is also allowed.
Other than opening the necessary ports, it is NOT necessary to run the Firewall Configuration wizard to create the firewall configuration files for a stand-alone CommCell Console.
If your network administrator allows you to disable or remove the firewall(s) temporarily, try running the backup/restore that way. A run that succeeds without the firewall rules out the other causes of failure and pinpoints the problem in the firewall subsystem; re-enable the firewall as soon as the test is complete.
Contact your software provider for assistance if all of the above verification succeeds and you still experience failures during data protection or data recovery operations.
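Before asking for the firewall to be switched off, it is usually quicker to establish from the client side whether the required ports are actually reachable, and how they fail: a connection that is refused means the packet reached the far host and nothing was listening (or the firewall rejects rather than drops), whereas a connection that silently times out is the usual signature of a firewall dropping the SYN. The following probe is an added example, not a vendor utility; the default port list (8400, 8401 and the sample ranges from this page) and the verdict wording are my assumptions, and the loopback listener exists only so the script can demonstrate both outcomes offline.

```python
"""Client-side TCP reachability check for the CommCell ports. Added example,
not vendor tooling; port defaults and verdict rules are assumptions."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

DEFAULT_SPECS = ["8400", "8401", "8600-8619", "8650-8659", "8800"]  # assumed list


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port.
    'open'    : handshake completed, so the path is allowed and a service listens.
    'refused' : RST came back; the host is reachable but nothing listens, or the
                firewall rejects (not drops) the connection.
    'timeout' : no reply at all, the typical sign of a silently dropping firewall.
    'error:N' : any other socket error, by errno."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def expand_ports(specs):
    """['8400', '8600-8619'] -> [8400, 8600, ..., 8619]"""
    ports = []
    for spec in specs:
        lo, _, hi = spec.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def check_ports(host, specs, timeout=3.0, workers=16):
    """Probe every port in specs in parallel; returns {port: state}."""
    ports = expand_ports(specs)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def verdict(results):
    """Turn probe results into the next troubleshooting step."""
    states = set(results.values())
    if not states:
        return "no ports checked"
    if states == {"open"}:
        return "all ports reachable: look beyond the firewall"
    if "timeout" in states:
        bad = sorted(p for p, s in results.items() if s == "timeout")
        return f"silently dropped ports {bad}: a firewall rule or route is missing"
    if "refused" in states:
        bad = sorted(p for p, s in results.items() if s == "refused")
        return f"ports {bad} reachable but nothing listening: check that the services are running"
    return "connect errors: " + ", ".join(sorted(states))


def demo_listener():
    """Loopback listener on an ephemeral port, for offline demonstration only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port that nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # real use: host [port-specs...]
        host, specs = sys.argv[1], sys.argv[2:] or DEFAULT_SPECS
        res = check_ports(host, specs)
    else:                                         # offline demonstration
        srv, open_port = demo_listener()
        host, res = "127.0.0.1", check_ports("127.0.0.1", [str(open_port), str(free_port())])
        srv.close()
    for port in sorted(res):
        print(f"{host}:{port} {res[port]}")
    print(verdict(res))
```

Run it from the hostile side toward the CommServe or MediaAgent, and again in the other direction for a two-way firewall; the two runs show which direction and which ports the firewall is blocking, which is more useful to the administrator than "backups fail".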
The following section describes the firewall settings in NOKIA CHECKPOINT 4.1 (with SP5).
ADD_TCP_TIMEOUT(port,timeout)
where port is the TCP service port and timeout is the desired idle timeout in seconds.
For example, to open ports 9500 through 9503 with a timeout of 30 minutes (1800 seconds), you must have the following entries:
ADD_TCP_TIMEOUT(9500,1800),
ADD_TCP_TIMEOUT(9501,1800),
ADD_TCP_TIMEOUT(9502,1800),
ADD_TCP_TIMEOUT(9503,1800),
See Firewall Considerations - NAT Server for information on connecting CommCell to a NAT server across the firewall.
The following notes apply to firewall configuration:
The Bull Calypso Communications Service (GxCVD) uses port 8400 by default. If you use a non-default port, open the corresponding port in the firewall. You can specify a non-default port number for GxCVD in the following ways:
The ports used by Bull Calypso services must not be used for other purposes. Verify the existing service port assignments on each computer before choosing a port for the firewall configuration.
CommCell computers interacting with one another across a firewall need not all use the same ports. Consider the following:
In a firewall configuration, if the client computer has multiple instances of the Agent software installed, then each instance must be configured with a distinct IP address and hostname, to be uniquely identified by the CommServe.
It is NOT necessary to stop the services if you want to add or modify only the host names/IP addresses of computers separated by a firewall.
If more than one client in the CommCell resolves to the same IP address, the following configuration ensures unique client identification within the CommCell:
Firewall configuration for the client is defined during installation. After installation, you can use the Firewall Configuration wizard to set up the firewall configuration. For step-by-step instructions, see Firewall Considerations - How To.
This information is provided in the Communication Interface Name dialog during installation. If the clients are not uniquely identified, you will have to reinstall the client with the appropriate firewall settings. See Installation.
The application firewall can be used to block rogue sessions from other CommCell components. It also provides options to block undesired connections from local as well as remote computers.
When a remote client is force-deleted from the CommServe, the services on that client remain active, and the client can still initiate sessions. Communications from such unauthorized clients degrade the performance of the software, especially as they grow in number. CommCell clients can be configured to block such connections. Session blacklisting works as follows:
The software validates every incoming connection; if it identifies an unauthorized connection, the IP address of the computer that initiated the session is added to a session blacklist. Any subsequent connection from a blacklisted address is denied immediately, without validation. The list is built dynamically on each client. Because the list is keyed by source IP address, clients that share an address (for example behind a NAT device) are blocked together. Optionally, the blacklisted clients can also be recorded in a log file; when enabled, the log file is created at <Software_Installation_Path>/Log Files/Blacklist.log and can be used to review which clients have been blacklisted.
To enable (or disable) session blacklisting, see Block Unauthorized CommCell Session Connections for step-by-step instructions.
The application firewall also lets you protect your computer from undesired remote connections. The external IP addresses from which connections are to be blocked are stored in a blacklist file, InterfaceBlacklist.txt, created in the <Software_Installation_Path>/Base folder on each client; it can be modified at any time. The feature is not enabled if this file is not present.
To block connections from a remote computer, add the IP address of that computer to the blacklist. When a new connection is initiated, the software consults the blacklist, and if the connection was initiated from a blacklisted external address, the connection is dropped.
For step-by-step instructions to create the external interface blacklist, see Block External Interface Connections.
You can also use the application firewall to protect your computer from undesired connections to local interfaces. The local IP addresses (or host names) on which the application must refuse connections are stored in LocalInterfaceBlacklist.txt. This file is created in the <Software_Installation_Path>/Base folder on each client and can be modified at any time; if modified, the services must be recycled for the changes to take effect. The feature is not enabled if this file is not present or is empty.
When a new connection arrives, the local interface on which it arrived is checked against this list, and if it is found there, the connection is dropped immediately without any further processing.
For step-by-step instructions to create the local interface blacklist, see Block Local Interface Connections.
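The three checks above (local interface blacklist, external interface blacklist, dynamic session blacklisting with Blacklist.log) are easier to reason about as one admission decision per incoming connection. The following model is an added example, not the product's code: the file names follow the page, but the order in which the checks are applied, the use of "is this client still registered" as the stand-in for session validation, and the log line format are my assumptions. The sample inputs are constructed.

```python
"""Model of the application-firewall admission checks described above.
Added example, not product code; check order and validation are assumptions."""
import ipaddress
import os
from datetime import datetime, timezone


def load_list(path):
    """One entry per line; a missing or empty file disables that feature."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def _canon(value):
    """Normalise IP literals (e.g. '2001:DB8::1' and '2001:db8::1' compare
    equal); anything that is not an IP literal is treated as a name."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower()


class AdmissionFilter:
    def __init__(self, local_blacklist, external_blacklist, registered_clients,
                 log_path=None):
        self.local_blacklist = {_canon(e) for e in local_blacklist}      # LocalInterfaceBlacklist.txt
        self.external_blacklist = {_canon(e) for e in external_blacklist}  # InterfaceBlacklist.txt
        self.registered = set(registered_clients)    # stand-in for "known to the CommServe"
        self.session_blacklist = set()               # dynamic, in memory, per client
        self.log_path = log_path                     # e.g. <install>/Log Files/Blacklist.log
        self.log = []                                # same records, kept for inspection
        self.validations = 0                         # sessions that were actually validated

    def admit(self, local_iface, remote_ip, client_name):
        """Decide on one incoming connection. Returns (accepted, reason)."""
        local_iface, remote_ip = _canon(local_iface), _canon(remote_ip)
        # 1. Interface the connection arrived on: dropped with no further processing.
        if local_iface in self.local_blacklist:
            return False, "local interface blacklisted"
        # 2. Remote address listed in InterfaceBlacklist.txt: dropped.
        if remote_ip in self.external_blacklist:
            return False, "external address blacklisted"
        # 3. Address already on the session blacklist: denied without validation.
        if remote_ip in self.session_blacklist:
            return False, "session blacklisted"
        # 4. Validate the session; an unauthorized client gets its address blacklisted.
        self.validations += 1
        if client_name not in self.registered:
            self.session_blacklist.add(remote_ip)
            self._record(remote_ip, client_name)
            return False, "unauthorized client, added to session blacklist"
        return True, "ok"

    def _record(self, remote_ip, client_name):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        line = f"{stamp} blacklisted {remote_ip} (client {client_name})"
        self.log.append(line)
        if self.log_path:                            # optional Blacklist.log
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")


if __name__ == "__main__":
    # Constructed scenario: two registered workstations, one force-deleted laptop.
    fw = AdmissionFilter(local_blacklist=["10.0.0.5"],
                         external_blacklist=["203.0.113.9"],
                         registered_clients={"ws01", "ws02"})
    for args in [("192.0.2.10", "198.51.100.7", "ws01"),     # accepted
                 ("10.0.0.5", "198.51.100.7", "ws01"),       # local interface blacklisted
                 ("192.0.2.10", "203.0.113.9", "ws01"),      # external address blacklisted
                 ("192.0.2.10", "198.51.100.44", "old-lt"),  # unauthorized: blacklisted now
                 ("192.0.2.10", "198.51.100.44", "ws01")]:   # same address: denied unvalidated
        print(args, "->", fw.admit(*args))
    print(fw.log)
```

The last two calls show the property worth knowing before enabling the feature: once an address is on the session blacklist, even a legitimate client name arriving from that address is denied without being looked at, which is the performance win the page describes and also why a shared (NAT) address needs care.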
Windows Firewall, the built-in firewall in Windows operating systems, can be configured to allow CommCell communications by adding the CommCell programs and services to the Windows Firewall exception list. Once the CommCell programs are in the exception list, Windows Firewall allows inbound network connections to those programs. The exceptions must be added on all CommCell computers. Note that a program exception allows the listed program to accept connections on any port; where tighter control is required, restrict the rule to the ports in FwPorts.txt.
CommCell programs and services can be added to the Windows Firewall exception list programmatically using AddFWExclusions.bat. For step-by-step instructions, see Add Exceptions to Windows Firewall. Note that if the firewall configuration is reset on a computer for any reason (for example when the computer is moved from a workgroup to a domain), the exclusions must be added again.