Visibility of clients and protected data on media agents between network zones

Last post 08-11-2017, 9:09 AM by Ali. 3 replies.
Sort Posts: Previous Next
  • Visibility of clients and protected data on media agents between network zones
    Posted: 08-03-2017, 9:27 PM
    Hello, I'm looking for a little advice on expanding commvault in my environment.  We have various zones within our network, some more secure and locked down then others.  Currently I have my commserve and various media agents installed in Zone A.  All of the clients also exist in Zone A, and data can flow freely within the Zone. There are no issues with this configuration.
    Enter Zone B.  Zone B has clients that have limited connectivity to services in Zone A.  Ideally I would like to setup a media agent in Zone B, that has direct attached disk storage. I would then configure clients in Zone B to write to the disk storage on the MA in Zone B. I don't see any issues with this idea.
    My issues arise when it comes to communication between the two zones.  I would like to limit the access to clients and/or media agents in Zone B, from being accessed in Zone A. The end goal being the data in Zone B (from clients or the media agent) cannot be accessed by any commvault applications in Zone A, and our backup administrators would have to use the MA in Zone B to restore any data. The more invisible the Zone B MA and Clients are to the Commserve in Zone A, the better.  
    I've thought that maybe I could use the documentation on "Firewall Using Commvault Proxy in a Perimeter Network" (, but I'm not sure if this will give me the seperation I'm looking for.
    Looking forward to any advice anyone has!
  • Re: Visibility of clients and protected data on media agents between network zones
    Posted: 08-03-2017, 11:25 PM

    Hi there, using a CommServe Proxy via a firewall does sound to be the best way from reading what you have above as this will isolate the 2 zones.

    To make sure that the restores do not happen between zones you will need to ensure that the proxy firewall rules setup is completely isolated and only allows communication from the CommServe only and none of the other "Zone A" MA/Clients basically cutting off communication to them. 

    If Zone B has its own MA and library and there are no shared data paths then this will make it more transparent as restores will use the local paths defined by default.

    If you need to lock it down further you could look at using the roles and permission to the clients/group and only allowing specific trusted backup admins to restore those in Zone B or you could even go as far as to remove the "Restore out of place" Permission to ensure the data can’t be restored outside its original location.

  • Re: Visibility of clients and protected data on media agents between network zones
    Posted: 08-11-2017, 8:31 AM

    Thanks for the note.  As I'm thinking about this a little more and getting my hands dirty, I'm thinking a simplar way to think about this is to simply limit the restore destinations of specific clients, to only those in a specific group.

    For instance, when I go to restore data from a client in Zone B, and I can choose the restore destination, I would like to only list the other machines or MA's in Zone B.  Do you think I would be able to accomplish that by using a CommServe Proxy? 

    All I'm trying to do is not let data leave Zone B.  Data paths, file names, etc can be visible, I just don't want data to be restored outside the zone.


  • Re: Visibility of clients and protected data on media agents between network zones
    Posted: 08-11-2017, 9:09 AM
    • Ali is not online. Last active: 03-05-2018, 11:33 PM Ali
    • Top 10 Contributor
    • Joined on 08-05-2010

    To prevent seeing other entities by other users in the CommCell, its best to utilize Roles and define permissions over the needed entities and to what users there.

    If the Data Path of Zone B doesn't have Zone A, then I don't think the restores will work even if you can pick Zone A clients since.  Would suggest giving this a try in conjunction with the Proxy too, that sounds like a doable idea.

    Side note, if the users in the CommCell have permissions then they will be able to view the content regardless of what zone the clients are in, hence the suggestion to look into Roles, if you get those right, then you won't need to configure these communication rules altogether, it will just be blocked, to begin with giving you 'true' security.

The content of the forums, threads and posts reflects the thoughts and opinions of each author, and does not represent the thoughts, opinions, plans or strategies of Commvault Systems, Inc. ("Commvault") and Commvault undertakes no obligation to update, correct or modify any statements made in this forum. Any and all third party links, statements, comments, or feedback posted to, or otherwise provided by this forum, thread or post are not affiliated with, nor endorsed by, Commvault.
Commvault, Commvault and logo, the “CV” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, SnapProtect, ROMS, and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
Copyright © 2018 Commvault | All Rights Reserved. | Legal | Privacy Policy