Commvault

Network Routes

In most modern data centers, corporate networks are segmented by one or more firewalls. A firewall filters TCP and UDP ports between two networks so that users and systems on a less trusted network cannot reach sensitive resources and data. A common case is computers that must be reachable directly from the internet, such as web servers. These servers are usually isolated in a dedicated network called a demilitarized zone, or DMZ, so that an attacker who compromises a web server cannot pivot freely into the corporate network: the only paths out of the DMZ are the ports the firewall explicitly allows, which is why the ports Commvault® software uses matter.


There are two ways of implementing a firewall:

  • A physical network appliance that segregates networks through its physical connections
  • A software-based (host) firewall that restricts inbound and/or outbound traffic on the computer itself


A typical illustration of a DMZ

Commvault® Software Default Ports

Commvault® software uses predefined ports to handle communication and data transfer. Some are static, and some are dynamic.


Commvault® Software Default Ports

Service                                                                   Port Number      Protocol
Commvault® Communications Service (GxCVD), found on all CommCell® computers   8400             TCP
Commvault® Server Event Manager (GxEvMgrS), on the CommServe® server          8401             TCP
GxCVD dynamic ports, used for data protection and data recovery jobs          1024 to 65535    TCP


Because multiple ports are used, and especially because the data ports are dynamic, a computer behind a firewall is hard to protect if no other mechanism is in place: you would have to ask the network team to open ports 1024 to 65535 between every client in the DMZ and the internal servers, which leaves almost nothing for the firewall to filter. Because that is not an acceptable solution, Commvault® software provides network routes.




Automatic Tunneling

Since service pack 15, network configuration is considerably simpler. Commvault® components first communicate using the traditional communication port and dynamic ports. If the software detects that the dynamic ports are blocked and therefore unavailable, it automatically encapsulates data transfers in a tunnel on the tunnel port. No network topology or network route has to be configured in Commvault® software.

The only requirement is that the communication port (8400) and the tunnel port (8403) are open and reachable between the components, in whichever direction the components initiate connections.

Automatic tunneling requirements
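As an added example, not part of the Commvault page or product, the following PowerShell function checks the automatic-tunneling prerequisite from the local host: it tests TCP 8400 and 8403 toward every CommCell peer and reports whether the pair is complete. The function name, the peer names and the port list are assumptions; only outbound reachability from the host running it is tested, so run it on each side of the firewall to cover both directions.

```powershell
# Added example (not Commvault code): verify that the communication port (8400) and the
# tunnel port (8403) are reachable from this host toward each CommCell peer.
# Peer names below are placeholders.
function Test-CommvaultPeerPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Peers,
        [int[]] $Ports = @(8400, 8403)      # Commvault defaults: GxCVD and tunnel port
    )
    foreach ($peer in $Peers) {
        $result = [ordered]@{ Peer = $peer }
        foreach ($port in $Ports) {
            # -InformationLevel Quiet returns $true/$false; suppress the warning on failure.
            $result["Tcp$port"] = Test-NetConnection -ComputerName $peer -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        # Automatic tunneling needs BOTH ports open; one missing port means the
        # firewall rule or the Commvault network route still has to be fixed.
        $result['TunnelReady'] = @($Ports | ForEach-Object { $result["Tcp$_"] }) -notcontains $false
        [pscustomobject]$result
    }
}

# Usage: run on the client, then again on the CommServe/MediaAgent toward the client.
Test-CommvaultPeerPorts -Peers @('commserve.example.com', 'mediaagent01.example.com') |
    Format-Table -AutoSize
```

A peer that shows Tcp8400 true and Tcp8403 false will still complete the initial CVD handshake but will fail as soon as the job falls back to the tunnel, which is exactly the case the page describes; a host whose inbound 8403 is closed on purpose (a blocked configuration) is expected to fail this check from the server side.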




Multi-Stream Tunneling

Traditionally, Commvault® software could tunnel only a single stream at a time per network route, so streams were sent sequentially to the MediaAgent, which was known to slow backups that use network routes compared with regular backups. In SP11, multi-stream tunneling was introduced to remove this limitation: when configuring a network route, you can now define the number of streams to use, and each stream opens its own tunnel.

Note: A maximum of 8 streams can be defined when configuring a network route. If instead, automatic tunneling is used, it will automatically multi-stream jobs up to three streams.

Illustration of a multi-stream tunneled job


Defining the Number of Tunnel Streams 

The Route Settings window lets you define the number of streams for a network route. The route is created in the Outgoing Routes tab.




To define the number of tunnel streams

1 - Right-click the computer | Properties.

2 - Open the Network settings for the client.



3 - Select the route.

4 - Edit the route settings.

5 - Define the number of tunnel streams.


Troubleshooting a Multi-Stream Tunneled Backup

You can validate that multiple streams are in use with the netstat -anob command (the -b switch, which shows the owning executable, requires an elevated command prompt). Pipe the output through findstr.exe to keep only the entries with the destination system's IP address.




To monitor streams

1 - From a command prompt, type the following command:

netstat -anob | findstr.exe <server IP address>

2 - One communication connection is established on the communication port, alongside multiple data transfer connections, one per tunnel stream.
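As an added example, not part of the Commvault page, the following PowerShell function performs the same check as the netstat command above with Get-NetTCPConnection, which returns objects instead of text to filter: it separates the 8400 communication connection from the per-stream tunnels on 8403 and names the owning processes. The function name and the MediaAgent address are assumptions; the ports are the Commvault defaults from the table above. Run it from an elevated prompt so that process names resolve.

```powershell
# Added example (not Commvault code): count the control connection and the per-stream
# tunnels to a MediaAgent while a tunneled backup is running. The address is a placeholder
# and must be the IP address that netstat would show, not a host name.
function Get-CommvaultTunnelStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MediaAgentAddress,
        [int] $CommunicationPort = 8400,   # Commvault default: GxCVD communication port
        [int] $TunnelPort        = 8403    # Commvault default: tunnel / listen port
    )

    # Only established sockets to the MediaAgent matter; listeners and TIME_WAIT do not.
    $conns = @(Get-NetTCPConnection -RemoteAddress $MediaAgentAddress -State Established `
        -ErrorAction SilentlyContinue)

    # Control traffic: the CVD-to-CVD connection on 8400, whichever side opened it.
    $control = @($conns | Where-Object {
        $_.RemotePort -eq $CommunicationPort -or $_.LocalPort -eq $CommunicationPort })

    # Tunnel streams: one TCP connection per stream on the tunnel port. In a restricted
    # configuration either side may have initiated it, so check local and remote port.
    $tunnels = @($conns | Where-Object {
        $_.RemotePort -eq $TunnelPort -or $_.LocalPort -eq $TunnelPort })

    # Resolve the owning process so a non-Commvault process that happens to use the same
    # port is not mistaken for a tunnel.
    $owners = $conns | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique

    [pscustomobject]@{
        MediaAgent      = $MediaAgentAddress
        ControlChannels = $control.Count
        TunnelStreams   = $tunnels.Count
        OwningProcesses = ($owners -join ', ')
    }
}

# Usage during a running multi-stream tunneled backup (placeholder address):
Get-CommvaultTunnelStreams -MediaAgentAddress '10.10.0.20' | Format-List
```

Expect ControlChannels of at least 1 and TunnelStreams equal to the stream count configured on the route (up to 8), or up to 3 when automatic tunneling is doing the multi-streaming. If TunnelStreams is 0 while a job is running, the dynamic ports are reachable and the data is not being tunneled at all, which is worth knowing before you assume the firewall is enforcing the two-port model.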



Network Routes

CommCell® components separated by a firewall must be configured to reach each other through the firewall using network routes. Once configured, they can communicate to perform data management operations like backup, browse, and restore. For example, if a client needs to communicate with a CommServe® server through a firewall and back up data to a MediaAgent through a firewall, all three components (CommServe server, MediaAgent and client) require network route configuration.


There are three primary methods for connecting through a firewall:

  • Direct – where the CommCell components communicate directly with each other through a firewall
  • Gateway – where CommCell components communicate through a gateway resource
  • Through a proxy – where CommCell components use a proxy in a DMZ to communicate with each other



Connection methods

1 - Available connection methods are Direct, Port Forwarding and Network Gateway.


Define Network Routes for Client and Client Groups

Right-click the client or client group | Click Properties | Network
To configure network routes for a client or client group, right-click on the entity in the CommCell browser, select Properties and then click the Network button. In the Network Route Configuration tab, check the 'Configure Network Route Settings' check box. Selecting the Advanced radio button enables full network route configuration.


There are four configuration tabs available:

  • Incoming connections
  • Incoming ports
  • Outgoing routes
  • Options

A fifth tab for Network Properties displays a summary of all options configured for the network route settings. This summary is in the format used to populate the FWConfig.txt file, which is in the base folder of all CommCell® components using network route configurations.




Network route configuration

1 - Network route configuration tabs are:

-Incoming Connections

-Incoming Ports

-Outgoing Routes

-Options

2 - The Summary tab displays a summary of all network route configurations.


Configure Incoming Connections

The Incoming Connections tab determines whether other CommCell® components can connect to the client or client group for which the network route settings are being configured.


There are two connection states:

  • Restricted – there are firewall port restrictions in place and a component on the other side of the firewall can reach the component that is currently being configured.
  • Blocked – there are firewall port restrictions in place and a component on the other side of the firewall CANNOT reach the component that is currently being configured.


Commvault® software uses port 8400 as the default communication port for all CommCell traffic. When network route settings are enabled for a CommCell component, port 8403 is used by default as the listening port for inbound tunnel connection attempts. Additionally, a dynamic port range can be configured to provide extra data traffic ports for backup and recovery operations. How these ports are used depends on several factors:

  1. Communication is based on the 'Listen for tunnel connections on port' setting.
  2. If port 8400 is open on the firewall, then once initial communication is made through the listen port, control and metadata traffic uses port 8400 by default and the tunneled data transfer uses port 8403, consistent with the port roles described under Automatic Tunneling.
  3. By default, a dynamic port range is not used for data traffic. This is by design of the network model Commvault® software uses to transmit data to a MediaAgent. When the 'Optimize for concurrent LAN backups' setting in the MediaAgent's Control tab is enabled, all data is tunneled through a single data port, so dynamic port ranges are not needed to back up and restore data through a firewall. In certain situations, performance may be improved by disabling 'Optimize for concurrent LAN backups' and defining a dynamic port range, but every port in that range is one more port the firewall has to allow. Keep in mind that when the LAN optimization option is disabled, the default number of streams a MediaAgent can process is 25 and the maximum is 75.




The Incoming Connections tab

1 - Click Advanced to display the configuration tabs.

2 - The Incoming Connections tab.



To optimize connections

1 - Expand the MediaAgents entity | Right-click the MediaAgent | Properties.

2 - Enable optimization by checking the 'Optimize for concurrent LAN backups' option.

3 - Define the number of concurrent transfers.


Configure Outgoing Routes

The outgoing routes tab determines how CommCell® components will communicate with each other.


There are three route types:

  • Direct
  • Via gateway
  • Via proxy

For each route type, the connection protocol determines what is protected on the wire:

  • Regular – Neither authentication nor data is encrypted.
  • Authenticated – Authentication is encrypted, but the data transfer is not.
  • Encrypted – Both authentication and data are encrypted.
  • Raw – TCP packets are transmitted without any encapsulation. Useful when a device in the tunnel path, such as a gateway or a firewall, modifies the packets; it also gives up the protection of the other modes, so use it only where required.

The default, 'Authenticated', is the recommended option. If the data transfer itself must be protected, consider using client 'inline' encryption instead of the 'Encrypted' option in the firewall settings. With 'Authenticated' and no inline encryption, backup and restore payload crosses the firewall in clear text, which matters when the route traverses an untrusted network such as a DMZ or the internet used by roaming clients: in that case verify that one of the two encryption options is actually in effect.

 



The Outgoing Routes tab

1 - Click Advanced to display the configuration tabs.

2 - The Outgoing Routes tab.


Configure Options

When the CommServe® server can reach clients to initiate data protection and recovery jobs, the CommServe server is configured as restricted on those clients. If the CommServe server cannot reach the client, it is configured as blocked and the client is responsible for establishing connections to the CommServe server. The 'Keep-alive Interval' and 'Tunnel Init Interval' determine how connections are made and maintained when the CommServe server is blocked from reaching clients.


The 'Tunnel Init Interval, seconds' option sets how frequently the client attempts to establish a connection to the CommServe server. The 'Keep-alive Interval, seconds' option sets how long an established connection is kept alive; at the end of the keep-alive interval, which defaults to five minutes, the client renews the connection.




The Options tab

1 - Click Advanced to display the configuration tabs.

2 - The Options tab.

3 - Keep-alive Interval – time to maintain the connection.

4 - Tunnel Init Interval – time between connection attempts.


Tip: Installing Clients Requiring Network Routes
Before you install a client on a machine behind a firewall, ensure that the network routes are already configured in the Commvault® software. If the client is installed without the routes set first, communication between the client and the CommServe® server might fail, and the client's network route configuration file (FWConfig.txt) might have to be edited by hand. To create network routes before you install the client, create the client in the CommCell browser by right-clicking the Client Computers entity and choosing New Client. Once the client exists logically, network routes can be configured for it.




Restricted Network Route Configuration

A restricted network route configuration is one in which Commvault components can communicate through the firewall, but only on specific ports. A listening port is used to establish the connection between resources, and any resource can initiate communication. Before setting up network routes, the listening port must be opened bi-directionally on the firewall between the components; scope that rule to the addresses of those components rather than to any host.


Typical restricted firewall environment




To install a client using restricted network routes

1 - Right-click Client Computers | New Client.

2 - Locate the File System section and select the platform.

3 - Provide the client name and fully qualified domain name.

4 - Click Next.

5 - Click Finish to create the client.



6 - Right-click the client and select Properties.

7 - Click Network.

8 - In the Incoming Connections tab, click Advanced.

9 - Click Add.



10 - Add a restricted route for both the CommServe® and MediaAgent servers.

11 - In the Incoming Ports tab, define the port.

12 - Optionally, to increase speed on restores, an additional range of ports can be used.



13 - Add a direct outgoing route for the CommServe® ….

14 - … and the MediaAgent servers.



15 - On both the CommServe® and MediaAgent servers, create routes by clicking Properties.

16 - In the Incoming Connections tab, create a restricted rule for the client.

17 - In the Incoming Ports tab, specify the port.

18 - In the Outgoing Route tab, create a direct rule for the client.

19 - Push Network Configuration to the servers.



20 - Install the client using either the interactive or push install.

21 - On the Network Route Configuration screen, specify the communication type and port.



Blocked Network Route Configuration

A blocked network route configuration is one in which only components on one side of the firewall can initiate communication. It is typically used for a strongly secured DMZ, or when external clients such as laptops connect to the CommCell® environment from unsecured networks.

The CommCell component that is allowed to initiate attempts to connect to the other CommCell resources when its Commvault services start. The connection attempt frequency and the keep-alive interval are set in the Options tab of the firewall settings.


Typical blocked firewall environment for DMZ clients


Blocked firewall environment for roaming users when no proxy is available
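As an added example, not part of the Commvault page or product, the following PowerShell function expresses the restricted and blocked configurations from the two sections above as host-firewall rules on the client, so the two models can be compared side by side: restricted allows inbound 8400/8403 only from the named CommServe and MediaAgent addresses, blocked allows no inbound connection at all. The function name, rule names and addresses are assumptions; the ports are the Commvault defaults. These host rules complement the network firewall between the DMZ and the internal network and the Commvault network routes, they do not replace either, and the function must run from an elevated prompt.

```powershell
# Added example (not Commvault code): least-privilege Windows Defender Firewall rules on a
# CommCell client for the Restricted and Blocked network route configurations.
# Addresses in the usage line are placeholders.
function Set-CommvaultClientFirewall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Restricted', 'Blocked')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $CommCellPeers,   # CommServe and MediaAgent IPs
        [int[]] $Ports = @(8400, 8403)                      # GxCVD port and tunnel port
    )
    $inbound  = 'Commvault CommCell peers (inbound)'
    $outbound = 'Commvault CommCell peers (outbound)'

    # Start clean, so that switching from Restricted to Blocked really closes the inbound hole.
    Get-NetFirewallRule -DisplayName $inbound, $outbound -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Both modes: this client initiates connections to the peers' communication/listen ports.
    # (Only enforced if the profile's outbound default is Block; it is a no-op otherwise.)
    New-NetFirewallRule -DisplayName $outbound -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort $Ports -RemoteAddress $CommCellPeers | Out-Null

    if ($Mode -eq 'Restricted') {
        # Restricted: peers on the far side may reach this client, but only on the two
        # Commvault ports and only from the named addresses, never from "Any" and never
        # the 1024-65535 dynamic range.
        New-NetFirewallRule -DisplayName $inbound -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Ports -RemoteAddress $CommCellPeers | Out-Null
    }
    # Blocked: no inbound rule at all. The client opens the tunnel on its own schedule
    # (Tunnel Init Interval / Keep-alive Interval) and the servers reuse it.

    Get-NetFirewallRule -DisplayName $inbound, $outbound -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage: a DMZ web server that the internal CommServe/MediaAgent must not be able to reach.
Set-CommvaultClientFirewall -Mode Blocked -CommCellPeers '10.10.0.10', '10.10.0.20'
```

The difference between the two modes on the host is exactly one inbound rule, which is the point of the blocked model: a compromised DMZ client exposes no Commvault listener to the internal network, and the internal servers in turn only ever see connections that the client initiated on the tunnel port.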





To install a client using blocked network routes

1 - Right-click Client Computers | New Client.

2 - Locate the File System section and select the platform.

3 - Provide the client name and fully qualified domain name.

4 - Click Next.

5 - Click Finish to create the client.



6 - Right-click the client and select Properties.

7 - Click Network.

8 - In the Incoming Connections tab, click Advanced.

9 - Click Add.



10 - Add a blocked route for both the CommServe® and MediaAgent servers.

11 - In the Incoming Ports tab, define the port.

12 - Optionally, to increase speed on restores, an additional range of ports can be used.



13 - Add a direct outgoing route for the CommServe® ….

14 - … and the MediaAgent servers.



15 - On both the CommServe® and MediaAgent servers, create routes by clicking Properties.

16 - In the Incoming Connections tab, create a restricted rule for the client.

17 - In the Incoming Ports tab, specify the port.

18 - In the Outgoing Route tab, create a direct rule for the client.

19 - Push Network Configuration to the servers.



20 - Install the client using either the interactive or push install.

21 - On the Network Route Configuration screen, specify the communication type and port.



Proxy Network Route Configuration

A proxy network route configuration is used when resources cannot directly communicate using a blocked or restricted connection. A proxy is designated in the DMZ by selecting the 'This computer is in DMZ and will work as a proxy' check box in the Options tab of the Network Route Configuration settings. Network routes must be configured from resources outside the firewall to the proxy and then from the proxy to resources inside the firewall.


Typical proxy configuration




To configure Network Route using a proxy

1 - On the proxy client, in the Options tab, select the 'This computer is in DMZ and will work as a proxy' option.

2 - For the other clients, when defining routes, choose the Network Gateway connection type and select the proxy from the list.


Copyright © 2021 Commvault | All Rights Reserved.