Firewall Requirements

Most users do not need to make any changes to their firewall rules in order to use UBSi-Commvault.  Users with Enclave systems may need to configure outbound rules.

VPN

Our firewall rules do not allow access to any portion of UBSi – Commvault from outside Penn State’s networks.  If you are off-campus you will need to use a VPN to be able to access the web interface.

Note that we do not intend UBSi – Commvault to be used for backups of laptops or other portable devices.  UBSi backups and restores of an off-campus system would also require VPN access in order to function.  We strongly recommend CrashPlan (https://sites.psu.edu/crashplan/) as a superior alternative for desktop and laptop backups.  CrashPlan backups can be performed while off-campus without requiring a VPN.

Inbound Rules

None.

All network traffic originates from the client system.  We do not initiate traffic from our UBSi servers to your client systems, so you should not need any inbound rules.  Operations that appear to “connect” to your client are communicating using the established session maintained by your client.

Outbound Rules

If you block outbound traffic by default, you will need to allow outbound client traffic to our UBSi infrastructure:

Client Traffic

All client communication (backup, restore, management)

Action: Permit / Allow
Source: (Your systems)
Destination: 10.137.240.0/25 & 10.140.240.0/25
Applications: commvault, ssl
Destination Ports: tcp 8403 (only)

On the Palo Alto firewalls, you can use these preexisting objects for the destination:

NET_10.137.240.0-25-ubsi_dpn_up
NET_10.140.240.0-25-ubsi_dpn_hy

Web Interface Access

Optionally, you can also allow access to the web interface from your Enclave systems:

Action: Permit / Allow
Source: (Your systems)
Destination: 10.137.240.5 & 10.140.240.5
Applications: ssl, web-browsing
Destination Ports: tcp 80, tcp 443

On the Palo Alto firewalls, you can use these preexisting objects for the destination:

IP_10.137.240.5-s8-ubsi-up-cs01
IP_10.140.240.5-s8-ubsi-hy-cs01

Alternative Merged Rule

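If you prefer to use a single rule for both client traffic and web interface access, you can combine them into one rule.  Note that this rule permits tcp 80 and tcp 443 to the entire /25 ranges, not only to the two web interface addresses: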

Action: Permit / Allow
Source: (Your systems)
Destination: 10.137.240.0/25 & 10.140.240.0/25
Applications: commvault, ssl, web-browsing
Destination Ports: tcp 8403, tcp 80, tcp 443

On the Palo Alto firewalls, you can use these preexisting objects for the destination:

NET_10.137.240.0-25-ubsi_dpn_up
NET_10.140.240.0-25-ubsi_dpn_hy
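
The following is an added example, not part of the original page or any UBSi tooling: it models the rules above by destination, protocol and port only, so you can check which outbound flows each variant permits and what the merged rule allows beyond the two separate rules. It ignores the Source and Applications fields, and the sample flows (including the host address 10.137.240.20) are constructed.

```python
import ipaddress

# Destinations and ports copied from the rules on this page.
UBSI_NETS = [ipaddress.ip_network(n) for n in ("10.137.240.0/25", "10.140.240.0/25")]
WEB_HOSTS = [ipaddress.ip_network(h) for h in ("10.137.240.5/32", "10.140.240.5/32")]

SPLIT_RULES = [
    ("client-traffic", UBSI_NETS, {8403}),
    ("web-interface", WEB_HOSTS, {80, 443}),
]
MERGED_RULES = [("merged", UBSI_NETS, {8403, 80, 443})]


def match_rule(rules, dst_ip, dst_port, proto="tcp"):
    """Return the name of the first rule permitting the flow, or None."""
    if proto != "tcp":
        return None  # every rule on the page is TCP only
    addr = ipaddress.ip_address(dst_ip)
    for name, nets, ports in rules:
        if dst_port in ports and any(addr in net for net in nets):
            return name
    return None


def merged_only(flows):
    """Flows the merged rule permits but the two separate rules would not."""
    return [f for f in flows
            if match_rule(MERGED_RULES, *f) and not match_rule(SPLIT_RULES, *f)]


# Constructed sample flows (dst_ip, dst_port, proto); not taken from real logs.
SAMPLE_FLOWS = [
    ("10.137.240.20", 8403, "tcp"),   # client traffic to a host inside the /25
    ("10.140.240.5", 443, "tcp"),     # web interface address
    ("10.137.240.20", 443, "tcp"),    # HTTPS to a non-web address in the /25
    ("10.137.240.200", 8403, "tcp"),  # outside the /25 (upper half of the /24)
    ("10.137.240.20", 8403, "udp"),   # wrong protocol
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "split:", match_rule(SPLIT_RULES, *flow),
              "merged:", match_rule(MERGED_RULES, *flow))
    print("permitted only by merged rule:", merged_only(SAMPLE_FLOWS))
```
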

NAS Devices and other Appliances

If you are able to install the client on your system, then only port 8403 is required for client traffic.  The client software installed on that system will process the data and send it to port 8403 on the UBSi servers.

However, you may have a NAS appliance or similar device where you cannot install the backup software, and must use other standard protocols (SMB, NFS, NDMP, etc.) to perform a backup.  Our firewall rules do not permit the use of these protocols directly.

Instead, you will need to select one or more servers to configure as “access nodes” for the backup. You will install the client software (Windows or Linux filesystem client, as appropriate) on these servers, and configure your own firewalls to allow appropriate traffic between the access node server and the NAS appliance.  The UBSi servers will then be able to instruct the access node(s) to perform the backup using the appropriate protocol(s), and then transfer the backup data to the UBSi infrastructure using port 8403 on the UBSi servers as usual.

In some cases we may need to perform some additional configuration in order for your access nodes to function correctly.  Please feel free to Contact Us if you need help configuring backups of an appliance.