CONTINUITY CLOUD GUIDE
BluPointe Continuity Cloud Directions
Last Updated August 15, 2014
Solution Overview
Prepare for the worst-case scenario with the BluPointe Continuity Cloud. Downtime of critical infrastructure can cost a business dearly. When disaster strikes, backups will not be enough to keep businesses operating smoothly. The BluPointe Continuity Cloud allows bare-metal backup VMDK or VHD files stored in BluPointe’s storage cloud to be virtualized in the cloud in minutes or hours, not days or weeks. These virtual servers can then be connected to the Internet and existing LAN networks through a virtual firewall and router or VPN tunnels.
Technical Overview
The BluPointe Continuity Cloud allows fast recovery from partial site or entire site failures. In the event of a server failure (or the failure of an entire site), a local BluPointe BDR appliance can first be used to easily, quickly, and transparently virtualize the failed server(s) onsite. If the BDR has been destroyed or is otherwise unavailable, the continuity cloud can be activated to bring the failed infrastructure back up. Powerful virtual routing and firewalling features provide easy and, in certain configurations, fully transparent access to virtualized servers.
To begin using the BluPointe Continuity Cloud, a partner submits a critical (highest priority) support ticket, including details of the resources needed (number of servers, total RAM and disk space) and the account(s) containing the data for the computers to be virtualized. Our team will respond to these requests 24/7/365. Our team will provision one or more continuity cloud compute nodes for dedicated use by the partner. Once provisioned, the partner will have full self-management capabilities of the resources on the compute node and will no longer need to involve the BluPointe team to get things done.
The partner agrees to the acceptable use terms, and then is given RDP access to the compute node(s). Once logged in to a compute node, partners have full access to self-configure the virtual router and virtual firewall, allowing the configuration of any needed VPNs and NAT/PAT policies. If the partner chooses to virtualize a VDR backup directly without any conversion process (only available for certain types of BluPointe backups, or where “hot standby” VMs have already been created automatically if using BluPointe Standby Servers), VMs are configured and spun up. Otherwise, the backup VMDK or VHD files will be “restored” or otherwise converted and copied onto the storage resources dedicated to that compute node, after which the VMDK or VHD files can be virtualized. Both Hyper-V and VirtualBox are provided for maximum compatibility.
The VMs can be brought up with a variety of networking configurations. A test mode is available where the VMs are fully isolated on a virtual network. More common is the mode where VMs are bridged to a VLAN that is dedicated to and connected to all of a partner’s provisioned compute nodes. The virtual router and firewall control the flow of traffic between this internal, private VLAN and a VLAN dedicated to the external connectivity of the virtual network. All compute nodes are assigned several public IPv4 addresses (IPs are provisioned as requested, up to one public IP address per VM that needs to be virtualized). All traffic to these public IPs is automatically routed to the external VLAN dedicated to the partner’s compute node(s).
The virtual router/firewall thus has full control over the entire network – virtualized servers can be exposed in a DMZ, NAT/PAT can be used, IPsec VPN tunnels can be configured as well as PPTP VPN connections, and VPN connections can be passed through to virtualized servers.
IPsec VPN tunnels are especially powerful for a partial-site failure situation where the customer site’s firewall is still operational and can form a VPN tunnel to the virtual router/firewall running in the cloud. In this situation, the internal IP addresses of the virtualized servers in the cloud can be the same as they were before, and thus users can transparently use the virtualized servers running in the cloud without any configuration changes. Point to point VPN tunnels can also be constructed to securely deal with situations where the customer’s edge firewall is no longer available. Additionally, any public services such as POP3 and OWA can be exposed through NAT/PAT policy rules—partners then update the DNS records of their servers to point to the new public IP addresses, and these public services become available again, just as before.
When the original servers are ready to be recovered, the virtualized servers can take incremental backups, which will update the backed-up data as normal. The partner can then download and restore these bare-metal VMDK or VHD files as they normally would using the BluPointe V2P tool, or request a copy of the data on a USB drive or NAS device. Finally, the partner submits a ticket to de-provision the cloud compute nodes, and the cloud compute nodes are automatically wiped clean back to a well-known state, so that they are ready for use by the next partner.
Technical Specifications
BluPointe Continuity Cloud Node Specifications
Specification | Medium Node | Large Node
CPU | 4 Cores | 8 Cores
RAM | 32 GB | 96 GB
Node-Local Logical Storage | 3 TB | 10 TB
IO Reliability and Performance | RAID 10 | RAID 10
Key Features
Virtualization
Choice of Hyper-V or VirtualBox
Powered by Server 2008 R2 Datacenter
Modern CPUs and 1333 MHz DDR3 RAM
Good IO performance via RAID10
Virtual Router / Firewall
Full control of NAT, PAT, and private LAN network IPv4 space / routing
Full control of firewall security policies
IPSec, OpenVPN and PPTP support
Up to 100 Mbps throughput
GUI management console
Support
Hyper-V powered cloud for full compatibility with Virtual Standby jobs
LAN connectivity to your CORE for fast access to your VHDs
Prebuilt virtual recovery CD for more advanced recovery scenarios
BluPointe File-level Backup Support
Data backed up by BluPointe’s file-level backup service can be quickly restored across a LAN x-connect
If customer did not opt to off-site OS image, you have the option to rebuild their server and apps in a VM
Multiple Failback Options
Download your data over the Internet
Have your data shipped via USB/NAS
Enterprise Class Infrastructure
99.99% reliability of all core systems
SAS-70 / SSAE-16 certified data centers
Fault tolerant server hardware with dual power supplies and power feeds
Pricing
Simple all-in-one (CPU, RAM, Storage, and Bandwidth) pricing scheme
Only pay for what you use – no expensive recurring fees to cut into your recurring margins
Partner Friendly
Competitive pricing, allowing you to enjoy good margins while still matching or beating public cloud pricing
BluPointe is 100% channel only
Technical Instructions
Setting Up V5 Virtual Standby Jobs
This section describes how to configure virtual standby jobs if you are using V5.
Virtual standby jobs allow you to keep updated Hyper-V or VMware virtual machines that represent the latest version of your protected servers. These VMs are thus ready to be started quickly in case the original protected server is no longer available. Please note that virtual standby is only available for protected Windows servers at this time.
If you are using a dedicated BluPointe Continuity Cloud node, you can also set up virtual standby jobs on your hosted target, so that any protected servers can also be virtualized in the cloud nearly instantly. If you are not using a dedicated BluPointe Continuity Cloud node, then you will only set up virtual standby jobs if and when you need to actually virtualize a server in the cloud, after you have been assigned your on-demand Continuity Cloud node(s).
Virtual standby VMs are updated after each recovery point is received by a CORE and thus are kept up to date all the time. Updates to VMs only need to apply the data blocks changed within the received incremental recovery point, and thus updates to VMs usually complete within a few seconds or minutes. The time required for the initial export depends on the amount of data and other factors, and may take several hours.
To set up virtual standby jobs, log in to the source or target CORE Admin Console (see instructions above) and go to the Virtual Standby tab:
In the top right, click the Actions menu, and then click Add:
The Add Virtual Standby dialog will appear:
Select the Agent you wish to add a virtual standby job for and also the export type. For Hyper-V powered BDR appliances and the BluPointe Continuity Cloud, you should choose Hyper-V Export. Then click the Next button.
When configuring the Hyper-V export, for Hyper-V powered BDR appliances choose Use local machine. For the BluPointe Continuity Cloud, for the Hyper-V Host Name, use the private IP listed in the Private-IPs.txt file on the desktop of your Continuity Cloud node, and for User name and Password use the credentials you were assigned for that Continuity Cloud node. For VM Machine Location choose a path that is local to the Hyper-V server. For BluPointe Continuity Cloud nodes and BluPointe BDR appliances, choose a directory on the X:\.
IMPORTANT: The directory should be unique to the name of the protected server you are configuring the virtual standby job for. Make sure the server name is part of the directory path. For example, in this case we are using X:\VMs\Machines\aa5-t1src.
Note that you can customize how much vRAM is assigned to the standby VM on the Options tab:
If you wish the virtual standby export to begin immediately, check the Perform initial ad-hoc export checkbox.
Otherwise the export will begin after the next recovery point is received for this agent. Now click Save to finish setting up the virtual standby job. Proceed to do this for all servers that need to use Virtual Standby.
You can monitor the progress of the virtual standby export jobs on the Events tab in the management console.
Note that for replicated agents on the target CORE, the initial replication must fully complete (or the initial seed must be fully consumed) before you can configure virtual standby.
Setting Up BluPointe v14.1 Virtual Standby Jobs
This section describes how to configure virtual standby jobs if you are using BluPointe v14.1.
Virtual standby jobs allow you to keep updated virtual machines on the target CORE that represent the latest version of protected servers. These VMs are thus ready to be virtualized in BluPointe’s Continuity Cloud in the event of a disaster.
The VMs are updated once an hour or once a day and are thus kept mostly up to date. Before you proceed to virtualize a server, you can force it to update the “rest of the way” (the last few minutes or hours of changes since the previous update), which will not take very long since the size of the changes will be small.
NOTE: Setting up virtual standby jobs is not required to use the BluPointe Continuity Cloud. Virtual standby jobs will reduce the time required to bring up virtual machines in the Continuity Cloud, but it is not required.
IMPORTANT: Virtual standby jobs require enough disk space on the target CORE server to represent the current state of the VM plus some additional snapshots. VHD files do not support inline compression, so you should plan for at least the amount of uncompressed space used by the servers plus 25%.
To set up virtual standby jobs, log in to the target CORE using the Replay Admin Console (see instructions above), right-click the desired replicated server, choose Properties, and then go to the Virtual Standby tab:
Enable the export, and move the “Update VM” slider all the way to the right (1440 minutes).
VERY IMPORTANT: BluPointe only supports updating the VM at most once per hour. Attempting to update VMs more frequently will not provide any practical benefit and will only greatly decrease performance as the number of replicated servers on your CORE increases.
Then click the Change… button to open the configuration wizard. Note that if replication data was just consumed from a USB preload, at least one rollup operation (which happens nightly) must have completed, or you will see an error message like:
Our Continuity Cloud is powered by Hyper-V, so choose Hyper-V, and click Next.
Choose Continuous Export and click Next.
Normally you want to use virtual standby for all volumes. Configure as appropriate and click Next.
Normally the amount of RAM for the VM will be set to the same as the original server.
IMPORTANT: All virtual standby jobs must be stored to the X:\ volume. If you have already been assigned a Continuity Cloud node, you can also store the virtual standby job directly onto the Continuity Cloud node to save time when you need to virtualize. If you want to do this, use a subfolder of the Windows share listed in the Private-IPs.txt file on the desktop of the Continuity Cloud node that you have been assigned.
IMPORTANT: You must choose to update the VM Daily and not Hourly.
Now click Finish and save all changes. Proceed to do this for all servers that need to use Virtual Standby.
BluPointe Continuity Cloud
The BluPointe Continuity Cloud is provided to partners and billed on a per-use, as-needed basis. When you want to access the Continuity Cloud, email support@efolder.net for access. If your servers are down and you want access after hours, be sure to follow the instructions in the ticket auto-responder email to escalate the ticket to the highest priority.
When you are granted access you will be given credentials and an IP address that gives you remote desktop access to one or more Continuity Cloud physical nodes. These physical nodes are running Hyper-V and allow you to quickly virtualize your BluPointe Virtual Standby jobs. You will be assigned public IPs that are pre-routed into a WAN-DMZ network accessible by your Continuity Cloud nodes. You will have access to a virtual router and firewall that will allow you to easily route traffic from the WAN-DMZ to and from a custom virtual LAN.
Virtualizing Servers in the BluPointe Continuity Cloud
To virtualize one or more servers, follow these instructions:
Log in to the V5 target CORE admin console, and set up virtual standby jobs for each of the machines that you want to virtualize (see instructions above).
IMPORTANT: Once the virtual standby jobs have finished, in the V5 target CORE admin console, use the Virtual Standby tab to pause all virtual standby jobs for VMs that you are about to turn on. If you forget to do this, while the VMs are running, virtual standby jobs will fail with an error message like:
Next, log in to the Continuity Cloud using remote desktop, and open the Hyper-V manager. Check the network configuration of each VM to ensure that the first virtual NIC is connected to the “Internal-LAN” virtual network, or the virtual network that you want to use. Here is a summary of the different types of networks the VM can be connected to:
Internal-LAN: This is normally the network you want to connect the new VM to. It is the private virtual LAN that is also NAT’d behind the virtual firewall. Note that by default all outbound traffic is allowed by the virtual firewall. If you are only using the VM for testing, you may want to configure the virtual firewall to block all outbound traffic by default (see instructions below).
Internal-Testing-Only: This should be used if you want to completely isolate the VM from any real network. Use this if you want to test your VM without any real network connectivity.
WAN-DMZ: Do not choose this network. It is the physical network that receives DMZ traffic from your routed public IPs. It should only be connected to the virtual firewall that will already be running.
You may also wish to adjust the number of virtual processors attached to the VM:
Hyper-V currently supports up to 4 virtual processors per VM.
Once the VMs are configured, use the Hyper-V management console to turn on the VMs. Then configure the virtual firewall by following the instructions in the section below.
When you are finished running the VMs, stop the VMs using the Hyper-V management console. You can use the Admin Console to resume the virtual standby jobs. The next virtual standby export after the VM stops may take longer than normal as it will have to re-scan the VM data to determine which VM data blocks need to be changed to revert the VM back to where it was before the VM was turned on.
Virtualizing Servers in the BluPointe Continuity Cloud For BluPointe v14.1
To virtualize one or more servers, follow these instructions:
Start the Replay Admin Console and log in to your target core.
For each server you are going to virtualize, edit the virtual standby settings and change the export start date/time to Suspend exports until resumed.
Log in via remote desktop to your assigned Continuity Cloud node.
Unless you created the virtual standby jobs directly on the Continuity Cloud node, we next need to copy the data from your CORE server onto the Hyper-V Continuity Cloud Node. In Explorer, choose Start, Run, and enter the UNC path to the XDrive share on your assigned CORE server:
If you’re prompted for credentials, enter your credentials in the following format, and be sure to remember your credentials:
If you used the default Virtual Standby settings, your server’s VHD files will be stored in a folder on the root of the X:\ — in this example it is stored in \\aa4-examplehost.aa.sc.efscloud.net\XDrive\ts\2011-11-07-19-56-05
Use explorer to copy the data to the Continuity Cloud node in the X:\VMs\Disks\myservername directory. The data should copy over our internal datacenter network at approximately 50 MB to 60 MB per second:
VERY IMPORTANT: Make sure that you copy all of the files in the directory, including the *-snapshot.vhd files.
Next, on the Continuity Cloud node, open Hyper-V manager, and choose to create a new VM. (NOTE: this section of information is based on the KB article http://www..com/support/KB/4130325/ )
Specify the server name, and make sure that the location is somewhere on the X:\ (anywhere is fine):
Next choose how much RAM you need to allocate for the server. Keep in mind that the Hyper-V physical node will need at least 2 GB to 4 GB for its own use to maintain good performance. Continuity Cloud nodes come with 32 GB to 96 GB of RAM, so there should be plenty of RAM. Windows Servers usually need at least 2 GB for good performance, and SBS servers usually need at least 8 GB to run properly.
Next, choose the type of virtual network interface you want to connect to the virtual machine:
Here is a summary of the different types of networks to connect to:
Internal-LAN: This is normally the network you want to connect the new VM to. It is the private virtual LAN that is also NAT’d behind the virtual firewall. Note that by default all outbound traffic is allowed by the virtual firewall. If you are only using the VM for testing, you may want to configure the virtual firewall to block all outbound traffic by default (see instructions below).
Internal-Testing-Only: This should be used if you want to completely isolate the VM from any real network. Use this if you want to test your VM without any real network connectivity.
WAN-DMZ: Do not choose this network. It is the physical network that receives DMZ traffic from your routed public IPs. It should only be connected to the virtual firewall that will already be running.
On the next step, make sure to choose to Attach a virtual hard disk later.
Now click Next and then Finish to create the VM.
Now in the Hyper-V manager open up the Settings, go to IDE Controller 0, and Add a hard drive:
Now browse to the location on the X:\ where you copied the VHD files from your CORE server, and choose the first volume that is the boot partition. If you are using Server 2008 with a system-reserved partition, this will be CWindowsSRPPartition-snapshot.vhd. Repeat these steps to add all operating system volumes (e.g., C-snapshot.vhd). NOTE: If you have additional data volumes, they will be added in a later step.
EXTREMELY IMPORTANT: When you are adding the VHD files, you must add the -snapshot.vhd version of the files. If you add the base file instead (e.g., just C.vhd instead of C-snapshot.vhd) the server will not boot and you will corrupt the virtual standby base image. You must add the snapshot VHDs, or you’ll have to start over.
Once you have attached your virtual boot and OS volumes to the IDE controller, click the Apply button.
If you have additional data volumes, for each data volume, select the SCSI Controller and use the same steps to attach the appropriate *-snapshot.vhd file:
You may also wish to adjust the number of virtual processors attached to the VM:
Hyper-V currently supports up to 4 virtual processors per VM.
Once the VMs are configured, use the Hyper-V management console to turn on the VMs. Then configure the virtual firewall by following the instructions in the section below.
When you are finished running the VMs, stop the VMs using the Hyper-V management console. You must then use the Admin Console to delete and re-create the virtual standby jobs.
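One way to check the copy before any disk is attached, as an added example that is not part of the original guide or BluPointe's tooling: it compares the CORE share folder with the local copy by name, size and SHA-256, and lists only the *-snapshot.vhd files. The function names, the demo folders and the assumption that every base disk has a matching <name>-snapshot.vhd (taken from the file names shown above) are hypothetical; only .NET calls available to the PowerShell 2.0 on Server 2008 R2 are used.

```powershell
# Added example: check a virtual standby copy, then list the disks to attach.
# Function names and demo folders are hypothetical, not BluPointe tooling.

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash is not available in PowerShell 2.0, so hash through .NET.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($full)
    try {
        $hex = [System.BitConverter]::ToString($sha.ComputeHash($stream))
    } finally {
        $stream.Close()
    }
    return $hex.Replace('-', '')
}

function Test-StandbyCopy([string]$Source, [string]$Destination, [switch]$SkipHash) {
    # Every file in the source folder must exist in the copy with the same
    # size and, unless -SkipHash is given, the same SHA-256.
    $problems = @()
    $files = @(Get-ChildItem -Path $Source | Where-Object { -not $_.PSIsContainer })
    foreach ($file in $files) {
        $copy = Join-Path $Destination $file.Name
        if (-not (Test-Path -LiteralPath $copy)) {
            $problems += "missing: $($file.Name)"
        } elseif ((Get-Item -LiteralPath $copy).Length -ne $file.Length) {
            $problems += "size mismatch: $($file.Name)"
        } elseif ((-not $SkipHash) -and ((Get-Sha256Hex $copy) -ne (Get-Sha256Hex $file.FullName))) {
            $problems += "hash mismatch: $($file.Name)"
        }
    }
    return $problems
}

function Get-DisksToAttach([string]$Folder) {
    # Only *-snapshot.vhd files are returned; a base file such as C.vhd never is.
    $vhds = @(Get-ChildItem -Path $Folder | Where-Object { $_.Name -like '*.vhd' })
    $snapshots = @($vhds | Where-Object { $_.Name -like '*-snapshot.vhd' })
    $names = @($snapshots | ForEach-Object { $_.Name })
    foreach ($base in @($vhds | Where-Object { $_.Name -notlike '*-snapshot.vhd' })) {
        $expected = [System.IO.Path]::GetFileNameWithoutExtension($base.Name) + '-snapshot.vhd'
        if ($names -notcontains $expected) {
            Write-Warning "no snapshot file found for base disk $($base.Name)"
        }
    }
    return @($snapshots | Sort-Object Name | ForEach-Object { $_.FullName })
}

# Demo on constructed data: tiny placeholder files stand in for real VHDs.
$src = Join-Path $env:TEMP 'standby-demo-src'
$dst = Join-Path $env:TEMP 'standby-demo-dst'
foreach ($dir in $src, $dst) {
    if (Test-Path $dir) { Remove-Item $dir -Recurse -Force }
    New-Item -ItemType Directory -Path $dir | Out-Null
}
$demoFiles = 'C.vhd', 'C-snapshot.vhd',
             'CWindowsSRPPartition.vhd', 'CWindowsSRPPartition-snapshot.vhd'
foreach ($name in $demoFiles) {
    Set-Content -Path (Join-Path $src $name) -Value "constructed $name"
}
# Simulate an incomplete copy: one snapshot file is left behind.
Get-ChildItem $src | Where-Object { $_.Name -ne 'C-snapshot.vhd' } |
    Copy-Item -Destination $dst

$issues = @(Test-StandbyCopy -Source $src -Destination $dst)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    Write-Warning 'copy is incomplete; do not attach any disk yet'
} else {
    Get-DisksToAttach $dst
}
```

On a real node, pass the UNC folder on the CORE share as -Source and the X:\VMs\Disks\myservername folder as -Destination; -SkipHash limits the check to names and sizes when hashing large disks would take too long.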
Virtual Firewall and Router Configuration
Before booting the VM, you now need to configure your virtual LAN network settings and firewall policies.
On the desktop, click the Virtual Firewall shortcut:
Login with the username admin and your assigned Continuity Cloud node password.
From the menu, choose Interfaces and then LAN:
In the Static IP configuration section of the page, enter the IP address for the virtual firewall:
This IP address will become the default gateway IP for VMs on your LAN. In this case, the VM used to be on the network 192.168.10.0/24 (netmask 255.255.255.0) with the default gateway having an IP of 192.168.10.101. Also, make sure that the Gateway is set to None. Click Save when you’re finished.
IMPORTANT: Do not check the block private networks option – this would block traffic from the WAN-DMZ.
At the top of the page, click the Apply changes button:
Next, in the menu at the top of the page, choose Services, DHCP Server. Click the LAN tab. If you need a DHCP server on the LAN network, enable the DHCP server, and enter the range of IPs you want the DHCP server to use in its pool. Note that typically you can leave the DNS server IPs blank and it will use BluPointe’s DNS infrastructure. If you don’t want the firewall to act as a DHCP server, uncheck the option. Either way, click the Save button at the bottom of the page.
All outbound traffic is allowed by default. If you want to disable all outbound traffic by default, browse to the Firewall menu, and then Rules. Click the LAN tab. Find the rule from LAN net to any destination. Click the green arrow on the left to disable the rule:
Then click the Apply changes button:
Next, set up any ports that need to be forwarded from your assigned public IPs to internal IPs. To do this, go to the Firewall, NAT menu. Click the + icon to add a new rule:
Normally you should leave the Interface set to WAN and Protocol set to TCP. For the Destination, choose the proper DMZ IP address that corresponds to your desired public IP. Note that the “WAN Address” entry is your primary public IP. Secondary public IPs (and corresponding DMZ IPs) are also preconfigured in the drop-down list. Public IP address information is in the Public-IPs.txt file on the desktop.
In this example, we’re selecting the DMZ IP 172.26.128.4, which is receiving traffic from the public IP 38.109.175.128.
Next, for the destination port range, choose from the drop down list which protocol you want to forward, or you can manually enter a range of ports. In this example, we’re forwarding remote desktop:
For the Redirect target IP and Redirect target port enter the virtual LAN IP address of the server that should receive the forwarded traffic. The target port should normally be the same (in this case, remote desktop):
For the NAT reflection setting, you normally want to enable this. It allows servers in your internal LAN to connect to forwarded ports using your assigned public IPs (this is sometimes called NAT loopback). Note that this may not work in all scenarios.
The Filter rule association setting determines whether to automatically add a rule to the Firewall rules to allow the port forwarded traffic. You should select Add associated filter rule.
Once you’re finished configuring the port forward rule, click Save. Then click Apply Changes. Repeat this for all ports that you want to forward.
Note that you can also set up 1:1 NAT if desired. Normally you do not need to customize Outbound NAT.
If you want to tie your virtual LAN to your actual LAN through an IPsec firewall, please see detailed instructions here: http://doc.pfsense.org/index.php/VPN_Capability_IPsec
If you want to set up PPTP VPN connections for mobile clients to connect, go to VPN in the menu across the top and choose PPTP.
Change the radio button to Enable PPTP Server. The server address and remote address range determine the default gateway and assigned private IP addresses for PPTP clients. Normally, you want to choose a subsection of your LAN subnet to use for your PPTP network. In this example, the LAN network is 192.168.5.0/24, so we’re assigning 32 of these addresses to be used for PPTP clients, starting with the IP address 192.168.5.192:
To finish the PPTP configuration, choose whether or not you want to require strong encryption, and then click
The virtual firewall should already be preconfigured to allow all traffic from PPTP clients to the LAN network.
Next, click the Users tab on the PPTP settings page to add PPTP users:
For each user click the add button, and then choose a username and password.
Once users are set up, each user can use a PPTP client to connect. For example, here are instructions for a Windows 7 machine: In the Network and Sharing Center, choose to connect to a new network that is a VPN over an Internet connection. Put in your primary WAN public IP:
Make sure to check the “Don’t connect now” option. Click Next, and put in the username and password:
In the windows tray, click the network icon, then right click the new VPN connection and choose Properties:
Go to the network tab of the properties page, select IPv4, and choose Properties, then click Advanced:
Make sure to uncheck the “use default gateway on remote network” option:
Then save all changes. The user should then be able to connect and access LAN resources.
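The address plan from the PPTP step above can be checked before it is entered in the firewall. The following is an added example, not part of the original guide or the firewall's own tooling: it confirms that the 32-address PPTP range starting at 192.168.5.192 stays inside the 192.168.5.0/24 LAN and does not collide with the DHCP pool, the firewall's LAN IP or statically addressed servers. Test-LanPlan and its parameters are hypothetical names, and the firewall IP, DHCP pool and static IPs in the demo are constructed values.

```powershell
# Added example: sanity-check the virtual LAN address plan before enabling PPTP.
# Test-LanPlan and its parameter names are hypothetical, not firewall settings.

function ConvertTo-Int64([string]$Ip) {
    # Dotted-quad IPv4 to a number, so that ranges can be compared.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-LanPlan {
    param(
        [string]$LanNetwork, [int]$PrefixLength,
        [string]$FirewallIp,
        [string]$PptpStart, [int]$PptpCount,
        [string]$DhcpStart, [string]$DhcpEnd,
        [string[]]$StaticIps = @()
    )
    $findings = @()
    $lanFirst = ConvertTo-Int64 $LanNetwork
    $lanLast  = $lanFirst + [int64][math]::Pow(2, 32 - $PrefixLength) - 1

    $pptpFirst = ConvertTo-Int64 $PptpStart
    $pptpLast  = $pptpFirst + $PptpCount - 1
    if ($pptpFirst -lt $lanFirst -or $pptpLast -gt $lanLast) {
        $findings += 'PPTP range is not fully inside the LAN subnet'
    }

    $dhcpFirst = ConvertTo-Int64 $DhcpStart
    $dhcpLast  = ConvertTo-Int64 $DhcpEnd
    if ($dhcpFirst -lt $lanFirst -or $dhcpLast -gt $lanLast) {
        $findings += 'DHCP pool is not fully inside the LAN subnet'
    }
    # Two ranges overlap when each one starts before the other one ends.
    if ($dhcpFirst -le $pptpLast -and $pptpFirst -le $dhcpLast) {
        $findings += 'PPTP range overlaps the DHCP pool'
    }

    # The firewall's LAN IP and every static server IP must sit inside the
    # LAN subnet and outside the range handed to PPTP clients.
    foreach ($ip in @($FirewallIp) + $StaticIps) {
        $value = ConvertTo-Int64 $ip
        if ($value -lt $lanFirst -or $value -gt $lanLast) {
            $findings += "$ip is outside the LAN subnet"
        } elseif ($value -ge $pptpFirst -and $value -le $pptpLast) {
            $findings += "$ip is inside the PPTP client range"
        }
    }
    return $findings
}

# Demo: LAN and PPTP values come from the guide; the firewall IP, DHCP pool and
# static server IPs are constructed to show the checks firing.
$plan = @{
    LanNetwork   = '192.168.5.0'
    PrefixLength = 24
    FirewallIp   = '192.168.5.1'
    PptpStart    = '192.168.5.192'
    PptpCount    = 32
    DhcpStart    = '192.168.5.100'
    DhcpEnd      = '192.168.5.199'
    StaticIps    = @('192.168.5.10', '192.168.5.200')
}
$findings = @(Test-LanPlan @plan)
if ($findings.Count -eq 0) {
    Write-Output 'address plan is consistent'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```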
Manage and Start VMs
Now that your virtual router and firewall are properly configured, you’re ready to start your VMs. Simply use Hyper-V to start your VMs.
You will need to use the Hyper-V console to connect to the VMs, log in, and reconfigure the network to use the proper LAN IP address. Note that if you are using Server 2003 and you did not install the integration services already, you will need to first install the integration services using the Action menu on the Hyper-V console:
Note that when you are logging in to the VM, you will need to press the button in the top-left to simulate pressing CTRL + ALT + DELETE:
VERY IMPORTANT: If you are virtualizing an SBS server or domain controller, the first time the server boots, when the Windows boot menu appears, you should immediately press F8 and choose Active Directory Restore Mode or Directory Services Restore Mode. Once the server comes up, log in as the local Administrator (.\Administrator) using the Directory Services Restore Mode password, then edit the settings for the network adapter to reset the static IP and the DNS server address. For SBS servers, the DNS server address will be the same as the static IP (or 127.0.0.1).
Cleaning Up
When you have finished with the BluPointe Continuity Cloud, the best practice is to delete any of your data from the X: volume (using Windows Explorer). BluPointe will reinitialize the underlying RAID volumes when the node is reprovisioned, zeroing out all data on the volume. For especially sensitive data, you may want to securely erase all of the free space on the drive in a way that adheres to DoD standards. To do this, clear the recycle bin and then open a command prompt and run the command “sdelete -c X:” – this will more securely erase any files you have deleted. Running sdelete may take 24-48 hours, so you should only run it if required by your security procedures.
To ensure that you are no longer billed for the BluPointe Continuity Cloud service, you must update or submit a ticket indicating that you are finished with the node(s) that have been provisioned for you. Please note that once you have submitted a ticket indicating you are finished with the node, you will no longer have access to the machine and BluPointe will wipe and reimage the machine from bare metal; please make sure you have any data that you need before submitting a ticket indicating that you are finished with the nodes.
Additional Assistance
BluPointe is committed to responsive, competent technical support. Our teams strive to exceed your expectations. For assistance with the BluPointe Continuity Cloud or to troubleshoot network issues, contact BluPointe by emailing support@BluPointe.net. Extensive additional material is also available online at http://www.BluPointe.net/support/.