A guide to installing and registering clients behind a firewall in Commvault.

The installation and registration of Clients in Commvault is very easy in an unrestricted network, but it can be confusing for those new to Commvault when the clients are behind a firewall.  This guide takes a brief look at the common one-way direct firewall rule scenarios; more advanced configurations such as Network Gateways, Cascading Network Gateways, Port-Forwarding Gateways and Third-Party Port Mapping may be covered in a later blog.

Both the Commvault Command Center and the legacy CommCell Console have the capability to push an installation directly from the Software Cache; however, the chances are, especially for Microsoft Windows clients, that it won’t work for you.  For Linux/Unix clients, you are likely to need only a sudoer account, TCP/22 open and PermitRootLogin allowed in sshd. Windows installations require TCP/135, TCP/445 and a fixed port for WMI, Remote WMI enabled for the admin account, the Remote Registry service enabled, and Administrative Shares enabled.  Unless you are rolling out numerous new clients for registration in pre-production, it is highly unlikely you would ever push your installation of the Windows Agent from the CommServe.  For those few that have pushed out the Windows Agent in Commvault in production, it is important that you apply hardening scripts to minimise lateral movement.

When the agent is deployed client-side from the Installer, a Custom Package, or as an Unattended Installation, by default both your CommCell and the installer assume that your Client has a two-way rule between it and the CommServe.

[Figure: Specify CommServe or Gateway Hostname]

Now suppose your Client has only one-way communication with the CommServe, where the CommServe can connect to the Client but not the reverse.

[Figure: One Way Firewall]

You just need to choose “CommServe will connect to this computer to finish registration” and click Next.  Right?

[Figure: CommServe will connect to this computer to finish registration]

Well, no, and it is a common misunderstanding: there is more you need to do before you can click Next.  Hidden away in the Commvault documentation you will find a hint at what is required.

“If a one way tunnel is configured from the CommServe computer to the client, select CommServe will connect to this computer to finish registration.”  This means a matching placeholder Client must already exist in the CommCell, pre-created and included in a One-Way Network Topology.  The following summarises how to on-board a new Client with this network topology:

1. Pre-create a placeholder Client with the exact Client Name and exact Hostname using the Classic CommCell Console:

   a. From the CommCell Console ribbon, on the Home tab, click New Client.

   b. Under the File System section, and based on the computer’s operating system, click Windows or UNIX and Linux. The New Windows Client (or New UNIX Client) dialog box is displayed.

   c. On the Configure Client page, in the Host Name box, enter the fully qualified domain name of the computer where you installed the Commvault software, and then click Next.

   d. Click Next to continue.

   e. On the Summary page, review the information you provided, and then click Finish.  Once the registration process finishes, the client is listed under the Client Computers node of the CommCell Browser.

2. Create or utilise an existing dedicated Server Group (e.g., DMZ Clients), either in the Command Center or the Classic CommCell Console, that will contain the Commvault Clients behind the one-way firewall.

3. If required, create a new One-Way Firewall Topology between the dedicated Server Group and ‘My CommServe Computer and MediaAgents’.

   [Figure: One-way network topology]

4. Push the network configuration to the trusted client group, the placeholder client, the CommServe computer, and the MediaAgent computer. For example:

   a. From the CommCell Browser, expand Client Computer Groups, right-click the server group (e.g., DMZ Clients), and then click All Tasks > Push Network Configuration.

   b. When the Warning dialog box appears, click Continue. A notification then appears indicating that the push network operation was successful.

5. Install the Client software as per Interactive Installation Using the Installation Package on Windows Client (commvault.com) or Interactive Installation Using the Installation Package on UNIX Client (commvault.com):

   a. On the Client Computer Information page of the installation wizard, complete the following steps:

      i. In the Client Name box, specify the name of the client computer.

      ii. In the Host Name box, specify the fully qualified domain name or IP address of the client.

      iii. Proceed to the next page.

   b. On the Server Information page, select the Server will connect back to the computer to complete install checkbox, and then specify the port number on which the client will accept incoming connections.

   c. Continue with the client installation.

After a successful Client installation, the \Base\FwConfig.txt firewall configuration is updated on all entities in the Firewall Topology. Never modify \Base\FwConfig.txt by hand: it is a file managed by Commvault, and altering it to anything different from the Network Summary will likely cause communication stability issues.

If instead your one-way network rule is from the Client to the CommServe, the installation process is much simpler, as you do not need to pre-configure the client in the CommServe. However, you should immediately add the client to a One-Way Client to CommServe Network Topology: even if your clients registered successfully, do not expect Commvault to auto-adapt to the presence of a one-way rule.

You may now be asking, ‘why is all this work necessary?’  The Commvault documentation nicely describes the CommServe-Client relationship as follows:

“Commvault implements its own Certificate Authority (CA) service running on the CommServe host. In addition to creating CA certificates, the CA service also creates client certificates, which allows the CommCell environment to authenticate connections between client computers and the CommServe host.  During the installation of a client computer into a CommCell environment, the installer uses built-in certificates to authenticate connections with the CommServe host. At the end of the installation, a CommCell-specific client certificate is automatically created and assigned to the client. After the certificate is assigned to the client, the client uses this unique certificate to authenticate itself in all network connections and refuses connections from other Commvault clients that are not part of this CommCell environment. Each client in the CommCell environment has a unique client certificate.”

So, in short, the CommServe is the single source of truth; when the client cannot initiate communication to the CommServe, the single-wizard installation methods won’t work from either the client or the CommServe under modern network hardening.  Once the Client has been registered in the CommCell, Commvault uses mutual authentication (mTLS) between the CommServe and the client, which prevents a number of adversarial communication attacks.

Anyway, coming back to my earlier observation regarding this common misunderstanding: seriously, it’s not your fault. It would be nice if this whole process were a bit easier to track down, with the end-to-end steps collated in one concise document.  Even better, hopefully we will see a UX improvement to the Add Server wizard in the Command Center to ease these steps when onboarding clients behind this very common one-way network topology (something similar to the ‘Register Decoupled Clients’ Workflow would be good).

In summary, the Commvault network rules you implement must exactly match the physical network rules, including the case of hostnames if your DNS is case sensitive.  If you do run into communication issues, try your native operating system utilities (or Commvault’s cvping or Network Test Tool) to see whether the ports are open, and check with your network admins to see whether inspected packets are being discarded by firewalls.
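As an added example (not part of the original post and not Commvault’s own code), the following Python pre-flight script encodes the two things this post insists on before you click Next: the placeholder Client and the values typed into the installer must match exactly, including case, and the firewall must actually allow the direction you are about to tell the wizard about. The probe results for each direction are assumed to be gathered on the side that should initiate (CommServe/MediaAgent or client); all hostnames in the checks are constructed sample values.

```python
"""Pre-flight checks for registering a Commvault client behind a one-way firewall.
Added example, not Commvault code. Assumed, not from the page: probes are run on
each side (CommServe/MediaAgent and client) and the results are fed to
recommended_path(); the client port is the inbound port typed into the installer."""
import socket

def identity_findings(placeholder: dict, installer: dict) -> list[str]:
    """The pre-created placeholder client and the values typed into the installer
    must match exactly, including case; a case-only difference is reported
    separately because it bites where DNS is case sensitive."""
    findings = []
    for key in ("client_name", "hostname"):
        a, b = placeholder[key], installer[key]
        if a == b:
            continue
        kind = "differs only by case" if a.lower() == b.lower() else "mismatch"
        findings.append(f"{key} {kind}: placeholder {a!r}, installer {b!r}")
    if "." not in placeholder["hostname"]:
        findings.append(f"placeholder hostname {placeholder['hostname']!r} is not fully qualified")
    return findings

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test; run it on the side that is supposed to initiate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False

def recommended_path(server_to_client: bool, client_to_server: bool) -> str:
    """Map the two probe results onto the registration flow the post describes."""
    if server_to_client and client_to_server:
        return "two-way"           # the installer's default assumption, nothing extra to do
    if server_to_client:
        return "server-to-client"  # placeholder client, one-way topology, 'CommServe will connect'
    if client_to_server:
        return "client-to-server"  # normal install, then add to a Client->CommServe one-way topology
    return "blocked"               # neither side can connect; fix the firewall rules first

def local_probe_demo() -> tuple[bool, bool]:
    """Offline self-check: probe a loopback listener while open, then once closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, tcp_reachable("127.0.0.1", port, timeout=1.0)
```

Run `tcp_reachable(client_fqdn, inbound_port)` from the CommServe or MediaAgent and `tcp_reachable(commserve_fqdn, commserve_port)` from the client, then feed both results to `recommended_path()` to confirm which of the two flows in this post applies.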