Enhanced network security in Backup Exec 2010 R3.

Article:TECH156427  |  Created: 2011-03-24  |  Updated: 2012-11-14  |  Article URL http://www.symantec.com/docs/TECH156427
Article Type
Technical Solution


Issue



Backup Exec now uses stronger protocols to ensure secure communication between the media servers and the remote agent, reducing the possibility that backup or restore operations can be compromised. 


Solution



When you connect to a remote computer from the media server, you must establish a trust relationship between the media server and the remote computer. To establish the trust relationship, the media server and the remote computer exchange certificates so that each computer can confirm the identity of the other in subsequent operations. Before you establish the trust relationship, check the IP address of the remote computer to confirm that it is a trusted source; only after that verification should you establish the trust relationship with the media server.

Backup Exec issues security certificates for both the media server and the remote computer. The security certificate is valid for approximately one year and is automatically renewed during normal operations. However, if the certificate expires you must re-establish the trust before the interaction with the remote computer can continue.

After the trust relationship is established, Backup Exec uses mutual authentication when establishing the connection between the media server and the remote computer. In most cases the communication between the media server and the remote computer is also encrypted.

The trust relationship between the media server and the remote computer is automatically established when the remote agent is push-installed from the media server. If the remote agent is installed using another deployment method, the trust relationship is not established automatically. You must establish the trust relationship manually when you use one of the following methods:

  • Local installation of the agent on the remote computer from installation media. This includes installation of the Remote Agent for Windows, the Remote Agent for Linux and Unix Servers (RALUS), and the Remote Agent for Macintosh Servers.
  • Push-install of the remote agent from a computer that is not a media server
  • Deployment of the remote agent using Active Directory software package distribution
  • Deployment of the remote agent using third-party application deployment software
  • Deployment of the remote agent using scripts, batch files, or some other automated means


Manually establishing a trust relationship between the media server and a remote computer

The trust relationship between the media server and a remote computer can be established manually the following ways:

  • Add the remote computer to Favorite Resources
  • Browse to the remote computer in the Active Directory or Microsoft Windows Network domain
  • Browse to the remote computer after adding it to User-defined Selections
  • Use the Remote Agent Utility on the remote computer to configure publishing

Manually establishing a trust relationship with a remote computer by adding to Favorite Resources:

  1. On the navigation bar, click the arrow next to Backup.
  2. Click New Backup Job.
  3. On the View by Resource tab, right-click Favorite Resources.
  4. Click Add Windows System.
  5. In the System Name field, type the name of the Windows computer that you want to add.
  6. Select Add a system that already has the Remote Agent installed.
  7. In the Logon Account field, select the logon account you use for the remote computer. Click New to add a new logon account instead.
  8. Click Yes at the prompt to establish the trust relationship.
  9. Click OK.

Manually establishing a trust relationship with one or more remote computers by browsing to the domain:

  1. On the navigation bar, click the arrow next to Backup.
  2. Click New Backup Job.
  3. On the View by Resource tab, expand the Domains node.
  4. Do one of the following:
    • To select the remote computer from an Active Directory domain
      • Expand Active Directory Domains, and then expand the Active Directory domain where the remote computer resides.
    • To select the remote computer from a Microsoft Windows Network domain
      • Expand Microsoft Windows Network, and then expand the domain where the remote computer resides.
  5. Do one of the following:
    • To establish the trust relationship with a single remote computer:
      • Select or expand the remote computer.
      • Click Yes at the prompt to establish the trust relationship.
    • To establish a trust relationship with more than one remote computer in the same domain:
      • In the results pane on the right, click on the first remote computer to highlight it, but do not select the checkbox.
      • Use the <Ctrl> or <Shift> keys while you click on other remote computers that you want to select.
      • Right-click the selected computers, and then click Establish trust relationship.

Manually establishing a trust relationship with one or more remote computers by adding to User-defined Selections:

  1. On the navigation bar, click the arrow next to Backup.
  2. Click New Backup Job.
  3. On the View by Resource tab, right-click User-defined Selections.
  4. Click Manage User-defined Selections.
  5. In the Name field, type the name or IP address for the remote computer.
  6. Click Add.
  7. When you have finished adding selections, click Close.
  8. On the backup selections tree, expand User-defined Selections.
  9. Do one of the following:
    • To establish the trust relationship with a single remote computer:
      • Select or expand the remote computer.
      • Click Yes at the prompt to establish the trust relationship.
    • To establish a trust relationship with more than one remote computer:
      • In the results pane on the right, click on the first remote computer to highlight it, but do not select the checkbox.
      • Use the <Ctrl> or <Shift> keys while you click on other remote computers that you want to select.
      • Right-click the selected computers, and then click Establish trust relationship.

Manually establishing a trust relationship with a remote computer using the Remote Agent Utility:

  1. On the computer on which the Remote Agent is installed, on the task bar, click Start > All Programs > Symantec Backup Exec > Backup Exec 2010 Remote Agent Utility.
  2. Click the Publishing tab.
  3. Click Change Settings.
  4. After the utility closes and reopens, click the Publishing tab.
  5. Click Add.
  6. Type the name or the IP address of the media server, the user name, and the password. The user must have administrative privileges on the specified media server.
  7. Click OK.
  8. Click the Security tab and verify that an entry appears for the specified media server.
  9. Click OK to close the Remote Agent Utility.

Establishing a trust relationship while configuring a remote computer for deduplication

If a trust relationship with the remote computer has not been established, you can establish it when you configure the remote computer for deduplication:

  1. On the Tools menu, click Configure Devices.
  2. Click Configure Remote Agent for Deduplication.
  3. In the Server field, type the name of the remote computer.
  4. Choose the port your remote computer is configured to use (default is 10000).
  5. Type a description.
  6. Check or clear Enable ICMP ping operations, depending on your network configuration. If your firewall blocks ICMP, you must clear the checkbox.
  7. Select a logon account you use for the remote computer or create a logon account.
  8. Click OK.
  9. Click Yes at the prompt to establish the trust relationship.
  10. Click Restart Now or Restart Later. The Backup Exec services on the media server must be restarted before you can use the remote computer for client-side deduplication.


Upgrading Backup Exec to use the enhanced security protocols

To take full advantage of the enhanced security protocols in Backup Exec 2010 R3 you must upgrade all the media servers and the remote agents to the new version. However, as with previous versions, Backup Exec 2010 R3 maintains compatibility with a limited number of versions of the remote agent to accommodate a more gradual upgrade process.

If Backup Exec 2010 R3 is used for backup or restore operations with a remote computer that is running a compatible previous version of the remote agent, the job runs and is expected to complete with exceptions. The following message appears in the job log, and in the alert when the job completes:


The remote computer is running a previous version of the Backup Exec Remote Agent. You must upgrade the remote agent to enable secure communication between the agent and Backup Exec media servers.
 

Symantec recommends that you upgrade all the media servers and the remote agents to the latest version of Backup Exec.


Central Administration Server Option (CASO) and SAN Shared Storage Option (SSO) Considerations

When Backup Exec 2010 R3 is installed with the Central Administration Server Option (CASO) or the SAN Shared Storage Option (SSO), the central administration server or the primary server acts as the preferred root certificate authority for signing remote agent certificates. The managed media servers or the secondary servers in the CASO or SSO configuration maintain copies of the server certificates from the central administration or the primary server, so that they are also able to establish secure communication with the remote agent computers that have a valid trust relationship with the central administration or the primary server. These servers also maintain their own local server certificates, which can also be used to establish trust relationships with remote agent computers if the central administration or primary server is unavailable.


Protecting Clusters

To protect clustered resources, the trust relationship must exist between the media server and the remote agents on all of the physical nodes in the cluster. If the remote agents on the cluster nodes were push-installed from the media server, the trust relationship was established during the installation and no further action is required. However, if the remote agents were installed using another method, you must establish the trust manually with all of the physical cluster nodes, not just the virtual cluster name. This ensures that secure communication can be established between the media server and whichever physical node is active for backup or restore operations. Use one of the methods described above to manually establish the trust relationship between the media server and all of the physical nodes of the cluster.


Certificate lifetime and renewal considerations

The security certificates maintained by Backup Exec 2010 R3 media servers are valid for one year and are automatically renewed during normal operations at approximately the halfway point of the certificate lifetime. When the media server certificates are renewed, the previous certificates are retained for the remainder of their lifetime so that secure communications can continue to be established with remote agents on which the client certificates have not yet been renewed.

After renewal of the media server certificates, the corresponding client certificates on the remote agent computers are also automatically renewed during future operations. This ensures that ongoing secure communication between media servers and remote agent computers can be maintained with minimal need for user interaction.

If a remote agent computer becomes disconnected from communication with the media server for an extended period of time and the client certificate expires, you must manually re-establish the trust relationship with the media server before normal operations can resume. 


Supplemental Materials

Source: UMI
Value: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110526_00



