Networking is by far my least skilled area, and hence getting firewall rules to work in CommVault has always been a pain. The most common cause is usual outside CommVault and with the network layer itself, however ensuring the CommVault config is correct in the first place is a good start.
The most common use for a one-way firewall is for clients outside your primary network, whether on your DMZ or connected via the internet. CommVault v11 introduced “Firewall Topologies” which go a long way to simplifying the process. With firewall topologies you can choose either 1-way, 2 way or via-proxy as template configurations which in most cases will work fine. This post aims to highlight the manual components of the firewall configuration in an effort to understand how the 1-way firewall is configured; helping to troubleshoot it if necessary.
BLOCKED vs RESTRICTED
This is one area where I believe better terminology could’ve been used, it makes sense once you’ve got your head round it but it can lead to confusion. A good way to translate this is as follows:
- BLOCKED = Cannot Initiate a connection to this object/group
- RESTRICTED = Can initiate a connection on specific ports
Examples of this used in Client groups are shown below:
In the above example CommVault has been configured to allow communications to be initiated by Laptop group members over specific ports. As there is only one public IP available; the CommServe and MediaAgents are allocated specific ports, which are translated by the NAT firewall into the actual ports & IPs used internally.
These rules can be configured on a per-client basis, however its simpler to use the client groups. Ensure your infrastructure (CommServe/MediaAgents) and External (in this case “Laptop Clients”) groups are configured.
- Enter the properties of the Laptop Clients group and choose ‘Network’. Select ‘Configure Firewall Settings’ followed by ‘Advanced’.
- Click ‘Add’. Select the ‘Infrastructure’ client group and assign it the state of BLOCKED.
- We will now specify how members of this group will initiate communication with systems on the inside of the firewall. On the ‘Outgoing Routes’ tab click ‘Add’. Select the CommServe as the remote client & ‘Via Gateway’ as the Route. Specify a gateway hostname (or IP). The port should be configured on your network hardware to forward traffic to the CommServe.
- Repeat the same process for your MediaAgent. Ensure the tunnel port is different from the CommServe and that your network hardware is configured to translate the external port to the one used internally by the MediaAgent. Once configured; click OK 3 times to return to the main console.
- Enter the properties of the infrastructure group & choose ‘Network’. Select ‘Configure Firewall Settings’ followed by ‘Advanced’.
- Click ‘Add’. Select the ‘Laptop Clients’ client group and assign it the state of RESTRICTED.
- Click OK twice to return to the console. Right click the Infrastructure group –> All Tasks –> ‘Push Firewall Configuration’. Repeat for the ‘Laptop Clients’ group.
Thats It! Now any client configured in the Infrastructure group will not try to open a communication tunnel to the ‘Laptop Clients’ group & the ‘Laptop Clients’ group will initiate tunnels on startup with the Infrastructure servers on specific ports.
When installing a new client outside of your network, ensure you use the external address and port of the CommServe. You will be given the option to select a client group, at this point select the correct group (in this case ‘Laptop Clients’) and the firewall configuration will be pushed to the client.