Firewall Requirements



The following sections provide information on how to configure CommCell components to communicate across firewall(s).

Overview

Two-Way Firewalls

One-Way Firewalls

Configuring CommCell Console for Access Across Firewalls

Troubleshooting CommCell Communications Across Firewalls

Sample Firewall Settings

General Considerations


Overview

Firewalls provide security to networks by acting as a barrier against unauthorized outside access to the network. Typically a firewall divides the network into two parts, broadly referred to as the secure/friendly side and the hostile side. Firewalls provide security by enforcing the following restrictions on computers and applications communicating across them:

CommCell components can be configured to function across a firewall when computers hosting these components are located on different sides of firewall(s).

The system supports both one-way firewalls - where only outbound ports are opened - and two-way firewalls - where a selected set of bi-directional ports are configured.

The system also supports both software and hardware firewall configurations, including the Microsoft Windows XP firewall and TCP/IP filtering.

Typical Configurations

The following are the most commonly seen configurations in which the CommCell components are located across a firewall:

  • CommServe and MediaAgent are on the friendly side (safe side), while some or most of the agents are located on the hostile side.

    Conversely, CommServe and MediaAgent are on the hostile side (public / DMZ side), while some or most of the agents are located on the friendly side.

  • CommServe is on the friendly side, while some or most MediaAgents and agents are on the hostile side. (Some MediaAgents and agents may even be on the same machine.)

    Conversely, CommServe is on the hostile side, while some or most MediaAgents and agents are located on the friendly side.

Keep in mind, that these configurations may in fact be located behind two firewalls.

The diagram on the right shows one such example.

   

Configuring CommCell Communications Across Firewalls

CommCell communication across firewall(s) can be configured using the Firewall Configuration wizard.

During installation, this wizard will be displayed by the CommServe, MediaAgent or Agent install program, if you choose the option Yes, configure Galaxy firewall services during the installation.

You can also use this wizard to modify an existing configuration or configure firewall communication in a CommCell, if a firewall was installed after installing the components. See the following procedures for more details:


Two-Way Firewalls

The Firewall Configuration wizard creates 3 files, FwPeers.txt, FwHosts.txt and FwPorts.txt, and configures the firewall services in on-demand mode, where the tunnels carrying control traffic are opened only when needed. This type of configuration is suitable for two-way firewalls, where connections to the ports required by the software can be opened from both sides. In such a configuration the contents of these 3 files are as follows:

The following table lists the entries each component makes in its own FwHosts.txt and FwPeers.txt for two sample scenarios:

Scenario                                                                   CommServe              MediaAgent   Agents
CommServe and MediaAgent on the friendly side; Agents on the hostile side  Agents                 Agents       CommServe and MediaAgent
CommServe on the friendly side; Agents and MediaAgent on the hostile side  MediaAgent and Agents  CommServe    CommServe
The above files can be automatically created and configured during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.

Port Requirements

All CommCell computers (CommServe, MediaAgents and clients) require the following port specifications to communicate across firewall(s).

When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the Client(s), as depicted in the diagram on the right:

Component           Port Requirements
CommServe           GxCVD + 8401/80 + 1
MediaAgent          GxCVD + total number of concurrent restore streams to the MediaAgent + 1
                    (If the data is not multiplexed, this is also equal to the total number of drives attached to the libraries in the MediaAgent + 1.)
Client              GxCVD + 1
                    (If the Optimize for Concurrent LAN backups option is selected in the MediaAgent, which is the default setting.)
                    GxCVD + maximum number of concurrent backup streams from the client + 1
                    (If the Optimize for Concurrent LAN backups option is not selected in the MediaAgent.)
NDMP Remote Server  Port 10000, if you have a NAS iDataAgent, NDMP Remote Server and/or NAS filer communicating across firewall(s).

If you plan to run other concurrent jobs (such as Auxiliary Copy or data recovery operations), you must open additional ports, based on the number of streams used by these jobs.

When the MediaAgent(s) and Client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right:

Component           Port Requirements
CommServe           GxCVD + 8401/80 + 1
MediaAgent          8400 + 1
Client              8400 + 1

NOTES

Port 8401 is required when the CommCell Console is remotely accessed. If you intend to use the CommCell Console remotely through a web browser, ensure that the http service port, which is typically port 80, is also allowed connection in the firewall. (See Configuring CommCell Console for Access Across Firewalls for more details.)

All CommCell Computers interacting with one another across a firewall need not necessarily use the same ports. Consider the following:

The total number of ports in use will vary depending on the operations occurring at any given time.


One-Way Firewalls

The system also supports persistent one-way tunnels between the CommCell components. This configuration is useful when the firewall allows programs to open connections in one direction only, e.g., only from the CommServe to the Client, but not the other way around. In such a scenario, the software opens the necessary tunnel connections as soon as the CommServe services are started; the clients on the other side of the firewall accept the tunnel connection and use it to forward control and data traffic in both directions.

As explained in the previous section, the Firewall Configuration wizard creates 3 files, FwPeers.txt, FwHosts.txt and FwPorts.txt. For persistent one-way tunnels, a second column is created in the FwPeers.txt file by duplicating the first column, as shown in the following example:

189.27.271.11 189.27.271.11

189.28.79.91 189.28.79.91

190.20.44.73 190.20.44.73

cricket.company.com cricket.company.com

Note that in such configurations wildcards are not allowed in the FwPeers.txt file.
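The following is an added example, not part of this page and not CommVault's own tooling. It renders FwPeers.txt in either mode (one column for on-demand tunnels, two identical columns for persistent one-way tunnels), refuses wildcards in one-way mode, and validates each peer before it is written, so that an address with an out-of-range octet such as the page's sample 189.27.271.11 is caught before the firewall services are started. The wildcard syntax ("*", as in *.company.com) and whitespace-separated columns are assumptions; the page does not state them.

```python
"""Build and check FwPeers.txt for on-demand (two-way) or persistent one-way tunnels.

Added example; this is not CommVault's own tooling. Assumptions not stated on the page:
wildcard entries use '*' (e.g. '*.company.com') and columns are separated by whitespace.
"""
import ipaddress
import re

# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def classify_peer(entry: str) -> str:
    """Return 'ip', 'hostname' or 'wildcard'; raise ValueError for anything else."""
    if "*" in entry:                       # assumed wildcard syntax
        return "wildcard"
    try:
        ipaddress.ip_address(entry)        # rejects out-of-range octets such as 271
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", entry):    # digits and dots, but not a valid address
        raise ValueError(f"malformed IP address: {entry!r}")
    if HOSTNAME_RE.match(entry):
        return "hostname"
    raise ValueError(f"not an IP address or hostname: {entry!r}")


def is_valid_peer(entry: str) -> bool:
    """True if classify_peer accepts the entry."""
    try:
        classify_peer(entry)
        return True
    except ValueError:
        return False


def build_fwpeers(peers, one_way: bool) -> str:
    """Render FwPeers.txt: one column in on-demand mode, two identical columns in one-way mode."""
    lines = []
    for raw in peers:
        entry = raw.strip()
        if not entry:
            continue
        if classify_peer(entry) == "wildcard" and one_way:
            raise ValueError(f"wildcards are not allowed in one-way mode: {entry!r}")
        lines.append(f"{entry} {entry}" if one_way else entry)
    return "\n".join(lines) + "\n"


def parse_fwpeers(text: str, one_way: bool) -> list:
    """Validate an existing FwPeers.txt against the expected mode and return its peers."""
    peers = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split()
        if not cols:
            continue
        if one_way and (len(cols) != 2 or cols[0] != cols[1]):
            raise ValueError(f"line {lineno}: one-way mode needs two identical columns")
        if not one_way and len(cols) != 1:
            raise ValueError(f"line {lineno}: on-demand mode needs a single column")
        if classify_peer(cols[0]) == "wildcard" and one_way:
            raise ValueError(f"line {lineno}: wildcards are not allowed in one-way mode")
        peers.append(cols[0])
    return peers


if __name__ == "__main__":
    # Constructed peer list, not taken from a real CommCell.
    peers = ["189.28.79.91", "190.20.44.73", "cricket.company.com"]
    print(build_fwpeers(peers, one_way=True), end="")
```

Run parse_fwpeers over the file the wizard produced before switching modes: a one-way file with a single column, or a second column that does not match the first, is rejected rather than silently accepted.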

 

Port Requirements

Note that in a one-way firewall the ports listed below must be configured as outbound ports, that is, for connections initiated from the secure/friendly side toward the listed ports on the hostile side, as follows:

When the CommServe and the MediaAgent(s) are on the opposite side of the firewall from the Client(s), as depicted in the diagram on the right, with the CommServe and the MediaAgent(s) on the secure/friendly side and the clients on the hostile side, the following ports must be opened:

Component    Location              Port Requirements
CommServe    Secure/friendly side  None
MediaAgent   Secure/friendly side  None
Client       Hostile side          GxCVD + 1
                                   (If the Optimize for Concurrent LAN backups option is selected in the MediaAgent, which is the default setting.)
                                   GxCVD + maximum number of concurrent backup streams from the client + 1
                                   (If the Optimize for Concurrent LAN backups option is not selected in the MediaAgent.)

Conversely, when the CommServe and the MediaAgent(s) are on the hostile side and the clients on the secure/friendly side, the following ports must be opened:

Component    Location              Port Requirements
CommServe    Hostile side          GxCVD + 1
MediaAgent   Hostile side          GxCVD + number of restore streams + 1
Client       Secure/friendly side  None

When the MediaAgent(s) and Client(s) are on the same side of the firewall with the CommServe on the opposite side, as depicted in the diagram on the right, with the CommServe on the secure/friendly side and the clients and the MediaAgent(s) on the hostile side, the following ports must be opened:

Component    Location              Port Requirements
CommServe    Secure/friendly side  None
MediaAgent   Hostile side          GxCVD + 1
Client       Hostile side          GxCVD + 1

Conversely, when the CommServe is on the hostile side and the clients and MediaAgent(s) are on the secure/friendly side, the following ports must be opened:

Component    Location              Port Requirements
CommServe    Hostile side          GxCVD + 1
MediaAgent   Secure/friendly side  None
Client       Secure/friendly side  None
The FwPeers.txt, FwHosts.txt and FwPorts.txt files for these configurations can be created and configured automatically during installation or by running the Firewall Configuration wizard. See Configuring CommCell Communications Across Firewalls for more information.

 

Considerations for One-way Firewall


Configuring CommCell Console for Access Across Firewalls

Port 8401 must be opened on the CommServe (both in one-way or two-way firewall configurations) when the CommCell Console is installed or accessed as follows:

If you intend to use the CommCell Console remotely through a web browser, then in addition to allowing connection for port 8401 through the firewall, ensure that the http service port, which is typically port 80, is also allowed connection in the firewall.

Note that other than opening the necessary ports, it is NOT necessary to use the Firewall Configuration Wizard to configure the firewall configuration files for a stand-alone CommCell Console.


Troubleshooting CommCell Communications Across Firewalls


Sample Firewall Settings

The following section describes the firewall settings in Nokia Check Point 4.1 (with SP5).

  1. Locate the init.def file in the <firewall install directory>/lib directory.
  2. Stop the firewall services using the fwstop command.
  3. Open the init.def file in a text editor.
  4. Add the following entry before the line ADD_TCP_TIMEOUT(0,0) for each of the firewall ports that are open:

    ADD_TCP_TIMEOUT(port,timeout)

    Where

    port is the TCP service port

    timeout is the desired timeout in seconds.

    For example, if you want to open the ports 9500 through 9503 with a timeout value of 30 minutes (1800 seconds), you must have the following entries:

    ADD_TCP_TIMEOUT(9500,1800),

    ADD_TCP_TIMEOUT(9501,1800),

    ADD_TCP_TIMEOUT(9502,1800),

    ADD_TCP_TIMEOUT(9503,1800),

  5. Restart the firewall services using the fwstart command.
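The following is an added example that scripts step 4 of the procedure above; it is not Check Point or CommVault code. It inserts one ADD_TCP_TIMEOUT(port,timeout) line per port immediately before the ADD_TCP_TIMEOUT(0,0) line, skips ports that already have an entry so it can be re-run safely, refuses to touch a file in which the (0,0) line is missing or duplicated, and backs the file up before writing. It assumes init.def is plain text and that each added entry ends with a trailing comma, as in the entries shown above; the placeholder line in the constructed fragment is not real init.def content.

```python
"""Insert ADD_TCP_TIMEOUT entries into a Check Point init.def ahead of the ADD_TCP_TIMEOUT(0,0) line.

Added example; not Check Point or CommVault code. Assumes init.def is plain text in which
ADD_TCP_TIMEOUT(0,0) occurs exactly once and each added entry ends with a comma, as on this page.
"""
import re
import shutil
from pathlib import Path

SENTINEL_RE = re.compile(r"^\s*ADD_TCP_TIMEOUT\(\s*0\s*,\s*0\s*\)")
ENTRY_RE = re.compile(r"^\s*ADD_TCP_TIMEOUT\(\s*(\d+)\s*,\s*(\d+)\s*\)")


def timeouts_in(text: str) -> dict:
    """Map each port that already has an ADD_TCP_TIMEOUT entry to its timeout (port 0 excluded)."""
    found = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and int(m.group(1)) != 0:
            found[int(m.group(1))] = int(m.group(2))
    return found


def add_tcp_timeouts(text: str, ports, timeout_seconds: int) -> str:
    """Return text with ADD_TCP_TIMEOUT(port,timeout) lines for the given ports inserted
    before ADD_TCP_TIMEOUT(0,0). Ports already present are skipped, so the call is idempotent."""
    if timeout_seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    lines = text.splitlines()
    sentinel = [i for i, line in enumerate(lines) if SENTINEL_RE.match(line)]
    if len(sentinel) != 1:
        raise ValueError("expected exactly one ADD_TCP_TIMEOUT(0,0) line")
    existing = timeouts_in(text)
    new = []
    for port in sorted(set(ports)):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")
        if port not in existing:
            new.append(f"ADD_TCP_TIMEOUT({port},{timeout_seconds}),")
    idx = sentinel[0]
    lines[idx:idx] = new            # insert just before the (0,0) line
    return "\n".join(lines) + "\n"


def patch_init_def(path, ports, timeout_seconds: int) -> None:
    """Back up init.def to init.def.bak, then rewrite it; run between fwstop and fwstart."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(add_tcp_timeouts(path.read_text(), ports, timeout_seconds))


if __name__ == "__main__":
    # Constructed init.def fragment, not a real file; PLACEHOLDER stands in for the preceding definitions.
    fragment = "PLACEHOLDER\nADD_TCP_TIMEOUT(0,0)\n"
    print(add_tcp_timeouts(fragment, range(9500, 9504), 30 * 60), end="")
```

The port range handed to patch_init_def should be the same range the Firewall Configuration wizard wrote to FwPorts.txt; a timeout shorter than the longest idle period of a backup stream will let the firewall drop the tunnel mid-job.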

See Firewall Considerations - NAT Server for information on connecting CommCell to a NAT server across the firewall.


General Considerations

The following section provides general information on firewall configuration:

GxCVD Port

Galaxy Communications Service (GxCVD) uses port 8400 by default. If you are using another port, you need to open the corresponding port in the firewall. Use the steps described in Configure Firewall Services when Remote Computers use Non-Default Ports. (Note that this operation can be performed on Clients and MediaAgents only; you cannot change the GxCVD port on the CommServe.)

 
