The majority of large Commvault implementations will require some sort of cross-firewall communication to clients on the WAN. Designing for this can be tricky as you’re opening pathways between trusted and untrusted networks.
As discussed on my previous post “Understanding One-Way Firewalls with Commvault” it is possible to allow communication by opening specific ports on the firewall, and using this to NAT connections between the client & Commvault infrastructure. This works well in some situations, however when multiple infrastructure components require access from external parties, this can get messy.
Utilising a proxy outside of the trusted network (typically in the DMZ) creates a central conduit for all trusted – non trusted communication.
The port shown in the above graphic is 8403 (default) however this can be substituted if required.
Official documentation for the solution can be found here. Commvault offers two methods of configuring the “Proxy in Perimeter Network” topology:
- Using a predefined network topology (preferred method)
- Using the basic or advanced firewall settings (alternative method)
This post will focus on the preferred method for connection of Servers outside the network. Laptop connections require slightly different steps which you should refer to the official documentation for guidance. I will cover the alternative (Using the basic or advanced firewall settings) method in a later post.
Before starting you will need to ensure:
- You have the following client groups configured in Commvault:
- Trusted Client Group 1: a client group that will initiate connections to the proxy group. This may contain infrastructure components such as the CommServe, MediaAgents, Web Servers etc. Ensure these are added to the group once created.
- Trusted Client Group 2: an additional client group that will initiate connections to the proxy group. This may contain the servers outside of the DMZ, with which the first group should communicate via the proxy.
- Proxy/DMZ Group: the client group that you want to designate as the proxy group. This group should contain the proxy.
- You have administrative permissions to the above groups.
- Proxy server will require:
- 1 GHz dual-core processor & 8 GB RAM for fewer than 1000 clients using encryption
- 1 GHz quad-core processor & 8 GB RAM for more than 1000 clients using encryption
- The Firewall topology must be completed before installing the proxy.
- Proxy server should have visibility of the same DNS zones as the infrastructure components.
- Firewall/NAT rules should be configured as follows:
- CommCell Components (CommServe, MediaAgents, WebServers, IndexServers) –> Proxy on 8403
- Proxy –> Internal DNS on 53
- Proxy –> Internal, ICMP (optional, for testing ping)
- External Clients –> Proxy on 8403
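To sanity-check a rule set against the four flows listed above before the change goes to the firewall team, here is a small audit script. It is an added example, not part of the original post or of Commvault's tooling; the group/zone names, the `Rule` class and the sample rule set are constructed, and DNS is modelled as both UDP and TCP 53 (the post only says "port 53").

```python
# Added example (not from the original post or from Commvault): check a candidate
# firewall/NAT rule set against the flows the perimeter-proxy topology requires.
from dataclasses import dataclass
from typing import Optional

PROXY_PORT = 8403  # Commvault default; change it if the proxy listens elsewhere


@dataclass(frozen=True)
class Rule:
    src: str             # zone or client group the connection originates from
    dst: str             # zone or client group it terminates at
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # None for icmp


def required_flows(proxy_port: int = PROXY_PORT) -> set:
    """The flows from the prerequisites list. DNS as UDP and TCP 53 is an assumption."""
    internal = ("CommServe", "MediaAgents", "WebServers", "IndexServers")
    flows = {Rule(c, "Proxy", "tcp", proxy_port) for c in internal}
    flows |= {Rule("Proxy", "InternalDNS", "udp", 53), Rule("Proxy", "InternalDNS", "tcp", 53)}
    flows.add(Rule("ExternalClients", "Proxy", "tcp", proxy_port))
    return flows


OPTIONAL_FLOWS = {Rule("Proxy", "Internal", "icmp", None)}  # ping, for testing only


def _key(r: Rule):
    return (r.src, r.dst, r.proto, r.port or 0)


def audit(rules, proxy_port: int = PROXY_PORT):
    """Return (missing, unexpected): required flows no rule permits, and rules that
    open paths the topology does not need, e.g. an external client reaching an
    internal component directly instead of through the proxy."""
    rules = set(rules)
    needed = required_flows(proxy_port)
    return sorted(needed - rules, key=_key), sorted(rules - needed - OPTIONAL_FLOWS, key=_key)


# Constructed sample: one required rule forgotten, one direct path left in place.
SAMPLE_RULES = [
    Rule("CommServe", "Proxy", "tcp", 8403),
    Rule("MediaAgents", "Proxy", "tcp", 8403),
    Rule("WebServers", "Proxy", "tcp", 8403),
    Rule("Proxy", "InternalDNS", "udp", 53),
    Rule("Proxy", "InternalDNS", "tcp", 53),
    Rule("Proxy", "Internal", "icmp", None),
    Rule("ExternalClients", "Proxy", "tcp", 8403),
    Rule("ExternalClients", "MediaAgents", "tcp", 8403),  # bypasses the proxy
]

if __name__ == "__main__":
    for label, found in zip(("MISSING", "UNEXPECTED"), audit(SAMPLE_RULES)):
        for r in found:
            print(f"{label:10} {r.src} -> {r.dst} {r.proto}/{r.port}")
```

Running it on the sample reports the forgotten IndexServers rule as missing and the direct external-to-MediaAgent path as unexpected.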
Configuration – Firewall & Proxy
- Right click Network Topologies and select New Topology. Complete the name, description (optional), Client type (Servers), Topology type (via Proxy), and the 3 groups configured earlier.
- The Make clients from Trusted Client group 1 use proxies for all traffic checkbox should be left unchecked. Click OK.
- Create a placeholder client for the proxy. Right click the CommCell name and create a new File System client as shown below.
- Complete the client & host name and click Next & Finish.
- Add the placeholder proxy client to the Proxy/DMZ group. Click OK.
- Push the firewall configuration to Trusted Client Group 1.
- Download the media kit matching your CommServe (at the time of writing v11 SP10) from cloud.commvault.com. Begin the software installation on the proxy server, selecting the File System Core package.
- At the Configure Roles screen select Configure as Network Proxy.
- At the Firewall Configuration screen, select “CommServe can open…” and click Next.
- Complete the Client computer information, ensure that the Host Name is resolvable by the CommServe.
- At the CommServe Information screen enter the fully qualified name.
- Select a port (default is 8403) to be used by the CommServe when establishing communication with the proxy.
- Ensure the correct client group is selected at the Additional Configuration screen.
- If communication was successfully established, you should see the following message.
- Use the Check Readiness function from the Commcell console to ensure communication is working.
- If all is well, expect the following:
- If not, check the CVD.log on the proxy; it should indicate where the communication breakdown lies.
Configuration – Client
The client configuration should be relatively simple. Communication to the CommCell will be made via the previously configured proxy.
- Start the installation as usual using the media kit matching your CommServe (at the time of writing v11 SP10) from cloud.commvault.com.
- Follow the prompts, selecting the agents you wish to install. When you reach the Firewall Configuration screen, select “CommServe is reachable through a proxy”.
- Specify the Client Computer information and CommServe Name (Fully Qualified) at the next two screens.
- At the Firewall Connection Information screen, complete the port & proxy information as shown below. The port should match the configured rule on your perimeter firewall.
- Click Next at the Firewall HTTP Proxy Information & Certificate screen.
- At the Additional Configuration screen, ensure that Trusted Client Group 2 is selected. This ensures the correct firewall rules are pushed to the client during configuration.
- At the confirmation page, click Finish. Use the check readiness function from the CommServe to ensure communication is working.
The next step is to test backups. Perform a standard file system backup to ensure data is being protected correctly. If you are testing this in a lab (without firewalls), you can stop the services on the proxy and retry the check readiness; if it fails, you have proved that the proxy is being used for data transfer.