
We are considering how best to use the Network Proxy Appliance described in BOL https://documentation.commvault.com/v11/essential/102386_commvault_network_proxy_appliance.html


You download an OVA from the store, deploy it, and set up a group, etc…  I understand all the logistics of setting it up.  What I don’t fully understand is why I would do this.


The Commvault Network Proxy Appliance enables communication between a backup network that contains Commvault resources such as the CommServe system and MediaAgents, and one or more isolated networks that include resources that are protected by Commvault.


My backup systems (CS & MA) are in a network that is used by other things/systems.  Maybe I should move them to their own network to better protect them from attacks.  I am not sure about the “one or more isolated networks that include resources protected by Commvault”.  I have many other networks with systems that are protected.  Has anyone used this Network Proxy Appliance?  Can someone go into more detail on possible datacenter scenarios in which I would want to use it and what the benefits are?

Thanks in advance.

Stephanie

You have the cart before the horse so to speak.

You employ the proxy if you have a network that you cannot directly access for some reason, like a DMZ network.


In that case you would deploy the proxy and all requests that have to be serviced on the other side of the blocked network would be accessible via the proxy.

The diagram below gives you an idea of the purpose of the proxy.


I stole the diagram from this website which goes much further in depth.


Great illustration @Christopher L !!

@SysadminStephanie Yes, we have been using network gateways for more than 7 years and the concept works well, especially now that they have templated it via the topologies, which makes the configuration very easy and straightforward. Segregating your backup infrastructure into an isolated network segment should imho be considered mandatory these days when designing infrastructures, in order to be able to defend yourself better against malicious attacks and to be able to recover when disaster strikes.


I also use segmentation this way, for example for the following reasons:

  • It is safer than directly accessing the network/VLAN where your backup infra is located; in addition to your backup encryption you can introduce end-to-end HTTPS encryption on the tunnel.
  • Ports can be limited as required; in some cases I could get by with only TCP 8403 for all client traffic.
  • Communication on Commvault ports is validated; Commvault's proprietary TLS method is used to see if a system is what it says it is.
  • The Command Center can be published via the proxy.
  • Additional ports can be opened via the TPPM workflow, which allows you, for example, to allow Java GUI connections.
  • Depending on the infrastructure this can simplify network/security management. For example, if you have 2 sites, you can use cascaded proxies so that between the sites there is only traffic between the proxies, eliminating the need to connect over WAN for every client in a location.

Honestly, I always implement firewall rules on every client and media agent, because by default the cvfwd file is not generated otherwise.

This allows for easier troubleshooting of connectivity issues such as connection resets that would otherwise not show up in logs.
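An added example, not from the thread or from Commvault, that models the design described in the list above as an ordered allow-list and checks a handful of constructed flows against it: clients in the isolated networks may reach only the proxy, and only on TCP 8403, while only the proxy talks to the backup network. All networks, addresses, the rule format and the second port (8080) are constructed for the model.

```python
"""Constructed design check for the segmentation described in the thread:
clients in isolated networks reach only the network proxy, on the tunnel port,
and only the proxy talks to the backup network (CommServe / MediaAgents)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL_PORT = 8403  # the single client-facing port the post says can suffice

@dataclass(frozen=True)
class Rule:
    src: str     # source network (CIDR)
    dst: str     # destination network (CIDR)
    port: int    # destination TCP port
    allow: bool  # first matching rule wins; no match means deny

# Constructed zones; none of these addresses come from the thread.
ISOLATED_A = "10.10.0.0/24"  # protected clients, isolated network A
ISOLATED_B = "10.20.0.0/24"  # protected clients, isolated network B
PROXY_NET = "10.99.0.0/28"   # where the network proxy appliance sits
BACKUP_NET = "10.0.0.0/24"   # CommServe and MediaAgents

DESIGN = [
    # clients may reach the proxy only, and only on the tunnel port
    Rule(ISOLATED_A, PROXY_NET, TUNNEL_PORT, allow=True),
    Rule(ISOLATED_B, PROXY_NET, TUNNEL_PORT, allow=True),
    # the proxy relays tunnel traffic into the backup network
    Rule(PROXY_NET, BACKUP_NET, TUNNEL_PORT, allow=True),
    # everything else, including client -> CS/MA direct, is implicitly denied
]

def is_allowed(rules, src_ip, dst_ip, port):
    """Evaluate one TCP flow against an ordered rule table (implicit deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port == port:
            return r.allow
    return False

def check_design(rules=DESIGN):
    """Return the constructed flows whose outcome differs from what the design requires."""
    flows = [  # (src, dst, port, must_be_allowed); all values constructed
        ("10.10.0.5", "10.99.0.2", TUNNEL_PORT, True),   # client -> proxy tunnel
        ("10.10.0.5", "10.99.0.2", 8080, False),         # a port not opened via TPPM
        ("10.10.0.5", "10.0.0.10", TUNNEL_PORT, False),  # client bypassing the proxy
        ("10.99.0.2", "10.0.0.10", TUNNEL_PORT, True),   # proxy -> MediaAgent
        ("10.20.0.7", "10.10.0.5", TUNNEL_PORT, False),  # isolated networks stay apart
    ]
    return [(s, d, p) for s, d, p, must in flows if is_allowed(rules, s, d, p) != must]
```

Running check_design() against a flat rule that lets the whole 10.0.0.0/8 talk to itself on 8403 reports the direct client-to-MediaAgent flow as a violation, which is exactly the path the proxy design is meant to remove.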


I am puzzled how the commvault firewall and tunnel and DIP rules can even work if you don’t have an underlying firewall opening the commvault ports.  Do people just run with everything open, and use commvault tools to restrict access?  I can’t imagine anyone does THAT???

 


Don’t confuse the Commvault firewall rules with your internal network rules. Commvault firewall rules tell what ports to communicate on in accordance with your internal network rules, not vice versa.

Right, but all the documentation leaves that out.  I think Commvault using ‘firewall’ to describe the tunnel rules is a misnomer.


I think that's why they changed the name in newer versions to “Network Topology”.


I have a customer who inquired about using the Commvault Network Proxy Appliance since there are plans to isolate their backup network.  Are there any limitations to the Commvault Network Proxy Appliance and/or a list of best practices?  The customer is concerned that one proxy may get overloaded; can more than one proxy be configured?


Hi @Gil S 

It depends on what you want to perform via the network proxy; all Commvault backup and recovery actions which are performed via Commvault ports should work. Additional services need to be evaluated to see if they will work, for example via a TPPM. It’s also very important which Commvault objects are positioned within or outside the isolated network.

Best practice also depends on what you want to achieve; security first, I would say: block everything except when specific services are needed.

Regarding overload or failures, if you configure a gateway topology, for example, you can position multiple proxies. Then you have multiple routes and load balancing. No worries there :)

