Solved

topology network

  • 25 May 2021
  • 3 replies
  • 1056 views

Badge +2

Hi

We have to harden the backup network for some specific clients. We have no DMZ, only a firewalled network, and we don't want to have a network proxy setup.

My questions, so that I understand precisely how the firewall works in Commvault:

What does it mean that A initiates the tunnel connection to B, as in the 1-way network topology? Does it mean that the established tunnel connection always has the defined tunnel port (8403) open on B?

Who initiates the connection in a 2-way connection? Can we define it?

We need the connection to be initiated from the CS to the client, creating a tunnel with port 8403 opened on the client. I have just tried all types of topology setup (1-way in both directions, and 2-way), but in the end port 8403 is always opened on the CommServe server. Is it by design, or did I miss something? Is it possible to force the tunnel to open port 8403 on the client side? How can I do that? When we completely block port 8403 on the CS, the connection cannot be established at all.

TIA for your help.

 


Best answer by Prakash 27 May 2021, 16:17


3 replies

Userlevel 2
Badge +4

Hello Jps666,

In 1-way topology, the direction of the persistent tunnel is defined from client A to client B. Once the tunnel has been established it would be a constant tunnel from client A to the listening port on client B (8403).

https://documentation.commvault.com/commvault/v11_sp20/article?p=7172.htm

In a two-way connection, the initiator is the one establishing the connection needed for communication in a 2-way on-demand configuration. So at the start of a Windows file system agent job, for example, the scan phase is started by the CommServe, so the CommServe will establish the tunnel to the client. This cannot be controlled since this is an on-demand tunnel creation.

8403 is the firewall daemon port by default, so it would always need to be open on all clients within the environment. The incoming listening port can be changed to a different port if needed, but the firewall daemon will still listen on 8403 by default; that is by design.

So if you want the client to be listening on 8403, a 1-way network design is recommended with the tunnel from the CS/MA to the client, and the client would be accepting/listening for connections on the incoming port.

Hope that helps clarify a few things.

 

Badge +2

Hello team.

Thank you for the explanation.

But one more question:
There is a "bind all services to open ports" checkbox in the options tab of the Network Route Settings. What does it do in a 1-way or 2-way direct configuration? As I understand it, once a tunnel is established any Commvault-related communication is limited to the tunnel, so what do I have this option for?
Similarly, the other option, "force all data (along with control) traffic into tunnel", seems strange to me for the same reasons as mentioned before.

Many thanks for helping me understand.

Badge +3

Hi @jps666,

Network properties have an 'Additional ports' section which accepts the port range that is open between machines.

https://documentation.commvault.com/commvault/v11_sp20/article?p=7394.htm

There are 2 use cases with these additional ports.

  1. The 'Bind all services to open ports' option uses these additional ports and makes the services running on a machine listen only on these ports. It is usually used when someone wants to restrict the listening ports on a machine to a certain port range so as not to conflict with some other application.

  https://documentation.commvault.com/commvault/v11_sp20/article?p=7353.htm

 

  2. A one-way or two-way configuration uses the tunnel port (in a port-restricted environment where only one or a few ports are open) for all communication between the configured machines. When additional ports on the remote machine are open, it will bypass the tunnel port and connect directly to the remote port when required. 'Force all data (along with control) traffic into tunnel' will force the communication over the tunnel port even though additional ports are open.

 

Thanks

Prakash
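As an added check for the two questions in this thread (which side of a port 8403 tunnel initiated it, and whether any service listens outside the 'Additional ports' range when 'bind all services to open ports' is set), the following Python parses Linux `ss -tan` output. It is not Commvault's code and not from this thread; the socket listing is constructed sample data and the allowed port ranges are assumptions.

```python
FIREWALL_DAEMON_PORT = 8403  # Commvault's default firewall daemon port, per the thread

# Constructed `ss -tan` output as it might look on a CommServe host (sample data, not captured).
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:8403         0.0.0.0:*
LISTEN  0      128    [::]:8400            [::]:*
ESTAB   0      0      10.0.0.5:8403        10.0.1.20:51234
ESTAB   0      0      10.0.0.5:49888       10.0.1.21:8403
"""


def parse_ss(text):
    """Yield (state, local_host, local_port, peer_host, peer_port) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # skip the header and blank lines
        lhost, lport = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        phost, pport = parts[4].rsplit(":", 1)
        yield parts[0], lhost, lport, phost, pport


def tunnel_report(text, port=FIREWALL_DAEMON_PORT):
    """Is this host listening on the tunnel port, and which peers initiated a tunnel
    toward us (inbound) versus received one from us (outbound)?"""
    report = {"listening": False, "inbound": [], "outbound": []}
    for state, _lhost, lport, phost, pport in parse_ss(text):
        if state == "LISTEN" and lport == str(port):
            report["listening"] = True
        elif state == "ESTAB" and lport == str(port):
            report["inbound"].append(phost)   # peer connected to our 8403: peer initiated
        elif state == "ESTAB" and pport == str(port):
            report["outbound"].append(phost)  # we connected to the peer's 8403: we initiated
    return report


def listeners_outside_ranges(text, allowed_ranges):
    """Return listening ports not covered by the allowed (low, high) ranges, e.g. the
    'Additional ports' range plus 8403 when 'bind all services to open ports' is on."""
    stray = set()
    for state, _lhost, lport, _phost, _pport in parse_ss(text):
        p = int(lport)
        if state == "LISTEN" and not any(lo <= p <= hi for lo, hi in allowed_ranges):
            stray.add(p)
    return sorted(stray)


if __name__ == "__main__":
    print(tunnel_report(SAMPLE_SS))
    print(listeners_outside_ranges(SAMPLE_SS, [(8403, 8403), (8400, 8402)]))
```

On a real host, feed it the output of `ss -tan` and run it on both the CommServe and the client to see which side holds the listener and which side opened the connection.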
