Firewall Considerations



Overview

Port-Based Firewall Considerations

Application-Based Firewall Considerations

Program-Based Firewall Considerations


Overview

Firewalls protect a network by acting as a barrier against unauthorized outside access. They do so by enforcing restrictions on which computers and applications may communicate across them.


Port-Based Firewall Considerations

Typically a firewall divides the network into two parts, broadly referred to as the secure/friendly side and the hostile side. CommCell components can be configured to function across a firewall when the computers hosting these components are located on different sides of the firewall(s).

Configuring CommCell Communications Across Firewalls

The following are the most commonly seen configurations in which the CommCell components are located across a firewall:

  • CommServe and MediaAgent are on the friendly side (also referred to as the safe side), while some or most of the agents are located on the hostile side (also referred to as the public/DMZ side).
  • Conversely, CommServe and MediaAgent are on the hostile side, while some or most of the agents are located on the friendly side.
  • CommServe is on the friendly side, while some or most MediaAgents and agents are on the hostile side. (Some MediaAgents and agents may even be on the same machine.)
  • Conversely, CommServe is on the hostile side, while some or most MediaAgents and agents are located on the friendly side.

Keep in mind that these configurations may in fact involve two firewalls, in which case there are two friendly sides to deal with.

The diagram on the right shows one such example.

For products like ContinuousDataReplicator and Workstation Backup, where the communication is between the CommServe, the destination computer (installed with ContinuousDataReplicator) and the corresponding agents, replace the MediaAgent with the destination computer in the above configurations. The rest of the firewall considerations remain the same. This also applies to MediaAgent Replication and Remote Backup solutions.

CommCell communication across firewall(s) can be configured using the Firewall Configuration wizard.

Firewall services can be configured during the installation of CommCell components, when the installation presents the Firewall Configuration wizard. You can also configure firewall communication, or modify an existing configuration, by running the Firewall Configuration wizard at any later time. See the following procedures for more details:

The system supports both one-way firewalls, where only outbound ports are opened, and two-way firewalls, where a selected set of bi-directional ports is configured. Software and hardware firewalls, including the Microsoft Windows operating system firewall and TCP/IP filtering, are supported.

Two-Way Firewalls

The Firewall Configuration wizard creates three files, FwPeers.txt, FwHosts.txt and FwPorts.txt, and configures the firewall services in on-demand mode, in which the tunnels for control traffic are opened on demand, that is, when needed. This type of configuration is suitable for two-way firewalls, where connections to the ports required by the software can be opened from both sides. Sample contents of these three files in a two-way firewall are given below:

The following table lists the entries in FwHosts.txt and FwPeers.txt for sample scenarios:

Description                                                                 CommServe               MediaAgent   Agents
CommServe and MediaAgent on the friendly side; Agents on the hostile side   Agents                  Agents       CommServe and MediaAgent
CommServe on the friendly side; Agents and MediaAgent on the hostile side   MediaAgent and Agents   CommServe    CommServe

The above files can be automatically created and configured during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.

Port Requirements for Two-Way Firewall

All CommCell computers (CommServe, MediaAgents and clients) require the following port specifications to communicate across firewall(s).

When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the Client(s), as depicted in the diagram on the right:

Component            Port Requirements
CommServe            8400 + 8401 + 1
MediaAgent           GxCVD Port + total number of concurrent restore streams to the MediaAgent + 1
                     (If the data is not multiplexed, this is also equal to the total number of drives attached to the libraries in the MediaAgent + 1.)
Client               GxCVD Port + 1
                     (if the Optimize for Concurrent LAN backups option is selected in the MediaAgent, which is the default setting)
                     GxCVD Port + maximum number of concurrent backup streams from the client + 1
                     (if the Optimize for Concurrent LAN backups option is not selected in the MediaAgent)
NDMP Remote Server   Port 10000, if you have a NAS iDataAgent, NDMP Remote Server and/or NAS filer communicating across the firewall(s).

If you plan to run other concurrent jobs (such as Auxiliary Copy or data recovery operations), you must open additional ports, based on the number of streams used by these jobs.

When the MediaAgent(s) and Client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right:

Component            Port Requirements
CommServe            8400 + 8401 + 1
MediaAgent           GxCVD Port + 1
Client               GxCVD Port + 1

For ContinuousDataReplicator in Unix environments, the client requires an additional port to be open in both directions, from source to destination and back. The port requirement for the client is therefore GxCVD Port + 2 additional ports.

One-Way Firewalls

The system also supports persistent one-way tunnels between the CommCell components. This configuration is useful when the firewall allows programs to open connections in one direction only, e.g., only from the CommServe to the Client but not the other way around. In a one-way firewall, network communications are initiated from the secure/friendly side of the firewall. The firewall host allows both cases, 1-Way Host Reachable and 1-Way Host Not Reachable. In such a scenario, the software opens the necessary tunnel connections as soon as the services are started on the secure side. This way, the clients on the hostile side of the firewall can accept the tunnel connection and use it to forward control and data traffic in both directions.

As explained in the previous sections, the Firewall Configuration wizard creates the three files FwPeers.txt, FwHosts.txt, and FwPorts.txt. Sample contents of these three files in a one-way firewall are given below:

Note that wildcards are not allowed in one-way firewall configurations.


Port Requirements for One-Way Firewall

Note that in a one-way firewall these ports must be configured as outbound ports, as follows:

When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the Client(s), as depicted in the diagram on the right, with the CommServe and the MediaAgent(s) on the secure/friendly side and the clients on the hostile side, the following ports must be opened:

Component    Location               Port Requirements
CommServe    Secure/friendly side   None
MediaAgent   Secure/friendly side   None
Client       Hostile side           GxCVD Port + 1
                                    (if the Optimize for Concurrent LAN backups option is selected in the MediaAgent, which is the default setting)
                                    GxCVD Port + maximum number of concurrent backup streams from the client + 1
                                    (if the Optimize for Concurrent LAN backups option is not selected in the MediaAgent)

Conversely, when the CommServe and the MediaAgent(s) are on the hostile side and the clients on the secure/friendly side, the following ports must be opened:

Component    Location               Port Requirements
CommServe    Hostile side           8400 + 1
MediaAgent   Hostile side           GxCVD Port + number of restore streams + 1
Client       Secure/friendly side   None

When the MediaAgent(s) and Client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right, with the CommServe on the secure/friendly side and the clients and the MediaAgent(s) on the hostile side, the following ports must be opened:

Component    Location               Port Requirements
CommServe    Secure/friendly side   None
MediaAgent   Hostile side           GxCVD Port + 1
Client       Hostile side           GxCVD Port + 1

Conversely, when the CommServe is on the hostile side with the clients and MediaAgent(s) on the secure/friendly side, the following ports must be opened:

Component    Location               Port Requirements
CommServe    Hostile side           GxCVD Port + 1
MediaAgent   Secure/friendly side   None
Client       Secure/friendly side   None

The above files can be automatically created and configured during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.
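A port-count calculator for the two-way and one-way tables above, added here as an example and not part of the original documentation. It assumes that each "+ N" term in a table entry means N further ports in addition to the named port (so "GxCVD Port + 1" is 2 ports and "8400 + 8401 + 1" is 3); whether those ports must be contiguous is not stated on the page, and the function names are this example's own.

```python
# Added example, not part of the original documentation: a port-count
# calculator for the two-way and one-way tables above. It assumes that each
# "+ N" term in a table entry means N further ports in addition to the named
# port, so "GxCVD Port + 1" is 2 ports and "8400 + 8401 + 1" is 3 ports;
# whether those ports must be contiguous is not stated on the page.

def client_ports(optimize_lan_backups=True, backup_streams=0):
    """Client entry shared by all tables: GxCVD Port + 1 with the default
    'Optimize for Concurrent LAN backups' MediaAgent setting, otherwise
    GxCVD Port + maximum concurrent backup streams from the client + 1."""
    return 2 if optimize_lan_backups else 1 + backup_streams + 1

def two_way_port_counts(clients_opposite_commserve, restore_streams=0,
                        backup_streams=0, optimize_lan_backups=True):
    """Ports each component must have open through a two-way firewall.
    clients_opposite_commserve=True: CommServe and MediaAgent on one side,
    clients on the other (first table). False: MediaAgent and clients on
    the same side, CommServe on the other (second table)."""
    if clients_opposite_commserve:
        return {"CommServe": 3,                         # 8400 + 8401 + 1
                "MediaAgent": 1 + restore_streams + 1,  # GxCVD + restore streams + 1
                "Client": client_ports(optimize_lan_backups, backup_streams)}
    return {"CommServe": 3, "MediaAgent": 2, "Client": 2}   # GxCVD Port + 1 each

def one_way_port_counts(clients_with_mediaagent, commserve_secure,
                        restore_streams=0, backup_streams=0,
                        optimize_lan_backups=True):
    """Outbound ports per component for a one-way firewall. Components on
    the secure/friendly side open none; only the hostile side opens ports."""
    if not clients_with_mediaagent:          # CommServe + MediaAgent vs clients
        if commserve_secure:
            return {"CommServe": 0, "MediaAgent": 0,
                    "Client": client_ports(optimize_lan_backups, backup_streams)}
        return {"CommServe": 2,                          # 8400 + 1
                "MediaAgent": 1 + restore_streams + 1,   # GxCVD + restore streams + 1
                "Client": 0}
    if commserve_secure:                     # MediaAgent + clients on hostile side
        return {"CommServe": 0, "MediaAgent": 2, "Client": 2}
    return {"CommServe": 2, "MediaAgent": 0, "Client": 0}  # CommServe: GxCVD Port + 1

if __name__ == "__main__":
    # MediaAgent with 4 restore streams, client sending up to 3 backup streams
    # without the LAN optimisation, behind a two-way firewall.
    print(two_way_port_counts(True, restore_streams=4, backup_streams=3,
                              optimize_lan_backups=False))
```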

Firewall Configuration for Remote Clients

Firewall services for remote clients can be configured using registry keys. You can use Active Directory Group Policy Objects (GPOs) to push the registry keys to multiple remote client computers simultaneously. This is particularly useful when you have to update the firewall configuration of many remote clients, such as Workstation Backup Agents.

The following registry keys provide firewall configuration:

Once you create the above keys on the client computer and recycle the services, the three firewall files FWHosts.txt, FWPorts.txt, and FWPeers.txt are created, overwriting any existing firewall configuration.

Configuring CommCell Console for Access Across Firewalls

Port 8401 must be opened on the CommServe (both in one-way or two-way firewall configurations) when the CommCell Console is installed or accessed as follows:

If you intend to use the CommCell Console remotely through a web browser, then in addition to allowing connections to port 8401 through the firewall, ensure that the HTTP service port, typically port 80, is also allowed through the firewall.

Note that, other than opening the necessary ports, it is NOT necessary to use the Firewall Configuration wizard to create the firewall configuration files for a stand-alone CommCell Console.

Troubleshooting CommCell Communications Across Firewalls

Sample Firewall Settings

The following section describes the firewall settings in NOKIA CHECKPOINT 4.1 (with SP5).

  1. Open the init.def file located in the <firewall install directory>/lib directory.
  2. Stop the firewall services using the fwstop command.
  3. Using a text editor, edit the init.def file.
  4. Add the following command before the line ADD_TCP_TIMEOUT(0,0) for each of the firewall ports that are open:

    ADD_TCP_TIMEOUT(port,timeout)

    where port is the TCP service port and timeout is the desired timeout in seconds.

    For example, to open ports 9500 through 9503 with a timeout value of 30 minutes (1800 seconds), you must have the following entries:

    ADD_TCP_TIMEOUT(9500,1800),
    ADD_TCP_TIMEOUT(9501,1800),
    ADD_TCP_TIMEOUT(9502,1800),
    ADD_TCP_TIMEOUT(9503,1800),

  5. Restart the firewall services using the fwstart command.
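The init.def edit in step 4, as an added example that is neither Check Point's nor Bull Calypso's code: it generates the ADD_TCP_TIMEOUT entries for a port range (timeout given in minutes, converted to the seconds the macro expects) and inserts them before the ADD_TCP_TIMEOUT(0,0) line without duplicating entries that are already there. The init.def fragment is constructed for illustration.

```python
# Added example, not Check Point's or Bull Calypso's code: generates the
# ADD_TCP_TIMEOUT entries for a port range and inserts them into init.def text
# before the ADD_TCP_TIMEOUT(0,0) line, as step 4 above requires. The trailing
# comma on each entry follows the page's sample entries.
SENTINEL = "ADD_TCP_TIMEOUT(0,0)"

def timeout_entries(first_port, last_port, timeout_minutes):
    """One entry per port in the range; timeout converted from minutes
    to the seconds that ADD_TCP_TIMEOUT expects (30 minutes -> 1800)."""
    seconds = timeout_minutes * 60
    return [f"ADD_TCP_TIMEOUT({port},{seconds}),"
            for port in range(first_port, last_port + 1)]

def add_timeouts(init_def_text, first_port, last_port, timeout_minutes):
    """Return the init.def text with the entries inserted just before the
    sentinel line. Entries already present are not duplicated, so the
    function can be re-run safely; a missing sentinel raises rather than
    appending entries at an unknown position."""
    lines = init_def_text.splitlines()
    try:
        idx = next(i for i, line in enumerate(lines)
                   if line.strip().startswith(SENTINEL))
    except StopIteration:
        raise ValueError(f"{SENTINEL} not found in init.def") from None
    present = {line.strip() for line in lines}
    new = [e for e in timeout_entries(first_port, last_port, timeout_minutes)
           if e not in present]
    return "\n".join(lines[:idx] + new + lines[idx:]) + "\n"

# Constructed init.def fragment for illustration; a real file has far more.
SAMPLE_INIT_DEF = "/* constructed fragment of init.def */\nADD_TCP_TIMEOUT(0,0)\n"

if __name__ == "__main__":
    print(add_timeouts(SAMPLE_INIT_DEF, 9500, 9503, 30))
```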

See Firewall Considerations - NAT Server for information on connecting CommCell to a NAT server across the firewall.


Firewall Considerations

The following section provides information on firewall configuration:

GxCVD Port

Bull Calypso Communications Service (GxCVD) uses port 8400 by default. If you are using a non-default port, you need to open the corresponding port in the firewall. You can specify a non-default port number for GxCVD in the following ways:

The ports used by Bull Calypso services must not be used for other configurations. Verify the service port assignments before using a port for firewall configuration.

Considerations for Two-Way Firewall

All CommCell Computers interacting with one another across a firewall need not necessarily use the same ports. Consider the following:

Considerations for One-Way Firewall

Multi Instancing

In a firewall configuration, if the client computer has multiple instances of the Agent software installed, then each instance must be configured with a distinct IP address and hostname, to be uniquely identified by the CommServe.

General

SRM

Unique Client Identification

If you have more than one client in the CommCell resolving to the same IP address, then the following configuration will ensure unique client identification within the CommCell:


Application-Based Firewall Considerations

The application firewall can be used to block rogue sessions from other CommCell components. It also provides an option to block undesired connections from local as well as remote computers.

Block Unauthorized CommCell Session Connections

When a remote client is force-deleted from the CommServe, the services on that client remain active, so the client is still able to initiate sessions. Communications from such unauthorized clients affect the performance of the software, especially as their number grows. CommCell clients can be configured to block such connections. Session blacklisting works as follows:

The CommCell software validates every incoming connection, and if it identifies an unauthorized connection, the IP address of the client initiating the session is added to a session blacklist. Any subsequent connection from a blacklisted client is immediately denied without verification. This list is created dynamically on each client. Optionally, you can also record the list of blacklisted clients in a log file. When enabled, the log file is created in the following location: <Software_Installation_Path>/Log Files/Blacklist.log. This file can be used to review the list of clients that are blacklisted.

To enable (or disable) session blacklisting, see Block Unauthorized CommCell Session Connections for step-by-step instructions.

Block External Interface Connections

The application firewall allows you to protect your computer from undesired remote connections. The external IP addresses from which connections are to be blocked are stored in a blacklist file, InterfaceBlacklist.txt. This file is created in the <Software_Installation_Path>/Base folder for each client and can be modified at any time. The feature is not enabled if this file is not present.

To block connections from a remote computer, simply add the IP address of the computer to the blacklist. When a new connection is initiated, the software consults the blacklist, and if a connection is found to be initiated from a blacklisted external address, the connection is dropped.

For step-by-step instructions to create the external interface blacklist, see Block External Interface Connections.

Block Local Interface Connections

You can also use the application firewall to protect your computer from undesired connections to local interfaces. The list of local IP addresses (or host names) on which the application must block connections is stored in LocalInterfaceBlacklist.txt. This file is created in the <Software_Installation_Path>/Base folder for each client and can be modified at any time. If it is modified, the services must be recycled for the changes to take effect. The feature is not enabled if this file is not present or is empty.

When there is a new incoming connection, the local interface to which the connection arrived is checked against this list, and if found, the connection is immediately dropped without any further processing.

For step-by-step instructions to create the local interface blacklist, see Block Local Interface Connections.
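A model of the three application firewall checks described above (session blacklisting, the external InterfaceBlacklist.txt and the LocalInterfaceBlacklist.txt), added here as an example and not Bull Calypso's code. The order in which the checks run, the verdict strings, the ConnectionFilter class and all addresses are this example's own; the page does not state in which order the lists are consulted.

```python
# Added example, not Bull Calypso code: a model of the three application
# firewall checks described above (session blacklist, InterfaceBlacklist.txt,
# LocalInterfaceBlacklist.txt) run over constructed connection attempts.
# The check order and the verdict strings are this example's own choices;
# the page does not state in which order the lists are consulted.

def parse_blacklist(text):
    """One address or host name per line. An absent or empty file yields an
    empty set, which leaves that feature disabled, as the page states."""
    return {line.strip() for line in text.splitlines() if line.strip()}

class ConnectionFilter:
    def __init__(self, external_blacklist, local_blacklist, authorized_clients,
                 log_blacklisted=True):
        self.external = external_blacklist      # from InterfaceBlacklist.txt
        self.local = local_blacklist            # from LocalInterfaceBlacklist.txt
        self.authorized = authorized_clients    # clients the CommServe still knows
        self.session_blacklist = set()          # built dynamically on this client
        self.blacklist_log = []                 # stands in for Blacklist.log
        self.log_blacklisted = log_blacklisted

    def check(self, src_ip, local_iface, client_name):
        """Return the verdict for one incoming connection attempt."""
        if local_iface in self.local:           # dropped, no further processing
            return "dropped: local interface blacklisted"
        if src_ip in self.external:             # static external blacklist
            return "dropped: external address blacklisted"
        if src_ip in self.session_blacklist:    # denied without re-validation
            return "denied: session blacklisted"
        if client_name not in self.authorized:  # e.g. a force-deleted client
            self.session_blacklist.add(src_ip)
            if self.log_blacklisted:
                self.blacklist_log.append(f"{src_ip} {client_name}")
            return "denied: unauthorized session, now blacklisted"
        return "accepted"

# Constructed sample files and connection attempts (not real addresses).
EXTERNAL_BLACKLIST = "10.0.0.99\n"        # InterfaceBlacklist.txt contents
LOCAL_BLACKLIST = "192.168.1.5\n"         # LocalInterfaceBlacklist.txt contents

def demo():
    fw = ConnectionFilter(parse_blacklist(EXTERNAL_BLACKLIST),
                          parse_blacklist(LOCAL_BLACKLIST), {"client01"})
    attempts = [("10.0.0.7", "192.168.1.4", "client01"),         # normal client
                ("10.0.0.99", "192.168.1.4", "client01"),        # external blacklist
                ("10.0.0.7", "192.168.1.5", "client01"),         # local blacklist
                ("10.0.0.42", "192.168.1.4", "deleted-client"),  # force-deleted
                ("10.0.0.42", "192.168.1.4", "client01")]        # same IP, now blocked
    return [fw.check(*a) for a in attempts], fw.blacklist_log
```

The last attempt shows the point of the session blacklist: once an IP has been blacklisted, even a valid client name from that address is refused without any further validation.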


Program-Based Firewall Considerations

Windows Firewall, the built-in firewall included in Windows operating systems, can be configured to allow CommCell communications by adding the CommCell programs and services to the Windows Firewall Exceptions list. Once the CommCell programs are added to the Exceptions list, Windows Firewall allows external network connections to the programs in this list. The exceptions must be added to Windows Firewall on all CommCell computers.

CommCell programs and services can be added programmatically to the Windows Firewall Exceptions list using the AddFWExclusions.bat script. For step-by-step instructions, see Add Exceptions to Windows Firewall. Note that if for any reason the firewall configuration is reset on a computer (this can happen, for example, when the computer is moved from a workgroup to a domain), the firewall exclusions must be added again.

