Configure Firewall tool Commserv

Last post 07-22-2010, 4:53 PM by CraigT. 19 replies.
  • Configure Firewall tool Commserv
    Posted: 07-15-2010, 11:09 AM

    I'm trying to do an install of an agent on a one-way firewall setup.

    Basically going from internal to DMZ, which has a one-way connection.

    According to the documentation I need to run the firewall tool on the CommServe first; however, I can't find the tool to do that.

  • Re: Configure Firewall tool Commserv
    Posted: 07-15-2010, 11:13 AM

    Hello ipman,  On the CommServe check under the \Program Files\CommVault\Simpana\Base.  Look for FirewallConfig.exe

    http://documentation.commvault.com/commvault/release_8_0_0/books_online_1/english_us/features/firewall/firewall_how_to.htm#firewall_windows


    Mark Spencer
    CommVault, Business Critical Support
  • Re: Configure Firewall tool Commserv
    Posted: 07-15-2010, 12:07 PM

    Thanks

    I briefly remembered it being a tool but I wasn't sure if it was accessible from the control panel.

    My documentation search skills are lacking as well, as I was searching "firewall tool" and didn't find the answer!

  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 1:24 PM

    Are there any known issues with the tool to test the firewall tunnels?

    QiConnect.exe?

    I'm trying to troubleshoot my firewall tunnel but when I run this it gives me an error about a registry key. [Incident: 100716-000066]

  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 1:41 PM

    Hey ipman, QiConnect has been removed from our documentation going forward and is no longer supported.  It is now recommended to use CommCell Readiness Report to verify whether the ports are correctly configured.

    http://documentation.commvault.com/Dell/release_8_0_0/books_online_1/english_us/features/firewall/firewall.htm

    Troubleshooting CommCell Communications Across Firewalls

    • Verify the following, if operations across firewall(s) are not working:
      • You have opened all the necessary ports in the respective firewall.
      • The range of ports is specified in the firewall configuration wizard. Use the CommCell Readiness Report to verify whether the ports are correctly configured.
      • You have included the correct ports in the appropriate computers.
      • You have the appropriate Host Names or IP Addresses of all the computers that are separated from a computer by firewall(s).

        If your network administrator allows you to disable/remove the firewall(s), then try running the backup/restore that way. This will eliminate other causes of failure and pinpoint the problem on firewall subsystem.

        Contact your software provider for assistance if all the above mentioned verification is successful and you continue to experience failures during data protection or data recovery operations.

    • Windows XP (SP2) and Windows 2003 (SP1) both include an optional firewall that can be enabled. As a result all the data protection jobs from that computer may go into the Pending state. Hence you must open the appropriate ports as described in Port Requirements from the Windows firewall. Alternatively, you can also disable the Windows firewall if you have another firewall enabled for the computer.

    Mark Spencer
    CommVault, Business Critical Support
  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 2:43 PM

    You have an example of what I'd be looking for in that report that would tell me if the oneway tunnel was up?

     

    Btw this is a new connection. I've run the firewall config on the CommServe and set up the one-way. Then I went to the DMZ host and started the install. Set up its firewall as a 1-way. Once that's complete it asks for the CommCell address and fails to connect.

  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 3:54 PM

    Hello Ipman,  There is an option when you run the report to show failed items only.   Or if you specifically select this computer and uncheck the option to show failed items only.  If it has problems checking the connectivity it should list as failed, otherwise it will have Ready. 

    Readiness (failure reason): Ready.

    Something you could try to test connectivity between CommServe and the client

    telnet <Host Name, FQDN, Short Name and/or IP of client> 8400

    • You should get a blank Command Prompt window if connection is successful using the name or IP over the specified port, even if there is no telnet daemon installed.
    • To exit a telnet session type <Ctrl>+"]" and then type "quit"

    You can also use our TestPort Utility to test connectivity.  This utility is part of the Resource Pack.  I have attached Readme for our test port.  Check your resource pack disk for the utility.

    If you continue to have issues I would recommend opening up a support incident and we can take a quick look.


    Mark Spencer
    CommVault, Business Critical Support
    Attachment: Readme_TestPort.txt
  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 4:29 PM

    Hi Ipman,

    What ports did you open 1-way from Internal to DMZ?  You will need 8400 + 1 additional port (ex. 8600) for controls.  Once you have 8400+1 additional open, then double check the configuration to assure it is set up as follows:

    On CommServe:

    One Way Host Is Reachable (listing Clients name or IP)

     

    On Client:

    One Way Host Is NOT reachable (listing CommServe Name or IP)

     

    Also, is there any NAT'ing?  Is this going out through a one to many NAT (Public interface)?

     

    Also, what type of firewall (Windows/software/hardware FW?)?


    Thanks,

    Craig T.
  • Re: Configure Firewall tool Commserv
    Posted: 07-16-2010, 4:40 PM

    Internal to DMZ is completely open.

    DMZ to internal is completely blocked.

    The firewall is a cisco pix I believe.

     

    I have verified I can reach all the ports by running telnet on the client hosts on the 8400 ports. I have no problem connecting from within to the client host.

  • Re: Configure Firewall tool Commserv
    Posted: 07-19-2010, 1:52 PM

    Tried getting some assistance from support today but I think there was a language problem.

    As the tech kept telling me I needed to open ports on my dmz host that would connect back through my firewall to the commserve.

    Which I think by the documentation is false...

    I just need ports open on my commserve host to the dmz host.

    My FwHosts looks like this:

    192.168.1.100

    FwPeers:

    192.168.1.100 192.168.1.100 8400

     

     

  • Re: Configure Firewall tool Commserv
    Posted: 07-19-2010, 3:44 PM

    Hello ipman,
    I would try one more test to see if the ports are open correctly for this setup.  You will want to use the CommVault TestPort Utility (it can be found on the Resource Pack, and can also be downloaded from the Resource Pack on the CommVault Maintenance Advantage Website: Downloads and Packages>>Browse the Simpana 8.0 Resource Pack>>(Version(32bit, x64, etc))>>Network and Foundation).

    To test this setup, you will use the following Syntax:

    On the Client: (If Commvault Services are running, they will need to be Stopped)
    Copy the appropriate Version of TestPort (x86, x64, etc) to the CV base Directory.
    From a command prompt, navigate to the Base Directory.
    Type:
    Testport.exe -server -useipv4 -bindname <Resolvable name of the client> -bindport 8400

    This will set up a listener on the client on port 8400 (you cannot have CommVault services running on the client when you do this; this should not be an issue if the client is not yet installed).  The bottom line will state "Waiting for a client to connect....."


    On the CommServe: (you do NOT need to stop CommVault Services on the CommServe)

    Copy the appropriate Version of TestPort (x86, x64, etc) to the CV base Directory.
    From a command prompt, navigate to the Base Directory.
    Type:
    Testport.exe -Client -useipv4 -bindname <CommServe Name> -srvname <Enter the Resolvable name of the client from client step above> -srvport 8400 -buffers 1000


    *NOTE:  you can replace -bindname with -bindip <IP> and srvname with srvip <ip>

    Once you set up the listener on the client and connect to it from the CommServe, it should pass 1000 15k buffers and display "!! Finished !!" at the command prompt.

    If it does not go through then the port(s) are not opened properly for this to function.  If 8400 goes through successfully then you will want to try the first port in the range as well (replace "8400" in both command lines with the first port in the dynamic/additional port range, i.e. 8600).

    Let me know how it goes.


    Thanks,

    Craig T.
  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 2:52 PM


    Does this tool act up?

    I'm getting an error about a missing qiutils.dll

     

  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 2:56 PM

    Hello ipman,

    You are probably getting this error for one of two reasons

    1.) it is being run from a directory other than the CV Base directory

    2.) incorrect version (using Testport 32bit on X64 architecture)


    Thanks,

    Craig T.
  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 3:01 PM

    You're right, wasn't running it from BASE!

    Out of curiosity in the firewall config tool at the end when it asks to restart the services for you.

    Is the expected result supposed to exit out of the app completely automatically?

    Also by restarting those services will it kill running jobs?

  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 3:37 PM

    Yes, that is expected behaviour.

     

    It will not kill running jobs but they will most likely go pending and then resume automatically 20 minutes later (20 mins is the default retry time).  Job might also show as running /cannot be verified.


    Thanks,

    Craig T.
  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 3:39 PM

    Here is what I get when I try to run the tool on the client.

     

    Waiting for a client to connect.......
    Got a new connection [4] from mycommservip Port 62163
    Sending [TeStSrV301] to client....
    Successfully sent signature string to Client
    Waiting to recieve signature buffer from client....
    FAILED TO VERIFY CLIENT STRING, Got [] instead of [tEsTcLi301]

  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 3:49 PM

    My apologies, the reason you are getting this message is because the CommServe is set up for One Way Client is Reachable, so the CommServe will continually send out over port 8400 until the Client Services come up (since the client cannot initiate to the CommServe).  You could take the Client out of the CommServe FW config, but realistically you just proved that 8400 is open (CS was able to connect to listener).  Try the same test with the first port in your range of ports (from the firewall config) and if it does the same thing (goes listening and then immediately states "got new connection from CS....") then you are open properly one way.  If it just sits at "Waiting for a client to connect", then complete the testport testing as described in my earlier instructions (replacing -srvport with the first port in the range of dynamic ports from the firewall config).


    Thanks,

    Craig T.
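The distinction drawn in the post above (a listener that accepts a connection but receives an empty signature has still shown the port is open in that direction) can be reproduced with a small stand-in. This is an added example, not part of the thread and not CommVault's TestPort or its wire format; only the two signature strings come from the quoted output, and the function names, result labels and loopback port are assumptions.

```python
import socket
import threading

# Signature strings copied from the TestPort output quoted in the thread; the
# function names and result labels are made up for this added sketch.
SRV_SIG, CLI_SIG = b"TeStSrV301", b"tEsTcLi301"

def recv_sig(conn, n):
    """Read n bytes, or whatever arrived before close/timeout."""
    buf = b""
    try:
        while len(buf) < n and (chunk := conn.recv(n - len(buf))):
            buf += chunk
    except OSError:  # timeout or reset
        pass
    return buf

def serve_one(listener, timeout=2.0):
    """Listening (DMZ client) role: accept one connection, classify the peer."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(SRV_SIG)
        got = recv_sig(conn, len(CLI_SIG))
    # An empty reply still proves the firewall passed the inbound TCP connection.
    return "verified" if got == CLI_SIG else "open-unverified"

def probe(host, port, send_sig=True, timeout=2.0):
    """Connecting (CommServe) role; send_sig=False mimics a bare telnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            ok = recv_sig(s, len(SRV_SIG)) == SRV_SIG
            if ok and send_sig:
                s.sendall(CLI_SIG)
            return "verified" if ok and send_sig else "open-unverified"
    except OSError:  # refused, timed out (filtered) or unreachable
        return "blocked"

def loopback_demo():
    """Exercise both roles on 127.0.0.1 using a constructed ephemeral port."""
    results = []
    with socket.create_server(("127.0.0.1", 0)) as listener:
        port = listener.getsockname()[1]
        for send_sig in (True, False):
            t = threading.Thread(target=lambda: results.append(serve_one(listener)))
            t.start()
            probe("127.0.0.1", port, send_sig)
            t.join()
    results.append(probe("127.0.0.1", port))  # listener closed: nothing accepts
    return results
```

Across a real one-way firewall, `serve_one` would run on the DMZ host and `probe` on the internal host, once for 8400 and once for the first port of the additional range.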
  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 4:22 PM

    So when I do as you suggested from the commserve I get an invalid pointer error.

    However if I telnet from the commserve to the port I have the client listening on I get this

     

    Waiting for a client to connect.......
    Got a new connection [4] from comservIP Port 49641
    Sending [TeStSrV301] to client....
    Successfully sent signature string to Client
    Waiting to recieve signature buffer from client....

  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 4:26 PM

    Wait typo

    That works!

     

    Waiting for Server to send Test buffer....
    Server string verified successfully
    Sending [tEsTcLi301] to server....
    Successfully sent signature to server

    Receiving buffers....

    Getting Number of Buffers to receive
    Going to receive 0 buffers


    Sending buffers...

    Going to send 1000 buffers of size 16384 bytes
    CRC of the initial buffer is 959408D2
    Sending Buffer # 1000


    Sent 16384000 Bytes in 99 secs
    Calculated network throughput is 0.16 MB/sec


    !! Finished !!
    Press Return...

     

    CommServe Check

    CommServe:  ip
    Creating firewall config files ... done.
    Starting Simpana Firewall Services ... done. (PID 8425)
    Trying to contact CommServe ip [1 of 3] ...done.

     

    And it looks like an error on the firewall settings was the problem. I used DNS name instead of IP!!

    So it was probably working this whole time =)

    I do appreciate the lesson on the porttester utility though!

     

  • Re: Configure Firewall tool Commserv
    Posted: 07-22-2010, 4:53 PM

    That's great news.  Glad to help...


    Thanks,

    Craig T.