btkrausen
Influencer
Posts: 20
Liked: 2 times
Joined: Dec 29, 2009 7:05 pm
Full Name: Bryan Krausen
Contact:

Backing up DMZ VMs

Post by btkrausen »

Having trouble backing up my VMs using VSS that are hosted in my DMZ. The problem is not related to Veeam, but affecting it, so I figured it wouldn't hurt to post here to get some ideas. I know it's an authentication issue, but can't figure it out. My situation:

My Veeam backup server is a member server, so it runs under domain credentials. However, when I try VSS to my DMZ servers, even using local credentials for the DMZ server, it fails. All required services are running, but when I try to hit remote registry from the Veeam server, it fails. However, when I hit remote registry from another DMZ server to the same source server, it works fine, which proves Remote Registry service works. I can't figure out how to get Veeam to back up those DMZ servers using VSS. Any ideas?

Thanks in advance.
bbeavis
Influencer
Posts: 15
Liked: never
Joined: Nov 02, 2009 1:36 pm
Contact:

Re: Backing up DMZ VMs

Post by bbeavis »

If it were my network, I'd say the firewall is the issue. I'd be cautious poking holes in the DMZ. We often consider our DMZ an isolated network; unfortunately, it is not.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Backing up DMZ VMs

Post by Gostev »

I am not sure how you could possibly design a DMZ to make Veeam VSS work. Our agent needs to communicate back to the Veeam Backup server to notify that the VSS freeze has been completed and VM snapshot creation commands need to be issued, but by DMZ definition computers in DMZ cannot talk back to the production... or it will not be true DMZ.

Re: Backing up DMZ VMs

Post by btkrausen »

I agree. I may need to deploy a Veeam server in the DMZ that is not www connected to use VSS in the domain. I do have Backup Exec running against those machines, but I have to open a few ports to the backup server for them to communicate back with Backup Exec. Instead of opening ports, I may have to keep Backup Exec for individual files, and use Veeam to back up the VM side.

Re: Backing up DMZ VMs

Post by Gostev »

Don't forget that the Veeam server needs to be able to connect to vCenter (or directly to ESX) too. Most likely they are not accessible from inside the DMZ either. Am I right?

But, do you really need Veeam VSS for DMZ computers? I am sure you are not running DC, Exchange mailbox server, SQL servers and other transactional applications or databases in DMZ, correct? Probably just some web servers and bridgeheads for some apps, which all don't really need application level quiescence - as they are not transactional apps. So regular file system freeze provided by VMware should be sufficient.

Re: Backing up DMZ VMs

Post by btkrausen »

The biggest reason I wanted to use VSS is for our FTP server, but like I said, I can use Backup Exec for that. I'll just stick with backups w/out VSS for DMZ. Thanks guys.
tsightler
VP, Product Management
Posts: 6009
Liked: 2843 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Backing up DMZ VMs

Post by tsightler »

How would VSS help an FTP server? VSS is mostly useful for files which get locked with long writes and need to be transactionally consistent, and an FTP server doesn't seem to fit that. If a file is being uploaded when the snapshot takes place it will be partial both with or without VSS.
PeterCox
Influencer
Posts: 12
Liked: never
Joined: Jan 26, 2010 10:49 pm
Full Name: Peter Cox
Contact:

Re: Backing up DMZ VMs

Post by PeterCox »

Expand the horizon a couple of orders of magnitude on this one and picture the scenario of an ASP or Cloud Computing hosting provider who must back up the clients' VMs but cannot have any suggestion that the service provider's network, or the Server systems of another client in the data centre for that matter, has any OS level access to the user's VMs.

Yes there is a level of trust implied on the part of the hosting provider in that the backups (Veeam backups) will be readable by the Network Operations staff, but that is a very different problem to securing the running Server and there is no way another client is going to see the backup files.

Such guests will certainly be running AD, Exchange, SQL Server, SharePoint and much more, so correct handling of VSS is essential.

This for us makes a solution to the DMZ backup question vital. The Veeam technology which talks directly to the data centre SANs and LUNs without having access to the Guest OS is about the only technology I can see which has a hope of addressing the DMZ only guest backup question.

Even an in guest product like ShadowProtect is going to have issues in that it needs to send the backup image files to a store outside the VM and that store cannot be shared by unrelated client systems in a DMZ.

A few first pass thoughts, no research into the possibilities or problems of these techniques yet:

A Veeam agent which extends VMware Tools and gets installed into each guest VM. The agent communicates via requests to ESX that are then passed to the VMware Tools interface.

Use of the feature set and APIs introduced in vSphere4 to allow virus scanners to hook into the file systems of guests directly without having to install the Virus scanner inside each Windows guest. As far as I can see this API set means you can do just about anything you want to a guest without the need to connect to the guest OS via normal methods such as user logon and RPC$ etc.

As an aside I have not personally set up a data centre with this functionality enabled, but I hope VMware have the security covered off because if you get the VM with the Virus scanner running you have the whole data centre at your disposal.

Or perhaps we can convince VMware to fully support VSS in Windows guests? They would need to support all stages of the VSS backup process including the final stage to advise all writers that a backup has been completed so delete your old logs. VSS has been around for what, 7 years? Maybe it is time they caught up? They apparently OEM the VM SnapShot code from StorageCraft, perhaps they could OEM the StorageCraft VSS Provider as well?

Re: Backing up DMZ VMs

Post by Gostev »

Peter, the upcoming v5 release will not require direct network connection to guest VM in order for Veeam VSS to work.