Welcome! » Log In » Create A New Profile

security and file-level recovery (FLR) with NvP-vProxy

Posted by enchanter 
security and file-level recovery (FLR) with NvP-vProxy
July 05, 2018 12:59PM
All-

We went through the NetWorker 8.2.x to 9.2.x upgrade a couple weeks ago,
which also meant transitioning from the VMWare Backup Appliance (VBA)
to NVP-vProxy for our VMWare VM snapshot backups.

NVP-vProxy supports file-level recovery (FLR), in addition to entire-VM
recovery, but the FLR documentation leaves me with some unanswered
questions.

1) The documentation indicates that if you initiate a file-level recovery
via NMC, the FLR agent software will be automatically installed into the
VM as part of the recovery. There's an option to have the software removed
after the recovery completes, but that's about as much as the
documentation says.

Does anyone have any more details on this agent? Is it possible to
install the FLR agent *manually*, rather than having vProxy doing
something behind the scenes to install it? I'm not crazy about an opaque
software stack trying to be "helpful" and installing software onto our
VMs.

2) to actually do the recovery, you have to input administrator-level
credentials *for the VM in question* into the NMC. Does this make anyone
else uncomfortable? Does anyone have any detailed documentation on how
the credentials are handled, how they're secured in transit, etc? Does
anyone that has a mandatory multi-factor environment know how this does
(or doesn't) work with additional factors?

We had been really looking forward to NVP, but now that we've run into
these particular engineering design decisions, we're not certain we're
going to be able to use it. Having some more detailed information about
what is being done for these two steps would be useful.

Thanks,

Tim
--
Tim Mooney Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164


--
This list is hosted as a public service at Temple University by Stan Horwitz
If you wish to sign off this list or adjust your subscription settings, please do so via http://listserv.temple.edu/archives/emc-dataprotection-l.html
If you have any questions regarding management of this list, please send email to owner-emc-dataprotection-l@listserv.temple.edu
This message was imported via the External PhorumMail Module
Tim,

The RPM/Package that is installed by the vProxy process lives on your vproxy appliances and is installed from there via an NFS mount (using the vmtools command api). It has been almost a year since I did a POC install of it, so I don't remember the path/name of the RPM that it pulls over and installs.

My thinking at the time was for those "frequent flyers" of the recover my file for me club - I'd leave it installed to not have to re-install all the time. However, there is the tradeoff that every time you upgrade the vproxy appliance, you are probably getting a new version of that RPM as well, so leaving them installed all over the place should not be the normal operation (at least in my opinion).

Since it lives on the vproxy appliance, you can poke into the filesystem there and find it and do a manual install of it -- with the caveat that you'll have to update it manually in the future.

My belief is that the root/administrator credentials are shoved in via the vmtools command api (just as the install of the FLR agent is). Therefore, it is as secure as your vmtools command api... (which better be darned secure or we're all screwed). I don't believe it will work with MFA, but that's really a question for your EMC rep.

- Frank

> On Jul 5, 2018, at 15:22, Tim Mooney <Tim.Mooney@NDSU.EDU> wrote:
>
> All-
>
> We went through the NetWorker 8.2.x to 9.2.x upgrade a couple weeks ago,
> which also meant transitioning from the VMWare Backup Appliance (VBA)
> to NVP-vProxy for our VMWare VM snapshot backups.
>
> NVP-vProxy supports file-level recovery (FLR), in addition to entire-VM
> recovery, but the FLR documentation leaves me with some unanswered
> questions.
>
> 1) The documentation indicates that if you initiate a file-level recovery
> via NMC, the FLR agent software will be automatically installed into the
> VM as part of the recovery. There's an option to have the software removed
> after the recovery completes, but that's about as much as the
> documentation says.
>
> Does anyone have any more details on this agent? Is it possible to
> install the FLR agent *manually*, rather than having vProxy doing
> something behind the scenes to install it? I'm not crazy about an opaque
> software stack trying to be "helpful" and installing software onto our
> VMs.
>
> 2) to actually do the recovery, you have to input administrator-level
> credentials *for the VM in question* into the NMC. Does this make anyone
> else uncomfortable? Does anyone have any detailed documentation on how
> the credentials are handled, how they're secured in transit, etc? Does
> anyone that has a mandatory multi-factor environment know how this does
> (or doesn't) work with additional factors?
>
> We had been really looking forward to NVP, but now that we've run into
> these particular engineering design decisions, we're not certain we're
> going to be able to use it. Having some more detailed information about
> what is being done for these two steps would be useful.
>
> Thanks,
>
> Tim
> --
> Tim Mooney Tim.Mooney@ndsu.edu
> Enterprise Computing & Infrastructure 701-231-1076 (Voice)
> Room 242-J6, Quentin Burdick Building 701-231-8541 (Fax)
> North Dakota State University, Fargo, ND 58105-5164
>
>
> --
> This list is hosted as a public service at Temple University by Stan Horwitz
> If you wish to sign off this list or adjust your subscription settings, please do so via http://listserv.temple.edu/archives/emc-dataprotection-l.html
> If you have any questions regarding management of this list, please send email to owner-emc-dataprotection-l@listserv.temple.edu


--
This list is hosted as a public service at Temple University by Stan Horwitz
If you wish to sign off this list or adjust your subscription settings, please do so via http://listserv.temple.edu/archives/emc-dataprotection-l.html
If you have any questions regarding management of this list, please send email to owner-emc-dataprotection-l@listserv.temple.edu
This message was imported via the External PhorumMail Module
Sorry, only registered users may post in this forum.

Click here to login