Firewall settings

Last post 05-30-2011, 4:39 PM by PhilippeMorin. 6 replies.
  • Firewall settings
    Posted: 05-19-2011, 2:12 PM

    Hi,

    We use a third party firewall on our Windows servers which is currently in detect only mode. When looking at our MAs and Commserve, there are a lot of ports used by Commvault in the 49000-50000 range. All those ports are used for connections coming from different agents.

    I'd like to restrict the ports used by the clients to maybe 100-200 ports so I can exclude them from the firewall. I've created a group which contains all our agents and then, on the Commserve's properties, firewall configuration, I added an entry to the incoming connections with the group I just created and set it to "Restricted". Then I went into incoming ports and added a port range from 50100 to 50299. I pushed the configs to the Commserve and to the agents, but they're still connecting to a bunch of ports in the 49000 range.

    Is there something I'm missing? I guess I'm not using the proper configuration, but I can't seem to find any way to work around this. Unfortunately, the firewall doesn't allow excluding executables, just ports, so I can't specify the CV exes.

    Thanks!
    Phil

  • Re: Firewall settings
    Posted: 05-19-2011, 4:26 PM

    Phil,

    What processes are using the ports outside of the range? Please run a netstat -anob and let me know. Thanks.

    JW

  • Re: Firewall settings
    Posted: 05-19-2011, 4:49 PM

    The one that generates the most traffic is on the CS: AppMgrSvc.exe currently using port TCP 60176.

    I can also see the following services on the CS/MAs:

    TCP 60159 MediaManager.exe
    TCP 60667 JobMgr.exe
    TCP 64742 SRMServer.exe
    TCP 59907 SIDB2.exe

    From what I can see, they've been using the same port since the last time the services were restarted, which would make sense. So I guess what I'd like to do is have each of those services bind to a static port each time it's restarted.

    Is that possible?

  • Re: Firewall settings
    Posted: 05-19-2011, 6:56 PM

    Phil,

    One thing you can try is change the registry key below from *0* to 1 and then cycle the CommVault services to see if that helps out.

    nBIND_OPEN_PORTS_ONLY

    HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Instance001\Firewall

    JW

  • Re: Firewall settings
    Posted: 05-20-2011, 10:19 AM

    Tried that, but it didn't work at first. I managed to kinda get it to work using your key. To be clear, here are the steps I did so far:

    1. Create an empty group (I named it "FW - Restricted")

    2. On each server hosting Simpana server side services (Commserve, MAs, SRM Server, etc.), I modified the following firewall configuration properties:
         - "Incoming Connections" tab: added the empty group and set the state to "RESTRICTED"
         - "Incoming Ports" tab: added a range of open ports from 50002 to 50050 (port numbers can change obviously. So far the maximum number of ports used on our CS is 11 so you shouldn't need too many)
         - "Options" tab: Enable the "Bind all services to open ports only" checkbox

    3. On each server hosting Simpana server side services (Commserve, MAs, SRM Server, etc.), I modified the following registry key settings through the GUI:
         - Key name: nBIND_OPEN_PORTS_ONLY
         - Location: Firewall
         - Type: REG_SZ
         - Value: 1

    Note that enabling the "Bind all services to open ports only" AND modifying the registry key to 1 were needed to get all services (cvd.exe, JobMgr.exe, AppMgrSvc.exe, MediaManager.exe, SRMServer.exe, etc.) to listen to a port in the range I wanted. If you do only one or the other, it doesn't work and all services will listen to random ports.

    When I start a backup though, MediaManager.exe seems to open a connection to each client and will listen on a random port per client. When I do a netstat, I can see that without any jobs running it listens on port 50008, which is good. The only thing I need to do is figure out how to prevent the service from opening random ports during backups and keep it, ideally, to 50008.

    I'm guessing that would be done by putting every client in my "FW - Restricted" group, but that also means that every time a new client is added, I'll need to add it to that group as well. It would be nice to have an option in the firewall settings to tell it that the rule applies to every client and not only a group. Will test this and get back with the results.

    Any other suggestions are welcome!

    Phil

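    The `netstat -anob` check JW asks for earlier in the thread, and the post-change verification of Phil's procedure above, as an added example that is not part of the original thread or of Commvault's own tooling: a small Python parser for `netstat -anob` output that flags Commvault processes listening on TCP ports outside the range configured on the "Incoming Ports" tab (50002-50050 in Phil's steps). The netstat text below is constructed for this example, not captured from a real CommServe; the PIDs are made up, and the process list is simply the set of executables named in the thread. Run it on a real server by piping `netstat -anob` output into it, or paste the text into `SAMPLE_NETSTAT`.

```python
"""Flag Commvault/Simpana services listening outside the restricted port range.

Parses the text produced by `netstat -anob` on Windows (run elevated, since -b
needs it). Added example for the forum thread; not Commvault's own code.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Range added on the "Incoming Ports" tab in the procedure above (assumption:
# adjust to whatever range you configured).
OPEN_PORT_RANGE: Tuple[int, int] = (50002, 50050)

# Executables named in the thread; any other process (svchost etc.) is ignored.
COMMVAULT_PROCESSES: Set[str] = {
    "cvd.exe", "AppMgrSvc.exe", "JobMgr.exe", "MediaManager.exe",
    "SRMServer.exe", "SIDB2.exe",
}

# Constructed sample of `netstat -anob` output (not a real capture). With -b,
# the owning image name follows each connection on its own bracketed line;
# for svchost the hosted service name is printed first.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:50002          0.0.0.0:0              LISTENING       2108
 [cvd.exe]
  TCP    0.0.0.0:50008          0.0.0.0:0              LISTENING       2244
 [MediaManager.exe]
  TCP    10.0.0.5:50008         10.0.0.9:49201         ESTABLISHED     2244
 [MediaManager.exe]
  TCP    0.0.0.0:60176          0.0.0.0:0              LISTENING       2316
 [AppMgrSvc.exe]
  TCP    0.0.0.0:60667          0.0.0.0:0              LISTENING       2388
 [JobMgr.exe]
  TCP    0.0.0.0:64742          0.0.0.0:0              LISTENING       2402
 [SRMServer.exe]
  TCP    [::]:59907             [::]:0                 LISTENING       2470
 [SIDB2.exe]
  UDP    0.0.0.0:123            *:*                                    1180
 [svchost.exe]
"""


@dataclass
class Conn:
    proto: str
    local_port: int
    state: str              # "LISTENING", "ESTABLISHED", ...; "" for UDP
    pid: int
    process: Optional[str]  # image name from the bracketed line, if present


# TCP rows have a State column, UDP rows do not, hence the optional group.
_CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
_EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def _port_of(endpoint: str) -> int:
    # "0.0.0.0:50008" and "[::]:59907" both end in ":<port>".
    return int(endpoint.rsplit(":", 1)[1])


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -anob text into Conn records, attaching image names."""
    conns: List[Conn] = []
    pending: Optional[Conn] = None
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            pending = Conn(proto, _port_of(local), state or "", int(pid), None)
            conns.append(pending)
            continue
        m = _EXE_RE.match(line)
        if m and pending is not None:
            pending.process = m.group(1)   # skips "RpcSs"-style service lines
            pending = None
    return conns


def listening_ports(conns: List[Conn]) -> Dict[str, Set[int]]:
    """Map image name -> set of TCP ports it is LISTENING on."""
    out: Dict[str, Set[int]] = {}
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING" and c.process:
            out.setdefault(c.process, set()).add(c.local_port)
    return out


def out_of_range_listeners(
    conns: List[Conn],
    port_range: Tuple[int, int] = OPEN_PORT_RANGE,
    processes: Set[str] = COMMVAULT_PROCESSES,
) -> List[Tuple[str, int]]:
    """Return (process, port) pairs for Commvault listeners outside port_range."""
    lo, hi = port_range
    bad = [(proc, p)
           for proc, ports in listening_ports(conns).items() if proc in processes
           for p in ports if not lo <= p <= hi]
    return sorted(bad)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proc, port in out_of_range_listeners(parse_netstat(text)):
        print(f"{proc} listening on TCP {port}, outside {OPEN_PORT_RANGE}")
```

    Against the constructed sample, the four services still on 5xxxx/6xxxx ports are reported and cvd.exe/MediaManager.exe (already in range) are not; an ESTABLISHED row is ignored because only listening sockets matter for the inbound rule. Re-run it after cycling the services on each CommServe and MediaAgent to confirm the restricted range actually took.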
  • Re: Firewall settings
    Posted: 05-24-2011, 3:16 PM
    Aplynx

    You need to set the firewall group to have the media agent and commserve incoming ports as well. It sounds like you only did one side.

  • Re: Firewall settings
    Posted: 05-30-2011, 4:39 PM

    Just to get back on this. The procedure I wrote in my last post works great. I guess the issue I had with backups still opening other ports was just because the firewall policies hadn't been pushed to every component of Simpana just yet.

    I've now set it up in lab and prod (using the empty group to enable restricted ports) and now all my services are using the range I gave it.

    Phil
