Solved

Automatic Tunneling and Encryption for Network Traffic

  • 27 January 2021
  • 10 replies
  • 1270 views

Userlevel 2
Badge +7

Hello Community

Is this procedure https://documentation.commvault.com/commvault/v11/article?p=129268.htm equivalent to using a network topology (a network gateway, for instance, so that the traffic is tunneled through a single port, 8403) and enabling the checkbox “encrypt network traffic” in the network topologies dialog box? Also, what should one observe in the network summary at the CommCell level to verify that these settings (“automatic tunneling and encryption for network traffic”) are in place?

Best answer by Damian Andre 27 January 2021, 16:57

10 replies

Userlevel 7
Badge +23

Hey @neuwiesener,

Yes, I would say it would achieve the same objective - this forces a two-way network topology via the use of an additional setting via the automatic tunneling feature that was added a while back.

Personally, I think it would be a very edge case to need to do this via the setting rather than controlling it via a network topology, and I would recommend using the topology instead. On your point about ‘observing’ it in the CommCell: you won't be able to if you use this setting, as it will not generate network configuration, since the additional setting forces a client-side function. The only way I think you would be able to observe the correct behavior is by looking at netstat on the respective machines and looking for established connections. This is the same for automatic tunneling today: if the client detects network restrictions are in place, it will automatically try a tunnel, but you won't see a route generated in the network config for it since it's a client-side decision.

I’m curious to know your situation around why you are considering the additional setting rather than relying on the automatic tunneling to work by itself or applying a network topology.
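Damian's netstat check, written out as an added example that is not from the thread or from Commvault: it classifies ESTABLISHED rows from `netstat -an` output by whether they ride the 8403 tunnel port. The sample output is constructed, and 8400 as the direct CVD port is an assumption not stated in the thread.

```python
import re

TUNNEL_PORT = 8403  # CVFWD tunnel port named in the thread
DIRECT_PORT = 8400  # assumed default Commvault CVD port, not stated in the thread

# Constructed sample output in the shapes `netstat -an` prints on Linux and Windows.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 10.0.1.10:52118    10.0.2.20:8403     ESTABLISHED
tcp        0      0 10.0.1.10:52119    10.0.2.20:8403     ESTABLISHED
tcp        0      0 10.0.1.10:8400     10.0.3.30:44120    ESTABLISHED
tcp        0      0 0.0.0.0:8403       0.0.0.0:*          LISTEN
  TCP    10.0.1.10:8403         10.0.4.40:61011        ESTABLISHED
  TCP    [::1]:22               [::1]:51000            ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?:tcp6?|TCP)\s+(?:\d+\s+\d+\s+)?"  # Linux rows carry Recv-Q/Send-Q, Windows rows do not
    r"(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)"
)

def parse_established(text):
    """Yield (local_ip, local_port, remote_ip, remote_port) for ESTABLISHED TCP rows."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5).upper() == "ESTABLISHED":
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def classify(text, tunnel_port=TUNNEL_PORT, direct_port=DIRECT_PORT):
    """Group remote peers by whether the connection rides the tunnel or the direct port."""
    groups = {"tunnel": [], "direct": [], "other": []}
    for _lip, lport, rip, rport in parse_established(text):
        if tunnel_port in (lport, rport):
            groups["tunnel"].append(rip)
        elif direct_port in (lport, rport):
            groups["direct"].append(rip)
        else:
            groups["other"].append(rip)
    return groups

def peers_bypassing_tunnel(text, **kw):
    """Peers still connected on the direct port: the ones a topology or the
    additional setting should have pushed through the single tunnel port."""
    return sorted(set(classify(text, **kw)["direct"]))

if __name__ == "__main__":
    for kind, peers in classify(SAMPLE_NETSTAT).items():
        print(f"{kind:7s} {sorted(set(peers))}")
    print("bypassing tunnel:", peers_bypassing_tunnel(SAMPLE_NETSTAT))
```

Run it against real `netstat -an` output on both ends of a route; a non-empty bypass list means the topology or setting is not being honoured for that peer.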

Userlevel 2
Badge +7

Thanks @Damian Andre. I am already using the network topology and was going through the steps to harden the Commvault environment to protect against ransomware, and this was one of the recommendations: https://documentation.commvault.com/commvault/v11/article?p=4801.htm

So I am good to go without the additional setting. I am just going to have to set the check box to allow network traffic encryption. Now, might this have adverse effects on the HPE Catalyst dedupe if all primary copies are on Catalyst? “Do not enable compression, encryption, or deduplication in the Commvault software.” https://documentation.commvault.com/commvault/v11/article?p=101856.htm

Userlevel 7
Badge +23

The good news is that if you define a topology then servers will always adhere to it unless it’s configured as ‘roaming’, which is only really used for laptops. So the policy is enforced by default.

I believe the Catalyst callout is referring to setting encryption on the storage rather than the network traffic. Storage devices are not affected by topologies as they have their own communication protocols; it’s only Commvault software that uses them. That being said, I am fairly sure that Catalyst uses encrypted SSL out of the box!

Userlevel 2
Badge +7

@Damian Andre Thanks. I understand that the check box on network topologies will only encrypt the data in flight. Settings for data at rest will be governed by the storage policy copy setting. The HPE Catalyst callout refers to not enabling it for the storage policy copy because HPE provides encryption. However, this needs an additional license. :)

Userlevel 7
Badge +23

I think Commvault encryption will cause issues with the native deduplication that Catalyst uses, hence the recommendation, although I am not an expert on that. We have the great @Winston W who could maybe help answer during his timezone (APJ) :slight_smile:

Userlevel 3
Badge +4

Hi neuwiesener

You are correct. When leveraging HPE StoreOnce Catalyst as a target library within Commvault, we leverage the native HPE client binary to write to the object library. When using this feature we disable compression/encryption/deduplication from the Commvault perspective and leverage all the native capability on the HPE. Unfortunately, for all the additional features on HPE an additional license is required.

Badge

Hi There.

I have to implement this very soon for the first time and was asked whether, if CVLT dedup is disabled, clients with a large amount of data will transfer non-deduplicated data over the LAN.

When reading the BOL on this link: https://documentation.commvault.com/commvault/v11/article?p=99429.htm 

it states at the bottom of the page that client-side dedup is supported.

Not sure if I understand it properly. Has anyone already implemented HPE SO Catalyst with a DR copy using Catalyst Copy?

Thanks

Userlevel 3
Badge +4

Hi Abdel 

For HPE StoreOnce Catalyst integration, the Client or the MediaAgent can be the Data Mover to write directly to the Catalyst Store.

So for the first full backup the Client/MA will most likely need to stream the majority of the data across to the Catalyst Store. However, for subsequent backups StoreOnce Catalyst enables the identification of duplicate data chunks by the Catalyst client as part of the backup process. This enables low-bandwidth backup by only sending unique chunks to the Catalyst store, which significantly reduces network bandwidth consumption.

In regards to Catalyst Copy (between two HPE StoreOnce):

  • Catalyst Copy is an operation that must be initiated on the source StoreOnce appliance. So, when closing chunks, the destination MediaAgent will contact the source StoreOnce appliance to initiate the Catalyst Copy.

  • As a result of the Catalyst Copy operation, the destination MediaAgent will also need to have access (over IP or FC) to the source StoreOnce and be configured as a sharing path.

So if the source StoreOnce is configured with IP, the same protocol will need to be used on the destination and the replication network.

Feel free to reach out if you require any further details or clarification on HPE StoreOnce integration 

Kind Regards

WW

Userlevel 2
Badge +7

Hi Damian, I wonder how these options are set for a network topology: the settings from https://documentation.commvault.com/commvault/v11/article?p=59417.htm like the tunnel connection protocol. Does the encryption checkbox only encrypt outgoing connections, or incoming connections as well?

Userlevel 7
Badge +23

Topologies are simplified network configurations, so they only expose the common options. The encryption option will force encryption on any outgoing routes for associated infrastructure included in this topology, similar to setting “Encrypted” in the outgoing route protocol. It won't force encryption for connections made outside of this topology, though, or require encryption for incoming connections outside of the topology; in that case, you could use the advanced option in the CommCell to force that option upon MediaAgents (most common).