Solved

Firewall Direction and Index Server Hardening

  • 24 April 2021
  • 4 replies
  • 283 views

Badge +6

Hi There.

I have a customer that wants ALL communication within Commvault Components to be secured.

I know that the WebConsole and the WebServer can be forced to use HTTPS but in that particular Mail Archiving Project we have an Index Server.

As per BoL the Web Servers must reach the Index server on port 20000 (default) in HTTP. Customer is requesting this to also be a secured connection (HTTPS). Any Clues?

In addition to the above, he is requesting directionality of Firewall ports. they do not want to open bi-directional if it is not required so what is the direction that need to be enabled on FW for:

  • WebConsole and WebServer
  • Users and WebConsole (HTTPS 443)
  • WebConsole and CommServe
  • WebServer and CommServe
  • WebServer and Index Server
  • CommServe/Media Agents to Clients

If someone has any document/link or clues on the above it will be greatly appreciated.

Thanks and  regards

Abdellatif

 

icon

Best answer by Pradeep 26 April 2021, 12:28

View original

4 replies

Userlevel 2
Badge +9

HI Abdellatif ,

Thanks for posting Query, PFB documents which may help in understanding one-way firewall configuration to override ports.

https://documentation.commvault.com/commvault/v11/article?p=7198.htm 
https://documentation.commvault.com/commvault/v11/article?p=7182.htm
https://documentation.commvault.com/commvault/v11/article?p=7208.htm

 

Badge +6

Thanks Pradeep for your answer.

My question wasn’t on how to setup the firewall on Commvault but what direction should be opened for at the firewall level for the communication to work properly between the Commvault components I listed.

For example if we open the firewall port 443 one direction between the Source: WebConsole and Destination: WebServer. will it be ok or the WebServer also need to initiate connection to the WebConsole at some stage (Ex: Email recall, Download etc )?

My main concern is between the WebServer and the CommServe for ports 80/81 and 443 and between the WebServer and the Index server on port 20000 (for which I also need to know if it can be set HTTPS instead of HTTP).

Commvault Services we can open bi-directional or set one-way firewall as you mentioned but for the Web Services above it is not controlled from the CommServe FW topology so I need to get back to customer specifying the direction firewall ports must be opened.

Regards

Abdellatif

Userlevel 2
Badge +9

HI Abdellatif,

Generally, we recommend ports to bi-directional since this requires two way communication, but give us some time while I check for more details and share details accordingly.

Regards,
Pradeep.

Badge +6

Dear @Pradeep .

Did you have by any change find out if bi-directional is required for ALL communication ?

I am mainly concerned about Web Console to Web Server, Web Server to Index Server.

Customer is fine with Commvault Services being opened bi-directional but he does not agree for Web Services (HTTP/S requests).

 

Thanks

Abdellatif 

 

Reply