Solved

Firewall ports

  • 8 December 2022
  • 13 replies
  • 4880 views

Userlevel 2
Badge +6

Hi, in the following article Port Requirements for Commvault I can read the following:

  Target Machine to Access | Target Ports                           | Accessed From           | Feature or Purpose
  All                      | 8403 (configurable)                    | All other network peers | All data and control traffic
  All                      | 8400 (Default CVD port) (configurable) | All other network peers | Required to be open on MediaAgents for faster data traffic

Questions

  1. In this context, what does it mean “All” for “Target Machine to Access”? Does it mean all Commvault servers, i.e., CommServe, Media Agents, VSA? It should be more precise.
  2. Port 8403 corresponds to “All data and control traffic”. I remember that in the past, we had to open Commvault data ports in the range 8600-8650. Does it mean that now only one port is required for all types of backups?
  3. Don’t we need to open the ports 8400 & 8403 from all clients to all Commvault servers on both directions?

Clearly, the documentation should be more accurate.

Thanks

Regards.


Best answer by Aplynx 9 December 2022, 21:04


13 replies

Userlevel 6
Badge +13
  1. Any machine the source machine would talk to when completing the task assigned.
  2. That’s likely because you previously configured the firewall\network configuration in Commvault to only use 8600-8650 as additional ports.
  3. 8400 and 8403 are default bi-directional ports. The remaining ephemeral ports are used dynamically during operations.
Userlevel 2
Badge +6

Thank you, but could you please be more precise, because, sorry, I do not understand your answers.

  1. What should I say to a network guy as Source and Destination?
  2. But do we need those additional ports 8600-8650 to be opened? OR what is the reason to use those additional ports?
  3. You wrote “8400 and 8403 are default bi-directional ports.” But again, what should I say to a network guy as Source and Destination?

Thanks

Userlevel 6
Badge +13

It’s essentially all the ephemeral ports, or you set what ports you are using alongside 8400/8403 and which direction (one way in\out or bi-directional) in the network configuration.

Userlevel 2
Badge +6

Sorry not clear for me.

Could you please you or someone else try to answer my questions above?

thanks

Userlevel 1
Badge +3

He answered the question; you just don’t understand him.

The documentation is also clear, all means all.

Clients, Media Agents, CommServe, Proxies etc., i.e. ALL.

The simplest thing to tell your network guy is that for both source and destination ports you will need ports 8400 - 8403 to be open.


This should cover the default ports. Additional ports are just that, additional or user defined; they are not strictly speaking required by Commvault but can be configured optionally by the user.

Bidirectional means communication ports have to be open between both sides, i.e. source and destination.

My suggestion is to remove them since it will only complicate any interactions between you and your firewall guy.

Though I will say now is a nice time to ask, @Aplynx what is the benefit of defining additional ports if they are not actually required?

Userlevel 2
Badge +6

Perhaps I am just stupid if I don’t understand!?

And if ALL means Clients, Media Agents, Commserve, VSA Proxies etc…, it should be clearly specified!

And what does it mean “All other network peers” in the Commvault table above?

A network guy always requires the following information:

  • Source IP
  • Source Port
  • Destination IP
  • Destination port
  • Protocol

So, to take back the example above, please what should I put in his table?

Thanks

Userlevel 1
Badge +3


It is clearly specified, because that is what “ALL” means.

What other word would you choose to encompass every single Commvault entity that listens on its service ports?

Also, misunderstanding something doesn’t make you stupid. Language is a low-bandwidth method of communication and subject to personal interpretation; all it requires is patience and the understanding that miscommunication is easy.

It should be understood that the vast majority of people on this forum respond out of a sense of community. So be nice, it’s free.

Userlevel 2
Badge +6

OK, written communication is not always easy. Agreed.

But we could avoid some misinterpretation with some sentences and as you wrote “Be nice next time, it’s free”. Case closed from my side.

Userlevel 6
Badge +13

Additional port usage: https://documentation.commvault.com/2022e/expert/7394_opening_additional_ports.html

There is an overview video you can refer to here 

Userlevel 6
Badge +13

It’s also generally easier to configure through groups: https://documentation.commvault.com/2022e/expert/7453_best_practices_for_network_routes.html

There should already be an infrastructure group that contains all media agents and the CommServe, so a very simple configuration would be to have a group with all the clients; then, at the group level, you add the infrastructure to the network configuration of the client group and the client group to the infrastructure’s network configuration.

In this simple configuration, by just having each group as a restricted connection in the other group’s network configuration, you have essentially curtailed all traffic to only use 8400 for communication (cvd) and 8403 for firewall (cvfwd). This is a very basic example.

Userlevel 1
Badge +3

@Aplynx That video is much better than I would have expected.

Userlevel 7
Badge +23


Video pretty much explains it all - Marking this as best answer!

For most configurations, if you open ports 8400-8403 bidirectionally between all servers/clients/components etc., that should be sufficient. Out of the box, Commvault tries to use ports in the dynamic/ephemeral port range which, if blocked, will force it to tunnel those connections over port 8403.

If 8403 is not open then backups/restores will fail. If you want to customize the tunnel port you can, but then you need to set up the network rules manually; you can then also specify a single direction if you like (i.e., only one side of the network connection will be responsible for establishing and maintaining the connection). But the easiest way to get most things working is to open up ports 8400-8403 bidirectionally.

There are some components which will require additional ports, if for example your webserver and webconsole installs are on different servers which have blocked ports.
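To turn the advice above into the table the network team asks for (source IP, source port, destination IP, destination port, protocol), here is an added example that is not part of the thread or of Commvault's own tooling. It expands "8400-8403 bidirectionally between all components" into one row per ordered host pair and port, and includes a plain TCP reachability check you can run from each host to confirm the rules actually took effect. Host names and IP addresses are constructed for illustration.

```python
import socket
from itertools import permutations

# Default ports named in the thread: 8400 is cvd (data traffic), 8403 is
# cvfwd (the tunnel that carries everything else when ephemeral ports are blocked).
CVD_PORT = 8400
CVFWD_PORT = 8403
DEFAULT_PORTS = range(8400, 8404)  # "8400-8403" from the accepted answer

# Constructed inventory: every Commvault component, whatever its role.
HOSTS = {
    "commserve": "10.0.0.10",
    "mediaagent01": "10.0.0.20",
    "client01": "10.0.1.5",
}


def build_rules(hosts, ports=DEFAULT_PORTS, protocol="TCP"):
    """Expand 'open 8400-8403 bidirectionally between all components'
    into firewall rows (src_name, src_ip, src_port, dst_name, dst_ip, dst_port, proto).

    permutations() yields every ordered pair, so each host pair appears in
    both directions, which is what "bidirectional" means here. The source
    port is 'any' because the initiating side uses an ephemeral port."""
    rows = []
    for src, dst in permutations(sorted(hosts), 2):
        for port in ports:
            rows.append((src, hosts[src], "any", dst, hosts[dst], port, protocol))
    return rows


def format_table(rows):
    """Render the rows as the pipe-separated table a network admin can paste."""
    header = "Source | Source IP | Source Port | Destination | Destination IP | Destination Port | Protocol"
    lines = [header] + [" | ".join(str(col) for col in row) for row in rows]
    return "\n".join(lines)


def check_port(host, port, timeout=2.0):
    """Defender-side verification: can this machine complete a TCP handshake
    to host:port? Run from both sides of each pair to confirm bidirectionality.
    Returns False on refused, filtered (timeout) or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(format_table(build_rules(HOSTS)))
```

With three hosts this yields 6 ordered pairs times 4 ports, i.e. 24 rows; a missing row for 8403 in either direction is exactly the case in which the thread says backups and restores will fail.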

Badge

Extremely poor documentation to refer to “All” and “All other network peers”.

Makes it hard to understand from networking perspective.
