Firewall proxy systems and methods in a backup environment

US 8,572,719 B2
Filed: 05/27/2011
Issued: 10/29/2013
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for performing remote backup operations, the method comprising:

receiving with a proxy computing device a first unidirectional connection request from a media agent module that resides within a trusted enterprise network, the first unidirectional connection request being received through a first firewall;

receiving with the proxy computing device a second unidirectional connection request from a remote computing device coupled to an untrusted network, the second unidirectional connection request being received through a second firewall coupled to the untrusted network, the proxy computing device having a data agent executing thereon that is configured to facilitate the backup of backup data received from the remote computing device;

unidirectionally establishing a first secure connection from the media agent module to the proxy computing device in response to said receiving the first unidirectional connection request;

unidirectionally establishing a second secure connection from the remote computing device to the proxy computing device in response to said receiving the second unidirectional connection request;

routing with the proxy computing device backup data received from the remote computing device via the first secure connection to the media agent module over the second secure connection; and

with the media agent module, and at the direction of the storage manager module, storing the backup data on at least one storage device within the enterprise network, wherein during establishing said first and second secure connections identification of the media agent module or the at least one storage device is not exposed to the untrusted network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to certain aspects, a method for performing remote backup operations is provided that includes receiving a first unidirectional connection request from a media agent module to a proxy device within an enterprise network, through a firewall. The method also includes receiving a second unidirectional connection request from a remote device coupled to an untrusted network, such as through a second firewall. Secure connections are established from the media agent module to the proxy and from the remote device to the proxy. Additionally, the method can include routing with the proxy device backup data from the remote computing device to the media agent over the secured connections. The method also may include storing the backup data on a storage device within the enterprise network. In certain embodiments, during establishment of the secure connections, identification of the media agent or the storage device is not exposed to the untrusted network.

Citations

18 Claims

1. A method for performing remote backup operations, the method comprising:
- receiving with a proxy computing device a first unidirectional connection request from a media agent module that resides within a trusted enterprise network, the first unidirectional connection request being received through a first firewall;
  
  receiving with the proxy computing device a second unidirectional connection request from a remote computing device coupled to an untrusted network, the second unidirectional connection request being received through a second firewall coupled to the untrusted network, the proxy computing device having a data agent executing thereon that is configured to facilitate the backup of backup data received from the remote computing device;
  
  unidirectionally establishing a first secure connection from the media agent module to the proxy computing device in response to said receiving the first unidirectional connection request;
  
  unidirectionally establishing a second secure connection from the remote computing device to the proxy computing device in response to said receiving the second unidirectional connection request;
  
  routing with the proxy computing device backup data received from the remote computing device via the first secure connection to the media agent module over the second secure connection; and
  
  with the media agent module, and at the direction of the storage manager module, storing the backup data on at least one storage device within the enterprise network, wherein during establishing said first and second secure connections identification of the media agent module or the at least one storage device is not exposed to the untrusted network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said establishing the first secure connection comprises exchanging a secure sockets layer (SSL) certificate.
  - 3. The method of claim 1, wherein the second firewall is located between the untrusted network and the proxy computing device.
  - 4. The method of claim 1, further comprising receiving the second unidirectional connection request through a third firewall coupled between the remote computing device and the untrusted network.
  - 5. The method of claim 1, further comprising routing with the proxy computing device second backup data received from a second remote computing device to a second media agent module within the enterprise network.
  - 6. The method of claim 5, further comprising providing a same Internet Protocol (IP) address from the proxy computing device to the first and second remote computing devices.
  - 7. The method of claim 1, wherein at least one of the first and second secure connections comprises a hypertext transfer protocol secure (HTTPs) tunnel.

8. A system for performing remote backup operations, the system comprising:
- an enterprise network comprising,at least one storage device,a media agent module configured to direct backup operations with respect to the at least one storage device, anda first firewall component in communication with the media agent module and configured to prevent connection requests to the media agent module from outside the enterprise network;
  
  a second firewall component located outside the enterprise network and configured to receive communication from an untrusted network;
  
  a proxy computing device located outside the enterprise network and coupled to the first firewall component and the second firewall component, wherein the proxy computing device is configured to,receive through the second firewall component a first connection request from a remote computing device coupled to the untrusted network, the proxy computing device having a data agent executing thereon that is configured to facilitate the backup of backup data received from the remote computing device,establish a first secure connection with the remote computing device in response to said receiving the first connection request,receive through the first firewall component a second connection request from the media agent module,establish a second secure connection with the media agent module in response to said receiving the second connection request, androute backup data received from the remote computing device via the first secure connection to the media agent module over the second secure connection,and wherein the media agent module is configured to direct the backup data to the at least one storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The system of claim 8, wherein the enterprise network further comprises a storage manager component configured to maintain at least one policy for managing storage of the backup data.
  - 10. The system of claim 8, wherein the storage manager is configured to generate at least one certificate to authenticate the media agent module to the proxy computing device.
  - 11. The system of claim 8, wherein the untrusted network comprises the Internet.
  - 12. The system of claim 8, wherein the first secure connection comprises a hypertext transfer protocol secure (HTTPs) tunnel.
  - 13. The system of claim 8, further comprising a third firewall component coupled between the remote computing device and the untrusted network.
  - 14. The system of claim 13, wherein the third firewall component prevents initial connection requests from the untrusted network to the remote computing device.
  - 15. The system of claim 8, wherein the second firewall component is implemented on the proxy computing device.
  - 16. The system of claim 8, wherein the proxy computing device prevents exposure of an Internet Protocol (IP) address of the media agent module to the untrusted network.

17. A system for performing remote backup operations, the system comprising:
- an enterprise network comprising,means for storing data,means for directing backup operations with respect to said storing means, andmeans for preventing connection requests to said directing means from outside the enterprise network;
  
  means for restricting communication between the enterprise network and an untrusted network;
  
  means for receiving through said restricting means a first connection request from a remote computing device coupled to the untrusted network and for receiving through said preventing means a second connection request from said directing means, wherein said receiving means is further configured to,establish a first secure connection with the remote computing device in response to receiving the first connection request, the receiving means comprising a proxy computing device having a data agent executing thereon that is configured to facilitate the backup of backup data received from the remote computing device,establish a second secure connection said directing means in response to receiving the second connection request, androute backup data received from the remote computing device via the first secure connection to said directing means over the second secure connection,and wherein said directing means is further configured to store the backup data on said storing means.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein at least one of the first and second secure connections comprises a hypertext transfer protocol secure (HTTPs) tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Erofeev, Andrei
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US13/118,169
Publication Number

US 20110296520A1
Time in Patent Office

886 Days
Field of Search

None
US Class Current

726/14
CPC Class Codes

G06F 11/1464 for networked environments

H04L 63/0209 Architectural arrangements,...

Firewall proxy systems and methods in a backup environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall proxy systems and methods in a backup environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links