Firewall Configuration - Windows

Table of Contents

Select one of the following options for firewall configuration:

Client/MediaAgent can reach the CommServe

CommServe can reach the Client/MediaAgent

Client/MediaAgent and CommServe can reach each other

CommServe can be Reached through a Port Forwarding Gateway

CommServe can be Reached through a Proxy

Client/MediaAgent can reach the CommServe

Before configuring firewall options, set up the connection to the CommServe as described in the Client Connects to the CommServe (One-Way Firewall) procedure.

Use the following procedure when the Client/MediaAgent can reach the CommServe.

1. Select the Configure Firewall Services option.

Select This machine can open connection to CommServe on tunnel port and click Next to continue.

2. Enter the fully qualified name or the IP address of the CommServe in the CommServe Host Name field. This should be the TCP/IP network name, e.g., computer.company.com.

The CommServe client name is the name of the computer.

Click Next to continue.

  The name of the CommServe client is case sensitive. Specify the name with the correct letter case.
3. Enter the following:
  • The local (NetBIOS) name of the client computer.
  • The TCP/IP host name of the NIC that the client computer must use to communicate with the CommServe Server.

Click Next to continue.

NOTES

  • The default network interface name of the client computer is displayed if the computer has only one network interface. If the computer has multiple network interfaces, enter the interface name that is preferred for communication with the CommServe Server.
  • Do not use spaces when specifying a new name for the Client.
4. In the CommServe HTTP/HTTPS tunnel port number field, specify the incoming port number through which the CommServe receives tunnel connections.

Click Next to continue.

5.
  • If this computer is separated from the CommServe by an HTTP Proxy, provide the following information:

    HTTP Proxy hostname or IP address: Specify the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Specify the port number of the HTTP Proxy through which the CommServe can be reached.

    Click Next to continue.

  • If this computer is not separated from the CommServe by an HTTP Proxy, accept the default values and click Next to continue.
6. Specify the port numbers to be used by the CommVault Communications Service (CVD) and CommVault Client Event Manager (EvMgrc) Services.

Click Next to continue.

NOTES

  • The valid range for the port number is between 1024 and 65000.
  • Ensure that the port numbers specified here are within the valid range and are not used by any other services.
7. If the CommCell is in Lockdown mode, specify the path to the folder in which the CommCell HTTPS certificates are available.

Click Next to continue installation.

  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and steps to export the CommCell Certification.

CommServe can Reach the Client/MediaAgent

Before configuring firewall options, set up the connection to the CommServe as described in the CommServe Connects to the Client (One-Way Firewall) procedure.

Use the following procedure when the CommServe can reach the Client/MediaAgent.

1. Select the Configure Firewall Services option.

Select CommServe can open connection toward this machine and click Next to continue.

2. Enter the name of the computer in the CommServe client name field.

Click Next to continue.

  The name of the CommServe client is case sensitive. Specify the name with the correct letter case.
3. Enter the following:
  • The local (NetBIOS) name of the client computer.
  • The TCP/IP host name of the NIC that the client computer must use to communicate with the CommServe Server.

Click Next to continue.

NOTES

  • The default network interface name of the client computer is displayed if the computer has only one network interface. If the computer has multiple network interfaces, enter the interface name that is preferred for communication with the CommServe Server.
  • Do not use spaces when specifying a new name for the Client.
4. Specify a local port number through which the Client/MediaAgent will receive communication from the CommServe.

Click Next to continue.

5. Specify the port numbers to be used by the CommVault Communications Service (CVD) and CommVault Client Event Manager (EvMgrc) Services.

Click Next to continue.

NOTES

  • The valid range for the port number is between 1024 and 65000.
  • Ensure that the port numbers specified here are within the valid range and are not used by any other services.
6. If the CommCell is in Lockdown mode, specify the path to the folder in which the CommCell HTTPS certificates are available.

Click Next to continue installation.

  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and steps to export the CommCell Certification.

Client/MediaAgent and CommServe can reach each other

Before configuring firewall options, set up the connection to the CommServe as described in the Client and CommServe Connect to each other (Two-Way Firewall) procedure.

Use the following procedure when the Client/MediaAgent and CommServe can reach each other.

1. Select the Configure Firewall Services option.

Select This machine can open connection to CommServe on tunnel port and click Next to continue.

2. Enter the fully qualified name or the IP address of the CommServe in the CommServe Host Name field. This should be the TCP/IP network name, e.g., computer.company.com.

The CommServe client name is the name of the computer.

Click Next to continue.

  The name of the CommServe client is case sensitive. Specify the name with the correct letter case.
3. Enter the following:
  • The local (NetBIOS) name of the client computer.
  • The TCP/IP host name of the NIC that the client computer must use to communicate with the CommServe Server.

Click Next to continue.

NOTES

  • The default network interface name of the client computer is displayed if the computer has only one network interface. If the computer has multiple network interfaces, enter the interface name that is preferred for communication with the CommServe Server.
  • Do not use spaces when specifying a new name for the Client.
4. In the CommServe HTTP/HTTPS tunnel port number field, specify the incoming port number through which the CommServe receives tunnel connections.

Click Next to continue.

5.
  • If this computer is separated from the CommServe by an HTTP Proxy, provide the following information:

    HTTP Proxy hostname or IP address: Specify the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Specify the port number of the HTTP Proxy through which the CommServe can be reached.

    Click Next to continue.

  • If this computer is not separated from the CommServe by an HTTP Proxy, accept the default values and click Next to continue.
6. Specify the port numbers to be used by the CommVault Communications Service (CVD) and CommVault Client Event Manager (EvMgrc) Services.

Click Next to continue.

NOTES

  • The valid range for the port number is between 1024 and 65000.
  • Ensure that the port numbers specified here are within the valid range and are not used by any other services.
7. If the CommCell is in Lockdown mode, specify the path to the folder in which the CommCell HTTPS certificates are available.

Click Next to continue installation.

  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and steps to export the CommCell Certification.

CommServe can be Reached through a Port Forwarding Gateway

Before configuring firewall options, configure the port-forwarding gateway and set up the connection to the CommServe as described in the Operating Through a Port-Forwarding Gateway procedure.

Use the following procedure when the Client/MediaAgent connects to the CommServe through a port forwarding gateway.

1. Select the Configure firewall services option.

Select This machine can open connection to CommServe on tunnel port and click Next to continue.

2. If the CommServe is located behind a port-forwarding gateway, provide the following:
  • Provide the name of the CommServe computer in the CommServe Client Name field. This is a display name to identify the CommServe in the CommCell Console.
  • Provide the hostname of the port-forwarding gateway in the CommServe Host Name field, e.g., gateway.gatewayservices.com.

Click Next to continue.

  The name of the CommServe client is case sensitive. Specify the name with the correct letter case.
3. Enter the following:
  • The local (NetBIOS) name of the client computer.
  • The TCP/IP host name of the NIC that the client computer must use to communicate with the CommServe Server.

NOTES

  • The default network interface name of the client computer is displayed if the computer has only one network interface. If the computer has multiple network interfaces, enter the interface name that is preferred for communication with the CommServe Server.
  • Do not use spaces when specifying a new name for the Client.

Click Next to continue.

4. In the CommServe HTTP/HTTPS tunnel port number field, provide the incoming port number on the port-forwarding gateway through which the CommServe computer can be reached.

Click Next to continue.

5.
  • If this computer is separated from the CommServe by an HTTP Proxy, provide the following information:

    HTTP Proxy hostname or IP address: Specify the hostname or IP address of the HTTP Proxy through which the CommServe can be reached.

    HTTP Proxy port number: Specify the port number of the HTTP Proxy through which the CommServe can be reached.

    Click Next to continue.

  • If this computer is not separated from the CommServe by an HTTP Proxy, accept the default values and click Next to continue.
6. Specify the port numbers to be used by the CommVault Communications Service (CVD) and CommVault Client Event Manager (EvMgrc) Services.

Click Next to continue.

NOTES

  • The valid range for the port number is between 1024 and 65000.
  • Ensure that the port numbers specified here are within the valid range and are not used by any other services.
7. If the CommCell is in Lockdown mode, specify the path to the folder in which the CommCell HTTPS certificates are available.

Click Next to continue installation.

  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and steps to export the CommCell Certification.

CommServe can be Reached through a Proxy

Before configuring firewall options, set up the Simpana proxy as described in the Operating Through a DMZ Using Simpana Proxy procedure.

Use the following procedure when the client/MediaAgent connects to the CommServe through a proxy.

1. Select the Configure Firewall Services option.

Select the CommServe is reachable only through a proxy option and click Next to continue.

2. Enter the name of the computer in the CommServe client name field.

Click Next to continue.

  The name of the CommServe client is case sensitive. Specify the name with the correct letter case.
3. Enter the following:
  • The local (NetBIOS) name of the client computer.
  • The TCP/IP host name of the NIC that the client computer must use to communicate with the CommServe Server.

NOTES

  • Do not use spaces when specifying a new name for the Client.
  • The default network interface name of the client computer is displayed if the computer has only one network interface. If the computer has multiple network interfaces, enter the interface name that is preferred for communication with the CommServe Server.
  • If a component has already been installed, this screen will not be displayed; instead, the install program will use the same name as previously specified.

Click Next to continue.

4. Provide the following information:
  • In the Proxy HTTP/HTTPS tunnel port number field, provide the tunnel port on which the proxy is expecting connections to the CommServe. If the proxy is behind a port-forwarding gateway, then provide the port number of the port-forwarding gateway to reach the CommServe.
  • In the Proxy hostname or IP address field, specify the hostname of the proxy through which the CommServe can be reached. If the proxy is behind a port-forwarding gateway, then provide the host name or the IP address of the port-forwarding gateway.
  • In the Proxy client name field, specify the client name of the Simpana proxy.
      The name of the proxy client is case sensitive. Specify the name with the correct letter case.

Click Next to continue.

5. Provide the details of the proxy computer:
  • HTTP Proxy hostname or IP address: Specify the hostname or IP address through which the CommServe can be reached.
  • HTTP Proxy port number: Specify the port number through which the CommServe can be reached.

Click Next to continue.

6. Specify the port numbers to be used by the CommVault Communications Service (CVD) and CommVault Client Event Manager (EvMgrc) Services.

Click Next to continue.

NOTES

  • The valid range for the port number is between 1024 and 65000.
  • Ensure that the port numbers specified here are within the valid range and are not used by any other services.
7. If the CommCell is in Lockdown mode, specify the path to the folder in which the CommCell HTTPS certificates are available.

Click Next to continue installation.

  See Enforcing CommCell Specific Certificates for Authentication for more information on the Lockdown feature and steps to export the CommCell Certification.
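
The port checks that the CVD/EvMgrc step in each procedure above asks for (within 1024 to 65000, not used by any other service) plus a reachability test of the tunnel port, as an added PowerShell example that is not part of the vendor's documentation. The host name, tunnel port and service ports are constructed placeholders, and the script assumes Windows 8/Server 2012 or later, where Get-NetTCPConnection and Test-NetConnection are available.

```powershell
# Pre-flight check for the installer's port prompts (added example, not vendor code).
# All values below are constructed placeholders; substitute the ones you plan to enter.
$CommServeHost = 'computer.company.com'   # host name format used in the procedure
$TunnelPort    = 443                      # placeholder tunnel port
$ServicePorts  = [ordered]@{ CVD = 20400; EvMgrc = 20402 }   # placeholder service ports

function Test-ServicePort {
    param([string]$Name, [int]$Port)
    $result = [pscustomobject]@{
        Service = $Name; Port = $Port; InRange = $false; Free = $false; Owner = $null
    }
    # Valid range stated in the procedure: 1024 to 65000.
    $result.InRange = ($Port -ge 1024 -and $Port -le 65000)
    # The port counts as free only if no local TCP listener already holds it.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($listener) {
        $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
        $result.Owner = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id))" }
                        else { "PID $($listener.OwningProcess)" }
    } else {
        $result.Free = $true
    }
    $result
}

$report = foreach ($entry in $ServicePorts.GetEnumerator()) {
    Test-ServicePort -Name $entry.Key -Port $entry.Value
}
$report | Format-Table -AutoSize

# The two services must not be given the same port.
$duplicates = $ServicePorts.Values | Group-Object | Where-Object Count -gt 1
if ($duplicates) { Write-Warning "Duplicate port assigned: $($duplicates.Name -join ', ')" }

# Outbound reachability of the tunnel port, for procedures where this machine opens the connection.
$tunnel = Test-NetConnection -ComputerName $CommServeHost -Port $TunnelPort -WarningAction SilentlyContinue
if (-not $tunnel.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${CommServeHost}:$TunnelPort; check the firewall rule, gateway or proxy path."
}

if ($report | Where-Object { -not ($_.InRange -and $_.Free) }) {
    Write-Warning 'A service port is out of range or already in use; choose another before running the installer.'
}
```

Run it on the client before starting the installer; for the gateway and proxy procedures, set $CommServeHost and $TunnelPort to the gateway or proxy values entered in the wizard.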