Operating Through a Port-Forwarding Gateway

There are cases where direct connectivity setups do not work. Imagine a situation where the CommServe and MediaAgent are located inside a company’s internal network, and the entire network is exposed to the outside world through a single IP address. Typically this IP address belongs to a firewall/gateway that works as a NAT device for connections from the internal network to the outside.

In scenarios like this, you can set up port forwarding at the gateway to forward incoming connections on specific ports to certain machines on the internal network (on specific ports). You can then configure the client to open a direct connection to the port-forwarder’s IP on a specific port to reach a particular internal server. This creates a custom route from the client to the internally running server(s).

Consider the diagram on the right that illustrates the setup. The following sections explain how to configure the software to operate in this setup.

Review the following considerations before you begin.

Configure the Port-Forwarding Gateway

A port-forwarding gateway sends incoming connections to specific machines on the internal network based on the incoming connection’s destination port number. With reference to our illustration above, the following port-forwarding must be configured on the gateway.

Note that there is no restriction on the internal port numbers. They need not be the same as shown in the illustration. Also, for machines in the internal network, neither the IP addresses nor the names have to be reachable or resolvable from outside.

SETUP CONNECTION TO THE COMMSERVE

This procedure assumes that the CommServe is installed and available behind the gateway. The following steps explain the configurations required to connect to the CommServe before installing the client.

1. From the CommCell Console, right-click the CommServe computer and click Properties.
2. Click the Firewall Configuration tab.
3.
  • Click the Incoming Ports tab.
  • Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to commserve.company.com:440 when the gateway receives them from outside on port 443.
  • Click OK.
4. From the CommCell Console right-click the CommServe computer, click All Tasks, and click Push Firewall Configuration.
5. Click Continue.

The specified configuration is saved.

Install the Client

See Installation for step-by-step installation procedures to install the client.

During installation, provide the gateway information through which the CommServe computer can be reached. The install program communicates with the CommServe using this information. Use one of the following firewall configuration sequences.

Configure the CommServe, MediaAgent and Client

The previous configurations provided a path to reach the CommServe for installation purposes. To enable data protection operations between the two computers, you will have to establish the communication path between them. Perform the following steps to establish the communication route.

1. To configure the CommServe, right-click the CommServe computer from the CommCell Console and click Properties.
2. Click the Firewall Configuration tab.  
3.
  • Click the Incoming Connections tab.
  • Click Add.
4.
  • In the From field, specify the name of the client outside the gateway you just installed.
  • In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted.
  • Click OK.


5.
  • Click the Incoming Ports tab.

    You will see the tunnel port already specified on the CommServe with port number 440.

  • Click OK.


6. From the CommCell Console right-click the CommServe computer and click All Tasks | Push Firewall Configuration.
7. Click Continue.

The CommServe is configured to receive communication from the client.

8. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.

If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

9. To configure the MediaAgent, right-click the MediaAgent computer from the CommCell Console and click Properties.
10. Click the Firewall Configuration tab.  
11. From the Incoming Connections tab, click Add.
12.
  • In the From field, specify the name of the client outside the gateway you just installed.
  • In the State field, specify the status of the connection from the client. Since the connection is restricted through a gateway, select Restricted.
  • Click OK.


13.
  • Click the Incoming Ports tab.
  • Select Listen for tunnel connections on port and enter 440 as the port number. The gateway will forward connections to mediaagent.company.com:440 when the gateway receives them from outside on port 444.
  • Additional Open Ports: For components that handle data transfer (for example, MediaAgent, File System iDataAgent, etc.), you can open and port-forward additional ports on the gateway to speed up the data transport. Note that the additional ports need not be the same on the MediaAgent and on the gateway, since the gateway is able to translate externally visible port numbers to the actual port numbers on the MediaAgent.

    In this screen you configure the range of ports used for listening to additional incoming connections from the clients. How these ports are exposed by the gateway must be defined in the outgoing route from the client towards the MediaAgent. (See Step 21) Specify the range of ports in the Additional open ports area, From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications.

    Review the following recommendations:

    • For MediaAgents involving multi-stream restores, opening additional ports increases the restore performance. The number of open ports should correspond to the number of simultaneously running restore streams.
    • For MediaAgents with Optimize for concurrent LAN backups option enabled, opening the incoming port of the Bull Calypso Communications Service improves the backup performance.
    • For MediaAgents performing SnapProtect operations with Data Replicator snap engine, opening additional ports increases the backup performance.
    • For ContinuousDataReplicator and Workstation Backup destination computers, opening additional incoming ports improves the replication performance.
  • Click OK.

The MediaAgent is now configured to receive communication from the client.

14. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.

If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

15. To configure the Client, right-click the client computer from the CommCell Console and click Properties.
16. Click the Firewall Configuration tab.  
17. From the Incoming Connections tab, click Add.
18.
  • In the From field, specify the name of the CommServe computer behind the gateway.
  • In the State field, specify the status of the connection from the CommServe. Since CommServe does not open connections towards the client, select Blocked.
  • Click OK.


19.
  • Click Add again to specify the MediaAgent connection details.
  • In the From field, specify the name of the MediaAgent computer behind the gateway.
  • In the State field, specify the status of the connection from the MediaAgent. Since the MediaAgent does not open connections towards the client, select Blocked.
  • Click OK.
20.
  • Click the Incoming Ports tab.
  • As the client does not receive incoming connections from the CommServe or MediaAgent, there is no need to select Listen for tunnel connections on port.
  • Click OK.


21.
  • Click the Outgoing Routes tab.
  • Click Add to specify the outgoing connection route from this client towards the CommServe.
22.
  • Select the CommServe name in Remote Group/Client.
  • Select Via Gateway.
  • The Force all data (along with control) traffic into the tunnel option is not required, because this route is not towards the MediaAgent.
  • Enter the Gateway Hostname through which you can reach the CommServe. Referring to our diagram, it is gateway.company.com.
  • Enter the Gateway Tunnel Port through which the CommServe can be reached. Referring to the diagram above, this is port number 443.
  • Click OK.
23.
  • Click Add again to specify the outgoing connection route from this client towards the MediaAgent.
  • Select the MediaAgent in Remote Group/Client.
  • Select Via Gateway.
  • Select Force all data (along with the control) traffic into the tunnel to force the data traffic into the control tunnel. This automatically encrypts the data connection.
  • Enter the Gateway Hostname through which you can reach the MediaAgent. Referring to our diagram, it is gateway.company.com.
  • Enter the Gateway Tunnel Port through which the MediaAgent can be reached. Referring to the diagram above, this is port number 444.
  • Additional destination port mapping: If you configured additional open ports on the MediaAgent (see Step 13), you need to establish a mapping between the open ports on the MediaAgent and the exposed open ports on the gateway to which the client will connect.

    To add destination port mapping, specify the incoming gateway port in GW Port and the mapping destination port in Destination Port. Click Add to add the port mapping. To remove a port from the listing, select the port and click Delete. The ports must be within the range of 1024 - 65000. Ensure that the ports specified here are not used by other applications.

  • Click OK.
24. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration.  
25. Click Continue.

The client is configured to communicate with the CommServe and MediaAgent computers behind the gateway.

26. From the CommCell Console, right-click the client computer and click All Tasks | Check Readiness. The results are displayed in the Client Connectivity dialog box.

If the client computer is not ready, verify your settings with the above recommendations and revise the settings if required.

Connectivity between CommServe, MediaAgent, and the client is now established.
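The procedure above spreads one set of port numbers across three places that must agree: the forwarding table on the gateway, the tunnel and additional ports each internal server listens on (Steps 3 and 13), and the GW Port to Destination Port mappings in the client's outgoing routes (Steps 22 and 23). A mismatch in any one of them is what usually makes Check Readiness fail. The following Python script is an added example, not code from the original documentation or from the product: it models those three views with the hostnames and ports from the illustration (the internal addresses, the additional port numbers 8401/8402 and their external counterparts 9001/9002 are constructed), reports where they disagree, and renders the forwarding table as Linux iptables DNAT rules on the assumption that the gateway is a Linux box; the page does not name the gateway product.

```python
"""Consistency check for the port-forwarding gateway setup described on this page.

Added example (not the product's own tooling). Hostnames follow the page's
illustration; internal addresses and additional port numbers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PORT_MIN, PORT_MAX = 1024, 65000  # range the console enforces for additional ports


@dataclass(frozen=True)
class Forward:
    """One gateway rule: external port -> internal host:port."""
    ext_port: int
    host: str
    int_port: int


@dataclass
class Server:
    """Ports an internal server listens on (its Incoming Ports tab)."""
    name: str
    tunnel_port: int
    extra_ports: set[int] = field(default_factory=set)


@dataclass
class Route:
    """A client's outgoing route via the gateway (its Outgoing Routes tab)."""
    target: str
    gw_host: str
    gw_tunnel_port: int
    port_map: dict[int, int] = field(default_factory=dict)  # GW Port -> Destination Port


def check_setup(forwards, servers, routes):
    """Return a list of problems; an empty list means the three views agree."""
    problems = []
    by_ext = {}
    for f in forwards:
        if f.ext_port in by_ext:
            problems.append(f"gateway port {f.ext_port} is forwarded twice")
        by_ext[f.ext_port] = f
    by_name = {s.name: s for s in servers}

    for s in servers:
        for p in s.extra_ports:
            if not PORT_MIN <= p <= PORT_MAX:
                problems.append(f"{s.name}: additional port {p} outside {PORT_MIN}-{PORT_MAX}")

    for r in routes:
        srv = by_name.get(r.target)
        if srv is None:
            problems.append(f"route to unknown server {r.target}")
            continue
        # The gateway tunnel port the client dials must land on the server's tunnel port.
        f = by_ext.get(r.gw_tunnel_port)
        if f is None or f.host != r.target or f.int_port != srv.tunnel_port:
            problems.append(f"{r.target}: gateway port {r.gw_tunnel_port} "
                            f"does not forward to tunnel port {srv.tunnel_port}")
        # Each GW Port -> Destination Port entry needs a matching forward and an open port.
        for gw_port, dst_port in r.port_map.items():
            f = by_ext.get(gw_port)
            if f is None or f.host != r.target or f.int_port != dst_port:
                problems.append(f"{r.target}: mapping {gw_port}->{dst_port} "
                                "has no matching gateway forward")
            if dst_port not in srv.extra_ports:
                problems.append(f"{r.target}: destination port {dst_port} "
                                "is not an open additional port")
    return problems


def iptables_rules(forwards, addresses, wan_if="eth0"):
    """Render the forwarding table as iptables DNAT rules (assumed Linux gateway)."""
    return [f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {f.ext_port} "
            f"-j DNAT --to-destination {addresses[f.host]}:{f.int_port}"
            for f in forwards]


# Constructed sample matching the page's illustration (external 443/444 -> internal 440).
ADDRESSES = {"commserve.company.com": "10.0.0.10", "mediaagent.company.com": "10.0.0.20"}
FORWARDS = [
    Forward(443, "commserve.company.com", 440),
    Forward(444, "mediaagent.company.com", 440),
    Forward(9001, "mediaagent.company.com", 8401),  # external port differs from internal
    Forward(9002, "mediaagent.company.com", 8402),
]
SERVERS = [
    Server("commserve.company.com", 440),
    Server("mediaagent.company.com", 440, {8401, 8402}),
]
ROUTES = [
    Route("commserve.company.com", "gateway.company.com", 443),
    Route("mediaagent.company.com", "gateway.company.com", 444, {9001: 8401, 9002: 8402}),
]

if __name__ == "__main__":
    for line in iptables_rules(FORWARDS, ADDRESSES):
        print(line)
    print(check_setup(FORWARDS, SERVERS, ROUTES) or "configuration is consistent")
```

Run the script after editing any of the three tabs; an empty problem list means the gateway, the servers and the client describe the same ports. A typical finding is a client mapping that points at an external port the gateway never forwards, or at a destination port that was not added under Additional open ports.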

Security Considerations

Since both the MediaAgent and the CommServe computers are effectively exposed to the outside world through port-forwarded connections, you might want to enable encryption and authentication for the tunnel connections. This can be done in one of the following ways.