Hi Rohith,
You cannot use a bidirectional tunnel between a client and a Proxy. You need a one way tunnel. You can have the Media Agents be set up as proxies between the CS and clients, but then either the clients will maintain a persistent tunnel to the MAs, the default Proxy Network Gateway Topology, or the MA will maintain a tunnel to the client, the One Way Forwarding Topology, with the CS being in the first group, MAs in the middle, and clients in the third group.
https://documentation.commvault.com/v11/essential/setting_up_network_gateway_connection_using_predefined_network_topology_client_type_is_servers.html
https://documentation.commvault.com/v11/essential/setting_up_one_way_forwarding_connection_through_network_gateway_using_predefined_network_topology_for_servers.html
When a backup starts on the CommCell, and you have either a Network Gateway or One Way Forwarding, then the only connection from the CS to the client will be done through the established tunnels.
The tunnels, if you have the option to encrypt network traffic, and assuming you do not use custom ports, will be established as follows.
Network Gateway.
CommServe → Media Agents:8403 ← Clients
One Way Forwarding.
CommServe → Media Agents:8403 → Clients:8403
For the former, both the CS and clients need to cvping or telnet the MAs on 8403. For the latter, only the CS needs to cvping the MAs on 8403, and only the MAs need to cvping the Clients on 8403.
If you have the port 8400 open between clients and MAs, it will be used for additional throughput, as long as the topology does not have the Encrypt Network Traffic option enabled.
https://documentation.commvault.com/v11/essential/port_requirements_for_commvault.html
My advice is to use a dedicated Gateway client, and to keep the MAs separate. Sometimes it makes sense to make use of limited resources, and utilize the MAs as Gateway clients. It is entirely up to you on how to handle that.