Connecting iSCSI only for Backup

by final » Wed Jul 05, 2017 11:21 am


One of the things everyone recommends these days is to keep offline backups in case of a ransomware attack. The question is: How do you do it without having to change tapes every day (or plug / unplug a wire)?

We've implemented a secondary backup target that is only connected to the server when a backup copy job actually needs it. Since we run forever forward jobs, this is only about 40 minutes a day! The secondary NAS has a completely separate login password and is not domain joined, so it should be safe during an attack on your network if the storage is not connected.

Our setup is:
- Veeam Backup Server + primary iSCSI Backup target at the data center (always connected)
- Proxy Server + secondary iSCSI Backup target at our main office.

If you connect the secondary iSCSI target to the Veeam server directly, you can put the code of connectToNAS.ps1 into preCopy.ps1 and the code of disconnectFromNAS.ps1 into postCopy.ps1.

I've spent some time to get this to work (PowerShell iSCSI commands are buggy and incomplete), so I thought I'd share the scripts involved. Basically, you need a pre- and post-script of your Copy job. We've been running this for two weeks now with perfect results. After the disconnect, there is no trace of an iSCSI target on the server, so even if an attacker checked manually, he wouldn't find the target unless he finds the scripts. Note that this only works if $DestServer has a single iSCSI target. If you have multiple, you need to adjust the code accordingly. The script will disconnect all iSCSI targets on the server! The scripts involved are:

Code:
# preCopy.ps1: pre-job script on the Veeam backup server.
# $DestServer must hold the host name of the server that attaches the secondary NAS.
$PSCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\DestServerAdminAccount", (ConvertTo-SecureString -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
# Run the connect script remotely on $DestServer
Invoke-Command -Session $session -ScriptBlock { c:\scriptpath\ConnectToNAS.ps1 }
Remove-PSSession $session

Code:
# postCopy.ps1: post-job script on the Veeam backup server.
# $DestServer must hold the host name of the server that attaches the secondary NAS.
$PSCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\DestServerAdminAccount", (ConvertTo-SecureString -AsPlainText -Force -String "verysecurepassword")
$session = New-PSSession -ComputerName $DestServer -Credential $PSCred
# Run the disconnect script remotely on $DestServer
Invoke-Command -Session $session -ScriptBlock { c:\scriptpath\DisconnectFromNAS.ps1 }
Remove-PSSession $session

On $DestServer, we have the following files.
Code:
# ConnectToNAS.ps1: runs on $DestServer.
# "<ChapUsername>" and "<ChapSecret>" are placeholders for the CHAP credentials.
New-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -IsHeaderDigest $true -IsDataDigest $true
# Non-persistent login, so the target is not reconnected automatically
Get-IscsiTarget | Connect-IscsiTarget -IsDataDigest $true -IsHeaderDigest $true -IsPersistent $false -AuthenticationType ONEWAYCHAP -ChapUsername "<ChapUsername>" -ChapSecret "<ChapSecret>"
Start-Sleep -Seconds 3 # Wait for Get-Disk to actually list the disks
Get-Disk | ? { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Offline" } | Set-Disk -IsOffline $false
Start-Sleep -Seconds 3 # Wait for the disk to actually become available

Code:
# DisconnectFromNAS.ps1: runs on $DestServer. Disconnects ALL iSCSI targets on the server.
Get-Disk | ? { $_.BusType -eq "iSCSI" -and $_.OperationalStatus -eq "Online" } | Set-Disk -IsOffline $true
Start-Sleep -Seconds 5 # Wait for disk to go offline, we can't disconnect iSCSI if it isn't
Remove-IscsiTargetPortal -TargetPortalAddress nas.domain.tld -Confirm:$false
Get-IscsiTarget | Disconnect-IscsiTarget -Confirm:$false
# Log out any session that is still open
$session = Get-IscsiSession
foreach ($s in $session) {
    iscsicli logouttarget $s.SessionIdentifier
}

Maybe you'll find this helpful or have some feedback on it. Unfortunately, the script needs an admin account on the DestServer and the password for that account is cleartext in the file, but Veeam launches its pre / post-script as LocalSystem on the backup server, and that account is not allowed to execute remote PowerShell on the dest server.
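
The protection described in the post depends on the disconnect actually completing, so a check like the following can run on $DestServer as the last step of DisconnectFromNAS.ps1. This is an added example, not part of the original post; the function name Get-IscsiLeftover and its retry defaults are hypothetical, and it assumes the NAS is the only iSCSI target the server uses.

```powershell
# Added example, not from the original post. Run on $DestServer as the last
# step of DisconnectFromNAS.ps1.
# Assumption: the NAS is the only iSCSI target this server ever uses, so any
# iSCSI session, portal or disk that is still visible means the disconnect failed.
function Get-IscsiLeftover {
    [CmdletBinding()]
    param(
        [int]$Retries = 5,       # hypothetical defaults; tune to your hardware
        [int]$DelaySeconds = 2
    )
    for ($try = 0; $try -le $Retries; $try++) {
        $found = @(
            # Sessions still logged in; a persistent one would also reconnect on reboot
            Get-IscsiSession -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Kind = 'Session'
                    Detail = "$($_.TargetNodeAddress) persistent=$($_.IsPersistent)" }
            }
            # Discovery portals left registered still reveal the NAS address
            Get-IscsiTargetPortal -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Kind = 'Portal'; Detail = $_.TargetPortalAddress }
            }
            # Disks that still arrive over the iSCSI bus, online or offline
            Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | ForEach-Object {
                [pscustomobject]@{ Kind = 'Disk'
                    Detail = "#$($_.Number) $($_.FriendlyName) $($_.OperationalStatus)" }
            }
        )
        if ($found.Count -eq 0) { break }     # clean: nothing left to find
        Start-Sleep -Seconds $DelaySeconds    # teardown can lag by a few seconds
    }
    return $found
}

$leftover = @(Get-IscsiLeftover)
if ($leftover.Count -gt 0) {
    Write-Warning ($leftover | Format-Table -AutoSize | Out-String)
    # Raise an error so the failed disconnect is not silent
    throw "iSCSI storage is still visible on $env:COMPUTERNAME after disconnect"
}
"No iSCSI sessions, portals or disks remain on $env:COMPUTERNAME"
```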