
Tuesday, June 27, 2017

Setup of a Disaster Recovery (DR) site in Microsoft Azure using Lightweight, Software-Defined Networking (SDN) - Part 1

In this post, we are going to explore lightweight software-defined networking (SDN), using Veeam PN to set up a site-to-site VPN.

Veeam PN is a free Veeam solution that supplements the Veeam functionality of restore to Microsoft Azure and allows you to create a VPN connection between remote sites over the public network. You can use Veeam PN to implement the following scenarios:

  • Set up a site-to-site VPN between company offices and a Microsoft Azure network to which VMs restored in Microsoft Azure are connected.
  • Set up a point-to-site VPN between remote computers and a Microsoft Azure network to which VMs restored in Microsoft Azure are connected.
  • Allow remote users to get access to a company network through a Microsoft Azure network.

Veeam PN lets you set up VPN connections between Microsoft Azure networks and on-premises networks.

The solution is based on the OpenVPN technology and features a web-based interface that simplifies VPN configuration and administration.

In the VPN, all traffic between remote networks is routed over a secure communication channel, the VPN tunnel. To establish a VPN tunnel, Veeam PN uses its appliances:
a) Network hub - the core of the VPN, responsible for traffic routing, encryption, user management, authentication and so on.
b) Site gateway - a virtual appliance that establishes a secure connection with the network hub.


Here is my simple lab environment:-

[Scenario 1:- Site to Site VPN]
To configure S2S VPN, perform the following configuration:-

  • Deploy & configure Network Hub on Microsoft Azure


a) Network Hub Appliance in Microsoft Azure
Go to Azure MarketPlace:- https://azuremarketplace.microsoft.com/en-us/marketplace/apps/veeam.veeampn?tab=Overview
Using 192.168.20.0/24 Subnet on Microsoft Azure
Follow the simple wizard to deploy the appliance from Azure Marketplace. Once done, use the assigned public IP to access the appliance (https://<Veeam PN public IP>) and log in using the credentials that you defined when creating the appliance.

This is how it looks after logging in.


  • Register Veeam PN client
Go to Client
Click Add, select Entire Site
Enter Subnet 192.168.0.0/24 (on-premise subnet)

  • Deploy and Configure Site Gateway on on-premise

b) Site Gateway
Download free Veeam PN OVA package from https://www.veeam.com/cloud-disaster-recovery-azure.html and setup on-premise
Deploy it on-premise
Using 192.168.0.0/24 Subnet
Log in to the virtual appliance using the following credentials to get the IP address

  • username: root
  • password: VeeamPN

(use the ifconfig command; the appliance runs on Ubuntu)

Use a browser to log in to https://<Veeam PN IP>
Change the password
The initial configuration wizard will prompt
Select "Site Gateway"
Select the configuration file that you got from the Network Hub appliance

  • Add static route for outgoing traffic on default gateway
The result below indicates that our traffic is still routed to the old gateway (firewall). We need to add a static route so that any request to 192.168.20.0/24 is routed to 192.168.0.253.



Use command "route add 192.168.20.0 mask 255.255.255.0 192.168.0.253"


Perform a ping test to 192.168.20.5 (Azure VM). The tracert result shows that traffic is now routed to 192.168.0.253 (Veeam PN site gateway appliance).
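The routing check from the step above, as an added example that is not part of the original post: it parses Windows `route print -4` rows and applies longest-prefix matching to confirm which gateway receives traffic for 192.168.20.5. The two route tables are constructed, and the old gateway 192.168.0.1 and host address 192.168.0.10 are assumptions.

```python
import ipaddress

# Constructed `route print -4` excerpt from an on-premises Windows host.
# Assumed values: 192.168.0.1 = old gateway (firewall), 192.168.0.10 = this host.
SAMPLE_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10     25
      192.168.0.0    255.255.255.0         On-link      192.168.0.10    281
"""
# Same table after: route add 192.168.20.0 mask 255.255.255.0 192.168.0.253
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "     192.168.20.0    255.255.255.0    192.168.0.253     192.168.0.10     26\n"
)


def parse_routes(text):
    """Return (network, gateway) pairs from the five-column route rows."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, cols[2]))
    return routes


def next_hop(routes, dest):
    """Pick the gateway by longest-prefix match (metric ties are ignored)."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check_tunnel_route(text, azure_host="192.168.20.5", gateway="192.168.0.253"):
    """True when traffic for the Azure VM is handed to the site gateway."""
    return next_hop(parse_routes(text), azure_host) == gateway


if __name__ == "__main__":
    print("before:", next_hop(parse_routes(SAMPLE_BEFORE), "192.168.20.5"))
    print("after: ", next_hop(parse_routes(SAMPLE_AFTER), "192.168.20.5"))
```

On Windows, `route add` without `-p` does not survive a reboot, so repeat the check after a restart of the machine that holds the route.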

Lastly, the Veeam PN (Network Hub in Microsoft Azure) dashboard shows traffic in and out for both networks.


That concludes our simple test of setting up a site-to-site VPN between on-premises and Microsoft Azure using Veeam PN.

Tuesday, June 20, 2017

Webinar :- How to Migrate to VMware for Hyper-V administrators

If you’re an IT Pro who started your virtualization training with Hyper-V but find yourself in a situation where you need to work on a VMware platform, this is the perfect webinar to get up to scratch.

Sometimes department priorities change, corp. policies change, or maybe company acquisitions are made, etc. Whatever the reason, if you find yourself having to adapt to a multiple hypervisor deployment or making a complete switch to VMware altogether, you’re going to have to get yourself educated, FAST.

This webinar will help you do just that.

It’s intended for Hyper-V administrators who are thinking of using vSphere for the first time, or have recently started using VMware's virtualization platform for the first time and are having issues acclimatizing to it.

Webinar schedule:-

  • Tuesday, June 27th 2017
  • Time for US attendees: (10am PDT / 1pm EDT)
  • Time for EU attendees: (2pm CEST)
To register, click here.

Sunday, June 11, 2017

Online session: Combining monitoring and analytics with SCOM + OMS


Are you one of the many that are wondering if you can and should use SCOM and OMS together? There has been a lot of discussion around the topic of OMS and whether it will fully replace SCOM’s monitoring capabilities. To clear the air, Savision will hold a live online session: “Combining Monitoring & Analytics with SCOM and OMS”.

Hosted by Savision’s Support Manager – Chris Malay, the session will feature renowned Microsoft MVPs Thomas Maurer & Dieter Wijckmans, who will answer all your questions regarding SCOM & OMS.

The session will be held on Thursday, June 22nd at 4PM CEST | 10AM EDT | 9 AM CDT

 Discover:

  • What is new in OMS? | OMS Service Map | OMS Log Analytics
  • Is OMS a replacement for SCOM? | Why doesn’t OMS do monitoring? | Why do you still need SCOM?
  • How to get better insights from your data using advanced dashboards for SCOM + OMS
  • Demos and real-use cases from the field


Don’t miss out on this session. To register, click here.

Sunday, May 21, 2017

Tier to AWS Cloud Using Starwind Cloud VTL and Veeam

In this post, we are going to explore how StarWind Cloud VTL and Veeam work better together to transfer backup data to the AWS public cloud.

The concept is simple: Veeam B&R uses StarWind Virtual Tape Library (VTL) to store backup files as emulated tapes in a local cache, and then the VTL replicates these tapes to Amazon S3/Glacier: Amazon S3 Standard - Infrequent Access for long-lived but less frequently accessed data, and Amazon Glacier for long-term archive.

The main StarWind advantage is performance: it writes backup files to local cache ten times faster than native Amazon VTL.


Let's have a quick look at the product in action...

To start, you can download Starwind Cloud VTL for AWS from here. Install the VTL on any VM/Veeam Backup Server.


Configure Starwind VTL:-

  • Add VTL Device
  • Specify the VTL store location
  • Select Device to Emulate. It will emulate HP MSL8096
  • Create new tape or fill up the empty tape.
  • You can only specify LTO 4 or LTO 5 (max size 1.5TB per tape)








Get AWS Account. For testing, you can sign up for Free Tier (up to a year) from https://aws.amazon.com/free/


  • Create a user (example:- vtladmin)
  • Get an access key and secret access key
  • Assign user to a group - AmazonS3FullAccess and AmazonGlacierFullAccess



Create S3 bucket. Point to region that you want.
I've selected Asia Pacific (Singapore).



 Configure Starwind VTL

The next step is to configure Cloud Replication.

  • Define Access Key ID (refer to the setting from the step above)
  • Define Secret Access Key
  • Define Region
  • Define Bucket
Note:- The Asia Pacific region does not transition data from S3 to Glacier. Select another region if you want to tier to Glacier.





Specify your tape file retention settings:-

A. When to start replication to the cloud after the tape is moved from the drive
- can be immediate
- never replicate (offline)
- set days


B. Action on the local copy after data has replicated to the cloud
- delete immediately
- never delete (local copy available)
- set days

C. Action when moving to Glacier

Now the infrastructure is ready. Time to mount the VTL on the backup host using the iSCSI initiator

  • Enter the iSCSI target where you've installed StarWind VTL


Download latest driver from https://h20566.www2.hpe.com/hpsc/swd/public/detail?swItemId=MTX_7e9f343865d1445e92cfbaf0b1


On Veeam Backup Server

  • Perform rescan tape libraries
  • A new tape library has been added, "HP MSL G3 Series 1070", with up to 4 drives & 96 tapes available.
  • Mark tape as free
  • Create Simple Media Pool or GFS media pool (depend on your requirement)


Test by creating a File to Tape job
  • Tick Use Microsoft VSS
  • Eject media upon completion
  • Eject Export current media upon job completion
  • Run backup 


You can view tape backup status


After the backup completes, the tape will automatically be moved to Media "Offline". You can view the content that you backed up previously.


On Starwind Management Console:-

  • Tape has moved to the Offline Shelf
  • Tape indicates Local - None, Cloud - Yes. This means the local copy has been removed and replicated to the cloud


On the S3 bucket, you are able to view the VTL tape that has been successfully replicated.


Testing restore by getting tape from AWS S3

  • On Offline Shelf, click the tape & select download.
  • Tape status - Local - Yes, Cloud - Yes (meaning it has been downloaded and is available locally)
  • Tapes listed on Tapes




On Veeam B&R, inventory the tape. It will be loaded into one of the emulated drives.
Lastly, Restore. You can see your content and perform any recovery from the tape.


Starwind Cloud VTL for AWS benefits:-

  • Implementation of Disk-to-Disk-to-Cloud (D2D2C) backup strategy
  • Veeam Ready solution
  • Ability to “tier” backups between cloud storage with different performance and efficiency characteristics for maintaining low cost per GB without compromising RTO.

Give it a try. The product is now available for use. You can get Starwind VTL trial license and evaluate for 30 days.

Good Luck on your testing!

Wednesday, May 17, 2017

How to get better insights from your SCOM + OMS data


Join Savision’s new online session “How to get better insights from your SCOM + OMS data”. 

Don’t miss the session, which will take place on:

Tuesday, June 6th at 3PM CEST | 9AM EDT | 8AM CDT

The session is hosted by Savision’s Technical Sales Manager, Justin Boerrigter, who will show you how to correctly diagnose and fix problems before they impact the end-user experience.

The session will cover:

Visibility: How to improve visibility and share relevant information?
Alerts: How to make sense out of alerts and enable proactive monitoring?
Service Mapping: How are the technologies being used dependent on their underlying infrastructure and applications?
Giving the business the service-oriented monitoring it wants and needs by monitoring and managing the end-user experience and business transactions
How to get advanced SCOM + OMS dashboards

Register now to find out how to build a proactive service-oriented monitoring approach by finding the common ground between the organization’s information technology and business needs.

To register for the session, click here

Tuesday, May 16, 2017

Last Line of Defense Against WannaCry Ransomware - Part 2

This blog post continues from Part 1 - http://www.ms4u.info/2017/05/last-line-of-defense-against-wannacry.html

In the previous post, we talked about the 3-2-1 rule. For additional protection, we extend it to 3-2-1-1-0.


3- Ensure you have at least three copies of your data
2- Use at least two different media to store the backup
1- Keep at least one copy of your backup offsite
1- Keep at least one copy offline
0- Perform verification to ensure there are no errors.
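An added example, not from the original post, that evaluates a backup inventory against the 3-2-1-1-0 rule above and lists which copies would still be usable if ransomware reached everything online. The inventories are constructed, and counting production data as one of the three copies is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Backup:
    name: str
    media: str                    # "disk", "tape", "cloud", ...
    offsite: bool
    offline: bool                 # unreachable from the production network
    verify_errors: Optional[int]  # None means the copy was never verified


def check_3_2_1_1_0(backups):
    """Map each condition of the rule to True/False for a backup inventory."""
    return {
        "3 copies": 1 + len(backups) >= 3,  # assumption: production data is copy 1
        "2 media": len({b.media for b in backups}) >= 2,
        "1 offsite": any(b.offsite for b in backups),
        "1 offline": any(b.offline for b in backups),
        "0 errors": bool(backups) and all(b.verify_errors == 0 for b in backups),
    }


def usable_after_infection(backups):
    """Copies that malware on the network cannot reach and that verified clean."""
    return [b.name for b in backups if b.offline and b.verify_errors == 0]


# Constructed inventories (names and values are illustrative).
WEAK = [
    Backup("repo-share", "disk", offsite=False, offline=False, verify_errors=None),
]
STRONG = [
    Backup("repo-local", "disk", offsite=False, offline=False, verify_errors=0),
    Backup("tape-vault", "tape", offsite=True, offline=True, verify_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("STRONG", STRONG)):
        failed = [rule for rule, ok in check_3_2_1_1_0(inv).items() if not ok]
        print(label, "failed:", failed, "usable:", usable_after_infection(inv))
```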

This round we will focus on using Veeam Backup & Replication to recover from infection.

Based on the live map of WannaCry infections (last updated on 16 May 2017, 9.41pm), around 374K computers have been infected to date.



If you're using Veeam to protect your VMware or Hyper-V environment, you can use these features to perform recovery:

1. Initiate Instant VM Recovery
By using Veeam, you can bring up a system within 2 minutes by mounting the backup data to the hypervisor using Veeam's patented "vPower" technology.



2. Use Veeam Explorer to view healthy or unhealthy files.
By using Veeam Explorer, you can view files before restoring. Other legacy backup products require you to restore a restore point in order to identify the health of a file (encrypted/normal).

Sample of a file infected by WannaCry. A pop-up appears requesting the user to pay a ransom in order to decrypt the file. The latest ransom is $600. The file is unreadable because it has been encrypted.


Without restoring the file, use Veeam Explorer to identify which files are healthy. A healthy file is readable. Once you have identified it, you can start the restoration process.



3. Failover to replicated VM
The replica VM is offline and safe from WannaCry. You can select a restore point to fail over to the replicated VM.



4. Use On Demand Sandbox
Use Veeam to create a virtual lab from the backup data. Without restoring backup data to a staging server, backup data from the Veeam repository can be mounted to the hypervisor using Veeam vPower in an isolated environment.


Perform verification to ensure zero errors by using a SureBackup job. Then you can leave the VM running so you can perform testing on it. The screenshot below shows a VM running in the Virtual Lab.




5. Restore from Tape
Tape is offline media. Therefore your backup data stored on tape is safe from WannaCry infection.
You can restore backup data from tape.

Hope this guide assists you in recovering from a WannaCry infection.

Good Luck!

Saturday, May 13, 2017

Last Line of Defense Against WannaCry Ransomware -Part 1

Oh no!

On 12 May 2017, WannaCry began affecting computers worldwide. After gaining access to the computers, the ransomware encrypts the computer's hard disk drive, then attempts to exploit the SMB vulnerability to spread to random computers on the Internet, and "laterally" between computers on the same LAN.

This virus demands $300 for decryption.


Please don't pay them!

Next, do you think having an antivirus is sufficient to protect your environment?
No!
No!
No!
Well, I don't agree with it. Nowadays malware is smart and no antivirus can guarantee 100% protection. But I am not saying that antivirus is NOT required.

An antivirus program is a MUST.

But you still need to look at other vulnerabilities, such as Microsoft operating system vulnerabilities, especially on older versions.

All of these play important roles:- antivirus, operating system, firewall, network security, etc.

Let me share some of the content that I presented recently on how to avoid a "ransomware attack".

Here are the guidelines on how to avoid a ransomware attack:
0. Antivirus is a must-have. :) Almost all antivirus vendors have already added signatures to protect against this latest threat. Make sure you are using a good antivirus, and always keep it up to date.
1. Keep Windows up to date. 
On March 14 Microsoft published a security update that fixes this vulnerability and it is available through Windows Update. 

Please install all the latest Windows updates on all of your PCs, laptops and VMs as soon as possible.

2. Perform a threat analysis with your security team

3. Train staff on cyber security practices on:
a. Not opening attachments or links from unknown sources
b. Inform employees if a virus reaches the company network.

4. Backup all information every day

5. Backup all information to a secure, offsite location

Apply the 3-2-1 rule to ransomware protection

3- Ensure you have at least three copies of your data
2- Use at least two different media to store the backup
1- Keep at least one copy of your backup offsite & offline

It's better safe than sorry.

My protection journey on my laptop started by installing Veeam Agent for Windows (VAW) - Workstation Edition. Then I backed up my entire computer and protected my important files, including Dropbox, to an external hard disk. It is not safe to put backups on a local disk or my shared folder.

VAW has CryptoLocker (ransomware trojan) protection. It will eject the external hard disk once the backup is completed. In case your laptop is infected by WannaCry, you know where to get a safe copy from.





I've followed steps 0-5 & feel more secure.
How about you? Are you protected?


Protect your laptop/server before a ransomware attack. If you're interested in reading more, please check out the recent 40-page ebook: "Conversational Ransomware Defense Survival".
Click on below image to download free ebook.


We will look at virtualization protection against ransomware in Part 2 - Click here

Stay Tuned!