Manage Backups with Enterprise Manager

[r-low]

Hi Everyone,

First off, I just wanted to thank everyone for your contributions to this forum. The replies have helped me solve some issues in the past and I'm sure this will continue in the future.

I am a service provider and we have a number of clients that host their VMs with us. We currently backup their VMs for our protection (obviously) but we have requests from clients for a portal to manage their own backups. After some review, our plan is to implement an Enterprise Manager server and offer the web portal option through the Enterprise Manager server. Before we implement though, we are reviewing any best practices to ensure the system works properly. Here are some design considerations that we are considering, and I'd like some feedback as to recommendations:

- The B&R Server will be located in our MGMT Network, but should the EntMgr server sit there too, or in a DMZ?
- If the EntMgr server sits in the DMZ, a lot of ports need to be forwarded to B&R Server, vCenter Server and AD so I'm not sure which method is more secure
- If the EntMgr Server sits in the DMZ, am I good to just open up ports 9080 and 9443 to the world to expose the logon web site? Any other concerns with this type of setup?

I thank you all in advance for your responses and feedback and look forward to hearing from you soon.

Cheers,

R-Low

[skrause]

If your external customers need to connect to the portal, you will need to have some way to get "DMZ" access to your Enterprise Manager server.

Do you have a load balancer or reverse proxy server that sits in your DMZ that you could use to forward requests?

[r-low]

We do have the ability to integrate a reverse proxy server with this implementation, yes. That is one consideration that we are reviewing.

[skrause]

I would definitely make that the big focus of your "how do we get users to Enterprise Manager" network design. Putting a box that has the potential to wreck as much havoc on your (and your customers') systems as Enterprise Manger does in a DMZ makes my skin crawl a bit just tinking about it

[Vitaliy S.]

Ryan,

What kind of management capabilities did your clients ask to be provided? Did you have a chance to review our Veeam Managed Backup Portal that was specifically built for service providers?

As to your original question, then If this EM installation is only going to be used by your clients, then putting it in the DMZ seems reasonable. In this case your external users will not have access to your production network.

Thanks!

[r-low]

It's been a while since I posted on this topic so I wanted to update everyone as to how we proceeded. Our Enterprise Manager server sits in our management network, along with the B&R Servers and DCs. We configured ADFS in the environment and then configured the web application proxy server in the DMZ. All requests go to the web proxy server and then are passed to the Enterprise Manager for authentication. This configuration works and the site is accessible from outside the network.

Our next focus now is to just re-organize our backup jobs so that we can give our clients access to their own jobs and repositories. From there, they'll be able to manage all backups and restores on their own, within our environment. The one thing that I'm still not sure of and actually posted another thread was on the configuration of having multiple B&R Servers in the environment, with them talking to the same storage device (DMC DataDomain). Can 2 B&R Servers see the same repository and read/write to/from it at the same time? Can they use the same B&R proxy servers? More testing is being done but that is the point that we are at now.

-R-Low

[foggy]

Thanks for getting back to share your final design, that's much appreciated. I've already answered your questions in another thread.

[r-low]

Hi,

We've encountered another issue that I'd like some feedback on. We have our Veeam backup servers configured and being managed by Enterprise Manager Server. The web portal is up and we are able to logon and view all VMs and control backups from wherever. That part is ideal. Now, I need to create accounts for our IaaS customers. Each customer should be able to:

- Restore files to their VMs as needed.
- Control the backup jobs including when to start, scheduling, settings, etc.

The client/tenant should only be able to see their backup jobs and their VMs. I have it so that they can see their VMs on the VMs tab, but they can see all of the jobs, and all reporting for all of the Veeam servers. I can't have it where a tenant can see all of the jobs. They should be able to see their job only. Is Enterprise Manager multi-tenant aware so that a client can view their own VMs only and manage their own B&R jobs through the web console? Let me know when you get a chance. If you need any additional info, let me know.

Thanks,

R-Low

[Vitaliy S.]

Ryan, thanks for your feedback! What you describe is mostly available in Veeam Managed Backup Portal (except for the restore capabilities). Currently it is not possible to limit jobs view in EM for a specific tenant.

[r-low]

Hi Vitaliy,

Thanks for the feedback. For now we are just going to give the tenant's access to perform their own restores. We'll look at offering the ability to manage their jobs when the functionality is available.

I had one other question regarding the configuration. On the desktop when I launch the console it uses the internal name of the server. The same name is used when the reports are e-mailed out showing a status of all of the jobs. I'd like it to use the external (publicly registered) name instead. We are using a split-DNS scenario so having the same URL name for our technicians would be ideal. Let me know if there is an .ini file or something that I can configure that would use the external name instead.

Thanks,

R-Low

[Vitaliy S.]

Just to clarify - do you want to replace the backup server name in the email notification?

[r-low]

Hi,

Yes, we'd like to replace that name. We'd also like to replace the name that the icon on the server desktop references. Right now, the properties of the desktop icon shows the "Target type" as the internal name of the server. We'd like this to show the external name instead. If you need any additional info, let me know.

Thanks,

R-Low

[Vitaliy S.]

I don't think there is an easy way to change it somewhere (for example, in the config name), I will double-check and if I find a way to do that, I will let you know.