Transcript
When Commvault components communicate or move data through a firewall, the network settings must be configured for each component. This is accomplished either by configuring individual network settings for a specific client, or by using network topologies, where server-group firewall configurations can be set for clients and infrastructure machines. There are several key configuration options when configuring network routes: connections between servers, which can be restricted or blocked; the ports used to communicate through the firewall; and routes, which can be direct, via a proxy, or via a gateway. Commvault components communicate using a traditional communication port as well as dynamic ports. If the system notices that the dynamic ports are blocked and therefore unavailable, it automatically encapsulates data transfers through a tunnel port. There is no need to configure any network topologies or network routes in the Commvault software. The only requirement is that the communication port 8400 and the tunnel port 8403 are open and accessible between the components. Sometimes the default automatic tunneling ports cannot be used, or they cannot be opened bidirectionally. If this is the case, network configurations must be used to define a different port or to set up specific communication settings. Commvault software uses network topologies to simplify network configurations between server groups. The clients in the server groups can be the CommServe server, MediaAgents or client servers. By default there is a system-created computer group called Infrastructure that can be leveraged for network topologies containing the Commvault infrastructure components. Commvault also utilizes smart groups that automatically group machines based on their roles, such as MyCommServe or MyCommServe and MediaAgents. Let's look at the network topology types.
A one-way network route is a direct connection with port restrictions, where one side of a pair of communicating computers can establish a one-to-one connection towards the other on specific ports. A one-way network topology consists of two server groups. The first group is Servers, which is the side that can initiate the connection; this is commonly the client servers. The second group is Network Gateways, whose members cannot initiate the connection; this is commonly the infrastructure machines. When creating a one-way network topology, the Servers group has restricted communication on a specific port with the Network Gateways group. Direct connections are initiated towards the Network Gateways group. These systems are in untrusted networks such as the DMZ. When implementing the network topology, the Network Gateways group has blocked communication with the servers. A two-way network route is a direct connection with port restrictions, where either side of a pair of communicating computers can establish a one-to-one connection towards the other on specific ports. A two-way network topology consists of a Servers group and an Infrastructure group, which contains the CommServe infrastructure components. When implementing the two-way network topology, the servers have restricted communication on a specific port with the infrastructure machines. The infrastructure machines contain the CommServe server and MediaAgents. On the other side of the firewall, the infrastructure machines have restricted communication on a specific port to the servers. The Commvault network gateway is a special configuration in which a dedicated Commvault agent is placed in a perimeter network that is configured to allow connections into the perimeter network. The network gateway authenticates, encrypts and allows the tunnel connections it accepts, connecting the clients operating outside of the private network to clients operating inside of it.
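As an added illustration (not Commvault code), the following models the flows a one-way and a two-way topology expect on the default tunnel port 8403 and checks a planned firewall rule set against them; the rule format, group names and helper names are assumptions, and the sample rules are constructed.

```python
"""Model the firewall flows from the transcript and check a planned rule set
against them. Added illustration, not Commvault code; rule format and helper
names are assumptions."""
from dataclasses import dataclass

TUNNEL_PORT = 8403  # default tunnel port named in the transcript

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    allow: bool

def required_flows(topology, initiator, responder, port=TUNNEL_PORT):
    """Return (must_allow, must_block) lists of (src, dst, port) flows."""
    if topology == "one-way":
        # only the initiator side may open connections; the reverse
        # direction is expected to be blocked at the firewall
        return [(initiator, responder, port)], [(responder, initiator, port)]
    if topology == "two-way":
        return [(initiator, responder, port), (responder, initiator, port)], []
    raise ValueError(f"unknown topology: {topology}")

def is_allowed(rules, src, dst, port):
    """First matching rule wins; no match means blocked (default deny)."""
    for r in rules:
        if (r.src_group, r.dst_group, r.port) == (src, dst, port):
            return r.allow
    return False

def check_topology(rules, topology, initiator, responder, port=TUNNEL_PORT):
    """Return human-readable problems; an empty list means the rule set
    satisfies the topology."""
    must_allow, must_block = required_flows(topology, initiator, responder, port)
    problems = [f"{s} -> {d}:{p} must be allowed"
                for s, d, p in must_allow if not is_allowed(rules, s, d, p)]
    problems += [f"{s} -> {d}:{p} should be blocked"
                 for s, d, p in must_block if is_allowed(rules, s, d, p)]
    return problems

# Constructed sample: the DMZ servers may open the tunnel port towards the
# infrastructure group, but the reverse direction has also been opened.
SAMPLE_RULES = [
    Rule("servers", "infrastructure", TUNNEL_PORT, True),
    Rule("infrastructure", "servers", TUNNEL_PORT, True),
]

if __name__ == "__main__":
    print(check_topology(SAMPLE_RULES, "one-way", "servers", "infrastructure"))
```

For the sample rules, the one-way check flags the unexpected infrastructure-to-servers opening, while the same rules satisfy a two-way topology.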
The Commvault network gateway supports NAT operations. Similar to a network gateway, a cascading network gateway configuration is used where networks span multiple zones. In each zone, a dedicated Commvault agent is placed in the perimeter network that is configured to allow connections into the perimeter network. The cascading gateways communicate with each other and authenticate, encrypt and allow the tunnel connections between the zones. There are cases in which direct connectivity setups do not work. Consider the case of the CommServe and MediaAgents being located inside a company's internal network, with the entire network being exposed to the outside world through a single IP address. Typically, this IP address belongs to a firewall or gateway that works as a network address translation device for connections from the internal network to the outside. In scenarios like this, you can establish port forwarding at the gateway to forward connections received on specific gateway ports to clients on the internal network. You can then configure the client to open a direct connection to the port forwarder's IP address on a specific port to reach a particular internal server. This creates a custom route from the client towards the internal servers. A port forwarding gateway sends incoming connections to specific machines on the internal network based on the incoming connection's destination port number. Let's look at a short demonstration of how to create a network topology. I won't go through each type, as the configuration steps and user experience are the same. Start by expanding Manage and selecting Network. Then click the Network Topologies tile. This will show any topologies already configured. In the upper right, click Add Topology. Give it a name. Select whether the client type is servers or laptops, and then select your desired topology type. We'll create a cascading gateway topology. A diagram will show you the selected network type and the groups required.
Click Next. Next, we'll select the client groups for each topology section: the servers, server gateways and network gateways. For the infrastructure machines, you can select manual client groups, automatic client groups such as Infrastructure, or smart groups such as MyCommServe or MyCommServe and MediaAgents. By clicking the Advanced toggle switch, you can force configuration settings and change the port number and keep-alive settings. Click Next to finally configure advanced options, where you can select to encrypt traffic, choose the tunnel protocol and set the number of parallel data transfer streams. Click Submit. Your topology will be created and the configuration settings will be automatically pushed to the relevant servers.