Network Routes

You can configure network routes within the Commvault software to block unauthorized access to, and to secure, networked computing and communications resources.

You can configure the following types of network routes from the CommCell Console:

  • Direct connections using port tunnels

  • Port-forwarding gateways

  • The perimeter network (also called a DMZ) using a Commvault network gateway

  • HTTP proxies (including WiFi connections)

  • Combinations of these

Note

  • Client names used in Commvault network configurations are case-sensitive and must match the names of clients as they appear in the CommCell Console.

  • Before configuring network routes, open all of the required ports on all networking equipment and software, including firewalls and other network components.

  • Before configuring network routes, exclude Commvault processes from any third-party firewall appliance's packet inspection. Also, ensure that HTTPS inspection or intrusion detection is bypassed, as it can disrupt the Commvault tunnel traffic.

  • Federal Information Processing Standard (FIPS) and post-quantum cryptography (PQC) for encrypted network tunnels is supported for CommCell environments using CPR 2024E (11.36) and above. All CommCell components must be on 11.36 or above to support FIPS or PQC mode. For more information, see the blog post Future-Proofing Your Data: Post-Quantum Cryptography and Beyond. To enable PQC, see Enabling Post-Quantum Cryptography.

Key Features

Commvault supports the following types of network configurations and communication methods:

  • Centralized configuration from the CommCell Console, for an individual client or for defined groups of clients.

  • Predefined network topologies that simplify setting up connectivity between client groups through Commvault network routes or through a network gateway group.

  • Opening additional ports for data transfer, to improve backup and restore performance.

  • Support for port-forwarding routers. Multiple CommCell components on the internal network can be exposed to the outside world via a single gateway IP address, through support for network address translation (NAT). Roaming clients can reach specific internal machines by opening tunnel or data connections to specific ports configured on a port-forwarding gateway.

  • Support for Commvault network gateway configurations. The software supports placing a Commvault agent in a perimeter network, and configuring network routes to allow connections from inside and outside networks into the perimeter network only.

  • HTTPS encryption in the tunnels. The Commvault software supports HTTPS encapsulation in all tunnel connections, which protects all data in transit by using the TLS 1.3 protocol with the TLS_AES_256_GCM_SHA384 cipher suite. After successful authentication, and depending on the configuration, HTTPS traffic can be encrypted with the TLS_AES_256_GCM_SHA384 cipher suite; if you want to save CPU cycles, you can instead set up connections using plain text.

  • Tunnel authentication using a CommCell-specific certificate:

    • When data is transmitted using HTTPS, all tunnel connections are both encrypted and authenticated.

    • CommCell hosts can be locked down to use CommCell-specific certificates for SSL/TLS authentication that is unique for every CommCell deployment.

    • Certificates are encrypted using 2048-bit RSA and 3DES keys.

    • Certificate authorities (CA) are provided through the CommServe host. (External CAs are not supported.)
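To confirm that a tunnel endpoint actually negotiates the TLS 1.3 parameters described above, here is an added example (not Commvault's own code): a small Python probe that connects to a host and port you supply, records the negotiated protocol and cipher, and judges them against the documented values. It assumes the endpoint accepts a standard TLS client handshake; the host, port and optional CA file are operator-supplied.

```python
"""Probe a tunnel endpoint and check that it negotiated TLS 1.3 with
TLS_AES_256_GCM_SHA384, the parameters stated in the documentation above.
Added example, not Commvault code; host/port/cafile come from the operator."""
import socket
import ssl
import sys

EXPECTED_VERSION = "TLSv1.3"
EXPECTED_CIPHER = "TLS_AES_256_GCM_SHA384"


def evaluate_handshake(version, cipher):
    """Return (ok, reason) for a negotiated (version, cipher) pair.
    (None, None) means no TLS handshake completed at all. A tunnel that
    fell back to an older protocol or a different suite is reported so it
    can be investigated before backup traffic crosses it."""
    if version is None:
        return False, "endpoint did not complete a TLS handshake (plain-text tunnel?)"
    if version != EXPECTED_VERSION:
        return False, f"expected {EXPECTED_VERSION}, negotiated {version}"
    if cipher != EXPECTED_CIPHER:
        return False, f"expected {EXPECTED_CIPHER}, negotiated {cipher}"
    return True, "tunnel negotiated the documented TLS 1.3 cipher suite"


def probe_endpoint(host, port, timeout=5.0, cafile=None):
    """Open a TLS connection and return the negotiated (version, cipher).
    Without cafile, certificate verification is disabled because the
    CommCell-specific CA is not in the system trust store; pass the CA
    bundle exported from the CommServe host to verify against it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # let the server choose, then judge it
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name, _protocol, _bits = tls.cipher()
                return tls.version(), cipher_name
    except ssl.SSLError:
        return None, None  # handshake refused or not a TLS listener


if __name__ == "__main__":
    # usage: python tunnel_tls_check.py <host> <port> [cafile]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    ok, reason = evaluate_handshake(*probe_endpoint(host, port, cafile=cafile))
    print(("PASS" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```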
