CommVault Forums


Problem setting up components to go through proxy

Last post 05-29-2013, 5:10 PM by deb. 3 replies.
  • Problem setting up components to go through proxy
    Posted: 05-29-2013, 12:37 PM

    I have a Commserve, MA, in one network

    A 2nd MA and client on another

    Went through the steps described in "Operating Through a DMZ Using Data Protection Suite Proxy"

    The installation of the client, using the proxy completed successfully, but I cannot push out firewall changes to the client, and "check readiness" from the commserve fails

    See the following in the cvfwd.log file on the proxy:

    • Looking for a tunnel connecting ANY with share
    • ERROR: No tunnel found that could potentially serve this client
    • => CONNECT_FAILED(147,-1, Failed to find tunnel for ANY=>share:8400/8400)
    • Accepting cvfwd connection.
    • The other side is "address of client:43743, fd=984
    • Creating new DYNAMIC tunnel to "addr of client"

    Followed by:

    • Initializing SSL/TLS for DYNAMIC tunnel to "address of client" via ("address of proxy, address of clint")
    • ERROR: Can't agree with peer on what certificate to use for authentication
    • ERROR: Peer has builtin: YES, commcell: NO
    • ERROR We have: builtin: NO, commcell: YES

     

    Commserve name = commserve

    Proxy name = proxy

    client name = share

    Here are the firewall configs from the three servers

    ==commserve
    [general]
    keepalive_interval=300
    tunnel_init_interval=1
    force_incoming_ssl=0
    lockdown=0
    bind_open_ports_only=0

    [incoming]
    tunnel_ports=0

    [outgoing]
    commserve share proxy=proxy
    commserve proxy type=persistent proto=http cvfwd=proxy.sand.box:8452

    ===share - only showing differences from commserve config

    [outgoing]
    share commserve proxy=proxy
    share proxy type=persistent proto=http cvfwd=proxy.sand.box:8452

    ===proxy - only showing differences from commserve config

    [general]
    force_incoming_ssl=1
    lockdown=1

    [incoming]
    tunnel_ports=8452

    [outgoing]
    proxy share type=passive
    proxy commserve type=passive

    ------------------

    Any hints or suggestions as to how to proceed?

  • Re: Problem setting up components to go through proxy
    Posted: 05-29-2013, 1:41 PM

    If I de-select "Lock down CommCell" on both the proxy and remote client firewall, options section, everything is happy.

    But I believe I need to have that set for security reasons.  Correct?

  • Re: Problem setting up components to go through proxy
    Posted: 05-29-2013, 3:37 PM

    Lock down forces you to use a certificate to authenticate.  If you never provided the certificate, the communication is attempted and fails due to the lack of certificate specified.  If you uncheck lockdown you can still force traffic over HTTPS.

    The link below explains this:

    http://documentation.commvault.com/commvault/release_9_0_0/books_online_1/english_us/features/firewall/firewall_new_how_to.htm#Lockdown

  • Re: Problem setting up components to go through proxy
    Posted: 05-29-2013, 5:10 PM

    I had done the export and used the certs when installing. 

    A question.  The proxy and the remote client both had "Lock Down" set in the options page, but the Commserve did not.  Is this potentially why I had the problem?

    Also, the documentation mentions what to do when installing.  But we have an existing commvault setup that we need to set up this way.  Are there any issues with locking down a system that is already up and running?
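
Added example (not part of any post in this thread, and not CommVault code): a Python check that reads the certificate-negotiation errors quoted from cvfwd.log in the first post and reports each tunnel where the two sides have no certificate type in common. The sample log is constructed from those quoted lines; it assumes real log lines contain the same substrings, possibly with timestamps or other fields around them.

```python
import re

# Constructed sample: the cvfwd.log lines quoted in the first post
# (addresses were already redacted there; other log fields are omitted).
SAMPLE_LOG = """\
Initializing SSL/TLS for DYNAMIC tunnel to "address of client"
ERROR: Can't agree with peer on what certificate to use for authentication
ERROR: Peer has builtin: YES, commcell: NO
ERROR We have: builtin: NO, commcell: YES
"""

TUNNEL = re.compile(r'Initializing SSL/TLS for (\w+) tunnel to "([^"]*)"')
# The "We have" line was posted without a colon after ERROR, so it is optional.
CERTS = re.compile(
    r"ERROR:?\s+(Peer has|We have):?\s+builtin:\s*(YES|NO),\s*commcell:\s*(YES|NO)")


def cert_mismatches(log_text):
    """Return one finding per tunnel whose two sides share no certificate type."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = TUNNEL.search(line)
        if m:  # a new negotiation starts; remember which tunnel it belongs to
            current = {"kind": m.group(1), "tunnel": m.group(2),
                       "peer": None, "local": None}
            continue
        m = CERTS.search(line)
        if m and current is not None:
            side = "peer" if m.group(1) == "Peer has" else "local"
            offered = (("builtin", m.group(2)), ("commcell", m.group(3)))
            current[side] = {name for name, flag in offered if flag == "YES"}
            if current["peer"] is not None and current["local"] is not None:
                current["common"] = current["peer"] & current["local"]
                if not current["common"]:
                    findings.append(current)
                current = None  # both sides seen; wait for the next tunnel
    return findings


if __name__ == "__main__":
    for f in cert_mismatches(SAMPLE_LOG):
        print(f'{f["kind"]} tunnel to {f["tunnel"]}: '
              f'peer offers {sorted(f["peer"])}, '
              f'local offers {sorted(f["local"])}, nothing in common')
```

Run against the proxy's log, each finding names the tunnel and which certificate type is present on only one side.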
