
Hi all,

I am in the process of designing an isolated HSX environment.

If I share what I am thinking, could people have a look and advise me where I could improve?

Build my 3-node reference architecture cluster on 11.32, on the same subnet as my CommServe & proxy servers.

Each node will have a bonded Active-Backup for Data Protection & Storage Pool.

All NICs will be connected to a pair of Dell 10GbE switches; these switches will have a Data Protection & Storage Pool VLAN created.

The Data Protection VLAN will then be connected to the Core Switch.

Next, I build two Windows 2022 proxy servers that have FS & VSA agents.

I will then configure the Commvault network topology to only allow these two proxies to talk to my HSX nodes.

Finally, on my Dell switch I will create an access list to only allow the IP addresses of my proxies to talk to the HSX nodes.

Any feedback would be great.


What is the idea?
HSXes → WinProxies ← Commserve / all other clients


Yeah, exactly as you have it above.


From our perspective (no CommServe LiveSync considered for now), it is as simple as creating two topologies in the gateway scenario, i.e. as shown below:

This would need only one port to be opened between the HSX nodes and the proxies for the whole communication.

The network layer is then completely transparent for us, and everything but this single connection can be blocked from the “outside world”.


For your proxy servers, what OS did you use, and did you harden or tie this down to certain ports?


No preference, Windows and Linux are both OK.

There are additional settings thanks to which you can either bind all the services to talk internally only over the loopback, leaving just the network daemon listening for incoming connections on the network interface:

https://documentation.commvault.com/2023e/expert/enabling_loopback_mode_on_clients_and_client_groups.html

or, on a multi-interface client, dedicate one interface to Commvault traffic:

https://documentation.commvault.com/2023e/expert/binding_services_to_specific_network_interface_card.html


I am planning on using a Windows OS.

What is the best practice here?

  1. Domain joined - I am going to domain-join so I can apply Windows patches to it.
  2. Firewalled - can I use the local Windows Firewall to tie it down?
  3. Ports - do I just need ports 443 & 8403 open on the proxies, plus the ports needed for patching?

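One way to answer points 2 and 3 above with the built-in Windows Firewall, added here as an example and not posted by anyone in the thread: set the default inbound action to block, then allow only the Commvault ports from the HSX nodes and the CommServe, and remote administration only from a management subnet. Every IP address and the management subnet are placeholders; 8403 and 443 are simply the ports the poster proposed and are used as given, so confirm the actual port list for the gateway topology against Commvault's documentation before relying on this.

```powershell
# Added example (not from the thread): restrict inbound traffic on a Windows
# Server 2022 Commvault proxy with the built-in Windows Firewall.
# Assumptions: all addresses below are placeholders; 8403 and 443 are the ports
# the poster proposed, not a confirmed Commvault port list.
#Requires -RunAsAdministrator

$HsxNodes     = @('10.0.11.21', '10.0.11.22', '10.0.11.23')  # placeholder HSX node IPs
$CommServe    = @('10.0.11.10')                              # placeholder CommServe IP
$MgmtSubnet   = '10.0.50.0/24'                               # placeholder admin network
$CvTunnelPort = 8403                                         # port proposed in the thread
$HttpsPort    = 443                                          # port proposed in the thread
$RuleGroup    = 'CV-Proxy-Lockdown'

# 1. Block unsolicited inbound traffic on every profile. Outbound stays open, so
#    domain logon, Group Policy and Windows Update/WSUS (all outbound) keep working.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove rules from a previous run so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Commvault traffic: tunnel port and HTTPS, only from the HSX nodes and the CommServe.
$CvSources = $HsxNodes + $CommServe
New-NetFirewallRule -DisplayName 'Commvault tunnel from HSX and CommServe' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $CvTunnelPort `
    -RemoteAddress $CvSources -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'HTTPS from HSX and CommServe' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $HttpsPort `
    -RemoteAddress $CvSources -Profile Any | Out-Null

# 4. Remote administration (RDP, WinRM) only from the management subnet.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'WinRM from management subnet' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress $MgmtSubnet -Profile Any | Out-Null

# 5. Verify: print the effective inbound allow list, then everything that is
#    listening on a non-loopback address, so anything without a rule above can
#    be stopped or disabled rather than silently left reachable.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
    $src  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    '{0,-42} TCP/{1,-10} from {2}' -f $_.DisplayName, $port, $src
}
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Two caveats for a domain-joined proxy: firewall settings delivered by Group Policy take precedence over these local rules, so the same allow list should end up in a GPO scoped to the proxies, and the sources that need the tunnel port depend on who initiates the connection in the gateway topology (in the sketch above the HSX nodes and the CommServe both connect to the proxies). The switch access list the poster plans on the Dell switches is a second, independent layer; the host firewall should not be the only one.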