Configuring the MediaAgent and Client for One-Way Firewall (CommServe to Client)
After the client is configured to connect to the CommServe computer during the installation, you must establish incoming connectivity details between the CommServe computer, MediaAgent, and the client computer. This configuration is necessary to enable backup and restore operations on the clients.
Note: No additional firewall configurations are needed on the CommServe computer.
During the firewall configuration on the MediaAgent, you will set incoming connections from the client as Blocked.
During the firewall configuration on the client, you will set incoming connections from the CommServe and MediaAgent computers as Restricted.
- Configure the connection from the client to the MediaAgent:
- From the CommCell Browser, open Storage Resources > MediaAgents, right-click the MediaAgent computer, then click Properties.
- On the Firewall Configuration tab, select Configure Firewall Settings, then on the Incoming Connections tab, click Add.
- From the From list, select the name of the client you just installed.
- From the State list, select BLOCKED, since the client does not open a tunnel connection to the MediaAgent.
- Click OK two times.
If the firewall does not restrict connections from the client to the MediaAgent, this entry is not required.
- Expand Client Computers, right-click the client in the CommCell Browser, then click Properties and Network.
- Configure the connection from the CommServe computer to the client:
- On the Firewall Configuration > Incoming Connections tab, click Add.
- From the From list, select the name of the CommServe computer.
- In the State list, select RESTRICTED, since the CommServe will connect to the client through a port. (Restricting or Blocking Connections explains the RESTRICTED setting.)
- Click OK.
- Click Add again to specify the MediaAgent connection details:
- In the From list, select the name of the MediaAgent computer.
- In the State list, select RESTRICTED, since the MediaAgent will connect to the client through a port.
- Click OK.
- Set ports over which incoming connections can request a connection:
- Click the Incoming Ports tab.
- In the Listen for tunnel connections on port box, set the port number for the firewall to allow connections from the CommServe and the MediaAgent.
- Click OK.
- In the CommCell Browser, under Client Computers, right-click the client name, then click All Tasks > Push Firewall Configuration.
- Click Continue to dismiss the warning.
- Click OK.
The client is now configured to communicate with the CommServe and MediaAgent.
In the CommCell Console, right-click the client computer name, then click All Tasks > Check Readiness. Confirm the results shown in the Client Connectivity dialog box.
If the client computer does not pass the readiness check, verify your settings against the above recommendations and revise them as required. If you have verified the settings, and the client is still not ready, check items on the Troubleshooting page related to connectivity.
Note: Outgoing routes are automatically created for direct connections. However, you might want to set up outgoing routes to enable HTTPS encryption for data traffic, or to encrypt data connections by forcing connections into the tunnel. To set up outgoing routes from any host, see Configuring Outgoing Tunnel Connections.
The CommServe computer has been configured to open tunnel connections with the client and MediaAgent.