-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Aug 13, 2020 2:24 am
- Full Name: Takashi Kobayashi
about OS on proxy server when using Hardened Repository
Hello,
I have planned a Hardened Repository because I want to use immutability.
In this case, which OS should I select for the Proxy Server, Linux or Windows?
Is it OK if I select Windows?
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: about OS on proxy server when using Hardened Repository
Hello Takashi,
The Proxy operating system and other roles do not really matter if you want to use the Hardened Repository.
-
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Aug 13, 2020 2:24 am
- Full Name: Takashi Kobayashi
Re: about OS on proxy server when using Hardened Repository
Thank you for your reply, Andreas.
When a non-root user account is used for connecting to the Hardened Repository from the Proxy Server, should I select Windows as the OS for the Proxy Server?
I guess it is not good security because the proxy server uses the root account when the proxy server runs Linux.
Is my understanding correct?
Regards,
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: about OS on proxy server when using Hardened Repository
The Hardened Repository cannot host any other Veeam role for security reasons.
The Hardened Repository works with a one-time password, which is not stored, to roll out the software, and from then on no username/password is used.
All other roles need Administrator or root user access. The same applies to the Backup & Replication Server.
So you need a Backup & Replication Server (Windows physical server or VM) and a Proxy (Windows/Linux). The Proxy can also be the Veeam Server.
The main point is that you securely store the backups on the Hardened Repository, and no one can delete the data even if they get Administrator access within Veeam.
The Hardened Repository Server needs to be a physical server that is only connected on the data side. Do not connect iLO or management interfaces. Basically, that way only physical access to the server can destroy the RAID or manipulate hardware.
-
- Enthusiast
- Posts: 45
- Liked: 6 times
- Joined: Apr 07, 2021 10:07 am
- Full Name: Michael Riesenbeck
Re: about OS on proxy server when using Hardened Repository
If you mean that you want to use a hardened repo for immutability, which can only be done on Linux, and then use a Linux or Windows proxy in conjunction, that is possible. If you use Linux for the proxy, you don't need root permissions once the configuration is done. I use the veeamhubrepo tool to secure the proxy (even though it's mainly meant for the hardened immutable repo), so even SSH is off and only the Veeam processes are listening on ports. The only thing you need to do when doing Veeam upgrades is temporarily open SSH and, after the upgrade, stop it again.
brighton0725 wrote: Sep 28, 2021 10:41 am
Thank you for your reply, Andreas.
When a non-root user account is used for connecting to the Hardened Repository from the Proxy Server, should I select Windows as the OS for the Proxy Server?
I guess it is not good security because the proxy server uses the root account when the proxy server runs Linux.
Is my understanding correct?
Regards,
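One way to verify the state described in the post above (SSH off, only Veeam processes listening), as an added example that is not part of the thread or of any Veeam tooling. The function name, the `veeam` process-name prefix and the sample `ss` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners not owned by an allowed process.
# Assumption: Veeam service process names begin with "veeam".

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# The last line has no process column, as happens when ss cannot see the owner.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:6162  0.0.0.0:* users:(("veeamtransport",pid=1501,fd=9))
LISTEN 0 4096 [::]:6162     [::]:*    users:(("veeamtransport",pid=1501,fd=10))
LISTEN 0 128  0.0.0.0:111   0.0.0.0:*
EOF
}

# Reads `ss -H -tlnp` lines on stdin and prints "<port> <process>" for every
# listener whose process name does not start with the allowed prefix ($1).
# Listeners with no visible owner are reported as "unknown", never skipped.
unexpected_listeners() {
    awk -v allow="${1:-veeam}" '
    $1 == "LISTEN" {
        # Local address is field 4; the port follows the last colon,
        # which also handles IPv6 forms such as [::]:6162.
        n = split($4, a, ":")
        port = a[n]
        proc = "unknown"
        # Extract the first process name from users:(("name",pid=...,fd=...))
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        if (index(proc, allow) != 1) print port, proc
    }'
}

# Demonstration on the constructed sample.
sample_ss_output | unexpected_listeners veeam
```

On the proxy itself, run `ss -H -tlnp | unexpected_listeners` as root so the process column is populated; an empty result means nothing outside the allowed prefix is listening.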