Firewall configuration provides additional features and functions that can be used to fine-tune CommCell communication and operations. The following sections explain the additional features and their usage.
If you have multiple clients with the same firewall configuration settings, instead of defining the configuration for each client, you can create a Client Group with clients that have the same firewall configuration and define the configuration at the Client Group level.
Use the following steps to configure firewall settings for multiple clients simultaneously:
See Getting Started - Client Computer Groups for the step-by-step procedure.
Use the following steps to configure a client to inherit the firewall settings from the client computer group.
Future firewall changes will be applicable at the client group level.
When Configure Firewall Settings is selected, the firewall configuration of both the client computer and the client group are merged in the client computer.
Follow the steps below to configure multiple connection routes for a client computer:
When configuring firewall on a clustered environment, virtual nodes of a clustered client computer must be configured with the connection route to reach each other across the firewall. Once configured, the virtual nodes communicate across the firewall for all data management operations.
Use the following steps to configure firewall settings:
The configuration is now applicable for the virtual node.
Communication between CommCell components can be automatically encrypted and authenticated through Secure Sockets Layer (SSL), similar to what happens when a web browser opens a secure connection to a URL with the https:// prefix.
Authentication and encryption are done with the help of certificates. The software supports two types of SSL certificates: Built-In certificates and CommCell certificates. Built-In certificates are present on the installation media and are used primarily during installation. CommCell certificates are generated during CommServe install or upgrade and are unique to the CommCell.
Typically the software uses the built-in certificate during installation, and as soon as the newly installed client establishes its first connection with the CommServe, it retrieves the CommCell certificate and uses it for all future SSL exchanges. You can, however, refuse connections backed by the built-in certificates and enforce CommCell certificates only by using the CommCell Lockdown feature. See Enforcing CommCell Specific Certificates for Authentication for more information.
This can be configured using firewall configuration settings in the Client Computer Properties.
Your setup would be one of the following:
Configure the firewall settings. Refer to Firewall (Setup) to review supported firewall types. Identify the type of your firewall and configure the components accordingly.
In this case, you will have to configure firewall settings just to initiate a tunnel connection to enforce HTTPS transport. Configure the components in one of the following ways:
To enable HTTPS communication:
Once a component is configured to receive HTTPS connections only, it will force all incoming tunnel connections to HTTPS by authenticating and setting up encryption in accordance with the HTTPS standard.
This is a more granular approach that involves defining the outgoing route from one component towards the other.
When Calypso proxy is in use, you can use Save As Script (.xml) file generated during the push install to configure firewall settings while performing remote installation on a new client. For more information, see Install Software on Client Using Save As Script.
CommCell environments can be locked down to prevent existing CommCell components from accepting HTTPS tunnel connections backed by a built-in certificate. In this secure Lockdown mode, CommCell components accept/initiate HTTPS connections with CommCell certificates only, as opposed to accepting/initiating HTTPS connections with mutually negotiated built-in or CommCell certificates (favoring the latter). Because a CommCell certificate is unique to the CommCell, its mandatory use provides a high level of security: a connection from outside the CommCell cannot present an accepted certificate and is refused.
CommCell certificates are created during CommServe install/upgrade and are stored in the CommServe database. These certificates can be delivered to the clients either automatically or manually.
To enable CommCell specific certificates for authentication:
When you install a client on a locked down CommCell, you need CommCell certificates to authenticate the installation. The certificates can be exported from the CommServe and delivered to the client.
To export the CommCell certificate:
You can use a portable drive to store the certificates and physically deliver the drive to the new client, or transfer the data electronically.
When you install a client on a locked-down CommServe, the installer asks for the CommCell Certificate during the Firewall Configuration sequence of the installation. In the CommCell Certificate screen, provide the location of the certificates folder. The installer uses this certificate to authenticate the connection to the CommServe during installation. Once the installation is complete, the certificate folder is available in the <software_installation_path/base> folder for further authentication and access.
You can create an application-based firewall to block any rogue sessions from other CommCell Components. You can also block any undesired connections from other local and remote computers.
When a remote client is force deleted from the CommServe, the services on that client remain active. Such a client can still initiate session connections to other CommCell components. Communication from such unauthorized clients degrades the performance of the software, especially as their number grows. CommCell clients can be configured to blacklist and block any such connections using Session Blacklisting.
Session blacklisting works as follows. The CommCell component validates every incoming connection, and if an unauthorized connection is identified, the IP address of the client initiating the session is added to a session blacklist. Any subsequent connection from the blacklisted client is immediately denied without verification. This list is built dynamically on each client. Optionally, you can also record the blacklisted clients in a log file for later reference; this log lists the clients that were denied a connection by this feature. The log file is located at <Software_Installation_Path>/Log Files/blacklist.log.
To block unauthorized CommCell session connections:
To disable session blacklisting, set the registry key value to '0'.
To disable logging, set the registry key value to '0'.
You can protect your computer from undesired remote connections. For each client, create the file InterfaceBlacklist.txt under <Software_Installation_Path>/Base folder and specify the IP addresses of external interface connections that must be blacklisted. When a new connection is initiated, the software consults the Interface Blacklist and drops the connection if it is initiated from a blacklisted external address.
This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.
To block external interface connections:
To allow connections from a computer, remove the corresponding IP address from InterfaceBlacklist.txt.
You can also protect your computer from undesired connections to local interfaces. For each client, create the file LocalInterfaceBlacklist.txt under the <Software_Installation_Path>/Base folder and specify the list of IP addresses or hostnames of local interfaces to which connections must be blocked. When a new incoming connection arrives, the local interface on which it arrived is checked against this list; if it is found, the connection is dropped immediately without any further processing.
This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.
To block a local interface connection:
To allow connections from a computer, remove the corresponding IP address from LocalInterfaceBlacklist.txt.
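The three checks described above (the static InterfaceBlacklist.txt for remote addresses, the static LocalInterfaceBlacklist.txt for local interfaces, and the dynamically built session blacklist with its blacklist.log) can be modelled in a few lines. The following is an added illustration, not Calypso code: the file names and the log location are taken from this page, while the ConnectionGate class, the ordering of the checks, the `log_blacklisted` flag standing in for the registry key (whose name is not on the page), and the sample addresses and client names are assumptions constructed for the example. It uses a temporary directory in place of <Software_Installation_Path>.

```python
import os
import tempfile
from dataclasses import dataclass, field

# File names and log location as named on the page; the folder is a
# temporary stand-in for <Software_Installation_Path>.
INTERFACE_BLACKLIST = "InterfaceBlacklist.txt"
LOCAL_INTERFACE_BLACKLIST = "LocalInterfaceBlacklist.txt"
BLACKLIST_LOG = os.path.join("Log Files", "blacklist.log")


def load_blacklist(path):
    """One address or hostname per line. A missing or empty file means the
    feature is not enabled, which an empty set represents."""
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


@dataclass
class ConnectionGate:
    install_path: str
    authorized_clients: set                     # clients the CommServe still knows
    session_blacklist: set = field(default_factory=set)  # built dynamically
    log_blacklisted: bool = True                # assumed stand-in for the registry toggle

    def __post_init__(self):
        base = os.path.join(self.install_path, "Base")
        self.external_blocked = load_blacklist(os.path.join(base, INTERFACE_BLACKLIST))
        self.local_blocked = load_blacklist(os.path.join(base, LOCAL_INTERFACE_BLACKLIST))

    def check(self, remote_ip, local_iface, client_name):
        """Return (accepted, reason) for one incoming session."""
        # Local interface blacklist: dropped before any further processing.
        if local_iface in self.local_blocked:
            return False, "local interface blacklisted"
        # External interface blacklist: static list of remote addresses.
        if remote_ip in self.external_blocked:
            return False, "external address blacklisted"
        # Session blacklist: a previously unauthorized peer is denied
        # without being validated again.
        if remote_ip in self.session_blacklist:
            return False, "session blacklisted"
        # Validation: a force-deleted client is no longer authorized.
        if client_name not in self.authorized_clients:
            self.session_blacklist.add(remote_ip)
            if self.log_blacklisted:
                log_path = os.path.join(self.install_path, BLACKLIST_LOG)
                os.makedirs(os.path.dirname(log_path), exist_ok=True)
                with open(log_path, "a", encoding="utf-8") as fh:
                    fh.write(f"{remote_ip} {client_name}\n")
            return False, "unauthorized client"
        return True, "accepted"


def demo():
    """Constructed scenario: returns the decision for five connections and
    the lines written to blacklist.log."""
    with tempfile.TemporaryDirectory() as install_path:
        base = os.path.join(install_path, "Base")
        os.makedirs(base)
        with open(os.path.join(base, INTERFACE_BLACKLIST), "w", encoding="utf-8") as fh:
            fh.write("203.0.113.7\n")
        with open(os.path.join(base, LOCAL_INTERFACE_BLACKLIST), "w", encoding="utf-8") as fh:
            fh.write("192.0.2.2\n")
        gate = ConnectionGate(install_path, authorized_clients={"client01"})
        attempts = [
            ("10.0.0.5", "192.0.2.1", "client01"),     # known client, accepted
            ("10.0.0.9", "192.0.2.1", "deleted01"),    # force-deleted client
            ("10.0.0.9", "192.0.2.1", "client01"),     # same address, now blacklisted
            ("203.0.113.7", "192.0.2.1", "client01"),  # external interface blacklist
            ("10.0.0.5", "192.0.2.2", "client01"),     # local interface blacklist
        ]
        decisions = [gate.check(*attempt)[1] for attempt in attempts]
        with open(os.path.join(install_path, BLACKLIST_LOG), encoding="utf-8") as fh:
            logged = fh.read().splitlines()
    return decisions, logged


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The third attempt shows the point of the session blacklist: the address 10.0.0.9 is refused even though it now presents a valid client name, because a blacklisted address is denied before validation. Note that the static lists are read once when the gate is built, which mirrors the requirement to recycle services after editing the files.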
When TCP/IP filtering is enabled on Windows computers, even same-machine connections can be restricted unless they are made on specifically open ports. In situations like this, you can force Calypso to bind all of its services to ports from the list of incoming ports configurable for the client.
To bind all services of a client to open ports:
To register a CommServe Operating Behind Firewall to the CommNet Server:
On the CommCell containing the CommServe, create a placeholder client for the CommNet Server, provide firewall configuration for CommNet Server and CommServe, and save the configuration for CommServe.
On the CommCell containing the CommNet Server, create a placeholder client for CommServe, provide firewall configuration for CommServe and CommNet Server, and save the configuration for CommNet Server.
From the CommNet Browser, register the CommServe to the CommNet Server.
17. If the CommNet Browser is installed as a stand-alone application on a computer that operates across firewall(s) from the CommNet Server and has no other CommServe component installed, specify port number 8403 to allow connection through the firewall.
18. From the CommNet Browser, click on the Setup menu, and click Cell Registration.
19. In the Cell Registration window, click Add CommCell.
20. In the Register CommCell window, specify the CommCell Client name of the CommServe computer. This is also the name of the placeholder client for CommServe you created earlier.
21. Click OK to complete the registration. The software connects to the newly registered CommCell through the firewall configuration defined earlier in the procedure.
Use the following steps to remove the firewall settings for a client computer:
On upgraded CommCells with firewall configuration settings from previous releases, you have the option to continue with the existing settings. Firewall configuration files of clients with software version 7.0 and 8.0 are supported on a CommServe with software version 9.0.
However, we strongly recommend that you revise your settings with configuration options available in this release to take advantage of the additional firewall configuration capabilities. Configuration options available in this release support a wide range of standard and customized firewall scenarios.
When upgrading at the CommServe level, the old firewall files of the CommServe computer will be automatically upgraded to the new configuration available in this release if the following two conditions are met.
If the old firewall files fail to get upgraded, mainly due to hostname wildcards present in the FwPeers.txt firewall file, follow the steps below to perform a manual upgrade of your firewall files.
The firewall configuration files for the CommServe computer are upgraded.
The old firewall files of a client/MediaAgent computer will be automatically upgraded to the new configuration available in this release if the following two conditions are met.
If the old firewall files fail to get upgraded, mainly due to hostname wildcards present in the FwPeers.txt firewall file, follow the steps below to perform a manual upgrade of your firewall files.
For Unix machines, run the config_fw_deprecated command in the opt/<software installation path>/Base/ directory.
You should not delete the FwHosts.txt, FwPorts.txt and FwPeers.txt firewall files on the CommServe and MediaAgent computers until all client computers have been upgraded with the new firewall configuration.
The firewall configuration files for the client/MediaAgent computer are upgraded.