
How to Deploy Openvpn Hyper V Appliance on Microsoft Hyper-V Compatible Machines



For this test, we use a virtual appliance. We encourage you to use this solution before deploying on your infrastructure. After downloading a Hyper-V appliance, we create a virtual machine on Windows 10. This machine has the IP address 172.17.166.138.




Openvpn Hyper V Appliance



A side note, Sonicwall launched a virtual appliance for Azure several years ago under the NSv product name. I looked into this in 2018 and discovered that it was buggy, old, and apparently abandoned. If you are pursuing Sonicwall virtual appliances for VPN in Azure, avoid the NSv and go for the SMA 500v. The SMA 500v is running an almost identical firmware/operating system to the on-premise SMA hardware devices. It is routinely updated as of the date of this article, stable, and easy to manage if you are already familiar with their other SMA lines.


There are several addresses you should permit for all deployments. All of these ports are outgoing connections from the Unitrends appliance. We do not require incoming NAT of ports or exposing the unit to a public IP, only outgoing communication from a local source Unitrends appliance is needed.


During deployment, these network settings were configured for the appliance: IP address, subnet, gateway, primary DNS, hosts file, and open ports. Settings were either configured manually (if using a static IP address) or by DHCP.


Additional ports must be open if there is a firewall between your appliance and its protected assets, for connectivity to the Internet, and for connectivity to any hot backup copy target. See the following for details:


Unitrends appliances are managed and monitored from the User Interface (UI). A user account is required to access the UI. By default, a superuser named root is created on the appliance, but you can create additional user accounts. You can set up users on the appliance itself or use Active Directory (AD) authentication.


Unitrends' self-service role-based access control model enables you to restrict a user's access at the appliance, asset, and task level. Each user account is assigned a role that defines the types of operations the user can perform on the appliance. In addition, the Manage role can be further customized by applying an access level and other options. User roles and access levels are described in the following table.


Check this box to prevent the user from recovering from backup copies that reside in the Unitrends Cloud or on a remote hot backup copy target. The user can recover from local hot backup copies only (hot copies that reside on the appliance they are logged in to). The user is not able to:


Users in the Unitrends AD groups can now log in to the appliance UI by using their AD credentials. Note that AD users do not display on the Users tab in the Unitrends UI (unless you add an AD user role for the user).


Once you have set up AD authentication, users that have been added to the Unitrends AD security groups in your AD domain can log in to the appliance and perform operations that are enabled for their group. No further setup is required.


Users log in to the appliance UI by supplying UI user and password credentials. These UI users are created as described in Users and roles. In addition to these UI users, the appliance also has an operating system account for command line access.


During deployment, date and time settings were configured for the appliance. You can edit these settings as needed. You can manually set the date and time or sync to an NTP server. To use an NTP server, you will need to supply its address. Edit these settings from the Date Time tab of the Configure > Appliances > Edit > Edit Appliance page.


The VM replicas feature creates standby replicas of critical VMs that can be brought online in seconds. During replica setup, the user specifies the number of recovery point snapshots to retain with the replica VM on the hypervisor.


You can configure your appliance to send system and application-specific alerts to your network management server using the SNMP protocol. Alerts are delivered as incoming trap messages to the network management application. This enables you to quickly identify and respond to hardware or software conditions that require action.


Once the above requirements have been met and you have added the database disk to your Unitrends Backup appliance, proceed to "To create a separate database partition on your Unitrends Backup appliance" to set up the partition and migrate the database.


Deduplication is a data compression technique that eliminates duplicate data blocks. To yield fastest performance, the Unitrends Backup appliance is configured to use the Level 1 deduplication setting. You can opt to modify this setting to increase on-appliance retention. Keep in mind that increasing the deduplication level decreases job speed.


The Unitrends agent needs access to the appliance's Samba share for backup and recovery operations. The SMB 2.0 security option is enabled by default on Unitrends appliances that were originally imaged or deployed with version 10.4.8 or higher. (The SMB 1.0 security option is enabled by default on appliances that were originally imaged or deployed with a pre-10.4.8 version. Upgrading the appliance does not change the SMB 1.0 setting.)


Fully optimize your remote access management with CMS reporting and deployments. SonicWall Central Management Server enables organizations, distributed enterprises and service providers to centrally manage and rapidly deploy secure access solutions, either deployed on a private cloud as a virtual appliance or on a public cloud (AWS or Microsoft Azure) using bring your own license (BYOL).


TurnKey works well with all the major virtualization platforms (e.g., VMWare, VirtualBox, Parallels, Xen, QEMU/KVM, etc.). It provides appliances in a range of build types optimized and pre-tested for various popular virtualization platforms.


If you don't already have virtualization software installed, VirtualBox is available in a free open source edition for major OSs. VMWare Player and Server products are proprietary but free to download. KVM is 100% free software built into the Linux kernel which supports many front-end management tools. Proxmox Virtual Environment is a free, open source enterprise grade hypervisor which provides both KVM and LXC.


The TurnKey LXC template is the same as the Proxmox build. The TurnKey LXC appliance leverages these builds and patches them on the fly for deployment. They should also work with vanilla LXC, LXD or OpenVZ, but this is currently undocumented.


In the left-hand pane, click the storage where ISOs and templates are stored by default (by default it's just called 'local'); then, in the left bar of the main pane, click "content". Towards the top you should see a "Template" button. Click that and you should be able to find all the TurnKey appliances in LXC format.


During a full failover, the internal interfaces of a network extension appliance are configured with the same IP addresses that the original gateways use for their virtual machines at the tenant site, one per network / port group. This way, no change to replicated VM IP configuration is needed during the failover and the NEA can act as the new default gateway.


During partial failover, only individual replica VMs are selected by a tenant to be powered on at the service provider, and those VMs will be able to connect to their original network at the tenant side, thanks to the network extension appliance.


On top of the L2 tunnel, a Proxy ARP solution running inside both network appliances forwards L2 datagrams from one side to the other, and vice versa. The result is that VMs can use the same subnet or broadcast domain, regardless of the site where they are powered on.


Because of the different networking configurations that a network extension appliance can have, a general firewall configuration for the appliance itself is not possible. There is one TCP port that is always open on the external interface:


The only difference is that while SSHD needs to be reached only from the Veeam Backup & Replication server in order to control and reconfigure the network appliance, every other rule is meant to have no defined source IP address, as end users may need to connect from different locations to their replica VMs.


NOTE: Because the network extension appliance is already a firewall and opens only the minimum number of ports required by an end user, there is little sense in putting an additional firewall in front of it. Service providers can filter and monitor incoming connections, if needed, using firewalls operating at L2 (or in transparent mode) or by configuring their firewall as the gateway of the public IPs used by the network appliances. This allows the real public IP of an appliance to be used instead of multiple complicated NAT levels.


There is no need to monitor a network extension appliance because it is powered on on-demand by the Veeam Backup & Replication server at the service provider when needed in reaction to end user activities like the start of a partial or a full failover.


From a protection standpoint, a network extension appliance does not need to be saved because there is no permanent data on it. A significant part of configuration (the content of the floppy image) is created during appliance deployment; the managing VBR server passes additional configuration upon boot. In both cases, data is stored in the Veeam Backup & Replication server and reconfigured upon a redeployment of the NEA.


Hyper-V lets you create virtual hard drives, virtual switches and a number of other virtual devices, all of which can be attached to virtual machines. This is a popular hypervisor that can be further enhanced with the networking capabilities brought by the open source VyOS.

