V11 Service Pack 9

Setting Up Proxy Connections Using a Predefined Network Topology

The Commvault software simplifies the firewall configuration by providing predefined network topology types that you can use when setting up connectivity between client groups that are separated by a firewall. The client groups use a network topology instance to establish connections between themselves.

If you are setting up group-to-group firewall connectivity through a proxy, consider using the network topology for proxy connections. During the configuration of the network topology instance, you will need to designate three client groups to be used for internal clients, external clients, and proxy clients.

Note: The topology for proxy connections lets you configure multiple client computers to provide a single logical proxy function. When internal and external clients have established a connection to the logical proxy, the communication becomes bi-directional.

Before You Begin

  • Make sure that the client groups that you want to use in the network topology instance are already defined in the CommCell Console.
  • You must have Administrative Management permissions on the client groups that you plan to use in the network topology instance.
  • If you have clients in your proxy client group that belong to other client groups that are not designated for proxy connections, then the proxy settings on the clients might be lost. To prevent this issue, perform the following steps:
    1. Access the network properties of the client, and on the Firewall Configuration tab, select the Configure Firewall Settings check box, click Advanced, and then click OK in the warning message.
    2. On the Options tab, select the This computer is in DMZ and will work as a proxy check box.

Procedure

  1. From the CommCell Browser, right-click Network Topologies > New Topology.

    The Network Topology dialog box is displayed.

  2. In the Topology Name box, enter a name for this instance of a proxy firewall arrangement.
  3. Optional: In the Description box, enter a description for this topology.
  4. In the Client Type list, choose the type of client that you will include in the topology:
    • Servers: Click if your clients are servers.
    • Laptops: Click if your clients are laptops that need to connect to servers.
  5. For Topology Type, click Via Proxy.
  6. If Client Type is set to Servers, do the following:
    1. In the Trusted Client Group 1 list, select a client group that will initiate connections to the proxy group.
    2. In the Trusted Client Group 2 list, select another client group that will initiate connections to the proxy group.
    3. In the Proxy/DMZ Group list, select the client group that you want to designate as the proxy group.
  7. If Client Type is set to Laptops, do the following:
    1. In the Infrastructure Client Group list, select a client group that will initiate connections to the proxy group.
    2. In the Laptop Client Group list, select a laptop group that will initiate connections to the proxy group.
    3. In the Proxy/DMZ Group list, select the client group that you want to designate as the proxy group.
  8. Review the Make clients from Trusted Client Group 1 use proxies for all traffic (Servers) or the Make clients from Infrastructure Group use proxies for all traffic (Laptops) check box:
    • Important: If you use third-party port mappings (TPPM), you must clear the Make clients from Trusted Client Group 1 use proxies for all traffic check box.

    • To allow external clients to communicate directly with other hosts, clear the check box or define firewall routes to the other hosts.

      By default, all traffic originating from clients in the Trusted Client Group 1 (Servers) or the Infrastructure Group (Laptops) list will use firewall routes when communicating with any other host.

    • If the check box is selected, review the following considerations:
      • The CommServe host and all MediaAgent hosts (that communicate with members of the Trusted Client Group 1) must be in the selected Trusted Client Group 2. Otherwise, you must define firewall routes to the other hosts.
      • If a client communicates with MediaAgents (or a CommServe) that are not part of the Trusted Client Group 2 or that have not been configured with other firewall routes, communications with the MediaAgent (or CommServe) will fail.
      • If you make changes to the Trusted Client Group 1 (Servers) or the Infrastructure Group (Laptops) list, you do not need to push the firewall configuration.
  9. Click OK.
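
The considerations in step 8 and the proxy-group caveat under Before You Begin can be checked against an inventory export before you create the topology. The following is an added example, not Commvault code: it calls no Commvault API, and the host names, group contents, function names and data layout are all constructed assumptions.

```python
# Added example: offline pre-flight check for a Via Proxy topology (Servers).
# Host names, group contents and the data layout are constructed; this does
# not call any Commvault API.

def unreachable_peers(tcg1, tcg2, peers, routes, force_proxy=True):
    """Map each Trusted Client Group 1 client to the peers that would fail.

    peers:  {client: CommServe/MediaAgent hosts it communicates with}
    routes: {client: hosts that have separately defined firewall routes}
    force_proxy: state of the "use proxies for all traffic" check box
    """
    if not force_proxy:
        return {}  # check box cleared: direct communication is allowed
    problems = {}
    for client in sorted(tcg1):
        allowed = tcg2 | routes.get(client, set())
        missing = sorted(peers.get(client, set()) - allowed)
        if missing:
            problems[client] = missing
    return problems

def proxies_in_other_groups(proxy_group, other_groups):
    """Proxy clients that also sit in groups not designated for proxy use."""
    found = {}
    for host in sorted(proxy_group):
        names = sorted(g for g, members in other_groups.items() if host in members)
        if names:
            found[host] = names
    return found

# Constructed sample inventory.
TCG1 = {"branch-fs01", "branch-db01"}
TCG2 = {"commserve01", "ma01"}
PROXY = {"dmz-proxy01", "dmz-proxy02"}
PEERS = {"branch-fs01": {"commserve01", "ma01"},
         "branch-db01": {"commserve01", "ma02"}}
ROUTES = {}  # no extra firewall routes defined
OTHER_GROUPS = {"Windows Servers": {"dmz-proxy02", "branch-fs01"}}

if __name__ == "__main__":
    print("peers that will fail:", unreachable_peers(TCG1, TCG2, PEERS, ROUTES))
    print("proxies at risk:", proxies_in_other_groups(PROXY, OTHER_GROUPS))
```

Any host reported by the first check must be added to Trusted Client Group 2 or given a firewall route; any proxy reported by the second needs the DMZ proxy setting from Before You Begin.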

What to Do Next

  1. Set up the Commvault Proxy.
  2. If your clients do not have the Commvault software installed, install the Commvault software on the clients that will be part of the network topology.

    During the client installation, configure the client to connect to the CommServe computer through a proxy. For firewall instructions during the installation, see Setting Up Connectivity to the CommServe Computer Using a Proxy.

    Note: Make sure to assign the client to the Trusted Client Group 1 that you defined in the topology.

  3. From the CommCell Browser, right-click the network topology that you configured, click Push Firewall Configurations, and then click OK.

You can configure additional advanced firewall settings, such as the Default Outgoing Tunnel Protocol option, at the client computer group level. For information about the available settings, see Incoming Ports and Options. For information about accessing the client computer group firewall settings, see Configuring Firewall Settings.