Solved

Windows Firewall Rules

  • 26 January 2021
  • 6 replies
  • 1385 views

Userlevel 4
Badge +7

Hello, 

Does someone know why the old way of adding firewall rules with the script is not running anymore on new deployments? As you can see, there are only two firewall rules deployed on the installation. Can someone explain why these changes were done?

Many thanks and best regards

Philipp 


Best answer by Christian Kubik 26 January 2021, 18:39


6 replies

Userlevel 3
Badge +3

I have seen this behavior as well. This should actually not be an issue, with automatic tunneling putting the communication onto the cvfwd port (8403) anyway. Unfortunately, I have seen that in really locked-down environments it may take a while for the software to realize that ports are closed and to move over to tunneled communication.

The easiest fix would be to use network topologies, which I would recommend anyway, as using all those high ports is a big attack surface. Even if Windows Firewall would open them based on the program rules, it’s still better to just tunnel communication on a single port … hence network topologies.

Userlevel 1
Badge +2

Starting with FR20, the installer removed the screen for providing a firewall exclusion list and, by default, adds the required communication processes to the list, which are cvd and cvfwd. The exclusion list is determined by the installer based on the feature/package selected for installation on the client.
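To check what the replies above describe on an actual client (the program rules for cvd and cvfwd, and whether the cvfwd tunnel port 8403 is covered), here is an added PowerShell audit script. It is not from this thread or from Commvault; the executable names cvd.exe and cvfwd.exe and the port number are assumptions taken from the replies, so adjust them to your installation.

```powershell
# Added example, not Commvault's own code: audit enabled inbound Windows Firewall
# rules for the two Commvault processes and for the cvfwd tunnel port.
$Processes  = @('cvd.exe', 'cvfwd.exe')   # assumed executable names (see thread)
$TunnelPort = 8403                        # cvfwd port named in the thread

# Flatten every enabled inbound rule into program path, protocol and local ports.
$rules  = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction Stop
$report = foreach ($rule in $rules) {
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Action    = $rule.Action
        Profile   = $rule.Profile
        Program   = $app.Program
        Protocol  = $port.Protocol
        LocalPort = (@($port.LocalPort) -join ',')
    }
}

# Program-based rules whose path ends in one of the Commvault executables.
$programRules = $report | Where-Object {
    $p = $_.Program
    $p -and ($Processes | Where-Object { $p -like "*\$_" })
}

# TCP rules that cover the tunnel port, either explicitly, via a range, or 'Any'.
# Non-numeric port keywords (RPC, RPC-EPMap, ...) are treated as not matching.
$portRules = $report | Where-Object {
    $_.Protocol -eq 'TCP' -and (($_.LocalPort -split ',') | ForEach-Object {
        if ($_ -eq 'Any')                   { $true }
        elseif ($_ -match '^(\d+)-(\d+)$')  { [int]$Matches[1] -le $TunnelPort -and [int]$Matches[2] -ge $TunnelPort }
        elseif ($_ -match '^\d+$')          { [int]$_ -eq $TunnelPort }
        else                                { $false }
    }) -contains $true
}

"Enabled inbound program rules for $($Processes -join ', '):"
$programRules | Format-Table Name, Action, Profile, Program -AutoSize
"Enabled inbound TCP rules covering port ${TunnelPort}:"
$portRules | Format-Table Name, Action, Profile, LocalPort -AutoSize

# Flag a process the installer was expected to exclude but that has no rule.
foreach ($exe in $Processes) {
    if (-not ($programRules | Where-Object { $_.Program -like "*\$exe" })) {
        Write-Warning "No enabled inbound program rule found for $exe"
    }
}
```

Run it in an elevated PowerShell session on the client; an empty program-rule table for either process, or no TCP rule covering 8403, is the condition the original post is asking about.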

Userlevel 5
Badge +10

@Christian Kubik yes, I've seen that too. I know tunnelling rules may be too much to set up if you are a single customer, but when your job is to configure several customers over a year, it adds up to a fair bit of configuration time that honestly should have a pre-built topology enabled that includes this nice setting documentation.commvault.com/commvault/v11/article?p=95277.htm in one click.

Userlevel 4
Badge +9

@Christian Kubik yes, I've seen that too. I know tunnelling rules may be too much to set up if you are a single customer, but when your job is to configure several customers over a year, it adds up to a fair bit of configuration time that honestly should have a pre-built topology enabled that includes this nice setting documentation.commvault.com/commvault/v11/article?p=95277.htm in one click.

I think the main reason we don’t add those extra tunnels in topologies by default is scalability. In a large environment with hundreds of clients, multiplying all those connections by 3 or 4 may kill the MediaAgent, causing TCP stack buffering issues.

Userlevel 5
Badge +10

@Christian Kubik yes, I've seen that too. I know tunnelling rules may be too much to set up if you are a single customer, but when your job is to configure several customers over a year, it adds up to a fair bit of configuration time that honestly should have a pre-built topology enabled that includes this nice setting documentation.commvault.com/commvault/v11/article?p=95277.htm in one click.

I think the main reason we don’t add those extra tunnels in topologies by default is scalability. In a large environment with hundreds of clients, multiplying all those connections by 3 or 4 may kill the MediaAgent, causing TCP stack buffering issues.

Thanks @Alireza B, I suspected it had to be down to physics. The other reason I have not adopted it is that you can have multiple throttling speeds applied when not using extra tunneled connections.

Userlevel 4
Badge +7

Many thanks to all of you for your replies on this topic, so I am not the only one who sees this :joy:
