Replication over NAT (Internet)


by Sorenemig » Sat Jan 05, 2013 6:00 pm

We want to do replication to a single ESX host over WAN (direct Internet) but we want to avoid site-to-site VPN for various reasons. I have configured NAT for the required ports on a public IP address for the target ESX server on the remote site. I am able to add the target server to the Veeam console and the replication seems to work.

Now for my questions:

1. I know that the data is not encrypted in transit, but how usable would it be anyway?
2. Does anyone have a good suggestion on how to add encryption?
3. Is this a bad idea? :)
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by Gostev » Sun Jan 06, 2013 6:24 pm

Bad idea if you care about your data/passwords/etc.
You most definitely should be using VPN.
Gostev
Veeam Software
 
Posts: 21396
Liked: 2350 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Replication over NAT (Internet)

by Sorenemig » Mon Jan 07, 2013 9:11 am

What can I do with the proxy role?

What if I create a Veeam proxy on the remote site, do a proxy-to-proxy replication job and select the Encrypt LAN traffic check box? I can't figure out if this check box has anything to do with proxy communication.
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by tsightler » Mon Jan 07, 2013 12:51 pm

Encrypt LAN traffic is only for network mode between the proxy and the ESXi hosts, not between proxies. I'd suggest just using the built-in Windows L2TP/IPsec services to configure security between the two boxes.
tsightler
Veeam Software
 
Posts: 4769
Liked: 1738 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Replication over NAT (Internet)

by Sorenemig » Mon Jan 07, 2013 6:07 pm

If Encrypt LAN is between the proxy and the ESXi host, and the proxy is on the source site, will this not solve the problem then? I know two proxies will give other advantages like compression etc.
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by dellock6 » Mon Jan 07, 2013 11:05 pm

If you are going to have a proxy only on the source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? Forget it!

A single proxy for WAN replication is a bad idea, just like NATing instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5052
Liked: 1333 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Re: Replication over NAT (Internet)

by Sorenemig » Tue Jan 08, 2013 1:59 pm

dellock6 wrote: If you are going to have a proxy only on the source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? Forget it!

A single proxy for WAN replication is a bad idea, just like NATing instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.


OK, I give in and forget about PAT (I wasn't fond of the idea anyway) :-) The reason that I wanted to avoid VPN is that I want to protect the production end, because the remote site is a shared environment – I won't allow traffic TO my production site to be initiated FROM the remote site. In my current setup I can't filter inside the VPN tunnel, but a new router and a whole lot of work will fix that :-)

I'm uncertain about the traffic flow when two proxies are involved. I want to filter inside the site-to-site VPN so that only established traffic from the production end is allowed. Will this work?
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by v.Eremin » Tue Jan 08, 2013 2:16 pm

May I ask you to provide a little more information about which points of the traffic flow remain unclear?

As Luca previously said, in the case of offsite replication it's strongly recommended to have one Veeam agent running in the production site (closer to the source host), and another one in the remote DR site (closer to the target host).

Thus, to replicate across remote sites, you should deploy at least one local backup proxy in each site – a source backup proxy in the production site, and a target backup proxy in the remote DR site. During backup, the agents residing on proxy servers maintain a connection, which allows for uninterrupted operation over WAN.

Hope this helps.
Thanks.
v.Eremin
Veeam Software
 
Posts: 13290
Liked: 971 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Replication over NAT (Internet)

by dellock6 » Tue Jan 08, 2013 3:05 pm

Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hosted servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connections only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
dellock6
Veeam Software
 
Posts: 5052
Liked: 1333 times
Joined: Sun Jul 26, 2009 3:39 pm
Location: Varese, Italy
Full Name: Luca Dell'Oca

Re: Replication over NAT (Internet)

by Sorenemig » Tue Jan 08, 2013 3:42 pm

dellock6 wrote: Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hosted servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connections only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.


It's complicated to explain, but there are multiple partners who use the same ESX server on the remote site and we want to shield these users from accessing our production LAN. Therefore, we need the filtering to apply at our end of the VPN tunnel. If we apply an "established" one-way rule that allows traffic to be initiated from our end and only allows "return traffic", it would accomplish that, but I don't know if this is compatible with the way the Veeam proxy works. That's why I'm asking about traffic flow and direction.

PS. English is not my native language so sorry if I'm not being clear enough :oops:
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by tsightler » Tue Jan 08, 2013 3:49 pm

This won't work by default as the target proxy makes TCP connections back to the source proxy. With 6.5 you can now "reverse" this but I don't know if it eliminates all connections from the target to the source and I have not had enough time to really dig with this feature in my lab.
tsightler
Veeam Software
 
Posts: 4769
Liked: 1738 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Replication over NAT (Internet)

by v.Eremin » Tue Jan 08, 2013 3:57 pm

It seems like one of those cases when only a real test is likely to put everything into place.

Thanks.
v.Eremin
Veeam Software
 
Posts: 13290
Liked: 971 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Replication over NAT (Internet)

by rkovhaev » Wed Jan 09, 2013 7:33 am

6.5 works fine with one-way NAT: open properties of the Windows server -> credentials -> ports -> there you'll find an option "run server on this side"
rkovhaev
Veeam Software
 
Posts: 33
Liked: 12 times
Joined: Mon May 17, 2010 6:49 pm
Location: hockey night in canada
Full Name: Rustam
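
Added example (not part of any post in this thread, and not Veeam code): a small Python model of the "established"-only rule discussed above, showing why a connection opened by the target proxy is dropped at the production end while the reversed direction passes. The addresses, the port number and the flow list are constructed, and the direction of the proxy-to-backup-server connection is an assumption to confirm in a lab test.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses and the port are constructed for this example (not from the thread).
PROD = ip_network("10.1.0.0/24")      # production site
REMOTE = ip_network("10.2.0.0/24")    # shared remote site
SOURCE_PROXY, TARGET_PROXY, BACKUP_SERVER = "10.1.0.10", "10.2.0.10", "10.1.0.5"
DATA_PORT = 2500                      # placeholder port number

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                 # True only for the connection-opening packet

class OneWayFilter:
    """New connections only production -> remote; anything else must match a tracked flow."""
    def __init__(self):
        self.tracked = set()

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.tracked or rev in self.tracked:
            return True               # packet of an established flow, either direction
        if p.syn and ip_address(p.src) in PROD and ip_address(p.dst) in REMOTE:
            self.tracked.add(fwd)     # remember the flow so replies are accepted
            return True
        return False                  # remote-initiated or untracked: dropped

def handshake_passes(fw, client, server, port, eph=50000):
    """True if the SYN and the SYN/ACK reply both pass the filter."""
    if not fw.allow(Packet(client, eph, server, port, syn=True)):
        return False
    return fw.allow(Packet(server, port, client, eph))

def blocked_initiations(connections):
    """Given (client, server, port) tuples seen in a lab test, list those the rule breaks."""
    fw = OneWayFilter()
    return [c for c in connections if not handshake_passes(fw, *c)]

# Constructed connection list for the lab scenario.
LAB_FLOWS = [
    (TARGET_PROXY, SOURCE_PROXY, DATA_PORT),   # target proxy connects back to source
    (SOURCE_PROXY, TARGET_PROXY, DATA_PORT),   # direction reversed: source connects out
    (TARGET_PROXY, BACKUP_SERVER, DATA_PORT),  # assumed remote-initiated connection
]
```

Feeding `blocked_initiations` the connection attempts recorded during a lab run lists every flow that still originates at the remote site and would therefore fail behind the one-way rule.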

Re: Replication over NAT (Internet)

by Sorenemig » Wed Jan 09, 2013 8:59 am

Rustam, okay this might do the trick. Is it only the two proxy roles that need to be able to communicate between the sites?


Also, thank you all for the helpful responses :-) I think I will begin a lab test!
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

by foggy » Wed Jan 09, 2013 10:04 am

Sorenemig wrote: Rustam, okay this might do the trick. Is it only the two proxy roles that need to be able to communicate between the sites?


Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.
foggy
Veeam Software
 
Posts: 14746
Liked: 1083 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
