09-02-2018 11:29 AM
Hello Guys,
I'm trying to find the best way to handle protected networks, for example a DMZ. In my opinion, it could be done with a dedicated media server which will have access only to the master server and the clients in the DMZ. I'm not sure that it is possible without providing access to the master server from the clients as well.
Also I would like to store backup copies on Data Domain, DDBoost and OST protocol.
I have AIX/Linux hosts, Oracle and Sybase.
Any suggestions?
09-02-2018 01:22 PM
09-03-2018 04:58 AM - edited 09-03-2018 07:07 AM
In general, it's just bad mojo to open IP connections in the DMZ to the inside. Consider deploying an entire NBU environment in the DMZ and use DDBoost over Fibre Channel. As an alternative, pull the entire traffic through the firewall.
I don't see any gains in placing a media server in the DMZ, as clients want to talk to the master server - e.g. for restore requests for BMR.
If all hosts in the DMZ are VMs, use hypervisor-based backups from the inside of the hypervisor network. This recommendation doesn't work
Nicolai
09-04-2018 12:08 AM
In theory file-level backups might work without direct access to the master server. However, it's a very limiting approach.
If a high level of security is required, I'd either build the entire domain in the DMZ and AIR it to the open network through Data Domain - this avoids connectivity between any active NBU components and leaves all communication channels with storage.
One more thing to worry about is the firewall throughput. More frequently than not I've seen these devices in the middle slow things down dramatically, so even if you punch holes in the firewall you might suffer from a performance penalty. You avoid it either by using DD Boost over FC or SAN client, or, as mentioned above, by using AIR.