Network Routes

You can configure network routes within the Commvault software in order to block unauthorized access to and provide security for networked computing and communications resources.

You can configure the following types of network routes from the CommCell Console:

  • Direct connections using port tunnels

  • Port-forwarding gateways

  • The perimeter network (also called a DMZ) using a Commvault network gateway

  • HTTP proxies (including WiFi connections)

  • Combinations of these


  • Client names used in Commvault network configurations are case-sensitive and must match the names of clients as they appear in the CommCell Console.

  • Before configuring network routes, open all of the required ports on all networking equipment and software, including firewalls and other network components.

  • Before configuring network routes, exclude Commvault processes from any third-party firewall appliance's packet inspection. Also, ensure that HTTPS inspection or intrusion detection is bypassed, as it can disrupt the Commvault tunnel traffic.

Key Features

Commvault supports the following types of network configurations and communication methods:

  • Centralized configuration from the CommCell Console, for an individual client or for defined groups of clients.

  • Predefined network topologies that simplify setting up connectivity between client groups through Commvault network routes or through a network gateway group.

  • Opening additional ports for data transfer, to improve backup and restore performance.

  • Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address, through support for network address translation (NAT). Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports configured on a port-forwarding gateway.

  • Support for Commvault network gateway configurations. The software supports placing a Commvault agent in a perimeter network, and configuring network routes to allow connections from inside and outside networks into the perimeter network only.

  • HTTPS encryption in the tunnels. The Commvault software supports HTTPS encapsulation in all tunnel connections, which protects all data in transit by using the TLS 1.2 protocol with the TLS-RSA-AES256-CBC-SHA cipher suite. After a successful authentication, and based on the configuration, HTTPS traffic can be encrypted with the TLS-RSA-AES256-CBC-SHA cipher suite; however, if you want to save CPU cycles, you can set up connections using plain text.

  • Tunnel authentication using a CommCell-specific certificate:

    • When data is transmitted using HTTPS, all tunnel connections are both encrypted and authenticated.

    • CommCell hosts can be locked down to use CommCell-specific certificates for SSL/TLS authentication that is unique for every CommCell deployment.

    • Certificates are encrypted using 2048-bit RSA and 3DES keys.

    • Certificate authorities (CA) are provided through the CommServe host. (External CAs are not supported.)