Hey Anders,
The most secure way to go about this (assuming you have a DMZ of some sort) would be to have a network gateway client in your DMZ and configure firewalls accordingly - so clients connect to the CS/MAs via the proxy. The direction of traffic would be Client → proxy in DMZ ← CS/MA (everything connecting TO the proxy).
There are many different DMZ and firewall configurations which could be used here - but if you don’t have a DMZ and are just simply firewalling ports, then really I don’t see how one direction is more secure than the other - but consider the fact that having the CommServe initiate the connections can put extra strain on the CommServe.
Hi Anders,
As Edd mentioned, having a proxy-based connection is the most secure way. Coming back to your question though, it also depends where the client is sitting. If the client, for example, is exposed to external users\networks, then yes, having a connection coming from internal\CS to the client is best practice. In case the client is exploited, you don’t want to allow connection initiation from the client to internal. If the client is also internal, then yeah, don’t worry about direction.
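The direction rules from the two replies above, written as a check over a firewall rule list. This is an added example, not part of the thread or Commvault tooling; the zone names, trust ranking and sample rules are constructed assumptions.

```python
# Added example: zone names, trust levels and sample rules are constructed assumptions.
TRUST = {"external": 0, "dmz": 1, "internal": 2}  # higher number = more trusted

def audit(rules, proxy_zone="dmz"):
    """Return (rule name, reason) for rules whose initiation direction breaks the layout
    Client -> proxy in DMZ <- CS/MA, where every peer connects TO the proxy."""
    findings = []
    for rule in rules:
        src, dst = rule["src_zone"], rule["dst_zone"]
        if src == proxy_zone and dst != proxy_zone:
            # The proxy should only accept connections, never open them.
            findings.append((rule["name"], "proxy initiates a connection; peers should connect to it"))
        elif TRUST[src] < TRUST[dst] and dst != proxy_zone:
            # An exploited, exposed host must not be able to initiate into a more trusted zone.
            findings.append((rule["name"], "less-trusted zone initiates into a more-trusted zone"))
    return findings

# Constructed rule set: each entry is one allowed "who may initiate to whom".
SAMPLE_RULES = [
    {"name": "client-to-proxy", "src_zone": "external", "dst_zone": "dmz"},
    {"name": "cs-ma-to-proxy", "src_zone": "internal", "dst_zone": "dmz"},
    {"name": "cs-to-exposed-client", "src_zone": "internal", "dst_zone": "external"},
    {"name": "exposed-client-to-cs", "src_zone": "external", "dst_zone": "internal"},
    {"name": "proxy-to-cs", "src_zone": "dmz", "dst_zone": "internal"},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```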
Thank you guys for your replies.
We have 50+ networks that we back up, but today we just have a single firewall opening from all the networks to our backup network. It sounds like I should look into the proxy version.
If I set up a proxy, I guess this proxy needs to be of a certain size, CPU/memory-wise, to not slow down the backup/restore speeds. Are there any recommendations on the size?
Regards
-Anders
Yes, there is - here you go. This is the recommended spec; you could always adjust based on what you are seeing around usage (assuming it's a VM).
https://documentation.commvault.com/commvault/v11_sp20/article?p=7296.htm
‘Network gateway’ is the new name, but it's the same thing as a network proxy.