Commvault TCP ports can be statically or dynamically assigned.
Static Ports
Several services used by the software listen for incoming network traffic on predefined network ports. The CommServe computer, MediaAgents, and agents within the CommCell environment communicate with each other through these ports. Essential CommServe computer services are automatically assigned registered, static port numbers during installation. MediaAgents, agents, and other software components can use the same default static port numbers or any static port numbers specified during installation.
For the services listed, Commvault registers the following ports by default:
Note
If there is a firewall between the client and the CommServe computer or MediaAgent, ensure that the tunnel port (default = 8403) is open bidirectionally. The tunnel port is equal to the port number of the CVD plus 3 (for example, if the port number of the CVD is 8400, then the tunnel port equals 8403). In addition, if there are traffic-pattern rules in third-party firewalls, these rules must also be disabled.
Service | Port Number | Protocol |
---|---|---|
Commvault Communications Service (GxCVD, found in all client computers) | 8400 | TCP |
Commvault Server Event Manager (GxEvMgrS, available in CommServe) | 8401 | TCP |
Commvault Firewall (GxFWD, tunnel port for HTTP/HTTPS) | 8403 | TCP |
Note
- For the CommServe computer: The CommServe cvfwd.exe process is hard-coded to bind to port 8403. This is done so that laptop clients can create a tracking tunnel towards the CommServe computer on this port when a firewall is not configured explicitly between the CommServe computer and the client. The laptop clients use this tracking tunnel to inform the CommServe computer about client online messages.
- For CommServe computers using the LiveSync operation for disaster recovery, the production and standby CommServe hosts communicate with each other using port 8408 on the MS SQL client instance. A default topology, Firewall Topology created for failover clients, is created for communication between the production and standby CommServe hosts using port 8408. This topology is created irrespective of the option selected for communication.
- For all other clients: The cvfwd.exe process is hard-coded to bind to a tunnel port. The tunnel port is by default configured to use the port number of the CVD plus 3. For example, if the port number of the CVD is 8400, then the tunnel port equals 8403 (that is, 8400 plus 3). The tunnel port is used for automatic tunneling.
- For automatic tunneling, note the following:
  - Whenever there is a port restriction in place via network address translation (NAT) or firewall, and explicit network routes are not configured, Commvault automatically creates an on-demand tunnel to the destination client as long as the tunnel port (CVD port plus 3) is open bidirectionally between the source and destination clients. Therefore, you do not need to create a two-way network route even when there is a port restriction in place. [Note: The tunnel port (CVD plus 3; default = 8403) should be open bidirectionally.]
  - Automatic tunneling uses the HTTP tunnel protocol. For more information, see the following:
- For information on binding services to static ports, see Binding Services to Static Ports.
Dynamic Ports
While running, Commvault opens and closes dynamic ports to permit certain types of transient traffic. Commvault uses the dynamic port range that is set at the OS level, no matter which OS you are using.
The GxCVD service dynamically uses free ports between 49152 and 65535 to communicate during data protection and data recovery jobs. The system dynamically assigns a number of free ports to be used by each job to allow parallel data movement. After the job is finished, if no other job is pending, the dynamic ports are released.
Forcing Commvault Traffic to Use Only the Data Ports as Defined in the Commvault Firewall Rule
Typically, if all data ports are in use, the connectivity application will fall back and bind to any other available port.
To enforce no fallback, and to use only the data ports as defined in the Commvault firewall rule, you can use the nPREBIND_TO_OPEN_PORTS additional setting as shown in the following table.
For information about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.
Additional setting | Category | Type | Value |
---|---|---|---|
nPREBIND_TO_OPEN_PORTS | Firewall | Integer | 0: Do not enforce traffic to use only defined data ports; 1: Enforce traffic to use only defined data ports |
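To check whether the fallback described above is actually happening on a host, the following added example (not Commvault code) labels each listening port by the roles this page defines and reports anything outside the plan. The `Listener` record shape, the data ports 8600-8603 and port 9100 are constructed for illustration.

```python
from collections import namedtuple

# One listening socket owned by a Commvault service (constructed record shape).
Listener = namedtuple("Listener", "service port")


def classify(port, data_ports, cvd_port=8400, other_static=(8401, 8408),
             os_dynamic=(49152, 65535)):
    """Label a listening port using the port roles described on this page."""
    if port == cvd_port or port in other_static:
        return "static"
    if port == cvd_port + 3:          # tunnel port = CVD port + 3
        return "tunnel"
    if port in data_ports:            # ports opened in the Commvault firewall rule
        return "data"
    if os_dynamic[0] <= port <= os_dynamic[1]:
        return "fallback"             # bound to an OS dynamic port instead
    return "unexpected"


def audit(listeners, data_ports, prebind=0, **kw):
    """Return (severity, listener, label) for every port outside the plan.

    prebind mirrors nPREBIND_TO_OPEN_PORTS: with 1, fallback binds should not
    exist at all, so they are reported as violations rather than notes.
    """
    data_ports = set(data_ports)
    findings = []
    for l in listeners:
        label = classify(l.port, data_ports, **kw)
        if label == "fallback":
            findings.append(("violation" if prebind == 1 else "note", l, label))
        elif label == "unexpected":
            findings.append(("review", l, label))
    return findings


# Constructed inventory: data ports 8600-8603 are all busy, so one GxCVD
# socket fell back to 50211; 9100 matches nothing in the plan.
SAMPLE = [Listener("GxCVD", p) for p in (8400, 8600, 8601, 8602, 8603, 50211)]
SAMPLE += [Listener("GxEvMgrS", 8401), Listener("GxFWD", 8403),
           Listener("GxCVD", 9100)]

if __name__ == "__main__":
    for severity, l, label in audit(SAMPLE, range(8600, 8604), prebind=1):
        print(f"{severity}: {l.service} listening on TCP {l.port} ({label})")
```

On a real host, build the listener list from the operating system's socket inventory, filtered to the Commvault services.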
Increasing the Range of Dynamic Ports
If you have a large CommCell environment and you want to increase the range of dynamic ports, log on to the CommServe computer, open the command prompt, and then enter the following command:
netsh int <IP_Version> set dynamicportrange <TransportProtocol> start=<StartNumber> num=<TotalNumber> store=<StoreValue>
Where:
- <IP_Version> is the IP protocol (IPv4 or IPv6)
- <TransportProtocol> is the transport protocol (TCP or UDP)
- <StartNumber> is the starting port number (for example, 10000)
- <TotalNumber> is the total number of ports (for example, 1000)
- <StoreValue> is active (store until next boot) or persistent (store permanently)
Note
- During new installations of the CommServe computer and the MediaAgent, this command is run automatically to facilitate a larger dynamic port range (depending on the OS version).
- Network TCP port requirements remain the same whether the IPv4 or IPv6 protocol family is used.
- Dynamic port range can be used by a client for internal and external communication.
- Use of dynamic port range by Commvault services may be restricted internally by binding services to open ports. For more information, see Binding Services to Open Ports.
- If use of dynamic ports for external communication is restricted by firewall, see Network Routes for more information.
- During new installations of the CommServe computer and the MediaAgent, this command is run automatically to facilitate a larger dynamic port range (between 33535 and 65535). You do not need to run this command manually.
- If you want to skip the modification of this dynamic TCP port range, see Skipping the Modification in Dynamic Port Range.
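Before changing the range with the netsh command above, it helps to read the current range and confirm the new one is valid and does not swallow the static service ports. This is an added example, not Commvault code; the 1025/255/65535 limits are the Windows limits for this command, the overlap check is an extra precaution, and the sample output is constructed.

```python
import re

# Default static ports listed on this page.
STATIC_PORTS = {8400: "GxCVD", 8401: "GxEvMgrS", 8403: "GxFWD tunnel", 8408: "LiveSync"}


def parse_dynamic_range(netsh_output):
    """Parse en-US `netsh int ipv4 show dynamicport tcp` output -> (start, num)."""
    start = re.search(r"Start Port\s*:\s*(\d+)", netsh_output)
    num = re.search(r"Number of Ports\s*:\s*(\d+)", netsh_output)
    if not (start and num):
        raise ValueError("unrecognised netsh output")
    return int(start.group(1)), int(num.group(1))


def check_range(start, num, static=STATIC_PORTS):
    """Return the problems with a proposed start=/num= pair (empty list = OK)."""
    end = start + num - 1
    # Windows limits for this command (Microsoft documentation, not this page).
    limits = [(start < 1025, f"start {start} is below 1025"),
              (num < 255, f"num {num} is below the minimum of 255"),
              (end > 65535, f"range ends at {end}, above 65535")]
    problems = [msg for bad, msg in limits if bad]
    # Added sanity check: keep the static service ports out of the ephemeral pool.
    problems += [f"range contains static port {p} ({static[p]})"
                 for p in sorted(static) if start <= p <= end]
    return problems


def build_command(ip_version, protocol, start, num, store="active"):
    """Build the page's netsh command, refusing ranges that fail check_range."""
    problems = check_range(start, num)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"netsh int {ip_version} set dynamicportrange {protocol} "
            f"start={start} num={num} store={store}")


# Constructed sample in the format Windows prints (not captured from a host).
SAMPLE_OUTPUT = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""

print(check_range(*parse_dynamic_range(SAMPLE_OUTPUT)))
```

The parser matches English-language netsh output only; localized Windows installations print different field labels.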
Ports Required During Fresh Installation
For ports required during a fresh installation, see "Review Firewall and Network Port Requirements" in Prerequisites for Installations Using the CommCell Console.