Port-Based Firewall Considerations
Configure or Modify Firewall Settings on Windows Computers
Configure or Modify Firewall Settings on Unix Computers
Configure or Modify Firewall Settings on NetWare Computers
Uninstall Firewall Configuration
Configure Firewall when Non-Default Ports are Used for Services
Application-Based Firewall Considerations
Block Unauthorized CommCell Session Connections
Block External Interface Connections
Block Local Interface Connections
Program-Based Firewall Considerations
Add Exceptions to Windows Firewall
Configure or Modify Firewall Settings on Unix Computers

Before You Begin

Configuration Procedure
1. Run the following program:

   <software installation path>/Base/config_fw
2. Type 1 to continue.

   Firewall services are currently NOT configured.
   Please select one of the options below:
   Your selection: [2]
3. Enter the port range(s), and then press Enter to continue.

   Calypso needs to know which TCP ports of this machine are available for
   connections initiated by machines on the other side of the firewall.
   If this machine is not reachable from the other side of the firewall at all
   (because the FW is one-way and allows only outgoing connections), enter any
   unused port number here (e.g. 8600).

   Currently there are no ports configured. Please enter a single port number
   or a port range (like 8600-8620) to be added to the FW configuration:
   Port range: [8600-8620]
4. Enter the number corresponding to the option you wish to perform.

   What would you like to do:
   1) Add another open port or a range of ports
   2) Delete an existing port or a range of ports
   3) Continue with the firewalled host setup
   Your choice: [3]
5. Enter the host name(s) of the computers that will need to be contacted through a firewall, and then press Enter to continue.

   We need to know which Calypso hosts are located on the other side of the
   firewall, and whether the firewall will allow direct or reverse connections
   to/from those hosts.
   You can specify hosts by either entering their names, IP addresses or name/IP
   wildcards. The wildcards are available only if the firewall is symmetrical,
   i.e. allows opening connections to certain ports both ways.

   Currently there are no firewall hosts configured. Please enter the name or IP
   address of a host on the other side of the firewall. If the firewall is
   symmetrical, you are allowed to use wildcards, i.e. things like 192.168.* or
   *.firewall.company.com:
   Firewalled Host: lavender.company.com

   The following table lists the entries in the FwHosts.txt and FwPeers.txt using sample scenarios:
6. Choose the option associated with the type of firewall configuration, based on the firewall setup in your environment.

   Please specify the type of the firewall separating this machine from
   172.19.61.89.
   1) Two-way (symmetrical) firewall
   2) One-way firewall, 172.19.61.89 is reachable from here
   3) One-way firewall, this machine is reachable from 172.19.61.89
   Your choice: [1]
7. Enter the number corresponding to the option you wish to perform.

   What would you like to do:
   1) Configure another host
   2) Delete an existing host
   3) Continue with the firewall keep-alive setup
   Your choice: [3]
8. If desired, modify the Keep Alive interval and then press Enter to continue, or press Enter to accept the default.

   Please specify Keep Alive interval for Calypso firewall services.
   Many firewalls disconnect idle network connections after some period of time.
   Some of the Calypso services need continuous connections. Calypso keeps such
   connections active by sending periodic "keep-alive" packets.
   Keep-alive interval, minutes [5]
9. To configure advanced firewall settings, type Yes, press Enter, and proceed to the next step. If you do not want to configure advanced firewall settings, type No, press Enter, and skip to step 13 to exit the wizard.

   The Generic part of the Calypso Firewall Config has been completed
   successfully. There are some additional advanced settings that you may want to
   review now. All of them can be customized later by editing the .properties file
   under /etc/CommVaultRegistry/Galaxy/Instance003/Firewall.
   Would you like to review the advanced settings now? [no]
10. To bind the local end of tunnel connections to a specified interface, type Yes, press Enter, and proceed to the next step. If you do not want to bind the local end of tunnel connections to a specified interface, type No, press Enter, and skip the next step.

   Normally Calypso Firewall code doesn't bind the local end of TCP/IP sockets
   when establishing outgoing tunnel connections, relying on the OS to pick the
   correct interface and an arbitrary port automatically.
   Usually this doesn't cause connectivity problems because we require that the
   firewall must allow connections for as long as either source or destination
   socket end is bound to one of the ports in the open range.
   Sometimes, however, on hosts with several NICs it's important to force the OS
   to bind the local socket end to a specific network interface. There is a
   Calypso setting called nBIND_BEFORE_CONNECT_IFACE, which enables this
   behavior. If present, Calypso will bind the local end of tunnel connections
   to the specified interface.
   Would you like to configure nBIND_BEFORE_CONNECT_IFACE? [no]
11. Type the number corresponding to one of the listed network interfaces to use for outgoing tunnel connections through the firewall, and press Enter to continue.

   Please select network interface that should be used for all outgoing tunnel
   connections:
   1) <ip_address>
   Interface number: [1]
12. If desired, modify the Tunnel Initialization interval by typing a number. Press Enter to continue.

   When a tunnel to a destination machine cannot be established because the
   machine is down or is not accepting connections, Calypso will retry the
   connection after some time. Tunnels piercing one-way firewalls are
   PERSISTENT, meaning that Calypso will keep on trying to initialize them
   until success. These attempts can generate a lot of network traffic if a
   central machine (e.g. CommServe) suddenly goes down.
   Here you can adjust the interval (called nTUNNEL_INIT_INTERVAL in the
   registry) between tunnel init attempts.
   Tunnel Init Interval, seconds, [5]
13. Type 6 to exit the wizard.

   Firewall services are currently CONFIGURED.
   Please select one of the options below:
   Your selection: [6]

Post-Configuration
Configure or Modify Firewall Settings on NetWare Computers

Before You Begin

Configuration Procedure
1. Place the software installation disc containing the NetWare packages into the Novell client's disc drive or a mapped disc drive on another computer.

2. Click Next to continue.

3. Select the name of a server to configure.
4. Click the Specify list of machine across the firewall option and then specify the list of hosts separated from this computer by a firewall. Make sure you correctly describe whether the firewall allows two-way communication (but on a limited range of ports), or one-way communication (with either only the remote host being able to make connections to this computer, or vice versa).

   For all one-way firewalls allowing incoming connections, and those one-way firewalls allowing outgoing connections without additional port filtering, skip this step.

   Click Next to continue.
5. Click the Specify list of restricted open ports option and then specify the port range. Add the starting and ending port range and then click Add to place it in the Open Port List. Repeat as needed.

   If the firewall separating this computer from others allows incoming connections, but these connections can be made only on a limited set of ports, then configure the appropriate port range here. For all other scenarios, skip this step. Note that if you do not specify hostname(s) as well as port number(s), then the firewall services will not be configured.

   Click Next to continue.

   The following table lists the entries in the FwHosts.txt and FwPeers.txt using sample scenarios:
6. If desired, modify the Keep Alive interval. Click Next to continue.

7. Optionally, select Advanced Firewall Configuration and specify a local host name interface to use for outgoing tunnel connections through the firewall. Otherwise, the interface and port are automatically selected for you by the OS. Click Next to continue.

8. If desired, modify the Tunnel Initialization interval. Click Next to continue.

9. Click Yes if you want to configure another server, and repeat steps 3 to 8 for that server; or click No to continue.

10. Click Finish to save the changes, or click Back to modify the settings.

11. Click OK and then unload and load the software as directed.
Post-Configuration

If you are configuring the firewall communication on a client for the first time, or if you are changing the range of ports, ensure that the ports specified in step 5 are allowed connections through the firewall.
To uninstall the firewall configuration on Windows and NetWare computers:

To uninstall the firewall configuration on UNIX computers:

<software installation path>/Base/config_fw

<software installation path>/Base/FwPeers.txt

The file contains a list of hosts located on the other side of the firewall. For example, in a 1-way firewall FwPeers.txt may contain entries similar to the following:

190.20.44.73 190.20.44.73
cricket.company.com cricket.company.com

And in a 2-way firewall FwPeers.txt may contain entries similar to the following:

190.20.44.73
cricket.company.com

The ports used by Bull Calypso services (by default, ports 8400, 8401, 8402, and 8403) must not be used for configurations in the FwPort.txt file. Verify the service port assignments before using a port for firewall configurations.

When a port is specified for the peer, in a 1-way firewall FwPeers.txt may contain entries similar to the following:

190.20.44.73 190.20.44.73 8405
cricket.company.com cricket.company.com 8405

And in a 2-way firewall FwPeers.txt may contain entries similar to the following:

190.20.44.73 8405
cricket.company.com 8405
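The following is an added example, not code from the Bull Calypso / Commvault product, that checks the two inputs this page asks you to get right: the open port range typed at config_fw step 3 (or placed in FwPort.txt), which must not overlap the default service ports 8400-8403, and FwPeers.txt entries in the layout of the samples above (host listed twice for a 1-way firewall, once for a 2-way firewall, optional trailing port). The field semantics are inferred only from those samples; the sample FwPeers.txt content, the SAMPLE_FWPEERS name and the function names are constructed for this example and are not part of the product.

```python
"""Sanity-check Calypso-style firewall configuration fragments.

Added example; not Bull Calypso / Commvault code. The FwPeers.txt layout
below is inferred from the samples on this page only (ASSUMPTION).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default Calypso service ports named on this page. The open port range
# given to config_fw / FwPort.txt must not overlap them.
SERVICE_PORTS = frozenset({8400, 8401, 8402, 8403})

# Constructed sample in the layout of the page's FwPeers.txt examples:
# one-way peers repeat the host, two-way peers list it once, a trailing
# number is the optional port. Two lines are deliberately wrong so that
# check_peers() has something to flag.
SAMPLE_FWPEERS = """\
190.20.44.73 190.20.44.73
cricket.company.com cricket.company.com 8405
lavender.company.com 8405
*.firewall.company.com *.firewall.company.com
10.0.0.5 10.0.0.5 8402
"""


@dataclass(frozen=True)
class Peer:
    host: str
    one_way: bool          # host listed twice => one-way firewall
    port: Optional[int]    # optional explicit port (last column)


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse '8600' or '8600-8620' as typed at config_fw step 3."""
    spec = spec.strip()
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def service_port_conflicts(lo: int, hi: int) -> List[int]:
    """Service ports that fall inside the proposed open range [lo, hi]."""
    return sorted(p for p in SERVICE_PORTS if lo <= p <= hi)


def parse_fwpeers(text: str) -> List[Peer]:
    """Read FwPeers.txt lines in the layout shown on this page."""
    peers: List[Peer] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        port = int(fields.pop()) if fields[-1].isdigit() else None
        if len(fields) == 1:
            peers.append(Peer(fields[0], one_way=False, port=port))
        elif len(fields) == 2 and fields[0] == fields[1]:
            peers.append(Peer(fields[0], one_way=True, port=port))
        else:
            raise ValueError(f"unrecognised FwPeers.txt line: {raw!r}")
    return peers


def check_peers(peers: List[Peer]) -> List[str]:
    """Problems to fix before loading the services: wildcards on one-way
    peers (config_fw allows them only for symmetrical firewalls) and
    explicit ports that collide with the Calypso service ports."""
    problems: List[str] = []
    for p in peers:
        if p.one_way and "*" in p.host:
            problems.append(f"{p.host}: wildcard only allowed for a two-way firewall")
        if p.port is not None and p.port in SERVICE_PORTS:
            problems.append(f"{p.host}: port {p.port} is a Calypso service port")
    return problems


if __name__ == "__main__":
    lo, hi = parse_port_range("8600-8620")
    print("open range", lo, hi, "conflicts:", service_port_conflicts(lo, hi))
    print("bad range 8395-8401 conflicts:", service_port_conflicts(8395, 8401))
    for problem in check_peers(parse_fwpeers(SAMPLE_FWPEERS)):
        print("FwPeers.txt:", problem)
```

Run it before unloading and reloading the services. One caveat from the wizard text in step 10: the firewall is expected to pass a connection whenever either the source or the destination socket end is in the open range. A rule that matches on source port alone is satisfied by any process that binds that source port, so on the reachable side write the rule for destination ports in the range and restrict the peer addresses with the host list rather than relying on source-port matching.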
To block an unauthorized CommCell session connection:

To disable session blacklisting, set the registry key value to '0'.

If you do not wish to maintain the log, set the registry key value to '0'.

To block an external interface connection:

To allow connections from a computer, remove the corresponding IP address from InterfaceBlacklist.txt.

To block a local interface connection:

To allow connections from a computer, remove the corresponding IP address from LocalInterfaceBlacklist.txt.

To add program-based exceptions to Windows Firewall: