Backups through firewall

cabraun

MIS
Feb 27, 2002
Hello,

Does anyone out there do Galaxy backups through a firewall? We want to use Galaxy (6.1 w/ SP2) to backup our DMZ. So our commserve is internal, separated by a checkpoint firewall, from a media agent with locally attached LTO2 drive and 5 clients in the DMZ. No data is to pass through the firewall.

I have followed all of CV's documentation and worked with their support for probably 10-12 hours up to this point but it just does not want to work.

Does anyone do any backups in such a configuration? I will post additional information as needed.
 
Open all the Commvault ports on the firewall. Then use the firewall config tool to add the media agent's IP address (forget the DNS name). Then use the firewall config tool to add the Commserve's IP address to the media agent (forget DNS name). Then run the firewall config tool on a client and add the Commserve's and Media Agent's IP addresses. Try a backup and see what happens.
 
Ports 8400-8403 and one additional port between 5000 and 32767 are open 1-way from the commserver on the internal network to the DMZ network, where the media agent and clients are.

The firewall config tool was run on the commserve configured for the 1 additional port with the "One Way Host is Reachable" option.

The firewall config tool has been run on the media agent with the same port configured as "One way host is NOT reachable" option.

Backup of the media agent file system works.

Added a 2nd client. Re-ran the firewall config tool on the commserve and added the client with the same "One way, host is reachable" option then ran the Commvault install on the client in the DMZ and chose the Yes configure FW option and configured with the same port and "One way host is NOT reachable" option to the commserve.

I can still backup the media agent, but when I try to backup the new client I am told:

"WARNING - All network ports suitable for traffic across the firewall are in use on machine <my commserve>. You may want to increase the number of ports available through the firewall. If this is a partially upgraded CommCell (from 3.7.1 or 4.1), completing the upgrade will greatly reduce the port usage."

Followed 2 minutes later with the same message but with a CRITICAL heading.

There should be no data going through the firewall as both the media agent and clients are in the DMZ and just the commserve is internal.

The way we have this configured is exactly what CV's documentation says to do, and as I said, I have worked 10-12 hours on the phone and via webex with CV support but it just won't work.

What else are we missing here?
 
One-way firewall, hey? Brave guy. Anyway, you need more than one additional port besides the 8400-8403 range. One extra port won't do it. You need a port per client backup opened up and added to all the firewall config. Sorry if you already tried this but it looks like you only opened up one additional from your last post.
 
You are correct, that I have just 1 port open in addition to the 8400-8403. All the CommVault documentation indicates that that is all that is needed and the CV support people, supposedly firewall specialists, have never indicated otherwise and have been very hands on all along in the process and know exactly what I am trying to accomplish and quite frankly they are as bewildered as I am.

However, we have not tried to open any additional ports for this and I would certainly be willing to give it a shot. It will likely be Monday before I can get the firewall guy to open a few additional ports.

Just to make sure I am clear on your suggestion, 1 port in the range of 5000-32767 per client in the DMZ so:

8400-8403 for Commvault operations
5001-5005 for my 5 client machines, one of which is a Media Agent as well.

Anything else you can think of that might require more than those 9 ports, such as the morning DR backups etc?

Thanks
 
Bewildered firewall specialists won't help you much. The 6.1 firewall docs give a guideline of port requirements which should apply to both 2-way and 1-way firewalls, although you wouldn't know it from the lousy layout. They say the commserver needs 1 port, the media agent needs 1 port per backup stream (total number of drives/mag libraries per media agent, more if you are multiplexing), and one per client backup stream. Then more for other jobs like aux copies and DR jobs. I would open a block of ports up (20?) and fine tune it later just to see if it gets you anywhere.
 
Remove all of the FW text files...there should be 3 (they will be in the Galaxy/Base dir) and then run the Firewall config tool again, ensuring that the range of ports you want are already open.

Then run the QiConnect tool to ensure that you can communicate with the DMZ clients from the CS.

Also, if there are multiple NICs on the DMZ clients then try setting Data Interface Pairs to force Galaxy to use the correct NIC....seen this be an issue before when multiple NICs exist.
 
Just wanted to followup and let everyone know that indeed opening additional ports was the answer and we are now successfully backing up our DMZ with 1-way firewall communications.

Thanks to those of you that assisted.
 
Yell at CV for not telling you this! This should have been their first response and you should have been able to resolve this quickly.
 
This is hilarious. We've been doing FW backups for a while now - if I remember correctly the installer and the documentation both state that you need to open additional ports - CV support should've been all over this.
It'd be great to find out who you were working with on this - especially if you can find out how long they have been there - just to judge the overall competency.
 
Well, I was working from the documentation titled 5.9 Firewalls originally and then, after upgrading to 6.1, the document titled 6.1 Firewalls.

The way I read the document and interpreted the diagram of the configuration that we wanted to emulate, was ports 8400-8403 and 1 dynamic port between 5000 and 32767 needed to be open from the friendly side to the hostile side and the diagram clearly showed the commserve on the friendly side and the media agent and multiple clients on the hostile side. That is what we were going off of.
 
My firewall config is different - all the same - this experience should not be a science experiment -
 
I just wanted to send an update to this since the original solution was to open 8400-8403 and enough ports in the 5000 to 32767 range for 1 each of the clients I am backing up.

As it turns out, indeed I do only need 8400 and 1 port in the above range open on the firewall to accomplish what we needed. After running with the full complement of ports and monitoring traffic, it was determined that just 2 ports are ever used. 8400 and the 1 in the dynamic range.

We have since closed all of the additional ports and everything is running beautifully. We did still need to keep the full range of ports available in the FWHOST file but only 1 is ever needed and used.

We are now able to fully backup our DMZ systems without any data crossing the firewall and with just 2 ports open from the commserve to the DMZ only and that is what we wanted.
 
Sorry, of course I meant FWPORTS not FWHOSTS above.
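An added reachability check for the setup this thread ends up with (8400-8403 plus a small block of 5000-32767 ports, open one-way from the CommServe toward the DMZ). It is not Galaxy's QiConnect tool and not code from the original posters; run it on the CommServe against your DMZ hosts. The host names, the starting dynamic port and the stream counts are constructed placeholders.

```python
import socket
from contextlib import closing

# Port facts from the thread: 8400-8403 carry CommVault control traffic,
# the extra per-stream ports come from the 5000-32767 range in FWPORTS.
COMMVAULT_CONTROL_PORTS = range(8400, 8404)
DYNAMIC_RANGE = (5000, 32767)


def plan_dynamic_ports(first_port, n_streams):
    """Reserve one dynamic-range port per backup stream (the 'one port per
    client backup stream' guidance above). Rejects ports outside 5000-32767."""
    lo, hi = DYNAMIC_RANGE
    ports = list(range(first_port, first_port + n_streams))
    if ports and (ports[0] < lo or ports[-1] > hi):
        raise ValueError(f"dynamic ports must lie within {lo}-{hi}")
    return ports


def tcp_reachable(host, port, timeout=2.0):
    """True when a TCP connect from this machine (the friendly side) completes.
    False covers firewall drops, refusals, timeouts and DNS failures alike, so a
    False only says 'not usable from here', not which hop blocked it."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def check_dmz_host(host, dynamic_ports, timeout=2.0):
    """Probe every port the one-way rule must allow toward one DMZ host.
    Only the CommServe->DMZ direction is tested, because on a one-way firewall
    the hostile side never initiates. Returns {port: reachable}."""
    probe = list(COMMVAULT_CONTROL_PORTS) + list(dynamic_ports)
    return {port: tcp_reachable(host, port, timeout) for port in probe}


def missing_ports(results):
    """Ports that must still be opened (or have nothing listening yet)."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Constructed inventory: one media agent and one client, one stream each.
    dmz_hosts = ["ma01.dmz.example", "web01.dmz.example"]  # hypothetical names
    dyn = plan_dynamic_ports(5001, len(dmz_hosts))          # 5001, 5002
    for dmz_host in dmz_hosts:
        gaps = missing_ports(check_dmz_host(dmz_host, dyn))
        print(dmz_host, "unreachable ports:", gaps or "none")
```

A port that shows unreachable while the DMZ agent is up and the firewall rule is in place usually means the FWPORTS files on the two sides disagree, which is the symptom behind the "all network ports suitable for traffic across the firewall are in use" warning above.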
 