Firewall


Overview

Configuring Multiple Clients Simultaneously

Inherit the Firewall Configuration from the Client Group

Configuring Multiple Connection Routes

Configuring a Clustered Environment

Configuring CommCell Components to Use HTTPS

Prerequisite

Method 1: Configure a Component to Accept HTTPS Only

Method 2: Enable HTTPS Between two Components

Configuring Firewall Using Save As Script

Enforcing CommCell Specific Certificates for Authentication

Enabling CommCell Specific Certificates

Installing on a Locked Down CommCell

Setting up Application-Based Firewall

Block Unauthorized CommCell Session Connections

Block External Interface Connections

Block Local Interface Connections

Binding Services to Open Ports

Registering a CommServe to a CommNet Server

Configure the CommServe (CommCell Console)

Configure the CommNet Server (CommCell Console)

Register the CommServe (CommNet Browser)

Removing Firewall Configuration

Upgrade Considerations

CommServe Upgrade

Client/MediaAgent Upgrade

Overview

Firewall configuration provides additional features and functions that can be used to fine-tune CommCell communication and operations. The following sections explain the additional features and their usage.

Configuring Multiple Clients Simultaneously

If you have multiple clients with the same firewall configuration settings, instead of defining the configuration for each client, you can create a Client Group with clients that have the same firewall configuration and define the configuration at the Client Group level.

Use the following steps to configure firewall settings for multiple clients simultaneously:

  1. From the CommCell Console, create a Client Computer Group with clients that have the same firewall configuration.

    See Getting Started - Client Computer Groups for the step-by-step procedure.

  2. Right-click the newly-created client group and click Properties.
  3. In the Firewall Configuration tab, provide the necessary details in the Incoming Connections, Incoming Routes, Outgoing Connections, and Options tabs as discussed in the procedures of the Firewall (Setup) page.
  4. Right-click the client group, click All Tasks, and click Push Firewall Configuration. The configuration is now applicable for all the clients. You can verify the new firewall configuration on each client computer.

Inherit the Firewall Configuration from the Client Group

Use the following steps to configure a client to inherit the firewall settings from the client computer group.

  1. From the CommCell Console, right-click the client computer and click Properties.
  2. In the Firewall Configuration tab, ensure the Configure Firewall Settings option is not selected.
  3. Click OK.

    Future firewall changes will be applicable at the client group level.

  When Configure Firewall Settings is selected, the firewall configurations of the client computer and the client group are merged on the client computer.

Configuring Multiple Connection Routes

You can define the following routes for a client group or client computer:
  • Multiple proxy connections
  • A direct connection (where the client connects to the CommServe)

It is recommended to configure both proxy and direct routes for a client computer because:

  • whenever the client is outside the network, the CommServe uses the proxy connection to reach the client.
  • if the client is moved inside the network, the client uses the direct connection to reach the CommServe.

The diagram on the right depicts this setup.

Follow the steps below to configure multiple connection routes for a client computer:

  1. Create a proxy connection as described in Operating through a DMZ using Simpana Proxy. This step can be repeated as needed to add additional proxy connections for the client.
  2. Create a direct connection as described in Client Connects to the CommServe.

Configuring a Clustered Environment

When configuring the firewall in a clustered environment, the virtual nodes of a clustered client computer must be configured with the connection route needed to reach each other across the firewall. Once configured, the virtual nodes communicate across the firewall for all data management operations.

Use the following steps to configure firewall settings:

  1. From the CommCell Console, right-click the virtual node to configure and click Properties.
  2. In the Firewall Configuration tab, provide the necessary details in the Incoming Connections, Incoming Routes, Outgoing Connections, and Options tabs as discussed in the procedures of the Firewall (Setup) page.
  3. Right-click the physical node, click All Tasks, and click Push Firewall Configuration. Repeat this step for all physical nodes of the cluster.

    The configuration is now applicable for the virtual node.

Configuring CommCell Components to Use HTTPS

Communication between CommCell components can be automatically encrypted and authenticated through Secure Sockets Layer (SSL), similar to what happens when a web browser opens a secure connection to a URL with the https:// prefix.

Certificate for Authentication

Authentication and encryption are done with the help of certificates. The software supports two types of SSL certificates: Built-In certificates and CommCell certificates. Built-In certificates are present on the installation media and are used primarily during installation. CommCell certificates are generated during CommServe install or upgrade and are unique to the CommCell.

Typically the software uses the built-in certificate during installation, and as soon as the newly installed client establishes its first connection with the CommServe, it retrieves the CommCell certificate and uses it for all future SSL exchanges. You can, however, refuse connections backed by the built-in certificates and enforce CommCell certificates only by using the CommCell Lockdown feature. See Enforcing CommCell Specific Certificates for Authentication for more information.

Prerequisite

HTTPS communication is configured using the firewall configuration settings in the Client Computer Properties.

Your setup would be one of the following:

To enable HTTPS communication:

Method 1: Configure a Component to Accept HTTPS Only

Once a component is configured to receive HTTPS connections only, it will force all incoming tunnel connections to HTTPS by authenticating and setting up encryption in accordance with the HTTPS standard.

  1. From the CommCell Console, right-click the client computer and click Properties.
  2. In the Client Computer Properties window, click the Firewall Configuration tab.
  3. Click the Options tab, and for Incoming Tunnel Protocol select Allow only HTTPS.
  4. From the CommCell Console, right-click the client computer, and click All Tasks | Push Firewall Configuration. The configuration is saved.
  5. Repeat the above configuration for all components.

Method 2: Enable HTTPS Between two Components

This is a more granular approach that involves defining the outgoing route from one component towards the other.

  1. From the CommCell Console, right-click the client computer and click Properties.
  2. In the Client Computer Properties window, click the Firewall Configuration tab.
  3. Click the Outgoing Routes tab, select the remote client in Remote Group/Client, and then click Edit.
  4. In the Route Settings window, for Tunnel Connection Protocol select HTTPS.
  5. From the CommCell Console, right-click the client computer and click All Tasks | Push Firewall Configuration. The configuration is saved.
  6. Repeat the above configuration for all outgoing routes, on all components.

Configuring Firewall Using Save As Script

When a Simpana proxy is in use, you can use the Save As Script (.xml) file generated during the push install to configure firewall settings while performing a remote installation on a new client. For more information, see Install Software on Client Using Save As Script.

Enforcing CommCell Specific Certificates for Authentication

CommCell environments can be locked down to prevent existing CommCell components from accepting HTTPS tunnel connections backed by a built-in certificate. In this secure Lockdown mode, CommCell components accept and initiate HTTPS connections with CommCell certificates only, instead of accepting or initiating HTTPS connections with mutually negotiated built-in or CommCell certificates (favoring the latter). Because the built-in certificate ships on the installation media while CommCell certificates are unique to the CommCell, the mandatory use of CommCell certificates provides a high level of security against connections from outside the CommCell, which can present only a built-in certificate.

CommCell certificates are created during CommServe install/upgrade and are stored in the CommServe database. These certificates can be delivered to the clients either automatically or manually.

Enabling CommCell Specific Certificates

To enable CommCell specific certificates for authentication:

  1. From the CommCell Console, right-click the CommServe computer and click Properties.
  2. In the CommCell Properties window, click the Firewall Configuration tab.
  3. Click the Options tab and select Lock down CommCell.
  4. Click OK to save the changes.
  5. Repeat the process for other CommCell components such as MediaAgents and other clients.

Installing on a Locked Down CommCell

When you install a client on a locked down CommCell, you need CommCell certificates to authenticate the installation. The certificates can be exported from the CommServe and delivered to the client.

Export the CommCell Certificate

To export the CommCell certificate:

  1. From the CommCell Console, right-click the CommServe computer and click All Tasks | Export Firewall Certificate.
  2. In the Export Location window, specify the location to store the certificate.
  3. Click OK to export the certificate.

You can use a portable drive to store the certificates and physically deliver the drive to the new client, or transfer the data electronically.

Provide the Certificate During Installation

When you install to a locked down CommServe, the installer asks for the CommCell Certificate during the Firewall Configuration sequence of the installation. In the CommCell Certificate screen, provide the location of the certificates folder. The installer uses this certificate to authenticate the connection to the CommServe during installation. Once the installation is complete, the certificate folder is available in the <Software_Installation_Path>/Base folder for further authentication and access.

Setting up Application-Based Firewall

You can create an application-based firewall to block any rogue sessions from other CommCell Components. You can also block any undesired connections from other local and remote computers.

Block Unauthorized CommCell Session Connections

When a remote client is force deleted from the CommServe, the services on that client remain active. Such a client can still initiate session connections to other CommCell components. Communications from such unauthorized clients affect the performance of the software, especially as they grow in number. CommCell clients can be configured to blacklist and block such connections using Session Blacklisting.

Session blacklisting works as follows. Every incoming connection is validated; if an unauthorized connection is identified, the IP address of the client that initiated the session is added to a session blacklist. Any subsequent connection from a blacklisted client is immediately denied without validation. This list is created dynamically on each client. Optionally, you can also record the blacklisted clients in a log file for later reference, so that you can review which clients were denied connections by this feature. The log file is located at <Software_Installation_Path>/Log Files/blacklist.log.

To block unauthorized CommCell session connections:

  1. To enable blacklisting, create the nEnableSessionBlacklist registry key and set the value to '1'. When this registry key is set to '1', unauthorized CommCell sessions are identified and blocked.

    To disable session blacklisting, set the registry key value to '0'.

  2. To maintain a log file containing the list of blacklisted clients, create the nEnableSessionBlacklistLogging registry key and set the value to '1'.

    To disable logging, set the registry key value to '0'.
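The following is an added illustration of the session-blacklisting behaviour just described; it is not Commvault code. A validator callback stands in for the CommCell's own session validation, the two flags stand in for the nEnableSessionBlacklist and nEnableSessionBlacklistLogging registry keys, and the client names, addresses and log line format are constructed assumptions.

```python
"""Model of session blacklisting: the first rejected session from an address
puts that address on an in-memory blacklist, and every later attempt from it
is refused without running the validator again.  Added illustration, not
Commvault code; validator, flags, names and log format are assumptions."""
import datetime
import pathlib
import tempfile


class SessionBlacklist:
    def __init__(self, validator, enabled=True, logging=False, log_path=None):
        self.validator = validator   # callable(client_name, ip) -> bool
        self.enabled = enabled       # stands in for nEnableSessionBlacklist == 1
        self.logging = logging       # stands in for nEnableSessionBlacklistLogging == 1
        self.log_path = pathlib.Path(log_path) if log_path else None
        self.blocked = {}            # ip -> client name seen on first denial
        self.validations = 0         # full validations actually performed

    def _log(self, ip, client_name):
        """Append one line per newly blacklisted address (like blacklist.log)."""
        if self.logging and self.log_path:
            stamp = datetime.datetime.now(datetime.timezone.utc)
            with self.log_path.open("a", encoding="utf-8") as fh:
                fh.write(f"{stamp:%Y-%m-%d %H:%M:%S} blacklisted {ip} ({client_name})\n")

    def admit(self, client_name, ip):
        """Return 'accepted', 'denied' (validated and rejected) or
        'blacklisted' (refused from the list without validation)."""
        if self.enabled and ip in self.blocked:
            return "blacklisted"
        self.validations += 1
        if self.validator(client_name, ip):
            return "accepted"
        if self.enabled:
            self.blocked[ip] = client_name
            self._log(ip, client_name)
        return "denied"


def demo(log_dir=None):
    """Constructed scenario: fileserver01 is still registered with the
    CommServe; orphan07 was force deleted but its services keep running."""
    registered = {"fileserver01": "10.0.5.20"}   # constructed sample data

    def validator(name, ip):
        return registered.get(name) == ip

    log_path = pathlib.Path(log_dir or tempfile.mkdtemp()) / "blacklist.log"
    sb = SessionBlacklist(validator, enabled=True, logging=True, log_path=log_path)
    attempts = [("fileserver01", "10.0.5.20"), ("orphan07", "10.0.5.77"),
                ("orphan07", "10.0.5.77"), ("orphan07", "10.0.5.77"),
                ("fileserver01", "10.0.5.20")]
    results = [sb.admit(name, ip) for name, ip in attempts]
    return results, sb.validations, log_path.read_text(encoding="utf-8")


if __name__ == "__main__":
    print(demo())
```

Only the first session from the deleted client costs a full validation; the log records that address once, which is what the optional blacklist.log gives you to review.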

Block External Interface Connections

You can protect your computer from undesired remote connections. For each client, create the file InterfaceBlacklist.txt in the <Software_Installation_Path>/Base folder and list the IP addresses of the external interfaces whose connections must be blacklisted. When a new connection is initiated, the software consults the Interface Blacklist and drops the connection if it was initiated from a blacklisted external address.

This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.

To block external interface connections:

  1. Stop all services on the computer.
  2. In the <Software_Installation_Path>/Base folder, create a text file InterfaceBlacklist.txt.
  3. Add the IP addresses of the external computers from which you wish to block connections, one IP address per line. Note that wildcard characters are not supported. For example, an entry like 172.19.*.* cannot be resolved.

    To allow connections from a computer, remove the corresponding IP address from InterfaceBlacklist.txt.

  4. Connections from IP addresses listed in the InterfaceBlacklist.txt file are blocked.

Block Local Interface Connections

You can also protect your computer from undesired connections to local interfaces. For each client, create the file LocalInterfaceBlacklist.txt in the <Software_Installation_Path>/Base folder and list the IP addresses or hostnames of the local interfaces to which connections must be blocked. When a new incoming connection arrives, the local interface it arrived on is checked against this list; if it is found, the connection is dropped immediately without any further processing.

This file can be modified at any time; you must recycle the services for the changes to take effect. The feature is not enabled if this file is not present, or empty.

To block a local interface connection:

  1. Stop all services on the computer.
  2. In the <Software_Installation_Path>/Base folder, create a text file LocalInterfaceBlacklist.txt.
  3. Add the IP addresses (or host names) of the local interfaces to which connections must be blocked, one IP address (or hostname) per line. Note that wildcard characters are not supported. For example, an entry like 172.19.*.* cannot be resolved.

    To allow connections to a local interface again, remove the corresponding IP address (or hostname) from LocalInterfaceBlacklist.txt.

  4. Connections to the local interfaces listed in the LocalInterfaceBlacklist.txt file are blocked.
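As an added illustration (not Commvault code) of the two blacklist files described in the preceding sections, the loader below reads InterfaceBlacklist.txt and LocalInterfaceBlacklist.txt in the documented format (one address, or for the local list a hostname, per line; wildcards cannot be resolved; a missing or empty file leaves the feature off) and applies both checks to a connection. How the product treats blank lines, surrounding whitespace and wildcard entries is not documented, so that handling, the sample file contents and the addresses are assumptions.

```python
"""Loader and connection check for InterfaceBlacklist.txt (external source
addresses) and LocalInterfaceBlacklist.txt (local interfaces by IP or
hostname).  Added illustration, not Commvault code: blank-line, whitespace
and wildcard handling, the sample files and addresses are assumptions."""
import ipaddress
import pathlib
import tempfile

def _normalise(value):
    """Canonical text for an IP address, lower-case for a hostname."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower()

def load_blacklist(path, allow_hostnames=False):
    """Return (entries, rejected).  entries is the set of usable addresses or
    hostnames; rejected holds lines that cannot be resolved (wildcards, or
    non-address text in the external list).  An absent or empty file gives an
    empty set, which means the check is not enabled."""
    p = pathlib.Path(path)
    if not p.is_file():
        return set(), []
    entries, rejected = set(), []
    for raw in p.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line:
            continue
        is_ip = True
        try:
            ipaddress.ip_address(line)
        except ValueError:
            is_ip = False
        if is_ip or (allow_hostnames and not any(c in line for c in "*?")):
            entries.add(_normalise(line))
        else:
            rejected.append(line)
    return entries, rejected

def check_connection(remote_ip, local_iface, external_list, local_list):
    """Apply both checks to one incoming connection: drop it if the source
    address is in InterfaceBlacklist.txt, or if the local interface it
    arrived on (IP or hostname) is in LocalInterfaceBlacklist.txt."""
    if _normalise(remote_ip) in external_list:
        return "drop: external address blacklisted"
    if _normalise(local_iface) in local_list:
        return "drop: local interface blacklisted"
    return "accept"

def demo(base_dir=None):
    """Write constructed blacklist files into a scratch Base folder and
    evaluate a few constructed connections against them."""
    base = pathlib.Path(base_dir or tempfile.mkdtemp())
    (base / "InterfaceBlacklist.txt").write_text(
        "203.0.113.9\n\n172.19.*.*\n198.51.100.4 \n", encoding="utf-8")
    (base / "LocalInterfaceBlacklist.txt").write_text(
        "192.0.2.10\nMGMT-NIC.corp.example\n", encoding="utf-8")
    ext, ext_bad = load_blacklist(base / "InterfaceBlacklist.txt")
    loc, loc_bad = load_blacklist(base / "LocalInterfaceBlacklist.txt",
                                  allow_hostnames=True)
    verdicts = {
        "normal": check_connection("10.0.5.20", "10.0.5.1", ext, loc),
        "ext_listed": check_connection("203.0.113.9", "10.0.5.1", ext, loc),
        "ext_trailing_space": check_connection("198.51.100.4", "10.0.5.1", ext, loc),
        "local_ip": check_connection("10.0.5.20", "192.0.2.10", ext, loc),
        "local_host": check_connection("10.0.5.20", "mgmt-nic.corp.example", ext, loc),
        "wildcard_range": check_connection("172.19.4.4", "10.0.5.1", ext, loc),
    }
    return verdicts, ext_bad, loc_bad
```

The wildcard line is reported as rejected rather than silently ignored, so an operator can see that 172.19.0.0/16 is not actually being blocked.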

Binding Services to Open Ports

When TCP/IP filtering is enabled on Windows computers, even same-machine connections can be restricted unless they are made on specifically open ports. In situations like this, you can force Simpana to bind all of its services to ports from the list of incoming ports configurable for the client.

To bind all services of a client to open ports:

  1. From the CommCell Console, right-click the client/MediaAgent/CommServe and click Properties.
  2. In the Client Computer Properties window, select the Firewall Configuration tab.
  3. In the Options tab, select Bind all Services to open ports only.
  4. Click OK to save the changes.

Registering a CommServe to a CommNet Server

You can register a CommServe that is operating behind a firewall to a CommNet Server.

When two CommCell components operate across a firewall, the firewall specifications are provided in the client properties of the components from the CommCell Console. When registering a CommServe to a CommNet Server, the CommServe is not present in the same CommCell, so you have to create a placeholder client to represent the component for firewall configuration.

The diagram on the right depicts this setup and solution.

The following sections describe the required configuration.

To register a CommServe operating behind a firewall to the CommNet Server:

Configure the CommServe (CommCell Console)

On the CommCell containing the CommServe, create a placeholder client for the CommNet Server, provide firewall configuration for CommNet Server and CommServe, and save the configuration for CommServe.

  1. From the CommCell Console, right-click the client computer node, and click New Client.
  2. In the Add New Client window, select Windows and click OK.
  3. In the Windows Client Creation window, enter the Client Name and the Host Name of the CommNet Server computer on the other side of the firewall, and click OK.

    Ensure that you provide the correct client name, as the firewall program uses the client name to establish the connection to the CommCell.

    A placeholder client for the CommNet Server is created in the CommServe.

  4. Right-click the newly created CommNet Server client, and then click Properties.
  5. In the Firewall Configuration tab, provide details in the Incoming Connections, Incoming Ports, Outgoing Routes, and Options tabs. Verify the details in the Summary tab, and click OK.

    The options you provide in the firewall configuration tabs are based on the firewall setup that separates the two computers.

  6. Right-click the CommServe computer, and then click Properties.
  7. In the Firewall Configuration tab, provide details in the Incoming Connections, Incoming Ports, Outgoing Routes, and Options tabs. Verify the details in the Summary tab, and click OK.
  8. Right-click the CommServe computer, click All Tasks, and then click Push Firewall Configuration.

    The firewall configuration between the two computers is saved.

Configure the CommNet Server (CommCell Console)

On the CommCell containing the CommNet Server, create a placeholder client for CommServe, provide firewall configuration for CommServe and CommNet Server, and save the configuration for CommNet Server.

  9. From the CommCell Console, right-click the client computer node, and click New Client.
  10. In the Add New Client window, select Windows and click OK.
  11. In the Windows Client Creation window, enter the Client Name and the Host Name of the CommServe computer on the other side of the firewall, and click OK.

    Ensure that you provide the correct client name, as the firewall program uses the client name to establish the connection to the CommCell.

    A placeholder client for the CommServe is created in the CommCell containing the CommNet Server.

  12. Right-click the newly created CommServe client, and then click Properties.
  13. In the Firewall Configuration tab, provide details in the Incoming Connections, Incoming Ports, Outgoing Routes, and Options tabs. Verify the details in the Summary tab, and click OK.

    The options you provide in the firewall configuration tabs are based on the firewall setup that separates the two computers.

  14. Right-click the CommNet Server computer, and then click Properties.
  15. In the Firewall Configuration tab, provide details in the Incoming Connections, Incoming Ports, Outgoing Routes, and Options tabs. Verify the details in the Summary tab, and click OK.
  16. Right-click the CommNet Server computer, click All Tasks, and then click Push Firewall Configuration.

    The firewall configuration between the two computers is saved.

Register the CommServe (CommNet Browser)

From the CommNet Browser, register the CommServe to the CommNet Server.

  17. If the CommNet Browser is installed as a stand-alone application on a computer that operates across firewall(s) from the CommNet Server and has no other CommServe component installed, specify port number 8403 to allow the connection through the firewall.
  18. From the CommNet Browser, click the Setup menu, and click Cell Registration.
  19. In the Cell Registration window, click Add CommCell.
  20. In the Register CommCell window, specify the CommCell Client name of the CommServe computer. This is also the name of the placeholder client for the CommServe that you created earlier.
  21. Click OK to complete the registration.

The software connects to the newly registered CommCell through the firewall configuration defined earlier in the procedure.

Removing Firewall Configuration

Use the following steps to remove the firewall settings for a client computer:

  1. From the CommCell Browser, right-click the client and click Properties.
  2. Click the Firewall Configuration tab.
  3. Verify if the client computer has any incoming connection from other clients or client groups. If found, write down the name of the client.
  4. Clear the Configure Firewall Settings option and click OK.
  5. Right-click the client and then click All Tasks | Push Firewall Configuration.
  6. If incoming connections were found, navigate to the client(s) found in Step 3 and do the following for each of them:

Upgrade Considerations

On upgraded CommCells with firewall configuration settings from previous releases, you have the option to continue with the existing settings. Firewall configuration files of clients with software version 7.0 and 8.0 are supported on a CommServe with software version 9.0.

However, we strongly recommend that you revise your settings with configuration options available in this release to take advantage of the additional firewall configuration capabilities. Configuration options available in this release support a wide range of standard and customized firewall scenarios.

CommServe Upgrade

When upgrading at the CommServe level, the old firewall files of the CommServe computer will be automatically upgraded to the new configuration available in this release if the following two conditions are met.

  1. The IP address or hostname defined in the FwHosts.txt and FwPeers.txt firewall files literally matches the host name of the client computer as recorded in the CommServe database.
  2. The IP address or hostname defined in the FwHosts.txt and FwPeers.txt firewall files resolves to the same IP address as the one in the existing Data Interface Pairs (DIP).

If the old firewall files fail to get upgraded, mainly due to hostname wildcards present in the FwPeers.txt firewall file, follow the steps below to perform a manual upgrade of your firewall files.

  1. Upgrade the CommServe computer. See Upgrade the CommServe for more information.
  2. Configure the firewall settings by following the procedures explained in the Firewall (Setup) page.
  3. Restart the services on the CommServe.
  4. Run the FirewallConfigDeprecated.exe tool located in the <software installation path>/Base/ folder on the CommServe and remove the old firewall configuration files.

The firewall configuration files for the CommServe computer are upgraded.

Client/MediaAgent Upgrade

The old firewall files of a client/MediaAgent computer will be automatically upgraded to the new configuration available in this release if the following two conditions are met.

  1. The IP address or hostname defined in the FwHosts.txt and FwPeers.txt firewall files literally matches the host name of the client computer as recorded in the CommServe database.
  2. The IP address or hostname defined in the FwHosts.txt and FwPeers.txt firewall files resolves to the same IP address as the one in the existing Data Interface Pairs (DIP).

If the old firewall files fail to get upgraded, mainly due to hostname wildcards present in the FwPeers.txt firewall file, follow the steps below to perform a manual upgrade of your firewall files.
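The following is an added pre-check (not Commvault's FirewallConfigDeprecated tool) for the two automatic-upgrade conditions stated above, which apply equally to the CommServe and to client/MediaAgent upgrades. It assumes that FwHosts.txt and FwPeers.txt are read as one host entry per line (the page does not document their layout), that the host names recorded in the CommServe database and the Data Interface Pair addresses are supplied as Python sets, and that name resolution is injected so the check runs offline; all sample data is constructed.

```python
"""Evaluate each FwHosts.txt / FwPeers.txt entry against the two conditions
for automatic upgrade: a literal match with the host name recorded in the
CommServe database, and resolution to an address already in the client's
Data Interface Pairs.  Wildcard entries are flagged as needing the manual
procedure.  Added illustration; file layout, inputs and resolver are assumed."""
import ipaddress


def classify_entry(entry, db_hostnames, dip_ips, resolve):
    """Return 'ok' when both conditions hold, otherwise the failing reason."""
    if any(ch in entry for ch in "*?"):
        return "wildcard: manual upgrade required"
    # Condition 1: literal match (case included) with the host name that the
    # CommServe database records for the client.
    if entry not in db_hostnames:
        return "name mismatch: not the host name recorded in the CommServe database"
    # Condition 2: the entry must resolve to an address that already appears
    # in the existing Data Interface Pairs (an IP literal resolves to itself).
    try:
        ipaddress.ip_address(entry)
        resolved = entry
    except ValueError:
        try:
            resolved = resolve(entry)
        except OSError:
            return "unresolvable: name does not resolve"
    if resolved not in dip_ips:
        return "ip mismatch: resolves to an address not in the existing DIP"
    return "ok"


def check_files(fwhosts_text, fwpeers_text, db_hostnames, dip_ips, resolve):
    """Classify every non-blank entry of both files, keyed by (file, entry)."""
    results = {}
    for fname, text in (("FwHosts.txt", fwhosts_text), ("FwPeers.txt", fwpeers_text)):
        for line in text.splitlines():
            line = line.strip()
            if line:
                results[(fname, line)] = classify_entry(line, db_hostnames, dip_ips, resolve)
    return results


def auto_upgrade_possible(results):
    """True only when every entry passed; otherwise plan the manual steps."""
    return all(v == "ok" for v in results.values())


def demo():
    """Constructed CommCell: hosts recorded in the database, DIP addresses
    on 10.0.5.0/24, and a stub resolver standing in for DNS."""
    db_hostnames = {"fs01.corp.example", "fs02.corp.example", "10.0.5.30"}
    dip_ips = {"10.0.5.20", "10.0.5.30"}
    table = {"fs01.corp.example": "10.0.5.20", "fs02.corp.example": "10.0.5.99"}

    def resolve(name):
        if name not in table:
            raise OSError(f"no record for {name}")
        return table[name]

    fwhosts = "fs01.corp.example\n10.0.5.30\nFS01.corp.example\n"
    fwpeers = "fs02.corp.example\n*.corp.example\n"
    results = check_files(fwhosts, fwpeers, db_hostnames, dip_ips, resolve)
    return results, auto_upgrade_possible(results)
```

Run it against the real files before the upgrade window so that wildcard and mismatched entries are known in advance rather than discovered when the automatic conversion fails.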

  1. Upgrade the client/MediaAgent computer. See Upgrade software on clients for more information.
  2. Configure firewall settings for the CommServe, MediaAgent and client computers by following the procedures explained in the Firewall (Setup) page. If you need to configure multiple client computers, see Configuring Multiple Clients Simultaneously.
  3. Restart the services on the client/MediaAgent.
  4. Run the FirewallConfigDeprecated.exe tool located in the <software installation path>/Base/ folder on the CommServe and MediaAgent computers, and remove the client computer's name from the old firewall configuration files.

    For Unix machines, run the config_fw_deprecated command in the opt/<software installation path>/Base/ directory.

    You should not delete the FwHosts.txt, FwPorts.txt and FwPeers.txt firewall files on the CommServe and MediaAgent computers until all client computers have been upgraded with the new firewall configuration.

The firewall configuration files for the client/MediaAgent computer are upgraded.
